LAN to LAN port forwarding

My setup is that all traffic with src port 32976 TCP should be redirected to lan ip 192.168.0.50 on port 32976 TCP. The src device can be any device in my lan or from an external network (wan). In the default tp-link firmware, this worked fine.

In OpenWRT, if the src device is from an external network, it works fine but if the src device is from my lan, it doesn't get redirected. Below is what I did to get the wan side working.

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '32976'
        option dest_ip '192.168.0.50'
        option dest_port '32976'
        option name 'test1'

For the lan side, I tried creating a new redirection with everything the same except src is 'lan' but it still doesn't work. Any suggestion on how to solve this issue?

Traffic from LAN to LAN in a subnet is switched by its internal ethernet switch, it won't even hit CPU.


In the wan to lan case: the device will attempt to connect to my public ip at 32976 and it will get redirected to ip 192.168.0.50 with port 32976

In the lan to lan case: the device will attempt to connect to my public ip at 32976 and it should get redirected to ip 192.168.0.50 with port 32976

I am aware that I can type in 192.168.0.50 to get to the device directly in the lan to lan case but that would require me to keep swapping around two IPs in the application depending on whether the laptop is in my internal network or an external one.

In the default tp-link firmware of the router, this worked fine when I forwarded the port (it had src port, dest port and dest ip). This should be doable in openWRT with way more options available.

br_netfilter and net.bridge.bridge-nf-call-iptables should work for this. See https://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html


I see. So it is not switched internally.
Did you enable NAT Loopback?


Local DNS also provides a “clean” solution to this general scenario. My public DNS for mail.example.com resolves to a public IP, but my internal DNS resolves it to an internal IP.


Yes I have it enabled. It is not working.

That is not an option in my case. The application I am using doesn't use a standard public DNS or dynamic DNS to resolve the public IP.

Hmm..

You may try tcpdump to debug.
Install it on your router and run tcpdump -n -i br-lan tcp port 32976 then retry your connection.

What OpenWrt version are you using?

OpenWrt 18.06.2 r7676-cddd7b4c77.

Below is what I get from the tcpdump. I replaced my public IP with MY_PUBLIC_IP.

01:44:50.650578 IP 192.168.0.90.57857 > MY_PUBLIC_IP.32976: Flags [S], seq 418888024, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
01:44:50.650766 IP MY_PUBLIC_IP.32976 > 192.168.0.90.57857: Flags [R.], seq 0, ack 418888025, win 0, length 0
01:44:51.152230 IP 192.168.0.90.57857 > MY_PUBLIC_IP.32976: Flags [S], seq 418888024, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
01:44:51.152430 IP MY_PUBLIC_IP.32976 > 192.168.0.90.57857: Flags [R.], seq 0, ack 1, win 0, length 0
01:44:51.655075 IP 192.168.0.90.57857 > MY_PUBLIC_IP.32976: Flags [S], seq 418888024, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
01:44:51.655269 IP MY_PUBLIC_IP.32976 > 192.168.0.90.57857: Flags [R.], seq 0, ack 1, win 0, length 0

Above is in case I use the lan side. In the wan side, I get the traffic between my external public ip and 192.168.0.50:32976.

EXT_PUBLIC_IP.65290 > 192.168.0.50.32976
192.168.0.50.32976 > EXT_PUBLIC_IP.65290

You got an RST/ACK from your router itself. The DNAT rule is not working at all.
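To make the diagnosis above repeatable, here is an added helper (not from the thread) that classifies a br-lan tcpdump capture: a SYN to the WAN address on the forwarded port that is answered by that same address with RST means the redirect did not fire, while a SYN reaching the internal host and getting SYN/ACK means it was forwarded. The sample lines are constructed from the capture in the thread; MY_PUBLIC_IP and EXT_PUBLIC_IP are placeholders.

```shell
#!/bin/sh
# Constructed sample in tcpdump -n format (placeholders, not real addresses):
# one LAN client hitting the WAN IP and getting RST, one external client
# whose SYN already appears DNATed to 192.168.0.50 and gets SYN/ACK.
SAMPLE_CAPTURE='01:44:50.650578 IP 192.168.0.90.57857 > MY_PUBLIC_IP.32976: Flags [S], seq 418888024, win 64240, length 0
01:44:50.650766 IP MY_PUBLIC_IP.32976 > 192.168.0.90.57857: Flags [R.], seq 0, ack 418888025, win 0, length 0
01:44:55.100000 IP EXT_PUBLIC_IP.65290 > 192.168.0.50.32976: Flags [S], seq 100, win 64240, length 0
01:44:55.100300 IP 192.168.0.50.32976 > EXT_PUBLIC_IP.65290: Flags [S.], seq 200, ack 101, win 65535, length 0'

# classify_dnat WAN_IP PORT DEST_IP CAPTURE_TEXT
# Prints one line per client "src -> VERDICT", where VERDICT is:
#   RST_FROM_ROUTER  SYN to WAN_IP:PORT was answered by WAN_IP:PORT with RST,
#                    i.e. the router's own stack replied and no DNAT happened
#   FORWARDED        SYN reached DEST_IP:PORT and was answered with SYN/ACK
#   NO_REPLY         SYN seen but no matching reply in the capture
classify_dnat() {
  printf '%s\n' "$4" | awk -v wan="$1.$2" -v dst="$3.$2" '
    {
      # tcpdump -n layout: time IP src > dst: Flags [F], ...
      src = $3; dest = $5; sub(/:$/, "", dest)
      flags = $7; sub(/,$/, "", flags)
      if (flags == "[S]" && (dest == wan || dest == dst)) {
        seen[src] = 1
        if (!(src in verdict)) verdict[src] = "NO_REPLY"
      } else if (flags == "[R.]" && src == wan && (dest in seen)) {
        verdict[dest] = "RST_FROM_ROUTER"
      } else if (flags == "[S.]" && src == dst && (dest in seen)) {
        verdict[dest] = "FORWARDED"
      }
    }
    END { for (c in seen) print c " -> " verdict[c] }' | LC_ALL=C sort
}

classify_dnat MY_PUBLIC_IP 32976 192.168.0.50 "$SAMPLE_CAPTURE"
```

On the router, feed a real capture instead of the sample: `tcpdump -n -l -i br-lan tcp port 32976 > cap.txt`, then call `classify_dnat <wan_ip> 32976 192.168.0.50 "$(cat cap.txt)"`.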

Yes but in the case I connect from an external device, the DNAT rule works!

192.168.0.90 is a device in my internal network trying to connect to the public IP at port 32976. It should get redirected to 192.168.0.50:32976 but it is not.

Please post here the output of the following command:

iptables -t nat -L -vn

Please use "Preformatted text </>" for logs, scripts, configs and general console output.

Did you ever find a solution?

Added the following to the start-up script; it works without the sleep command as well, but I left it in there as a precaution.

sleep 1
/etc/init.d/firewall restart

The built-in NAT loopback works fine for me.


config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'tcp'
        option src_dport '31022'
        option dest_ip '10.100.122.31'
        option dest_port '22'
        option dest 'lan'
        option name 'test'

After your comment, I played with it some more and realized the original command wasn't helping. It was simply clicking save on the Firewall->Custom Rules which would fix it, and it would stop working after a reboot. To clarify, the port forwarding always works when accessing it from outside of the network; the issue was when attempting to access it from the LAN via the router's WAN IP address.
So I added the firewall restart command at boot up and problem is resolved.

I had a very similar problem:
internet -> WAN then redirected to VPN from outside worked but
LAN -> WAN then redirect to VPN did not work
I found a way in LUCI to allow getting WAN IP/port to VPN/port mapping without using custom rules or explicit NAT entries (although it becomes a DNAT rule in the end):

  1. use the regular port forwarding from WAN to LAN as usual
    then add a second rule
  2. Port Forwarding from LAN to (VPN) LAN with the initial WAN IP as destination

Without 2. I was only able to get access from outside the LAN but not inside the LAN although LAN had direct access to VPN already

This is what I used in LUCI: Network - Firewall -> Port Forwards

Source zone: WAN
External port: 32976
Destination zone: LAN
Internal IP: 192.168.0.50
Internal port 32976

Under Tab "Advanced Settings"
External IP address: - in my case 'eth1.2'

in /etc/config/firewall this looks like:

config redirect
        option src_dip '<your_wan_ip>'
        option dest ''          # could be LAN, VPN etc.
        option target 'DNAT'
        option dest_ip ''
        option src 'lan'
        option dest_port '32976'
        option src_dport '32976'
        option name ''
