NAT 1:1 Implementation

rrggpr · May 11, 2023, 9:10pm

Hello everybody,

My Openwrt has two network interfaces:
LAN - 172.21.1.61/16
WAN - 172.20.1.61/16

at LAN interface there are connected Two hosts:
Host1: 172.21.1.71/16
Host2: 172.21.1.72/16

at WAN interface are connected many hosts, but the follow IP Adresses are not in use:
172.20.1.71/16
172.20.1.72/16

What I need is to implement nat 1:1 in this way:
when one host from the network 172.20.0.0/16 ping the not in use IP 172.20.1.71 all traffic must be redirect to the host: 172.21.1.71
the same when one host from the network 172.20.0.0/16 ping the not in use IP 172.20.1.72 all traffic must be redirect to the host: 172.21.1.72

If it is possible I would like to implement all this by Luci

Someone can help me?

Many thaks in advance.

lleachii · May 12, 2023, 10:15am

Welcome to the community.

A standard redirect rule will do this. And yes, it's possible to add this rule via LuCI.

config redirect
        option target 'DNAT'
        option src 'wan'
        option src_ip '172.20.0.0/16'
        option src_dip '172.20.1.x'
        option name 'REDIRECT'
        option dest_ip '172.21.1.7x'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option dest 'lan'

I believe I wrote that correctly - your example IP schemes are so similar
BTW, you must assign the unused IPs to the WAN interface

# under WAN in /etc/config/network
 list ipaddr '172.21.1.71/32'
 list ipaddr '172.21.1.72/32'

(/16 will work also - this can also be added via LuCI)

Hope this helps.

rrggpr · May 12, 2023, 10:42am

Hello lleachii,
thank-you for answer.
I want to redirect all traffic, not ICMP only.
It is not clear (for me) in which file I have to isert the follow:
config redirect
option target 'DNAT'
option src 'wan'
option src_ip '172.20.0.0/16'
option src_dip '172.20.1.x'
option name 'REDIRECT'
option dest_ip '172.21.1.7x'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option dest 'lan'

Have I to create a new file under \etc\config\ named "redirect"?

lleachii · May 12, 2023, 10:47am

Then remove those lines:

config redirect
        option target 'DNAT'
        option src 'wan'
        option src_ip '172.20.0.0/16'
        option src_dip '172.20.1.x'
        option name 'REDIRECT'
        option dest_ip '172.21.1.7x'
        option family 'ipv4'
        option dest 'lan'

No, you'll insert the rule into /etc/config/firewall

EDIT: Just to be clear, I used the x as a placeholder, you'll need to make 2 rules - one for each IP.

rrggpr · May 12, 2023, 12:03pm

OK, now it is clear.

I alreadi have the two host with IP 172.21.1.71 and 172.21.1.72 - do I need also to modify the network file like below?

under WAN in /etc/config/network

list ipaddr '172.21.1.71/32'
list ipaddr '172.21.1.72/32'

Below the actual Firewall configuration

package firewall

config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option forward 'ACCEPT'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
option masq '1'

config zone
option name 'wan'
option output 'ACCEPT'
option mtu_fix '1'
list network 'WAN'
option input 'ACCEPT'
option forward 'ACCEPT'
option masq '1'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config forwarding
option src 'wan'
option dest 'lan'

config redirect
option target 'DNAT'
option src 'wan'
option src_ip '172.20.0.0/16'
option src_dip '172.20.1.71'
option name 'REDIRECT'
option dest_ip '172.21.1.71'
option family 'ipv4'
option dest 'lan'

config redirect
option target 'DNAT'
option src 'wan'
option src_ip '172.20.0.0/16'
option src_dip '172.20.1.72'
option name 'REDIRECT'
option dest_ip '172.21.1.72'
option family 'ipv4'
option dest 'lan'

Below actually Network configuration

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd44:f7df:148b::/48'

config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ip6assign '60'
list ipaddr '172.21.1.61/16'
option gateway '172.21.1.254'
list dns '208.67.222.222'

config interface 'WAN'
option proto 'static'
option device 'eth1'
list ipaddr '172.20.1.61/16'

lleachii · May 12, 2023, 12:36pm

If you want to 1:1 NAT from these IPs, they have to be assigned to the WAN interface.

These are the IPs you add to WAN.

config interface 'WAN'
 option proto 'static'
 option device 'eth1'
 list ipaddr '172.20.1.61/16'
 list ipaddr '172.20.1.71/16'
 list ipaddr '172.20.1.72/16'

(BTW, this is missing the gateway and DNS config, not sure why you have one set for LAN.)

Sorry for the mistake, the similar subnets confused me.

rrggpr · May 12, 2023, 2:14pm

Many thanks to IIeachii!

It seems to work fine now, this below is my last configuration:

NETWORK

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd44:f7df:148b::/48'

config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ip6assign '60'
list ipaddr '172.21.1.61/16'
option gateway '172.21.1.254'
list dns '208.67.222.222'

config interface 'WAN'
option proto 'static'
option device 'eth1'
list ipaddr '172.20.1.61/16'
list ipaddr '172.20.1.71/16'
list ipaddr '172.20.1.72/16'

FIREWALL

onfig defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option forward 'ACCEPT'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
option masq '1'

config zone
option name 'wan'
option mtu_fix '1'
list network 'WAN'
option forward 'ACCEPT'
option masq '1'
option output 'ACCEPT'
option input 'ACCEPT'