How to do SNAT

As the first step towards my goal, I need to figure out how to SNAT packets from one device to another going through my router. I tried this by connecting my two devices to two LAN ports with the two ports bridged as a single interface. I added SNAT rules with only the original source IP and desired source IP specified on both postrouting and input chains in the nat table. This did not work. The result was my receiver still receiving from the original IP address when viewed from Wireshark.

Rules:

iptables -t nat -A INPUT -s <original addr> -j SNAT --to-source <desired addr>
iptables -t nat -A POSTROUTING -s <original addr> -j SNAT --to-source <desired addr>

There were no other firewall rules besides the defaults (input = accept, out = accept and forward = reject) and no static routes.

Can someone tell me what I did wrong or provide me with an example to achieve this?

Thanks in advance.

If the devices are on the same subnet the router is just bypassed.

Almost all OpenWrt targets nowadays are using nftables instead of iptables

Can you show the output of:

ubus call system board
{
        "kernel": "5.4.188",
        "hostname": "OpenWrt",
        "system": "UBNT_E300 (CN7030p1.2-1000-AAP)",
        "model": "Ubiquiti EdgeRouter 4",
        "board_name": "ubnt,edgerouter-4",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.3",
                "revision": "r16554-1d4dea6d4f",
                "target": "octeon/generic",
                "description": "OpenWrt 21.02.3 r16554-1d4dea6d4f"
        }
}

Had to copy this over by hand. Hopefully nothing is wrong.

If the router (along with the firewall) is bypassed because my devices are in the same subnet, will assigning them in different VLANs help? I actually tried this but I simply cannot get the packets from my sender to my receiver.

What I did:
Enable bridge VLAN filtering
Assigned different VIDs to the two untagged ports (they remained bridged) and make them participate on different VLANs.
Created different interfaces for the two VLANs
Assigned both VLAN interfaces to the same firewall zone
Configured the firewall zone as such: input = accept, output = accept, forward = accept

Result:
My receiver no longer receives.

not supported here - you need to upgrade to latest 24.10.0 or 23.05.5

What is not supported? SNAT?

your openwrt version - you need to upgrade


Go to luci/network/firewall

When you add NAT rule surprise surprise default type is SNAT with boxes to enter your IP addresses.

That will work same on fw3 and later fw4

I attempted it both using iptables and luci. Neither way worked. If what egc said about being in the subnet is true, I think that could be the problem because I even tried a simple reject rule and my receiver was still receiving. It felt like the firewall rules were not applied at all.
However, I need them both to be in the same subnet because I'm not allowed to change their IP addresses, hence SNAT.
If anyone can tell me how to route between VLANs, that would be great.

EDIT: Nevermind, I thought this might have been a different problem but I read the thread a bit more and it's covered.

Cannot help with such an old version.
You can check if rule gets any hits with iptables -L -n -v

If the ports are bridged together, traffic does not flow through the firewall; it could even be passing directly through the internal switch, and not reaching the CPU at all.

Try to use tcpdump on the router, and confirm whether you can detect the traffic between the devices.

Before diving into how to do what you need, is there any reason not to upgrade to a more recent version?

No real reason. I just don't think there is any need for such a basic requirement. However, seems like there is substantial difference between this and later versions for help to be impossible, so I will attempt to upgrade it soon.

Edit:
After upgrading to 24.10, I was able to successfully SNAT with a simple SNAT rule.
My next challenge is setting a mark and then, when the mark is matched, doing SNAT. This has been unsuccessful.

Also, can I just get a confirmation if I need to reboot after adding SNAT rule to activate it? From my experience, this seems to be the case. I don't think even "service firewall restart" works?
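As an added example that is not the poster's configuration nor anything taken from the thread, this is the shape of an fw4 (OpenWrt 23.05/24.10) /etc/config/firewall fragment for the two-VLAN layout the thread ends up with: one zone holding both VLAN interfaces, the plain SNAT rule that worked after the upgrade, and the mark-then-SNAT variant the poster was attempting. The interface names lan_a and lan_b, the subnets 192.168.10.0/24 and 192.168.20.0/24, the sender 192.168.10.10, the router's own lan_b address 192.168.20.1, UDP port 5000 and mark 0x10 are all assumed; that a `nat` section accepts `option mark` is taken from the fw3/fw4 option list as I read it and is also an assumption to verify on your own box.

```uci
# Added example, not from the thread. All names, addresses, ports and the
# mark value below are assumed.

# One zone for both VLAN interfaces, open in all directions as in the thread.
config zone
	option name 'lan'
	list network 'lan_a'
	list network 'lan_b'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Variant A: plain SNAT. For a 'nat' section 'src' names the zone the packet
# LEAVES through (fw4 puts the rule in chain srcnat_<zone>), not where it came
# from. Packets from the sender headed for the receiver subnet get the
# router's own lan_b address as source, so replies need no proxy ARP.
config nat
	option name 'snat-sender'
	option family 'ipv4'
	option src 'lan'
	option src_ip '192.168.10.10'
	option dest_ip '192.168.20.0/24'
	option target 'SNAT'
	option snat_ip '192.168.20.1'

# Variant B: mark first, then SNAT only marked packets. Use B instead of A,
# not alongside it, or A will catch the packets before the mark matters.
# A 'rule' with target MARK and only 'src' set is placed by fw4 in
# mangle_prerouting, i.e. before routing and before the srcnat hook.
config rule
	option name 'mark-sender-udp'
	option family 'ipv4'
	option src 'lan'
	option src_ip '192.168.10.10'
	option proto 'udp'
	option dest_port '5000'
	option target 'MARK'
	option set_mark '0x10'

# The SNAT rule matches on the mark rather than on addresses. 'option mark'
# on a nat section is assumed here from the fw3/fw4 option list.
config nat
	option name 'snat-marked'
	option family 'ipv4'
	option src 'lan'
	option mark '0x10'
	option target 'SNAT'
	option snat_ip '192.168.20.1'
```

After `/etc/init.d/firewall restart`, check that the rules were actually generated and are being hit rather than trusting the UI: `nft list chain inet fw4 srcnat_lan` should show the snat rule with its `counter packets N bytes M` statement, and `nft list chain inet fw4 mangle_prerouting` the mark rule; if the counters stay at zero while the sender transmits, run `tcpdump -ni br-lan.10 host 192.168.10.10` (interface name assumed) to confirm the packets reach the CPU at all, which is the check suggested earlier in the thread. If you SNAT to an address that is not one the router owns on lan_b, the receiver's ARP requests for it go unanswered and replies are lost; either use the router's own address as above or add that address to the interface. The poster reports that on their device a reboot was needed before the rules took effect; the counters above tell you whether that is the case for yours.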

If you add rules via LuCI all restarts are done behind the scenes.

After some testing, I am sure that adding/deleting SNAT rules via luci does require a device reboot, at least for the firmware version that I am using (24.10).

Restarting firewall via luci or via console command does not work.

Anyway, since I am now able to do SNAT I will mark this thread as resolved.

In combination with changing to different subnet and upgrading the firmware, for some reason, rebooting the device is required for the firewall rules to take effect.