Nginx Server behind OpenWRT zone masquerading

I'm referring to the original issue this user had here: My server is behind OpenWrt but for some reason i cannot get on my servers the client's real ip address

I am having the same issue, but have a question regarding LuCI and CLI.

For this to work, I went to LuCI > Network > Firewall > NAT Rules and created a rule there like so:

As soon as I applied that, I immediately started seeing the real_ip of the client connecting to the webserver.

My question is, is this the exact same as doing what @vgaetera posted below?

uci set firewall.@zone[3].masq_dest="!192.168.78.20/32"
uci commit firewall
/etc/init.d/firewall restart

or does the way I did it have any other security side effects?

Also, what/where is the GUI way of @vgaetera's cmds above?

Thanks in advance.

No.

To accomplish what you desire, generally SNAT or masquerade can be used.

  • You used SNAT
  • @vgaetera used a config to masquerade traffic whose destination is not 192.168.78.20

Thanks @lleachii. A bit confused... you say no, but proceed to explain that they both achieve the same result then.

Correct, you asked if you did the same thing as another poster who made a masquerade rule - you did not - you made an SNAT rule. You later discuss if it produced the same results - that answer is yes.

In your situation - where you wanna configure traffic to alter the source, you have 2 possible solutions:

  • Masquerade configuration
  • Source NAT

You chose to configure the latter. My apologies if you merely wanted to know if the same thing was accomplished.
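
The masquerade variant discussed in this thread, as an added example that is not part of any poster's reply or of OpenWrt itself: a simplified Python model of how a negated `masq_dest` entry decides which source address a host behind the router records. It assumes one zone with masquerading enabled and a single `masq_dest` entry; the router address `192.168.78.1` and the client address `203.0.113.50` are constructed placeholders.

```python
import ipaddress

# SERVER and MASQ_DEST come from the uci command in the thread;
# ROUTER_ZONE_IP is a hypothetical router address facing the server.
ROUTER_ZONE_IP = "192.168.78.1"
SERVER = "192.168.78.20"
MASQ_DEST = "!192.168.78.20/32"


def parse_masq_dest(entry):
    """Split a masq_dest entry into (negated, network)."""
    negated = entry.startswith("!")
    return negated, ipaddress.ip_network(entry.lstrip("!").strip(), strict=False)


def dest_selected(dst, entry):
    """True if traffic to dst is selected for masquerading by this entry."""
    negated, net = parse_masq_dest(entry)
    inside = ipaddress.ip_address(dst) in net
    return inside != negated  # a leading "!" inverts the match


def source_seen_by(dst, client_ip, masq=True, masq_dest=None):
    """Source address the destination host logs for a forwarded connection.

    Simplified model: masquerading on/off plus one optional masq_dest entry.
    """
    if masq and (masq_dest is None or dest_selected(dst, masq_dest)):
        return ROUTER_ZONE_IP  # source rewritten to the router's own address
    return client_ip           # source left untouched, real client IP is logged


def audit(client_ip, hosts, masq_dest):
    """Map each destination host to the source address it would record."""
    return {h: source_seen_by(h, client_ip, masq_dest=masq_dest) for h in hosts}


if __name__ == "__main__":
    client = "203.0.113.50"            # constructed client address
    hosts = [SERVER, "192.168.78.30"]  # second host is constructed
    print("masq on, no masq_dest:", audit(client, hosts, None))
    print("masq on, masq_dest   :", audit(client, hosts, MASQ_DEST))
```

In this model only the excluded server records the real client address; every other host in the zone still logs the router's address, which matters for per-client logging, rate limiting and IP-based access rules on those hosts.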
