Outbound NAT with Static Port for dynamic IP

You already can do Outbound NAT with Static Port with SNAT instead of Masquerade. But this will not work with dynamic IPs many people have at home.

For better connectivity (IPv4) this option should be available to everyone.

According to this discussion, it can be done via a fw4 wrapper or a hot plug script. But I am lacking any knowledge about this stuff. I am just a user, who wishes OpenWRT would catch up to other solutions like pf/OPN-Sense with these type of more basic tasks.

To be clear, are you asking for:

192.168.1.xxx:yyyyy [<Outbound_NAT_Static_Port>] <WAN_IP>:zzzzz

  • Where zzzzz equals your desire to alter the SRC port of outbound traffic?
  • And otherwise - making an SNAT rule instead of a masquerade rule for dynamic WANs?

Better connectivity?

It's unclear what you mean by "port". Are you referencing a Ci$co term?

I assume it's: a local IP with a static src port should SNAT to WAN IP and static (src) port.


Yes, I read the discussion and the Proton article. It's still unclear what the OP is actually requesting. Because:

  • The LuCI screenshot shows no port
  • Additionally, it clearly allows traffic to "egress device address" (OP mentions here not possible with dynamic IP?)
  • The example in the Proton article is a VPN setting on an app - it doesn't mention what the OP requested

Hence, I asked for clarification. From the Proton article, it seems the user wishes to allow inbound (i.e., Port Forward or DNAT) traffic. From the discussion in the other thread, the user wants to configure SNAT for the reply traffic (instead of masquerading) - because of pavelgl's [general] comment that it's "faster"?

What's still unclear is why is one attempting to "SNAT a dynamic outbound IP" and what is meant by the word "port".

You'd agree that's an impossible basis for writing code or building features for others.

Edit:

If so, this makes the Proton article confusing in context of the OP's request - as altering reply traffic via SNATs would break connectivity.

Excellent question.

Kinda:
Some local IPs with any src port should SNAT to WAN IP and the same (src) port.
It is about NAT traversal, which is much easier if the src-port is known to/via a third party.

snat and masquerade try to allocate the same src port as the client behind NAT. Both have a "persistent" flag to keep remembering the last mapping address after the connection state expires. That half of the request just demands defaults.

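For readers following along, here is what the two variants brada4 describes look like as a plain nftables ruleset. This is an added illustration, not configuration posted by anyone in this thread or shipped by fw4; the interface name "wan", the 192.168.1.0/24 subnet and the 203.0.113.5 address are assumed placeholders.

```nftables
# Added example: source NAT for a home LAN, showing why masquerade suits a dynamic WAN.
# Interface, subnet and address below are assumed placeholders, not from the thread.
table inet nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Variant 1: masquerade. The translated source address is read from the
        # outgoing interface at translation time, so it follows a dynamic WAN IP.
        # Conntrack already tries to keep the client's original source port and
        # only picks another one on collision; "persistent" keeps the same mapping
        # for a client even after its earlier conntrack entry has expired.
        oifname "wan" ip saddr 192.168.1.0/24 masquerade persistent

        # Variant 2: snat to a fixed address (shown disabled via comment).
        # Port handling is identical, but the address is baked into the rule,
        # so it silently breaks as soon as the ISP hands out a new WAN IP.
        # oifname "wan" ip saddr 192.168.1.0/24 snat to 203.0.113.5 persistent
    }
}
```

The practical takeaway matches brada4's point: the "static port" behaviour (preserving the client's source port where possible) is not something snat adds over masquerade; both translate the port the same way. What differs is only where the public address comes from, which is exactly why masquerade is the right default behind a dynamic IP. To see the actual port choice, compare `conntrack -L` (or `nft list ruleset`) before and after a client opens a connection; a mapping like 192.168.1.10:50000 -> WAN_IP:50000 confirms the port was kept.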

brada4 is right, Masquerade already does it in OpenWRT. I had read somewhere that it doesn't but I was wrong. So Action SNAT is not needed in the first place for this.

2 Likes

You have 2 public IPs, could be improved towards poor mans mwan :wink: Thanks for feature requests.

First info is the nft manual page, enhanced by the iptables-extras manual and iptables-translate. If that fails, examine the debug guide (-d netlink, nftrace); if it is still glitching, kernel sources.
