Port Forward to Router Service

Hi folks,

I can't find a specific example documented anywhere. Is it possible to create a firewall port-forward rule to a service running on the router itself?

So traffic hitting the WAN IP on port 1234 gets forwarded to the router service running on port 5678?

I can see I could forward to the WAN interface back to the router on its WAN IP, but as the WAN IP could change this seems fragile. I could also forward to the LAN interface and back to the router on its LAN IP, but this seems like an unnecessary traversal. Is there a way to forward directly to the router (like an ingress rule but with a port forward)?

I thought I'd solved it using a 'Traffic Rule' but this won't do the port translation. Still looking for an answer.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Why? This is a generic networking question not a configuration issue with my device.

ok then ...

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.


What are you basing this on, the screenshot? It's from LuCI. It's the latest official build on x86.

He was just asking; too many freeloaders.

You need a redirect rule:
https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)

/etc/config/firewall
config redirect
	option dest 'wan'
	option target 'DNAT'
	option name 'Allow-http'
	option src 'wan'
	option src_dport '8080'
	option dest_port '80'


Hey, so if I use your example as-is I get this:

config redirect
        option proto 'tcpudp'
        option src 'wan'
        option dest 'wan'
        option name 'Port Remap'
        option target 'DNAT'
        option src_dport '1234'
        option dest_port '5678'

Which LuCI displays like this:

However taking inspiration from another DNAT rule I saw in the wild, if I omit the dest option from the rule then LuCI displays it like this, which better matches the intent of the rule:

Are they functionally any different?

Although LuCI represents the rule in different ways, the end result translated into nftables is the same. You can check it by running:

nft list chain inet fw4 dstnat_wan
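As an added example that is not part of the thread, here is a POSIX shell script that audits a UCI firewall file for redirects of the kind discussed above: DNAT rules with no dest_ip, whose translated traffic terminates on the router itself whether dest is set to 'wan' or omitted. The config it parses is a constructed sample, and the awk parser and the function name audit_router_redirects are my own, not OpenWrt tooling.

```shell
#!/bin/sh
# Constructed sample of a UCI firewall file (not from the thread's device):
# one redirect to the router itself, one to a LAN host, one plain rule.
SAMPLE_FIREWALL=$(cat <<'EOF'
config redirect
    option proto 'tcpudp'
    option src 'wan'
    option dest 'wan'
    option name 'Port Remap'
    option target 'DNAT'
    option src_dport '1234'
    option dest_port '5678'

config redirect
    option name 'Web server'
    option src 'wan'
    option src_dport '80'
    option dest 'lan'
    option dest_ip '192.0.2.10'
    option dest_port '80'

config rule
    option name 'Allow-SSH'
    option src 'wan'
    option dest_port '22'
    option target 'ACCEPT'
EOF
)
# Print every DNAT redirect that carries no dest_ip: its traffic lands on the
# router. target defaults to DNAT when absent. Output: src:sport->dport (name)
# On a device: audit_router_redirects "$(cat /etc/config/firewall)"
audit_router_redirects() {
    printf '%s\n' "$1" | awk -v q="'" '
        function val(   s, i) { i = index($0, q); s = substr($0, i + 1); return substr(s, 1, index(s, q) - 1) }
        function flush() {
            if (sect == "redirect" && dest_ip == "" && (target == "" || target == "DNAT"))
                printf "%s:%s->%s (%s)\n", src, src_dport, dest_port, name
        }
        /^config / { flush(); sect = $2; name = "?"; src = "?"; src_dport = "?"; dest_port = "?"; dest_ip = ""; target = ""; next }
        /^[ \t]*option name /      { name = val() }
        /^[ \t]*option src /       { src = val() }
        /^[ \t]*option src_dport / { src_dport = val() }
        /^[ \t]*option dest_port / { dest_port = val() }
        /^[ \t]*option dest_ip /   { dest_ip = val() }
        /^[ \t]*option target /    { target = val() }
        END { flush() }
    '
}
audit_router_redirects "$SAMPLE_FIREWALL"
```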
