Keeping the original client IP when forwarding to a transparent proxy

Hello everyone,

I am new to OpenWrt and want to forward the HTTP (port 80) traffic in my network to Charles Proxy, which runs on the PC with IP 172.16.4.100 on proxy port 8888, and analyze it there.

The forwarding itself works. Unfortunately, however, I no longer see the clients' original LAN source IP addresses (172.16.4.*) in the proxy logs; all requests are logged in the proxy with the IP of the gateway (172.16.4.1).

Is there a way to preserve the original client IP addresses when forwarding to a transparent proxy?

Here is my configuration:

# Global policy for traffic that no zone below claims. Input is ACCEPT here;
# the wan zone overrides it with DROP, so this default presumably only reaches
# interfaces that belong to no zone at all.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'
 
# Trusted LAN zone: input, output and forward all ACCEPT. The forward ACCEPT
# also covers lan->lan traffic, which is what lets the port-80 redirect further
# down deliver packets from one lan host to another lan host (the proxy PC).
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
 
# Untrusted WAN zone covering every uplink (wan/wan6, WANB/WANC, wwan/wwan2):
# unsolicited inbound is dropped, forwarding is rejected, outbound is
# masqueraded, and mtu_fix clamps TCP MSS to the uplink MTU.
config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option input 'DROP'
        option masq '1'
        list network 'WANB'
        list network 'WANC'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'
        list network 'wwan2'
 
# lan may initiate connections towards any wan network.
config forwarding
        option src 'lan'
        option dest 'wan'
        option enabled '1'
 
# The rules in this run are the stock OpenWrt wan-side exceptions. A rule with
# 'src' but no 'dest' applies to traffic addressed to the router itself.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
 
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
 
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
 
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
 
# ICMPv6 to the router itself, rate-limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
 
# ICMPv6 forwarded from wan to any zone (dest '*'), same rate limit.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
 
# These two forward IPsec (ESP and ISAKMP on UDP/500) from wan into lan. They
# are OpenWrt defaults; if no lan host terminates IPsec they can be disabled.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
 
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
 
# Disabled (enabled '0'): would answer UDP traceroute probes with a reject.
config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'
 
# Legacy include: /etc/firewall.user is sourced on every firewall reload and
# may add rules that do not appear anywhere in this file.
config include
        option path '/etc/firewall.user'
 
# Second include, re-run on reload; from the name presumably IPv6 NAT.
config include 'nat6'
        option path '/etc/firewall.nat6'
        option reload '1'
 
# Isolated guest zone: no traffic to the router (input REJECT) and no
# forwarding out of the zone (forward REJECT) except what the forwarding and
# the two rules below open up.
config zone
        option name 'guest'
        option forward 'REJECT'
        option output 'ACCEPT'
        option input 'REJECT'
        list network 'guest'
 
# Guest clients may reach the internet; there is no guest->lan forwarding.
config forwarding
        option src 'guest'
        option dest 'wan'
        option enabled '1'
 
# No 'dest' on these two rules, so they apply to traffic addressed to the
# router itself: DHCP (67-68) and DNS (53) from guest clients are accepted.
config rule
        option name 'Allow-DHCP'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'
 
config rule
        option name 'Allow-DNS'
        option src 'guest'
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
 
# External script run on firewall reload; its rules are not visible here.
config include 'vpn_server_policy'
        option type 'script'
        option path '/etc/firewall.vpn_server_policy.sh'
        option reload '1'
        option enabled '1'
 
# Marks traffic owned by gid 65533 with 0x80000. No 'src' plus dest '*'
# presumably makes this a router-originated (output) rule, which is the only
# place '-m owner' can match. NOTE(review): 'extra' passes raw iptables
# arguments and is an fw3 feature; the nftables-based fw4 does not honour it,
# so confirm which firewall implementation this router runs.
config rule 'process_mark'
        option name 'process_mark'
        option dest '*'
        option proto 'all'
        option extra '-m owner --gid-owner 65533'
        option target 'MARK'
        option set_xmark '0x80000/0x80000'
 
# The next three CONNMARK rules are all 'enabled 0'. NOTE(review): the runs of
# spaces inside their quoted 'extra' values ('0x80000/ ... 0x80000',
# '--restore-m ... ark') look like a terminal line-wrap artifact from pasting;
# confirm the file on the router reads '0x80000/0x80000' and '--restore-mark',
# otherwise iptables would reject the rule once it is enabled.
config rule 'wan_in_conn_mark'
        option name 'wan_in_conn_mark'
        option src 'wan'
        option dest '*'
        option set_xmark '0x80000/0x80000'
        option target 'MARK'
        option extra '-m mark --mark 0x0/0x3f00 -j CONNMARK --set-xmark 0x80000/                              0x80000'
        option enabled '0'
 
config rule 'lan_in_conn_mark_restore'
        option name 'lan_in_conn_mark_restore'
        option src 'lan'
        option dest '*'
        option set_xmark '0x80000/0x80000'
        option target 'MARK'
        option extra '-m connmark --mark 0x80000/0x80000 -j CONNMARK --restore-m                              ark'
        option enabled '0'
 
config rule 'out_conn_mark_restore'
        option name 'out_conn_mark_restore'
        option dest '*'
        option set_xmark '0x80000/0x80000'
        option target 'MARK'
        option extra '-m connmark --mark 0x80000/0x80000 -j CONNMARK --restore-m                              ark'
        option enabled '0'
 
