How does lan masquerading work?

Hi all!

I don't quite understand how masquerading works if you enable it on both the wan and lan interfaces at the same time.
Whether this is good or bad in terms of security, that's what interests me.

It's not a security thing.

1 Like

Example: if you block ICMP at the raw_prerouting level on the WAN interface, you may have connection problems.
But if you enable masquerading on the LAN interface, everything works fine, with ICMP blocked.
That's the question: I don't quite understand how it works, and whether it's dangerous or not.
It seems to me that it's cool, or am I wrong?

It is not a security thing per se, but as all traffic now originates from the router's IP address, you lose logging and access control.
For me that is a security thing.

1 Like

You're wrong. Leave things you don't understand alone. Your grasp of networking concepts is already poor, do not attempt to overcomplicate it with more things you don't understand.

2 Likes

The log doesn't bother me. I'm more interested in this: if you block ICMP on the WAN interface, does ICMP then come from the LAN interface, or what? I don't understand.

Why are you blocking ICMP?

1 Like

Where are you pinging from? LAN or internet?

1 Like

Just a task to block all ICMP traffic on the WAN interface.

Why are you blocking ICMP?

1 Like

Change the default traffic rules, for whatever reason you want to do it.

I am satisfied with such a combination; I just don't understand how it works.

How what works? The firewall?

1 Like

Why does everything work fine thanks to the masquerade on the LAN interface and the ICMP blocking on the WAN interface, and is it possible to leave it like that?
I don't need traceroute and ping usage.

You could have left it without any changes, too...

1 Like

Of course it is possible without changes, but it is not interesting.

If you enable masquerade on the LAN interface, you may experience anomalies when routing internally between interfaces (e.g. if you ever create a second LAN or VPN).

By default masquerade on WAN (IPv4) is enabled because:

Usually ISPs issue one IPv4 address. Masquerade, a form of Network Address Translation (NAT), was designed so that private IPs (RFC 1918) can be used internally while traffic to the Internet uses the WAN IP. It's a type of Source NAT. Since private addresses are not publicly routable, the WAN IP must be used to send traffic, hence the need to masquerade on WAN.

This is basic networking knowledge, and masquerade is not OpenWrt-specific.

https://tldp.org/HOWTO/IP-Masquerade-HOWTO/ipmasq-background2.1.html

1 Like
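To make the two points above concrete (source NAT on WAN so RFC 1918 hosts can reach the Internet, and the loss of the real source address when masquerade is also turned on for LAN), here is a small added model of a masquerading router. It is example code written for this thread, not OpenWrt's firewall or netfilter code; the addresses (192.0.2.1 as WAN IP, 192.168.1.0/24 as LAN, 10.8.0.0/24 as a VPN subnet) and the port allocation scheme are constructed assumptions.

```python
"""Toy model of MASQUERADE (source NAT) on a home router.

Added example for this thread; it is not OpenWrt or netfilter code.
All addresses below are constructed sample values.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Router:
    def __init__(self, ifaces, masq):
        # ifaces: name -> (interface address, attached subnet)
        # masq: set of interface names that masquerade traffic leaving them
        self.ifaces = {
            name: (ipaddress.ip_address(addr), ipaddress.ip_network(net))
            for name, (addr, net) in ifaces.items()
        }
        self.masq = set(masq)
        # conntrack: (out_iface, nat_src, nat_sport) -> (original src, original sport)
        self.conntrack = {}
        self.next_port = 40000  # assumed start of the NAT port pool

    def egress_iface(self, dst):
        d = ipaddress.ip_address(dst)
        for name, (_, net) in self.ifaces.items():
            if name != "wan" and d in net:
                return name
        return "wan"  # everything else follows the default route

    def forward(self, pkt):
        """Return (outgoing interface, packet as the next hop will see it)."""
        out = self.egress_iface(pkt.dst)
        if out not in self.masq:
            return out, pkt  # plain routing: real source address preserved
        nat_ip = str(self.ifaces[out][0])
        nat_port = self.next_port
        self.next_port += 1
        self.conntrack[(out, nat_ip, nat_port)] = (pkt.src, pkt.sport)
        return out, Packet(nat_ip, pkt.dst, nat_port, pkt.dport)

    def reply(self, in_iface, pkt):
        """Reverse-translate a reply arriving on a masquerading interface."""
        key = (in_iface, pkt.dst, pkt.dport)
        if key in self.conntrack:
            orig_src, orig_sport = self.conntrack[key]
            return Packet(pkt.src, orig_src, pkt.sport, orig_sport)
        return pkt


IFACES = {
    "wan": ("192.0.2.1", "192.0.2.0/24"),      # assumed ISP-assigned public IP
    "lan": ("192.168.1.1", "192.168.1.0/24"),  # RFC 1918, not routable on the Internet
    "vpn": ("10.8.0.1", "10.8.0.0/24"),        # second internal interface
}


def wan_masquerade_example():
    """Default case: masquerade on WAN only. Returns (outgoing, de-NATed reply)."""
    r = Router(IFACES, masq={"wan"})
    out_iface, out_pkt = r.forward(Packet("192.168.1.10", "203.0.113.5", 51000, 443))
    # The Internet host answers the WAN IP, and conntrack maps it back to the LAN host.
    reply = r.reply(out_iface, Packet("203.0.113.5", out_pkt.src, 443, out_pkt.sport))
    return out_pkt, reply


def source_seen_by_lan_host(masq_lan):
    """A VPN client talks to a LAN host; return the source address the LAN host logs."""
    r = Router(IFACES, masq={"wan", "lan"} if masq_lan else {"wan"})
    _, pkt = r.forward(Packet("10.8.0.2", "192.168.1.10", 53000, 22))
    return pkt.src


if __name__ == "__main__":
    out_pkt, reply = wan_masquerade_example()
    print("on the wire:", out_pkt)
    print("reply after de-NAT:", reply)
    print("LAN host sees (masq wan only):", source_seen_by_lan_host(False))
    print("LAN host sees (masq lan too):", source_seen_by_lan_host(True))
```

Running it shows the first packet leaving with the WAN address as source and the reply being mapped back to 192.168.1.10, which is why WAN masquerade is needed at all. In the second scenario the LAN host records 10.8.0.2 when only WAN masquerades, but 192.168.1.1 once LAN masquerades as well: any per-client log entry or firewall rule on that host now matches the router rather than the actual peer, which is the logging and access-control loss described above.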

I consider ICMP traffic dangerous, so the goal is to turn it off completely for the Internet and force the router to work without this protocol.

Then just disable the ping firewall rule. Voila.

There are still other ways the router could respond, though (e.g. you still have the default rule as REJECT). So I'm not sure why ping is considered insecure in particular.

1 Like

It's not. Blocking it is neither necessary, nor a good idea.

1 Like