Port forwarding using mac of a destination host

I have a requirement where I want to redirect the traffic from wan to a host.
I don't want to use the IP of the host. Since the IP of the host is dynamic, I want to use the MAC of the host to redirect.
For redirect config, there is no option of dest_mac.
How can I add a port forwarding (redirect, DNAT) rule to redirect traffic from wan to a particular host?

Can you not give the host a reserved address in DHCP? Or a static address?

2 Likes

That is not possible. The DNAT is rewriting the destination address field. Assign a static IP or a static DHCP lease to that host and redirect to that IP.

3 Likes

Port forwarding is a layer 3 operation but MAC addresses are layer 2. To configure a port forward, the destination must have a known numeric IP address.

So configure the device for DHCP. Set a reserved IP on the DHCP server (router) based on MAC address. This is generally the better way to do it versus configuring the endpoint with a static IP.

4 Likes

Yes, that can be done. But the requirement is to achieve port forwarding for a host with a dynamic IP.

In Linux / OpenWrt the forward is done with entries in the kernel iptables table. This table is statically configured one time, thus the target of the forward must be at a static location. To optimize speed there is no provision in the kernel to dynamically look up MAC addresses or hostnames before forwarding.

To make it work the way you hope it would require a major rewrite of the operating system and also incur a speed penalty.

There is a way for a LAN host (once it has obtained an IP address) to request the router configure a port forward to it via SNMP, but this is often considered a security risk.

3 Likes

The host in question is behind the OpenWrt router, right? Is the OpenWrt router also the DHCP server on the network? Is there a reason that the host cannot be assigned a DHCP reservation (in the router itself)? The reservations work such that the system still gets an IP via DHCP but it is always the same IP. This, in turn, means that you can guarantee the IP address of the system behind the router, and thus assign the port forwards to the correct host via a known IP address.

3 Likes
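The approach the replies above recommend, written out as OpenWrt UCI config (an added example, not taken from any post in this thread): a static DHCP lease in /etc/config/dhcp pins the host's IP to its MAC, and the redirect in /etc/config/firewall then targets that now-stable IP, since `redirect` has no `dest_mac` option. The host name, MAC address, IP and ports are constructed placeholders; substitute your own.

```uci
# /etc/config/dhcp -- static lease: this MAC always receives 192.168.1.50
# (constructed values; the host keeps using DHCP, only the answer is fixed)
config host
	option name 'myhost'
	option mac '00:11:22:33:44:55'
	option ip '192.168.1.50'

# /etc/config/firewall -- DNAT wan:8443 to the reserved IP on port 443
# dest_ip is the lease above, so the forward stays valid across reboots
config redirect
	option name 'Forward-to-myhost'
	option src 'wan'
	option src_dport '8443'
	option proto 'tcp'
	option dest 'lan'
	option dest_ip '192.168.1.50'
	option dest_port '443'
	option target 'DNAT'
```

After editing both files, run `service dnsmasq restart` and `service firewall restart` (or `reload`) and have the host renew its lease so it picks up the reserved address.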