Port forwarding from lan to wlan

Hi,

I am attempting to forward traffic from "external" port 8080 on lan (br-lan) to internal wlan (wlan0) client specific IP address 192.168.1.1. I have tried configuring firewall as shown below but it is not working. Wlan is a wireless station client connected to an access point with the IP address 192.168.1.1 and assigned an IP address via DHCP (usually 192.168.1.3). Please could someone advise?

Network config...

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option ifname 'eth0 eth1'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '10.188.0.1'
        option netmask '255.0.0.0'

config interface 'wlan'
        option proto 'dhcp'

Firewall config...

config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wlan
        list   network          'wlan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config forwarding
        option src      lan
        option dest     wlan

config redirect
        option target 'DNAT'
        option src 'lan'
        option dest 'wlan'
        option proto 'tcpudp'
        option src_dport '8080'
        option dest_ip '192.168.1.1'
        option dest_port '8080'
        option name 'HTTP NetService'

Your /etc/config/firewall doesn't contain any interface using the subnet 192.168.1.0/24. Your port forward shouldn't work.

Thanks for the response.

Is the zone for 'wlan' not sufficient? In my /etc/config/wireless I have an sta defined on network wlan (interface wlan0). How do I tell /etc/config/firewall about the interface if this is not enough?

OK.

BTW, you already permit forwarding with this rule:

config forwarding
option src lan
option dest wlan

I also notice, you do not masquerade between LAN and WLAN. How does the 192.168.1.x network know where the 10.x.x.x network is?

Masquerade? I think this is where my firewall knowledge falls short! That sounds like it could be the problem though. What do I need to do?

If your access point is capable, it may be easier to make a route to 10.0.0.0/8 on the AP, via gateway 192.168.1.3.

Basically, masquerade is what's occurring when Network Address Translation is in use.

When traffic leaves the OpenWrt for 192.168.1.1, it knows where it's going (as there's a route since you connected to the AP)....but, when 192.168.1.1 tries to send a reply, it doesn't know how to find 10.0.0.0/8 behind 192.168.1.3...it would try to use its gateway instead. You need to reconfigure this so it knows that 10.0.0.0/8 is behind 192.168.1.3.

My two cents:

  1. You have a "double NAT" setup, and that is a bad thing; if you can, configure your secondary router using WPS or relayd, so you only have one 192.168.1.x network.
  2. In principle, this is a routing problem, you should not need to configure any NAT. But you already are allowing traffic from LAN to WLAN. Can the devices at LAN reach devices on WLAN? Can they reach the internet?
  3. Perhaps the issue is that the service at 192.168.1.1 is filtering the traffic coming from the 10.x.x.x network. Can you control the firewall on that device?
  4. Or you could masquerade the traffic at the secondary router, and make it appear as coming from its 192.168.1.3 address; you need a "SNAT" rule for this, not a "DNAT".
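Point 4 written out in /etc/config/firewall terms, as an added example rather than anything posted in the thread: the wlan zone gets masquerading (SNAT, so traffic leaving wlan0 carries the router's 192.168.1.3 address and the camera's replies come back to the router), and the redirect from the original post is kept but limited to the router's own LAN address. It assumes the fw3 option names masq and src_dip; the LAN address 10.188.0.1 and camera address 192.168.1.1 are the thread's own values.

```uci
config zone
        option name             wlan
        list   network          'wlan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT
# SNAT everything that leaves via wlan0 to the address DHCP gave the router (192.168.1.3),
# so the camera never needs a route back to 10.0.0.0/8.
        option masq             1
        option mtu_fix          1

config forwarding
        option src      lan
        option dest     wlan

config redirect
        option target 'DNAT'
        option src 'lan'
        option dest 'wlan'
        option proto 'tcp'
# Only match connections aimed at the router's LAN address, not at every address it holds.
        option src_dip '10.188.0.1'
        option src_dport '8080'
        option dest_ip '192.168.1.1'
        option dest_port '8080'
        option name 'HTTP NetService'
```

After `/etc/init.d/firewall restart`, a LAN host browsing to http://10.188.0.1:8080 is DNATed to the camera and the camera sees the request as coming from 192.168.1.3; this is the double NAT that point 1 advises against, traded for keeping each camera's 192.168.1.0/24 hidden behind its own router.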

192.168.1.1 device is an IP camera with wireless AP. Gives router IP address 192.168.1.3 via wlan0 interface (wireless client).

LAN br-lan (10.0.0.0/8) is bridged network with fixed router IP address 10.188.0.1

I need computers on 10.0.0.0/8 wired network to be able to access HTTP port 8080 of camera without knowledge of 192.168.1.1/24 network. For example: computer 10.0.0.15 (from DHCP) can put in URL http://10.188.0.1:8080 to a web browser and access camera front end. I don't want to (pseudo)bridge the LAN and WLAN networks as I may need to add another IP camera (also with 192.168.1.1) to another router on the network and bridging would cause conflict and addressing issues.

I assumed this was as simple as port forwarding 192.168.1.1:8080 from the OpenWRT/LEDE router?

I 100% understand this.

100% understood

That won't work unless you masquerade the access point. Of course the OpenWrt LAN knows of 192.168.1.0/24; because you connected to the AP and a route now exists.

The camera has an IP of 192.168.1.1...who possesses the 10.188.0.1 IP you noted???

No, it isn't, as there are no ports to forward. As @eduperez noted:

Your problem is solved if you add a route to 10.0.0.0/8 via 192.168.1.3 on the AP.

You would then access the device via http://192.168.1.1:8080

Thanks for your help with this

The camera has an IP of 192.168.1.1...who possesses the 10.188.0.1 IP you noted???

The OpenWRT/LEDE router has the IP address 10.188.0.1 (on br-lan)

Your problem is solved if you add a route to 10.0.0.0/8 via 192.168.1.3 on the AP.
You would then access the device via http://192.168.1.1:8080

Unfortunately not as if I add another OpenWRT/LEDE router 10.188.0.2 with wlan0 to another IP camera with IP address 192.168.1.1 then there will be a conflict. I need it to be accessed via 10.188.0.1 etc so that all devices only need 10.0.0.0/8 network access. Also I cannot modify the firmware on the IP camera to alter the routing tables.

So if I understand correctly I can't forward traffic from 10.188.0.1:8080 to 192.168.1.1:8080 because 192.168.1.1 does not know route back to 10.0.0.0/8?

Is there another standalone utility that can run on the OpenWRT/LEDE router to listen on 10.188.0.1 port 8080 and relay traffic to and from a TCP connection to 192.168.1.1 port 8080? Like a middle man utility.

Aaah, I flipped the octets in my mind while reading...but as you noted that IP is on LAN, unless you want to set up an odd redirect that places the packet in wlan then routes it back...I don't understand what you're trying to accomplish, though.

You NEVER purposely configure networks to have conflicts...perhaps I'm confused...

Are you saying that you plan to add an AP and router each time you want a new camera???

That makes no sense, you can configure one router properly and simply not waste equipment. Most even use multiple SSIDs, so you can get a 2nd IP from the AP if you need to.

YOU CAN, IF YOU ENABLE MASQUERADE FROM 10/8 to 192.168.1.0/24...but you can't have conflicting 192.168.1.0/24 networks!!!

As you just said yourself, you plan to configure a conflict in the future.

You're making this setup extremely confusing for yourself; and anyone trying to assist you.


Again thanks for the help. I think the confusion is in me trying to explain the scenario. The AP IS the camera! I don't plan to add a conflict but it is inevitable as the cameras have fixed IP of 192.168.1.1 and to add another camera to the network without a level of abstraction is to create a conflict.

Whether or not this can be achieved with the firewall port forwarding I'm not sure but I have solved the problem with:

socat -d -d TCP4-LISTEN:8080,fork TCP4:192.168.1.1:8080

With this I am able to browse to http://10.188.0.1:8080/ and get the IP camera web interface.
I can create another router with identical setup but IP address 10.188.0.2 connected to another camera in another building and browse to that camera with http://10.188.0.2:8080/

Not sure if it's the most efficient solution, but it works!

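The "middle man" relay the thread settles on, written out as an added Python example that mirrors the poster's socat command rather than being it: each LAN connection accepted on the router's own address is paired with a new TCP connection to the camera and bytes are pumped both ways, and EOF on one side half-closes the other so connections wind down cleanly. Unlike `TCP4-LISTEN:8080` with no bind address, start_relay binds only the address you give it (10.188.0.1 in the thread), so nothing on the wlan side can reach the relay; relay_roundtrip is a constructed loopback self-test in which an echo server stands in for the camera.

```python
import socket
import threading

def _pump(src, dst):
    # Copy one direction until EOF, then half-close dst so the peer sees EOF too.
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # peer went away; the other direction's pump will notice too

def start_relay(listen_addr, target):
    # Bind only listen_addr (the router's LAN address), never 0.0.0.0, so the wlan
    # side cannot reach the relay. Returns the listening socket (caller closes it).
    srv = socket.create_server(listen_addr, backlog=16)
    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return  # listening socket was closed
            try:
                upstream = socket.create_connection(target, timeout=10)
            except OSError:
                client.close()  # camera unreachable: drop this client
                continue
            upstream.settimeout(None)  # connect timeout only; data flow blocks
            for a, b in ((client, upstream), (upstream, client)):
                threading.Thread(target=_pump, args=(a, b), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv

def relay_roundtrip(payload):
    # Constructed self-test: a loopback echo server stands in for the camera.
    echo = socket.create_server(("127.0.0.1", 0))
    def echo_once():
        conn, _ = echo.accept()
        _pump(conn, conn)  # echo = copy input straight back to the same socket
    threading.Thread(target=echo_once, daemon=True).start()
    relay = start_relay(("127.0.0.1", 0), echo.getsockname())
    with socket.create_connection(relay.getsockname(), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: c.recv(4096), b""))
    relay.close()
    echo.close()
    return reply
```

On the router itself the call would be `start_relay(("10.188.0.1", 8080), ("192.168.1.1", 8080))` followed by something that keeps the main thread alive; every camera still sits behind its own router exactly as with socat, and the relay only proxies port 8080, so nothing else on 192.168.1.0/24 becomes reachable.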

You can change IP for ANY IP camera


I would agree.

Was 100% understood; but I agree with @h8red ...I'm sure that the IP can be reconfigured...and/or routes can be added.

Surely there must be something on the web interface to either let the AP use dhcp to get its settings or for you to set static IP.

What is the make and model of this AP?