How to implement "Device as router with disabled NAT, additional routing rules"

I wonder how to implement the "Device as router with disabled NAT, additional routing rules" settings mentioned on the page "Router vs switch vs gateway and NAT".

The page describes the situation that I have, but I'm not sure how to configure openwrt for it.

Long story:
I have a TP-LINK TL-WDR3600 on which I'll install openwrt (snapshot), and I have to configure it according to the network settings I got from our network "administrator".

He said that "you get network which will be routed through address".

As I understand it, that means the router will have an external address, hosts "behind" the router will have addresses from network, and hosts from "outside" will have access to our hosts. Further, if I'm not wrong, I should switch off NAT and configure routing rules. If a packet goes to an address outside our network, it should be routed to (our current default gateway). The router will provide DHCP and DNS services for the "internal" hosts as well as a print server (these are the primary purposes of the router). Besides that, connections to the Internet from hosts inside subnet should be "nated". For the last one I assume it is possible to use nftables (I prefer it as it has a more "readable" syntax):

# nft add rule net postrouting ip saddr oif wan snat to

You can disable NAT on the downstream router if you own the upstream one.
Simply add a static route on the upstream router to the subnet behind the downstream one via its IP.

I didn't find information about disabling NAT on, maybe my search foo isn't good enough.

The network administrator is very friendly.

You mean doing something like the following on my router?

    config 'zone'
        option 'name' 'wan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'mtu_fix' '1'
        option 'masq' '0'

    config 'forwarding'
        option 'src' 'wan'
        option 'dest' 'lan'

(found here: ) Is this what "disabling NAT" is?

Correct me if I'm wrong, but if I follow all the recipes from the document above and masquerading is set on the router, then all packets from the router will have the router's IP address as the outgoing address. This weekend I'll try to turn off masquerading and test, because all hosts must be identified by their IP (except hosts from subnet, which should have as outgoing address) as they are in the "internal" network.

To clarify, below is a diagram of our network configuration.

                             +-------+     +----------+
            +----------------| PROXY |-----| INTERNET |
            |                +-------+     +----------+
  | "External" network |.....
      | Our router |
        |       |
    +---+--+    |
    | WIFI |    |
    +------+    |
             | LAN |

On the upstream router, which is missing from your diagram:

ip route add via

Assuming your admin can convert the runtime setting to the persistent one.

This is a necessary condition. :slight_smile:

That is not a good idea for multiple reasons.

Will learn it, thank you.

Could you elaborate on this? Do you mean using nftables, or doing such a thing?

In the general case, the names of L3 devices can be dynamic and unpredictable.
OpenWrt operates on networks/interfaces, which are a higher-level abstraction above L3 devices.

So, most services do not use L3 devices in their UCI configs, but rely strongly on networks/interfaces.
With the hotplug subsystem, this makes it possible to avoid potential race conditions and deadlocks.
At the same time, it provides dynamic service management and status tracking.

This also applies to fw3, aka the OpenWrt firewall, whose backend is based on iptables.
By the way, the upcoming release of fw4 should utilize the nftables backend.

NAT is also known as masquerading, since the source address of packets is rewritten to make them appear to be from the router doing NAT. To disable NAT simply uncheck the masquerade box on the WAN firewall zone, or remove the option masquerade from the config file. If present, mtu_fix should also be removed.

By default the firewall allows outgoing LAN->WAN connections but not incoming. If you want someone on the .107 network to have direct incoming access to one of your .150 machines, you will need to add this to the firewall. Likely though, you should not trust the .107 network very much, and leave the firewall closed.
