LAN-to-LAN SNAT not working

Hello community,

Have been using OpenWRT for a little over ten years now. Good stuff! I have ten VLANs: VLAN 0 (the actual VLAN number is different) assigned to WAN and VLANs 1-9 (VL1-VL9) to LAN. Due to a new project hosting some test web sites for people I know, I decided to increase the security of my internal network. I run a number of small VMware servers with NASes and other stuff on top. The VMs all have a mgmt-intf in VL1 and a data-intf in VL4. My desktops and printers are in VL5. Since servers can only have one default gateway configured, it's pointing out to VL4. However, I want mgmt traffic only to traverse VL1 and VL5 so I can keep data and mgmt separate. A normal solution would be to SNAT mgmt sessions from VL5 going to VL1 at the OpenWRT router's interface in VL1. For this I don't use the intf address but another address (not part of the DHCP pool).
Since the server only sees the SNAT address as the packet source it can safely reply over VL1 w/o need to use the default gateway.
However, I just can't get it to work. Having learned some things about IPtables I tried adding this to '/etc/firewall.user':

iptables -t nat -A postrouting_lan_rule -d 192.168.141.0/24 \
  -j SNAT --to-source 192.168.141.127
iptables -t filter -A forwarding_lan_rule ! -s 192.168.145.0/24 \
  -d 192.168.141.0/24 -j REJECT --reject-with icmp-net-prohibited

With this config I can't ping from VL5 to VL1 anymore. The strange thing is: if I change VL1 to VL0 (i.e. 192.168.141.x => 192.168.140.x) it works (at least I don't lose connectivity with systems in VL0). So SNAT over LAN-to-LAN fails and SNAT over LAN-to-WAN works. After testing I removed my config lines.

Then having read some things about FW3 I added this in '/etc/config/firewall':

config redirect
        option name 'SNAT-For-System-Mgmt'
        option target 'SNAT'
        option src 'lan'
        option dest 'lan'
        option src_ip '192.168.145.0/24'
        option dest_ip '192.168.141.0/24'
        option src_dip '192.168.141.127'
        option proto 'all'
        option enabled '1'

Same result as with plain IPtables config: I can't ping from VL5 to VL1.

I hope I overlooked something but I've no clue. I hope anyone reading this has?!

Thanx in advance,

Steijn van Essen
From i8088 to i7-980X in 25 years and still waiting …

  • this is a post routing rule

Ummm, you just send the traffic to the router, and it will forward it to the appropriate VLAN, as long as:

  • you allow the traffic from the remote device; or
  • the traffic is allowed from the sending client

No NAT is required.

Not entirely accurate. You can use policy-based routing:

  • make an IP route on the VMs on a Table 2 (if you prefer to name the table instead of just a number, you'll have to do more configs) - with a default gateway to the router IP of VLAN 1
  • make an IP rule (e.g. in and out interface rule and IP ranges) on the VMs - to reassign the management interfaces/IPs DSTs to Table 2
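The server-side alternative sketched in the two bullets above, written out as an added example script; this is not code from the thread or from OpenWrt. It assumes the VM's management interface is eth0 with the hypothetical address 192.168.141.10/24, that the router's VL1 address is 192.168.141.1 as in Steijn's later diagram, that routing table 2 is unused, and that iproute2's `ip` is installed on the VM; the function names are mine.

```shell
#!/bin/sh
# Added example: source-based policy routing on a dual-homed VM, so that
# replies sent from the management address leave via VL1 instead of the
# main table's default gateway in VL4. Assumed (hypothetical) values:
MGMT_IF=eth0
MGMT_IP=192.168.141.10
MGMT_NET=192.168.141.0/24
MGMT_GW=192.168.141.1       # router's VL1 address
TABLE=2                     # unused routing table number

# pbr_rules -> prints the three commands in the order they must be applied:
# table 2 first needs the connected route (otherwise the default route's
# nexthop is rejected as unreachable), then a default via the VL1 router,
# and finally a rule that sends anything *sourced from* MGMT_IP through it.
pbr_rules() {
    cat <<EOF
ip route add ${MGMT_NET} dev ${MGMT_IF} src ${MGMT_IP} table ${TABLE}
ip route add default via ${MGMT_GW} dev ${MGMT_IF} table ${TABLE}
ip rule add from ${MGMT_IP}/32 lookup ${TABLE} priority 1000
EOF
}

# pbr_check -> asks the kernel which way a packet to a VL5 desktop goes when
# sourced from the management address; after apply it must be via MGMT_GW.
# 192.168.145.20 is a made-up desktop address in VL5.
pbr_check() {
    ip route get 192.168.145.20 from "$MGMT_IP" 2>/dev/null | grep -q "via ${MGMT_GW}"
}

case "${1:-}" in
    dry-run) pbr_rules ;;                 # print only, runs anywhere
    apply)   pbr_rules | sh -e && pbr_check ;;   # on the VM, as root
    check)   pbr_check ;;
esac
```

Each server needs this, which is the administrative cost Steijn objects to below; the rules are also not persistent, so on a real host they would go into the distribution's interface hooks.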

Thank you lleachii for your swift reply. As far as I know there's no restrictions (filters) on the client and server themselves (I installed them myself), so my first guess is that in '/etc/config/firewall' (or in '/etc/firewall.user') an extra statement needs to be added. But I have no clue.
Your suggestion of using policy-based routing on my server(s) is an interesting one. I do not want to go that path right now for two reasons:

  1. In a professional Cisco routing and ChkPt firewalling environment I've configured NAT (and also some incidental policy-based routing) for many years and it never failed me. So I hope it's merely my lack of understanding how IPtables and FW3 work that hampers me now.
  2. Making it work on one box (my OpenWRT router) is far better than having to configure it on all the servers in my (albeit modest) data center. Once again: if the server sees 192.168.141.127 as the source it will happily reply to it over VLAN 1 (and I at least expect the router to DNAT (or unSNAT) the reply and forward it back to 192.168.145.0/24).

So I hope that anybody can help me with IPtables and/or FW3 in the above ...

Steijn van Essen

Can you please provide a more complete network description? Maybe a dump of your /etc/config/network contents. I've read your post multiple times but couldn't figure out your setup.

Also when you "can't ping" what's the exact situation?

  • No reply at all => hints at routing issue
  • Destination port unreachable => hints at firewall policy

Furthermore, do you see increasing packet counters in iptables -t nat -nvL postrouting_lan_rule indicating that the rule is hit?

Dear jow, thx for your serious questions.

Since I currently have no access to my fancy drawing tools (like Visio and Draw) I'll post my network layout in char graphics (must look familiar to OpenWRT users):

                                +---------------------+
Desktops & printers --- VL5 --- |                     |
                                | NETGEAR router with |
Servers mgmt intf's --- VL1 --- |                     | --- VL0 --- ISP router
                                | OpenWRT 15.05 image |
Servers data intf's --- VL4 --- |                     |
                                +---------------------+
  • Private address range being 192.168.14x.0/24 for VLx; router interfaces all have the 192.168.14x.1 address.
  • The OpenWRT-router serves as DHCP and DNS server (forwarding requests for non local DNS names to the ISP router).
  • VL1-9 are considered/configured 'lan' in OpenWRT, VL0 is 'wan'. But since VL0 is merely a DMZ (with private subnet range) I disabled masquerading at the lan/wan connection.
  • Data access from internal network flows over VL5 & VL4 (bidirectional).
  • Data access from internet flows over VL0 & VL4 (bidirectional).
  • Mgmt access should flow over VL5 & VL1 (bidirectional). W/o the SNAT rule I currently have asymmetric routing (request goes over VL5 & VL1 and reply over VL4 & VL5), which I don't want because I cannot fully block SSH traffic over VL4 now.
  • Default gateway for all servers is 192.168.144.1.

Does this clarify my setup enough for you?

About the packet counters: I'm a (former) Cisco guy and not familiar yet with IPtables and FW3. So I just typed the command as you requested. Every time I start a 'ping' to the mgmt intf of my primary web server the counter increases by one, as far as I understand:

# iptables -t nat -nvL postrouting_lan_rule

Chain postrouting_lan_rule (1 references)
 pkts bytes target   prot opt in   out   source      destination 
    1    60 SNAT     all  --  *    *     0.0.0.0/0   192.168.141.0/24   to:192.168.141.127

> ping

    2   120 SNAT     all  --  *    *     0.0.0.0/0   192.168.141.0/24   to:192.168.141.127

> ping

    3   180 SNAT     all  --  *    *     0.0.0.0/0   192.168.141.0/24   to:192.168.141.127

Note that the counter, to my interpretation, does not represent the # of ping packets I sent (from my Windows desktop, hence the '>' prompt), but the # of times I start the 'ping' command. So the SNAT rule is hit and seems session (not packet) oriented. Am I right?

  • VLAN 0 is invalid as a VLAN or as a tag in a trunked network - as VLAN 0 means UNTAGGED in such systems (it may work...and I think some OpenWrt based machines will do so, some will not) :warning: in any case, depending on the switch, you're exposing raw Internet packets to all the interfaces on the switch and wasting the bandwidth
  • VLAN 2 is used by default in OpenWrt devices (at least current ones) for WAN

This is antiquated with known/discovered security issues. Also, via any references/inquiries you're making, our responses may not be compatible with 15.05 configs. Just an FYI.

Also, this example seems simpler (and explains this issue with attempting to do LAN-to-LAN settings thru a router):

Thx again for your response, lleachii (Wayne).

Yep, VL0 standing for VLAN 0 wouldn't work, that's why I actually assigned it 555 (VL0 = VLAN 555) but for ease of administration I dubbed it VL0, since it is the WAN side of my router.
This said: I'm aware that I don't run the latest OpenWRT version. But since basic filtering and NATting have been around for ages I'm not in a hurry to upgrade. Actually I thought for a while that my Netgear WNDR3800 was no longer supported, but last week I think I found a viable 21.02 sysupgrade image (will apply it later).

Looking at your post you referred to me I conclude that it is about NATting on the LAN/WAN boundary. And since I have trouble with NATting within LAN boundaries it does not apply to my case. I haven't found many examples for NAT within the LAN zone, which is the reason that I turned to this forum for help.

Anymore suggestions/ideas? Anyone?!

Then you misread and misunderstand. It's regarding NATing when someone wants to NAT a packet that doesn't otherwise traverse the OpenWrt under normal cases :wink:

  • :warning: You cannot make a LAN to LAN rule; as the packet never touches the OpenWrt - this is why you don't see any examples
  • My example places another IP on LAN (or a dummy interface, it doesn't matter where it is) - so that you can make the NAT rule using this IP

What is that? An IP alias?
You should try using the interface IP address first.
Here are some iptables rules (for testing purposes only):

iptables -I FORWARD -d 192.168.141.0/24 -j ACCEPT
iptables -I FORWARD ! -s 192.168.145.0/24 -d 192.168.141.0/24 -j REJECT
iptables -t nat -I POSTROUTING -d 192.168.141.0/24 -j SNAT --to-source 192.168.141.1

Check the packet counters:

iptables -nvL FORWARD | grep 168\.141\.0; iptables -t nat -nvL POSTROUTING | grep 168\.141\.0

Sorry, Wayne, you're probably right if you say LAN-to-LAN traffic doesn't traverse OpenWRT under normal cases. But my network is not a normal case: my LAN zone has multiple subnets and they ONLY connect THROUGH OpenWRT. But if you could confirm that OpenWRT does not NAT LAN-to-LAN by default, then I would be happy to learn how/where I can change this behavior.

Dear Pavel, I did what you suggested and YES, LAN-to-LAN NAT between VL5 and VL1 now works. When I SSH into my webserver over its mgmt interface (eth0) I get connected. When I issue 'ifdown eth1' from there my Samba data shares and HTTP session get disconnected but my SSH session stays up. Now about the alias as you call it: I chose 192.168.141.127 as a single address NAT pool for my desktops in VL5. This address is the last in my fixed address range within subnet 192.168.141.0/24, 192.168.141.128-254 being reserved for DHCP. I want this address for extra security at the server side (applications like SSH and Apache can now tell for sure that those sessions come from VL5). Do I need to add another config statement for '.127' to make it work as a NAT source address? F.e. should I configure '.127' as a secondary IP on the router interface in VL1?
I don't recall the need for this with Cisco routers and this post (amongst others) does not prescribe secondary IP's to be configured for iptables driven systems.

Yes, because there must be a MAC address corresponding to the used SNAT IP address.

I don't know if the standard alias options can be used in release 15, but for the tests you can create an IP alias using ifconfig.

ifconfig eth0.1:0 192.168.141.127 up

If eth0.1 is not the correct physical interface name, you need to change it.
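Putting pavelgl's two points together (SNAT at the router, and a source address the router actually answers ARP for, otherwise the servers' replies to 192.168.141.127 have nowhere to go), here is an added example script; it is not code posted in the thread or shipped by OpenWrt. It assumes the subnets from Steijn's diagram, that the router's VL1 interface is named eth0.1 (pavelgl's guess), that 192.168.141.128-254 is the DHCP pool, and that `ip`, `iptables` and `/proc/net/nf_conntrack` are available on the router; the function names and the dry-run/apply/verify modes are mine.

```shell
#!/bin/sh
# Added example: one-box LAN-to-LAN SNAT on the OpenWrt router with a
# dedicated SNAT address. Assumed (hypothetical) values:
MGMT_NET=192.168.141.0/24     # VL1, server management interfaces
DESK_NET=192.168.145.0/24     # VL5, desktops
VL1_IF=eth0.1                 # router's VL1 interface (holds .1)
SNAT_IP=192.168.141.127       # single-address SNAT pool for VL5 desktops
DHCP_FIRST=128                # first host number of the VL1 DHCP pool

# ip4_to_int A.B.C.D -> integer, for subnet arithmetic in plain sh
ip4_to_int() {
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET/PREFIX -> true if ADDR lies inside NET/PREFIX
in_subnet() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# snat_ok -> the SNAT address must be inside the mgmt subnet, must not be the
# router's own .1, and must sit below the DHCP pool so no lease collides with it.
snat_ok() {
    in_subnet "$SNAT_IP" "$MGMT_NET" || { echo "$SNAT_IP not in $MGMT_NET" >&2; return 1; }
    host=${SNAT_IP##*.}
    [ "$host" -gt 1 ] && [ "$host" -lt "$DHCP_FIRST" ]
}

# alias_cmd -> the secondary address on VL1. This is what makes the router
# answer ARP for SNAT_IP, so the servers' replies reach it and conntrack can
# translate them back to the desktop.
alias_cmd() { echo "ip addr add ${SNAT_IP}/24 dev ${VL1_IF}"; }

# fw_cmds -> the firewall rules, in the fw3 user chains as in Steijn's first
# attempt but matching the VL5 source explicitly. Replies are accepted earlier
# by fw3's ESTABLISHED rule, so the REJECT only hits new non-VL5 sessions.
fw_cmds() {
    cat <<EOF
iptables -t nat -A postrouting_lan_rule -s ${DESK_NET} -d ${MGMT_NET} -o ${VL1_IF} -j SNAT --to-source ${SNAT_IP}
iptables -A forwarding_lan_rule ! -s ${DESK_NET} -d ${MGMT_NET} -j REJECT --reject-with icmp-net-prohibited
EOF
}

apply() {
    snat_ok || return 1
    # alias is guarded so re-running does not fail; the iptables lines are
    # appended once, the way /etc/firewall.user would run them
    ip addr show dev "$VL1_IF" | grep -q " ${SNAT_IP}/" || alias_cmd | sh -e
    fw_cmds | sh -e
}

# verify -> the nat counter rises by one per new session (the nat table only
# sees a connection's first packet; conntrack handles the rest), and the
# conntrack entry must show SNAT_IP on its reply side.
verify() {
    iptables -t nat -nvL postrouting_lan_rule | grep "$SNAT_IP"
    grep "$SNAT_IP" /proc/net/nf_conntrack
}

case "${1:-}" in
    dry-run) snat_ok && alias_cmd && fw_cmds ;;   # print only, runs anywhere
    apply)   apply ;;                              # on the router, as root
    verify)  verify ;;
esac
```

On the router the two iptables lines belong in /etc/firewall.user, which fw3 re-runs on every reload, while the alias must be made persistent separately (rc.local, or a UCI alias interface on versions where that is supported); the ifconfig alias pavelgl shows above does the same job as `ip addr add` here.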

  • This is the 3rd time I've presented that information to you
  • No network device performs NAT LAN-to-LAN normally (unless you are routing to an IP not in the subnet so that it passes the gateway - which is what people are suggesting to you) - this is a basic concept of networking - the point of a LAN is so that all machines talk without need of a router
  • Lastly, I guess you're misunderstanding that LAN traffic or IPs in the same network subnet never pass a gateway (i.e. router) - so you seem confused, as if the behavior can be changed

I hope someone else will be able to clearly explain. I hope the best for your setup. Also:

In order to change the behavior in normal cases, you would setup the device in another VLAN with another IP range. The traffic would then route between VLANs, accomplishing what you desire...but setting up another IP to NAT should also work.


Dear @lleachii, maybe I didn't describe my starting point (my problem case) clearly enough. I connect from my desktop in VL5 (subnet 192.168.145.0/24) to my server's management interface in VL1 (subnet 192.168.141.0/24). In my OpenWRT config both VLANs (subnets) are considered part of my LAN zone. But still, this session will pass the OpenWRT router. So I was puzzled that the SNAT I configured didn't work. Pavel's suggestion to change the SNAT address from 192.168.141.127 to 192.168.141.1 helped me in the sense that my SNAT config now works.
@lleachii & @pavelgl: The only thing I don't understand now is that I would need to EITHER configure 192.168.141.127 as a secondary IP address on the router's interface with primary address 192.168.141.1, OR connect a virtual MAC to 192.168.141.127. The post that I referred Pavel to (the URL that starts with "https://ioflood.com/blog/...") doesn't mention either of these two requirements and I'm willing to believe that post is right. On the other hand, the post is about plain iptables and my problem is with OpenWRT. So my best guess is that my iptables syntax is right but that OpenWRT somehow blocks it. That's why I'm asking if I need to add another statement in my OpenWRT config to make the SNAT address of 192.168.141.127 work.

Maybe I should follow Pavel's suggestion and add 192.168.141.127 as a secondary IP and see what happens. And then come back to you. I'll let you know the result.

Gr, Steijn