IP Masquerading

I was looking at the OpenWRT firewall configuration and realized that "masquerading" seems to be applied backwards in the UI.

NAT should be applied in the direction that initiates the NAT entry, not on the direction where traffic returns.

Since Masquerading here is about the same as Source NAT, where the inside source IP address (i.e. is changed to the public IP address on the way out, it should be applied on the LAN->WAN pair, not the WAN->LAN pair.

But in order to make it work, apply it as if you are attempting to Masquerading all outside traffic in as if it were to be sourced from your router's IP address.

Just an observation in case anyone else is confused by this.

Other than you're quite incorrect...have you tried setting up what you actually stated to find out it won't work?

For those who come across this: masquerade is applied usually to the outbound interface or to the destination network - this is WAN in OpenWrt's case; and therefore it's correct.


There is no such thing.

1 Like

I think the page layout is confusing you.

On the top row you have the LAN zone, that is allowed to forward traffic to the WAN zone. On the bottom row you have the WAN zone, that is not allowed to forward any traffic; also, traffic leaving the WAN zone is masqueraded.

Each row represents a zone, not a traffic flow; there is no "LAN->WAN" interface.


Sorry, I edited my post. I meant to say "pair", not interface. But it doesn't change the thought at all. I will read the articles above and see what the justification is for applying a source NAT on the destination.

Your post wasn't talking about Source NATs - your post is about Masquerade. Source NAT is different thing than Masquerade (or "a specialized case of Source NAT" as the manual says).

See: https://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html#ss6.1

Perhaps you've confused the terms with another vendor's (i.e. Cisco)?


The default configuration is for the standard home router use case where packets going to the Internet must be masqueraded to the public IP that the ISP has provided. This is the IP of the WAN interface, so it is correct that checking the masquerade box on WAN will convert all outgoing packets to have the WAN interface as their source IP.

If the box is not checked, the source IP of packets bound to the Internet from the LAN (by forwarding them to WAN) will remain as the LAN IP of the originating PC. This will not work since the ISP does not keep a route back to your LAN.


@eduperez mentioned each row represents a zone, not a single traffic flow. This is what was confusing me, as the UI was giving me the impression that each row was a flow.

So I get it now, the Masquerade in the iptables config is applying to the outside interface, which is applied to the wan zone.

(@lleachii I was talking about NATing the source address, not the destination address. Cisco refers to it as source NAT overload. Sorry for the confusion.)