How to forward wan request to lan?


I do not find a way to make the following (I give an example to make it easier):
I have a tool to synchro some files from my laptop to a NAS with SFTP from wherever I am.
My openwrt is doing port forwarding from wan (public.ip.address:66) to NAS.ip:22 for doing so.
It works well.
Yet, when I am at home, so in my lan, it doesn't make sense to go from my computer to internet then back to my NAS, it is rather slow and I would prefer to stay on my lan and go direct to my NAS
So I would like that each request to public.ip.address:66 is routed at the router level into NAS.ip:22 (and not going outside my lan)
I don't see such option in LUCI GUI or I missed it. May-be I have to write down an iptables rules but it is beyond my knowledge


One possible approach might be to rewrite your tool to detect if you're at home or not. If you're at home, use the NAS's real internal IP address. If you're not at home, use your public IP address.

1 Like

Sure but not sure freefilesync (the tool that I use) support it... and moreover I was sure (but I could be wrong) that it was doable in the router with openwrt

Set up a VPN and use the same IP and port from LAN and VPN.
Even better, you can avoid exposing NAS on the WAN.


Why not set up the local resolver to resolve your NAS-DNS-name to the local IP? E.g. in /etc/config/dhcp:

list address '/'

Use the same value for that you would use from the internet, i.e. probably some DDNS address.


i do it like that. in my lan e.g. resolve to the local ip of the server and from outside it resolves to the external ip.

1 Like

You mean on the machine? I was willing to avoid that because it would mean to do it on each familly member machine...not the solution I would prefer, but interesting solution.
I really thought there was something "easy" to do on the router side

Probably my syntax is not correct, but I was thinking of something like this:
iptables -t nat -A PREROUTING -d public.ip.adress --dport 66 -j DNAT --to NAS.ip:22

You can probably add an equivalent rule with luci, but the command to put in /etc/firewall.user would look something like

iptables -t nat -I prerouting_rule 1 -i br-lan -p tcp --dest public.ip.adress --dport 66 -j DNAT --to-destination NAS.ip:22

Port forwards configured via UCI/LUCI do NAT reflection automatically. NAT reflection allows you to reach services on your LAN through the external IP WITHOUT the packets actually going through the internet. In other words, if you have the port forwarded there is no step 2. It's already working exactly as you want it to work when connecting to this service while you are connected to the LAN network.

1 Like

Really?? I am doing it already without knowing it.... nice :wink:

Yes :slight_smile: If you open the Firewall page in Luci under Status and search for "Reflection" on said page, you will find multiple firewall rules taking care of this :slight_smile:

No, what @treysis means is something similar to "split-brain DNS", where you get a different response depending on where you are.

When you're away from home, using dynamic DNS, you connect to your home network using your usual DDNS hostname. Your DNS lookup goes to the usual DNS server for your chosen DDNS provider.

When you're at home, you still connect using your usual DDNS hostname... but your router (or DNS server) intercepts the DNS query and directs the client to the internal IP address.

1 Like

Not a fan of NAT. Probably still causes a hit on performance.

1 Like

Sure, I was just giving him the correct syntax for the rule he posted in the preceding post. There are a number of ways to skin this particular cat, some of which will be better than others.

1 Like