I am trying to work out the correct way to support NAT reflection on my home router when I have several additional local subnets accessible via a static route (through a second OpenWrt router).
Currently, the fw3-generated firewall NAT rules set the source address scope to match the "lan" zone. This excludes the IP address ranges of the subnets served by my second router, which causes NAT reflection to fail for any of my hosts on the routed subnets.
Any advice or assistance would be gratefully received. Scouring the web and forum has failed me so far. I guess a clean solution would be to add my routed subnets to the "lan" firewall zone - but I can't figure out how to do that (I can only add interfaces to zones).
In the meantime, I have put some hand-crafted rules into /etc/firewall.user to fix this, but that means hard-coding my public IP which is subject to change by my ISP.
Details
edgerouter is a Ubiquiti Edgerouter X running OpenWrt 19.07.3.
Relevant parts of edgerouter /etc/config/network:
config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
...
config route
    option target '192.168.1.0'
    option gateway '192.168.2.10'
    option netmask '255.255.255.0'
    option interface 'lan'
A port redirect rule from /etc/config/firewall:
config redirect
    option dest_port '5789'
    option src 'wan'
    option name 'Allow-wan-5789'
    option src_dport '5789'
    option target 'DNAT'
    option dest_ip '192.168.1.90'
    list proto 'tcp'
    option dest 'lan'
which generates the following iptables rules (iptables-save | grep 5789):
-A zone_lan_postrouting -s 192.168.2.0/24 -d 192.168.1.90/32 -p tcp -m tcp --dport 5789 -m comment --comment "!fw3: Allow-wan-5789 (reflection)" -j SNAT --to-source 192.168.2.1
-A zone_lan_prerouting -s 192.168.2.0/24 -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 5789 -m comment --comment "!fw3: Allow-wan-5789 (reflection)" -j DNAT --to-destination 192.168.1.90:5789
-A zone_wan_prerouting -p tcp -m tcp --dport 5789 -m comment --comment "!fw3: Allow-wan-5789" -j DNAT --to-destination 192.168.1.90:5789
(where XXX.XXX.XXX.XXX is my router's public IP address.)
The issue is with the -s 192.168.2.0/24, which specifically excludes the subnets served by router2.
Thanks in advance, Glenn.
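The workaround the post describes (hand-crafted reflection rules in /etc/firewall.user) does not have to hard-code the public IP: OpenWrt ships /lib/functions/network.sh, whose network_get_ipaddr returns the current address of a logical interface, and fw3 re-runs /etc/firewall.user on every firewall reload. The script below is an added example, not code from the post or from the fw3 project. It mirrors the two fw3 "(reflection)" rules shown above for one extra source subnet, with the public IP resolved at run time. It assumes the chain names zone_lan_prerouting and zone_lan_postrouting from the iptables-save output above, that the WAN logical interface is called wan, and that the routed subnet, internal host and port are the ones in the post; the address 203.0.113.5 used for the dry run is an RFC 5737 documentation address, not a real one.

```shell
#!/bin/sh
# Added example (not from the original post): emit or apply NAT-reflection rules for a
# subnet reached via a static route, resolving the WAN address at firewall reload time
# with OpenWrt's network_get_ipaddr instead of hard-coding it.
# Assumptions: lan zone chains are zone_lan_prerouting / zone_lan_postrouting and the
# WAN logical interface is named 'wan' (both taken from the post's configuration).

ROUTED_SUBNET="192.168.1.0/24"   # subnet behind router2 (the static route's target)
INTERNAL_IP="192.168.1.90"       # dest_ip of the redirect
PORT="5789"                      # dest_port of the redirect
SNAT_SOURCE="192.168.2.1"        # this router's lan address, used as SNAT source

# Print the two nat-table commands that mirror fw3's "(reflection)" rules for one
# extra source subnet. Arguments: subnet public_ip internal_ip port snat_source
reflection_rules() {
    subnet="$1" pubip="$2" dest="$3" port="$4" snat="$5"
    comment="user: reflection $subnet"
    # Hosts on the routed subnet that connect to the public IP are redirected to the
    # internal host, exactly as fw3 does for the directly attached lan subnet.
    printf '%s\n' "iptables -t nat -A zone_lan_prerouting -s $subnet -d $pubip/32 -p tcp -m tcp --dport $port -m comment --comment '$comment' -j DNAT --to-destination $dest:$port"
    # The translated connection is then source-NATed to this router's lan address so
    # that replies from the internal host come back through this router and are
    # un-NATed, instead of going straight to the client on the shared segment.
    printf '%s\n' "iptables -t nat -A zone_lan_postrouting -s $subnet -d $dest/32 -p tcp -m tcp --dport $port -m comment --comment '$comment' -j SNAT --to-source $snat"
}

# Resolve the current WAN IPv4 address; returns non-zero when not on an OpenWrt box.
wan_address() {
    [ -r /lib/functions/network.sh ] || return 1
    . /lib/functions/network.sh
    network_flush_cache
    network_get_ipaddr addr wan || return 1
    [ -n "$addr" ] && printf '%s\n' "$addr"
}

# Entry point for /etc/firewall.user: apply the rules on the router; anywhere else,
# print a dry run with an RFC 5737 documentation address in place of the public IP.
main() {
    if pubip=$(wan_address); then
        reflection_rules "$ROUTED_SUBNET" "$pubip" "$INTERNAL_IP" "$PORT" "$SNAT_SOURCE" | sh
    else
        reflection_rules "$ROUTED_SUBNET" "203.0.113.5" "$INTERNAL_IP" "$PORT" "$SNAT_SOURCE"
    fi
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

Sourced from /etc/firewall.user (or called with the argument run), the rules are regenerated with whatever address wan currently holds each time fw3 reloads, which it also does from its interface hotplug handler when wan comes up, so an ISP-assigned change is picked up without editing the file. Because the rules are appended to the fw3-managed zone chains rather than to a separate chain, they are flushed and recreated together with the zone, which avoids stale duplicates after a reload.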