Port forwarding lan to lan

I'm not sure why you quoted your words as mine, but OK...

Please clearly explain what port you wish to open on this device (I'm guessing RDP 3398/udp).

Please explain this - how port 80 on a public IP to a bank gets involved, if your devices are all on LAN.

Yes, and you were told:

So please explain why you want to place rules in the OpenWrt - as if it will control any firewall between the 2 devices on the same broadcast domain?

Also, the 2 IPs you show are not in the same subnet, so it brings more confusion regarding your "devices are on LAN side" description. Lastly, you still haven't explained why you're trying to backdoor the IP of a bank to get to a desktop.

OK, let's try a different approach.

I open the locked down device, I open Microsoft rdp, I type in, it opens a rdp session to another machine, also on my network, with ip

What port forwarding rule can I setup on my router to enable this.

  • None, not possible if these IPs are not on the same LAN.
  • The router is not involved if they are on the same LAN.
  • If they are on a different network src and dst network cannot both be LAN
  • These IPs have different subnet numbering, so they cannot both be on LAN

Now if you really being honest about thinking you control the firewall at at a bank for real...you'd make a port forward from WAN to LAN (not LAN to LAN). Otherwise your port forward rule was OK (except you can remove the public IP, and RDP is only TCP).

But none of this works until you can open the client's firewall, which you admit that you do not control.

Wow, are you trolling me? I'm finding it hard to describe this in simpler terms. But here goes again.

Imagine you are in your house, you have 2 machines A & B, which have ip addresses 1 & 2 respectively. You connect them together with a router, that is also in your house. Are you telling me it is impossible to set up the router so that when machine A opens a connection to ip address 3, it in fact gets routed to machine B?

Is this not the essence of port-forwarding? I know it is not impossible because, like I said, I have had it working before.

Wait...are you now saying that you have TWO routers?

  • Can you draw a diagram?
  • Are you using public IP space on one of these router networks?
  • Are these IPs in the same subnet?
  • Are they in the same physical network?


Then the rule would be WAN to LAN as I noted above:

Also, you might wish to consider not using IP space that belongs to Lloyd's of London, it would really fix alot of confusion.

Ok, you are trolling me. Fine. Well done.

  • You said devices are on same network
  • then you mention another router (i.e. not on the same network)
  • you provided a public IP address for one of the networks, twice - and you won't explain it
  • you won't explain how traffic will access the RDP machine if you can't open its firewall
  • and I told you EXACTLY how the firewall rule needs to be edited if you had a router, twice
config redirect
        option target 'DNAT'
        option proto 'tcp'
        option src_dport '80'
        option dest_ip ''
        option dest_port '3389'
        option name 'annapurna156'
        option dest 'lan'
        option src 'wan'

So now, how in the world am I trolling you!?!?

The solution is @lleachii's code with loopback option enabled to redirect traffic from lan zone as well.

I only thought this worked from the IP in question (; but otherwise, I also agree with your conclusion - given the scarce information the OP provided.

I honestly think the OP is using public address space (perhaps on one interface) and doesn't realize it...or want's to use a "hidden subnet" on the same LAN by forcing the firewall to redirect the packet....but then perhaps the OP's terminology in computer networking is not clear enough to convey that...

No, nobody is rolling you here. All answers you have received seem to me insightful and appropriate. You either do not know what you are doing, or are not capable of explaining yourself.

1 Like
tcpdump -n -i any tcp port 80 or tcp port 3389

It's OK I've got it, was a couple of things, firstly the src had to be 'wan', I guess I was confused because both machines were on my network, I thought it would be 'lan' to 'lan'.

Secondly, I needed to set up a static route from to Can't share the config as I did this via the Luci interface.

Maybe the second step is only needed because there's something wrong with the port forward config, but anyway, it's working!

config redirect
option target 'DNAT'
option proto 'tcp udp'
option src_dip ''
option src_dport '80'
option dest_ip ''
option dest_port '3389'
option name 'annapurna156'
option dest 'lan'
option src 'wan'

I explain above the issue; but you think I'm trolling you or something. Smh.

I thought you may have had the decency and honor to apologize, instead you act like I didn't provide this information.

Nonetheles, as others can now see, you are using a public IP belonging to a bank somewhere in your network. This is likely why your rigging some weird route and port forward, instead of configuring it correctly - is even necessary to accomplish your goal.

If you configured this network range as normal, it likely wouldn't be necessary for you to route IPs from a bank to your RDP computer.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

No.... I never said this.

Of two machines connected via a router? And you claim not to be trolling me? Here ya go!

Would you like to apologise for this? Is this an appropriate response to someone who is seeking your help? Obviously, if I knew exactly what I was doing then I wouldn't be posting here would I?

Lloyd's of London are an insurance underwriter, not a bank :man_facepalming:

Oh, so you did read my question!

Oh no, I guess you didn't

I was never trying to RDP to the locked down device, RTFQ

No you didn't. Because you left off the src_dip, without this all traffic is matched, also you didn't mention anything about the static route that was needed.

I have explained myself 3 times, plus my solution was 80% correct in the first place.

Wait, which is it? 1. I gave a satisfactory explanation of the problem and you gave me the solution. Or 2. I didn't explain the problem so you couldn't give me a solution. :laughing:

ctrl+f; "static route"
no matches

No, I'm not. Suggest you read up on OpenWrt firewall configuration.

I guess some people will never learn.

BTW, your diagram is missing the IP to a bank/insurance company or whatever.

Yes you are, this IP only shows up in 3 of your posts...and not even once in the link you posted. I guess you really don't understand, wow.


Yes, you failed to answer my questions and said I was trolling.

It's clear you don't wish to apologize. And you still don't get why you had to add that public IP from a FINANCIAL institution to your routes; or why you had to add it to your rule.

It's ok...don't worry about it. Glad you got it working, no matter how convoluted the solution is.

EDIT - maybe this will help my point (if it makes it worse, please don't worry about answering):


If it's not a public IP, how can I reach it then? (tracerotue also has a path)

Because... it's... not... part... of... my... network. Nor am I trying to connect to it! You are the only one who appears to be fixated upon it.

Actually, I completely understand this. It would appear that you are the one who doesn't understand this.

Whois and traceroute! Wow your knowledge of basic networking tools is formidable. (I never said it wasn't a public IP)

is a public ip address.

1 Like

He knows. LOL, a reverse troll!

(and he finally answered me!)


(The WAN IP of the router would also do the same thing...but he's using some arbitrary public IP and making a route, just to port forward this IP to a NATed LAN address.)

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.