How to disable MASQUERADE on LAN interface?


I forward a couple of destination ports on the WAN interface to hosts on my LAN. I'd like the logs on those internal hosts to record the public source IP of the connection. In order to do this, I need to disable MASQUERADE on the LAN interface, while retaining it on the WAN interface.

What is the proper OpenWrt way to do this? Nothing in the LuCI interface jumped out at me.

The problematic rule is:

-A zone_lan_postrouting -m comment --comment "!fw3" -j MASQUERADE


So I'm digging into this a little bit more, and I think my zones aren't ideal. Here's how they are currently.

I suspect I need to add a "wan -> lan" zone just for forwarding ports, but I'm not quite wrapping my head around how zones fit into my understanding of iptables.

Can I just add "lan" as a destination to my existing wan zone and then disable masquerade for that?

You should only have masquerading and MSS clamping active on the WAN interface; that is the default configuration. Unless you have a good reason, I would disable both on the LAN interface.

For a start, is there a good reason to enable masquerade in the lan and wg zone?

Thanks! That got me over my overthinking-axle-wrapping-brainfart.

This is what I have now and a quick smoke test verifies it's working as I needed.

Just for my understanding: I need to focus on the "Name" of the zone when configuring the Input, Output, Forward, Masquerade, and MSS, correct? What confused me was that I was focusing on the shiny colors and trying to wrap my head around disabling Masquerade on the lines which were forwarding to the Lan interface, which is in two zones. Duh. Bright colors often distract me, for sure.
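
The check discussed in this thread, as an added example that is not part of any post above: a shell function that reads a UCI firewall config and lists every zone other than the WAN zone that still has masquerading or MSS clamping switched on. The sample config is constructed (zone names `lan`, `wan` and `wg` come from the thread; the `https-in` redirect is made up), and the function names are hypothetical.

```shell
# Constructed sample of /etc/config/firewall, not a real router's config.
sample_config() {
cat <<'EOF'
config zone
    option name 'lan'
    option masq '1'
    option mtu_fix '1'

config zone
    option name 'wan'
    option masq '1'
    option mtu_fix '1'

config zone
    option name 'wg'
    option masq '1'

config redirect
    option name 'https-in'
    option src 'wan'
    option dest 'lan'
EOF
}

# audit_masq FILE [WAN_ZONE]: print each zone other than WAN_ZONE (default
# "wan") that has masq or mtu_fix enabled. Only "config zone" sections count.
audit_masq() {
    awk -v allowed="${2:-wan}" -v q="'" '
        # UCI accepts several spellings for a true boolean.
        function is_on(v) { return v ~ /^(1|on|true|yes|enabled)$/ }
        function report() {
            if (in_zone && name != allowed) {
                if (is_on(masq))    print name ": masq enabled"
                if (is_on(mtu_fix)) print name ": mtu_fix enabled"
            }
            in_zone = 0; name = ""; masq = ""; mtu_fix = ""
        }
        $1 == "config" { report(); in_zone = ($2 == "zone"); next }
        in_zone && $1 == "option" {
            v = $3; gsub("[\"" q "]", "", v)   # strip surrounding quotes
            if ($2 == "name")    name = v
            if ($2 == "masq")    masq = v
            if ($2 == "mtu_fix") mtu_fix = v
        }
        END { report() }
    ' "$1"
}
# On the router: audit_masq /etc/config/firewall
```

Any zone this prints is one whose traffic leaves with the router's address as source, which is why the internal hosts' logs lose the public client IP.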

