My OpenWRT router connects my LAN to the WAN. The WAN has a single public dynamic IP. My OpenWRT router does NAT, aka PAT.
It has a LAN IP of 192.168.193.1 and I have the LAN subnet 192.168.193.0/24 directly connected to the OpenWRT router. Then I have a static route to a second LAN subnet 192.168.194.0/24 behind a second router reachable via 192.168.193.254. So far so good.
And a simple port forward. /etc/config/firewall contains:
Clients from 192.168.193.x can access the SSH service through the public IP without issues.
However clients from 192.168.194.x can NOT access the SSH service through the public IP. They can only access it through the private IP 192.168.193.20.
Is there a setting or additional firewall rule that I have to set to make NAT hairpin / loopback work for the clients of the not directly attached subnet 192.168.194.0/24?
While it might be possible it'd probably be simpler all round to just use the real IP where possible. Why are you wanting to use the public IP internally?
Hi, thanks for the reply! I used SSH as a stand-in example. But I have a particular other app that really needs all clients to use the same IP. I need the NAT loopback to work. Any idea how I could massage the OpenWRT firewall rules so it also knows that the 192.168.194.x addresses are local LAN addresses that it should include in the NAT loopback?
Note that this subnet will also be included in the SNAT (reflection) rule, meaning that requests from both local subnets will be "seen" by 192.168.193.20 as originating from the router itself.
Thanks for the reply! I added the whole 192.168.x.x range to the lan firewall zone so it's included in the SNAT (reflection) rule as per the suggestion:
A bug? You never said you were forwarding requests to a device located on a subnet not directly reachable by the OpenWrt router. For a proper SNAT rule, the router must have an IP address on the subnet in question.
As you can see, everything regarding the ssh rule looks correct, so your initial question has been answered.
You are correct that I didn't mention in my first post that I have an additional port forward to a server not directly attached to the OpenWRT router, but behind the second router. I didn't know that the fix for the one forward's loopback NAT would result in breaking the other forward.
Why did I ask if this was a bug? Because it seemed like there was no conceivable case where the right thing for LuCI to do was to create rules where the source address was replaced by a network address, rather than a host address.
Okay back to topic: How can I make hairpin routing work for all my forwards for all my clients in both my internal, private address subnets?
Just so I am not accused of leaving out important details again, here are my other two forwards in /etc/config/firewall:
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'hbbs/hbbr TCP'
	list proto 'tcp'
	option src 'wan'
	option src_dport '21114-21119'
	option dest_ip '192.168.194.150'
	option dest_port '21114-21119'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'hbbs UDP'
	list proto 'udp'
	option src 'wan'
	option src_dport '21116'
	option dest_ip '192.168.194.150'
	option dest_port '21116'
For a proper SNAT rule, the router must have an IP address on the subnet in question.
Apparently I don't know enough about how hairpinning works internally. What's the technical reason that the OpenWRT router has to be directly attached to the server's subnet? Does anybody have a link for me so I can read up on this topic?
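Added illustration (not from any poster in this thread) of the two mechanisms discussed above: the reflection rule only matches sources listed for the zone, and the SNAT to the router's own address is what forces the server's reply back through OpenWrt instead of straight to the client. It models the thread's topology with a constructed placeholder public IP; it assumes the second router joins 192.168.193.0/24 and 192.168.194.0/24 directly and that the reflection SNAT uses the router's LAN address 192.168.193.1.

```python
import ipaddress

# Constructed model of the topology in this thread; the public IP is a placeholder.
PUBLIC_IP = "203.0.113.10"
ROUTER_LAN_IP = "192.168.193.1"
LAN_A = ipaddress.ip_network("192.168.193.0/24")   # directly attached to OpenWrt
LAN_B = ipaddress.ip_network("192.168.194.0/24")   # behind the second router (192.168.193.254)


def reaches_openwrt(dst_ip):
    """Does a packet from a LAN host to dst_ip pass through the OpenWrt router?
    The second router joins both subnets, so traffic between LAN_A and LAN_B hosts
    never touches OpenWrt; only its own LAN IP and anything outside both subnets
    (such as the public IP) is routed to it."""
    dst = ipaddress.ip_address(dst_ip)
    if dst == ipaddress.ip_address(ROUTER_LAN_IP):
        return True
    return dst not in LAN_A and dst not in LAN_B


def hairpin(client, server, reflection_sources, snat=True):
    """Simulate client -> PUBLIC_IP with a port forward (DNAT) to `server`.
    reflection_sources: subnets (strings) the firewall treats as local for
    reflection, i.e. the lan zone's subnets.
    Returns the source address the client sees on the reply, or None when the
    request is never redirected to the server at all."""
    client_ip = ipaddress.ip_address(client)
    # 1. A connection to the public IP always ends up at OpenWrt.
    assert reaches_openwrt(PUBLIC_IP)
    # 2. Reflection DNAT only matches sources inside the zone's subnets; anything
    #    else hits the router's own input chain and is not forwarded.
    if not any(client_ip in ipaddress.ip_network(n) for n in reflection_sources):
        return None
    # 3. DNAT to the server; with reflection the source is SNATed to the router.
    forwarded_src = ROUTER_LAN_IP if snat else client
    # 4. The server answers whatever source address it saw.
    if reaches_openwrt(forwarded_src):
        return PUBLIC_IP   # OpenWrt reverses SNAT+DNAT; client sees the public IP
    # Reply bypasses OpenWrt: the client receives it from the server's private
    # address, which matches no connection it opened to PUBLIC_IP, so it is dropped.
    return server
```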