Ip_forwarding and NAT on OpenWRT

I'm trying to use my OpenWRT device as an internet edge gateway for my ZeroTier network. For this, I need to enable ip_forwarding and NAT. On CentOS, I would do the following:

sysctl net.ipv4.ip_forward=1

def=$(ip route | grep ^default | awk '{ print $5 }')

for iface in $(ls /sys/class/net | grep $def) ; do 
    iptables -t nat -A POSTROUTING -o "${iface}" -j MASQUERADE ;
    ip6tables -t nat -A POSTROUTING -o "${iface}" -j MASQUERADE ;
done

I tried the same on my OpenWRT device and nothing seems to happen, not even an error. Can someone help me here?

Forwarding is enabled by default for IPv4 and IPv6.

If you want to get a default route, I recommend: ip route show default; or even better, if you have installed the ip-full package, then use: ip --json route show default.

Do you want to enable Masquerade on all your VPN(?) interfaces? Are these known upfront, or created dynamically?

If they are known upfront: Configure them in /etc/config/firewall in a config zone, i.e. with option name zerotier and list network .... Example:

config zone
    option  name            zerotier
    list    network         ztif0
    list    network         ztif1
    option  input           ACCEPT
    option  output          ACCEPT
    option  forward         ACCEPT
    option  masq            1

(The "network" is the same as configured in /etc/config/network...)

If the interfaces are not known upfront, then I would use a hook/hotplug script, i.e. located in /etc/hotplug.d/iface/

Does it help?

2 Likes
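
Added example (not code from the thread or from OpenWrt): the answer above recommends `ip route show default`; this POSIX shell function picks the egress interface by the `dev` keyword rather than by field position, since the `awk '{ print $5 }'` form from the question returns `static` for a default route that has no `via` hop. The helper name `default_ifaces` and all sample route lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; default_ifaces is a hypothetical helper, not an OpenWrt tool.
# Reads `ip route show default` output on stdin and prints each distinct
# egress interface once, in order of appearance.
default_ifaces() {
    awk '
        $1 == "default"                     { in_default = 1 }
        $1 != "default" && $1 != "nexthop"  { in_default = 0 }
        in_default {
            # The interface is the token after "dev", wherever it appears.
            for (i = 1; i < NF; i++)
                if ($i == "dev" && !seen[$(i + 1)]++)
                    print $(i + 1)
        }'
}

# Constructed sample outputs (documentation addresses, not from a real router).
SAMPLE_VIA='default via 192.0.2.1 dev eth0.2 proto static src 192.0.2.10'
SAMPLE_PPP='default dev pppoe-wan proto static scope link'
SAMPLE_MULTI='default via 192.0.2.1 dev eth1 proto static metric 10
default via 198.51.100.1 dev wwan0 proto static metric 20
default via 192.0.2.1 dev eth1 proto dhcp metric 30'
SAMPLE_ECMP='default proto static
    nexthop via 192.0.2.1 dev eth1 weight 1
    nexthop via 198.51.100.1 dev wwan0 weight 1'

# Show the result for each constructed sample, one line per sample.
for sample in "$SAMPLE_VIA" "$SAMPLE_PPP" "$SAMPLE_MULTI" "$SAMPLE_ECMP"; do
    printf '%s\n' "$sample" | default_ifaces | tr '\n' ' '
    echo
done
```

On a router the function would be fed live output, as in `ip route show default | default_ifaces`.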

Thanks for the pointer, I updated my firewall config accordingly and now everything works fine 🥂

1 Like
