Networking/Routing question. (Not a trivial one)

Actually, this is not an OpenWrt-related issue itself, but since we're all using it, I decided to ask the community whether it's possible and what its implementation in OpenWrt could be. Will try to be as concrete as I can...

  1. All IPs in LAN zone ping each other, packets are flying.

  2. All traffic originating from some IPs in the LAN zone is routed to one IP in another zone, IPS0.

# ip rule
0:      from all lookup local
215:    from lookup vpn0
216:    from lookup vpn0
217:    from lookup vpn0
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default

All pings from LAN IPs to IPS0 and vice versa are flying.

  3. Then the link to another zone (IPS1) comes up. From IPS1 I can ping the LAN, but only IPs that are NOT routed to IPS0 as described above (which is predictable: although INBOUND traffic seems to be accepted, those IPs can send the OUTBOUND reply to IPS0 only).

I'm afraid it's not possible, but what I'd like to do is to keep the traffic that is initiated from those IPs still routed to IPS0, but at the same time have those IPs send traffic that is IN RESPONSE to the initiator (in IPS1, or whatever it is). (NAT/masquerading? add another zone??)

TNX for your time

From the sound of it, you seem to be describing NAT Masquerading. This, of course, is trivially easy to implement within OpenWrt. It is, in fact, the default state for the wan with IPv4.

All of the hosts will appear to be coming from a single IP address on the wan.

If this is not what you're asking, maybe you can give more specific examples of your question/goal.

Why wan? Could you explain please.

The vast majority of home users, as an example, are assigned just a single IP address from their ISP. The router will use NAT Masquerading to share that single address with an entire network behind the router. So, basically all of the IPs behind the router are routed through one IP facing the ISP/internet.

Masquerading doesn't have to be applied to the wan if there is symmetric routing. And masquerading can be applied to other zones if needed. The wan is just the most common use case.


To be honest this just sounds like a routing issue. Have you tried adding a specific route for return traffic to IPS1 in the relevant routing table?

I understand that. Point is wan is not involved in my case, that's why I asked.

That's the question... Add WHERE and WHAT?
If I just allow another direction to IPS1, and IPS0 is down, all traffic will go to IPS1. Unacceptable in my case.

Given you've provided next to no specific detail how do you expect us to tell you that? You need to determine the required routing rule and then add it to the relevant routing table.

Just to keep the topic from growing too much, I tried to avoid inflating it with specific info. Let's operate by zones. I'm talking about the principle.

The main question is how to allow IPs to reply to a certain initiator only.

I think for that I need to select certain traffic and reply only to it.

So you've got your answer then.

hint - key word is "how".

Masquerading?... For which zone?
Can it be done by routing only? (keeping given restrictions)

Hint - 'how' is impossible to answer in any useful, specific, way when you don't want to be specific.

But yes, it can be done by routing (in principle). As I've already said twice...
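An added example, not posted by anyone in this thread, of what "by routing" can look like on the router: connections that arrive through the IPS1 link get a conntrack mark, the mark is restored on every packet of that connection, and an ip rule with a lower number than the existing 215-217 source rules sends marked packets (the replies) back out via IPS1, while traffic the hosts initiate still follows the vpn0 rules. The interface name ips1, next hop 10.1.0.1, table 101, mark 0x1 and an nftables-based (fw4) OpenWrt are all assumptions, not values from the thread.

```shell
#!/bin/sh
# Example only: reply-path routing for hosts that are policy-routed to IPS0.
# All names and numbers below are assumptions for illustration; adjust them.
IPS1_IF="${IPS1_IF:-ips1}"          # assumed interface towards IPS1
IPS1_GW="${IPS1_GW:-10.1.0.1}"      # assumed next hop towards IPS1 (constructed)
REPLY_TABLE="${REPLY_TABLE:-101}"   # assumed free routing table number
REPLY_MARK="${REPLY_MARK:-0x1}"     # assumed unused fwmark value
REPLY_PRIO="${REPLY_PRIO:-210}"     # lower than the 215-217 "from <host> lookup vpn0" rules
DRY_RUN="${DRY_RUN:-0}"             # DRY_RUN=1 prints the commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

configure_reply_path() {
  # Dedicated table: whatever consults it leaves through IPS1.
  run ip route replace default via "$IPS1_GW" dev "$IPS1_IF" table "$REPLY_TABLE"
  # Marked packets consult that table before the per-host vpn0 rules are reached.
  run ip rule add fwmark "$REPLY_MARK" lookup "$REPLY_TABLE" priority "$REPLY_PRIO"
  # Remember, in conntrack, which connections were initiated from the IPS1 side.
  run nft add table inet replypath
  run nft add chain inet replypath pre "{ type filter hook prerouting priority mangle; }"
  run nft add rule inet replypath pre iifname "$IPS1_IF" ct state new ct mark set "$REPLY_MARK"
  # Replies from LAN hosts re-enter on the LAN side: restore the packet mark from
  # the connection so the ip rule above routes them back out via IPS1.
  run nft add rule inet replypath pre ct mark "$REPLY_MARK" meta mark set ct mark
  # Same for replies generated by the router itself (route-type chain re-routes them).
  run nft add chain inet replypath out "{ type route hook output priority mangle; }"
  run nft add rule inet replypath out ct mark "$REPLY_MARK" meta mark set ct mark
}

# Returns the generated commands as text, without touching the router.
render_rules() { (DRY_RUN=1; configure_reply_path); }

if [ "${1:-}" = apply ]; then configure_reply_path; fi
```

Run it as `sh reply-path.sh apply` on the router after checking `render_rules` output; because IPS0-bound traffic never gets the mark, it keeps going to IPS0 even when IPS1 is up, and nothing falls back to IPS1 when IPS0 is down.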

Just forget about it )))

@portuquesa - You appear to have given up (while also showing a lot of attitude -- please keep it civil, and remember that the quality of help that people get is related to the attitude of the users asking for it).

We were trying to answer your question. If the answers didn't make sense, it is because you weren't specific enough in how you presented your question.

I explained that masquerading doesn't have to apply only to the wan zone, but nobody can answer further how you might achieve your goals because you haven't given specific examples.


No, I'm not giving up. I'll do all myself.

PS Where did you find any signs of inappropriate attitude BEFORE such from krazeh?
The given info was enough to give some ideas (if anyone really wanted to help, and not just to show off)
