Is IP masquerading between IP addresses in the local network possible in OpenWrt?

I have in openwrt an IoT network isolated from the home and guest network.
Unfortunately, this comes with the problem that those devices that are outside the IoT network are not discoverable to the IoT server. It is also not possible to move devices that are used in the main network to the IoT network without losing functionality.
The only solution, as I see it, would be to use masquerading to present the necessary home network devices to the IoT server within the IoT network IP range.
I have no idea if this is possible or how to achieve this.
I hope someone knows a solution.
Thanks


Actually, the solution you may be looking for is to disable masquerading, and to establish routes and firewall rules that permit the server to connect to the IoT devices. There are a bunch of nuances, of course, but this is generally the best method.

Is the OpenWrt router the only router in your network?

Yes it is

My server is now inside IoT and connecting to IoT devices is no problem. Trouble is with some devices outside IoT network.
As for device discovery, the server documentation specifically says: "If your device is not on the same subnet as Home Assistant this will fail. It may be possible to bypass this issue by using IP masquerading or a proxy."

So auto discovery typically only works while on the same subnet -- protocols like mDNS are designed to work only within a single broadcast domain. If your IoT devices use mDNS, you can install an mDNS reflector/repeater to enable cross-subnet auto discovery.

Otherwise, without auto discovery, you can make connections by specifying the IP address directly (from HA > IoT device or from the IoT device > HA, depending on the context).

Did this come from the HA documentation or something else? Can you link to it? I'm not sure that this makes any sense, but maybe more context would help.

Could you give specific examples of the "devices" you are talking about? What's the device you want to be discovered? What's the device that does the discovering? Any hints on the protocol they are using?

I have the impression what you're looking for is not masquerading, but actually "forwarding broadcast traffic".
You might want to look into the general direction of the igmpproxy package instead.

Also, your firewall must permit the inter-VLAN connections to occur. We haven't reviewed any of your configurations, so this is currently a big assumption and not a given that your firewall is set up correctly.

Assuming the case is similar and the problematic devices are located in the lan zone, try creating a SNAT rule.
Set the correct HA IP address.

uci add firewall nat                                  # new 'config nat' section (fw4 NAT rule)
uci set firewall.@nat[-1].name='SNAT-HA-to-LAN'
uci set firewall.@nat[-1].src='lan'                   # zone the rewritten packets leave through
uci set firewall.@nat[-1].target='SNAT'
uci set firewall.@nat[-1].src_ip='172.16.0.100'       # The correct HA IP address here
uci set firewall.@nat[-1].snat_ip='192.168.1.1'       # router's own LAN address becomes the new source
uci set firewall.@nat[-1].dest_ip='192.168.1.0/24'    # only traffic headed into the LAN subnet
uci set firewall.@nat[-1].proto='all'
uci commit firewall
/etc/init.d/firewall restart
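To make clear what the SNAT rule above actually does to a packet (and what it does not do), here is a small model of the rule's match options and the connection-tracking entry that lets replies find their way back. This is an added illustration, not code from the thread or from OpenWrt/fw4; the addresses, ports and the simplified zone/conntrack handling are constructed assumptions, and the real kernel path is considerably more involved.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed rule mirroring the thread's uci options (illustration only, not OpenWrt code).
SNAT_RULE = {
    "name": "SNAT-HA-to-LAN",
    "src": "lan",                 # zone the packet leaves through (SNAT is applied on egress there)
    "src_ip": "172.16.0.100",     # Home Assistant host inside the IoT subnet (assumed address)
    "snat_ip": "192.168.1.1",     # router's own LAN address, written in as the new source
    "dest_ip": "192.168.1.0/24",  # only traffic towards the LAN subnet is rewritten
    "proto": "all",
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def rule_matches(rule: dict, pkt: Packet, egress_zone: str) -> bool:
    """Evaluate the match part of the nat rule exactly as its options read."""
    if rule["src"] != egress_zone:
        return False
    if ipaddress.ip_address(pkt.src) != ipaddress.ip_address(rule["src_ip"]):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule["dest_ip"]):
        return False
    return rule["proto"] == "all" or rule["proto"] == pkt.proto


class SnatBox:
    """Simplified model of SNAT plus the connection-tracking entry it creates."""

    def __init__(self, rule: dict) -> None:
        self.rule = rule
        # reply 5-tuple -> original (pre-NAT) source address
        self.conntrack: dict[tuple, str] = {}

    def egress(self, pkt: Packet, egress_zone: str) -> Packet:
        """Packet leaving the router: rewrite the source if the rule matches."""
        if not rule_matches(self.rule, pkt, egress_zone):
            return pkt
        translated = replace(pkt, src=self.rule["snat_ip"])
        # The LAN device will answer to snat_ip; remember how to undo that.
        reply_key = (pkt.dst, translated.src, pkt.proto, pkt.dport, pkt.sport)
        self.conntrack[reply_key] = pkt.src
        return translated

    def reply(self, pkt: Packet) -> Packet:
        """Packet coming back from the LAN device: restore the real destination."""
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        original_src = self.conntrack.get(key)
        if original_src is None:
            return pkt  # not a tracked connection, forwarded untouched
        return replace(pkt, dst=original_src)


def demo():
    box = SnatBox(SNAT_RULE)
    # HA polling a LAN device over HTTP (constructed sample flow)
    out = box.egress(Packet("172.16.0.100", "192.168.1.50", "tcp", 40000, 80), "lan")
    back = box.reply(Packet("192.168.1.50", out.src, "tcp", 80, 40000))
    # A different IoT host is not rewritten: src_ip pins the rule to HA alone.
    other = box.egress(Packet("172.16.0.101", "192.168.1.50", "tcp", 40001, 80), "lan")
    # mDNS is link-local multicast: not routed and not inside dest_ip, so SNAT never touches it.
    mdns = box.egress(Packet("172.16.0.100", "224.0.0.251", "udp", 5353, 5353), "lan")
    return out, back, other, mdns


if __name__ == "__main__":
    for label, pkt in zip(("HA -> LAN", "LAN reply", "other IoT host", "mDNS"), demo()):
        print(f"{label:15} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

The point the model makes explicit: the LAN device only ever sees the router's own LAN address as the peer, so it needs no route back into the IoT subnet, which is why this works without touching the LAN devices. It equally shows the limits: only the one `src_ip` is rewritten, and multicast-based discovery such as mDNS is not routed unicast traffic and is never affected by a SNAT rule, so cross-subnet discovery still needs a reflector or manually configured addresses.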

Sorry, I do not have the ability to reverse engineer that software, so when the documentation says IP masquerading or a proxy is needed, I have nothing else to do but believe that.

Sure, didn't expect that. But masquerading and proxying have little to do with discoverability features. So maybe you're mixing up two different documentation settings?


This answer really knocked me off my feet. Problem solved. Thanks! 👍