# Disabled include script.
config include 'swap_wan_in_conn_mark'
        option type 'script'
        option reload '1'
        option path '/etc/firewall.swap_wan_in_conn_mark.sh'
        option enabled '0'
 
# Disabled. When enabled it rejects port-53 traffic arriving on any 'br-*'
# device from any zone; with no 'dest' this presumably covers DNS aimed at the
# router itself.
config rule 'block_dns'
        option name 'block_dns'
        option src '*'
        option device 'br-+'
        option dest_port '53'
        option target 'REJECT'
        option enabled '0'
 
# Vendor-added service rules: SMB/NetBIOS, a NAS service on 6000-6002 and
# WebDAV on 6008 are dropped from wan and (SMB only) accepted from lan.
# NOTE(review): 'dest_proto' is not an option in the standard fw3/fw4 rule
# schema, which uses 'proto'; if it is ignored the port match is applied with
# the default protocol set, so confirm these rules behave as intended.
config rule 'sambasharewan'
        option src 'wan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'DROP'
 
config rule 'sambasharelan'
        option src 'lan'
        option dest_port '137 138 139 445'
        option dest_proto 'tcpudp'
        option target 'ACCEPT'
 
config rule 'glnas_ser'
        option src 'wan'
        option dest_port '6000-6002'
        option dest_proto 'tcp'
        option target 'DROP'
 
config rule 'webdav_wan'
        option src 'wan'
        option dest_port '6008'
        option dest_proto 'tcp'
        option target 'DROP'
 
# Two more vendor include scripts, run on reload; their rules are not visible
# in this file.
config include 'gls2s'
        option type 'script'
        option path '/var/etc/gls2s.include'
        option reload '1'
 
config include 'glblock'
        option type 'script'
        option path '/usr/bin/gl_block.sh'
        option reload '1'
 
# Transparent-proxy redirect: TCP port 80 from any lan host is DNATed to the
# Charles PC at 172.16.4.100:8888. The proxy host itself is excluded
# (src_ip '!172.16.4.100') so its own outbound HTTP is not looped back into
# it, and reflection is off so no extra hairpin rules are generated.
config redirect
        list proto 'tcp'
        option src_dport '80'
        option dest_ip '172.16.4.100'
        option src 'lan'
        option name 'Charles PreRouting'
        option dest 'lan'
        option reflection '0'
        option dest_port '8888'
        option target 'DNAT'
        option src_ip '!172.16.4.100'
 
# NOTE(review): this lan->lan forward rule matches on the client's *source*
# port being 80, but clients use ephemeral source ports, so it presumably
# never matches. lan->lan forwarding is already ACCEPT via the zone policy,
# so it is not needed for the redirect to work either way.
config rule
        option src_port '80'
        option src 'lan'
        option name 'Allow Charles'
        option dest 'lan'
        option target 'ACCEPT'
        option dest_port '8888'
        list proto 'tcp'
 
# SNAT for lan -> 172.16.4.100: the source address is rewritten to the
# router's lan address. This is why the proxy logs show 172.16.4.1 instead of
# the client IP. With the proxy on the same subnet as the clients it is
# required: without it the proxy would answer the client directly from
# 172.16.4.100:8888, but the client expects the reply from the original
# destination on port 80 and would not associate it with its connection.
# There is also no dest_port match, so *every* lan TCP connection to the
# proxy PC (not just the redirected ones) arrives with source 172.16.4.1;
# `option dest_port '8888'` would limit the rewrite to the proxied traffic.
config nat
        list proto 'tcp'
        option name 'Charles Post Routing'
        option target 'SNAT'
        option snat_ip '172.16.4.1'
        option src 'lan'
        option dest_ip '172.16.4.100'

Short answer: no with your current setup

Long answer: yes, if you move the PC with the proxy to another subnet so the router doesn't have to do hairpinning (and therefore no longer needs the SNAT rule that rewrites the client address).


Thank you very much for your answer! Can you perhaps give me another tip or link on how best to set this up for my purpose? There seem to be several options => https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial

If you are using a router with DSA, you only need to:

  • remove one of the ports from br-lan
  • create a new interface on that port (lan1, for example) with a different subnet, and assign it to the same firewall zone "lan"
  • enable dhcp on that interface
  • connect the pc with the proxy