Port forwards that dynamically follow internal hosts by their DHCP lease/mac address or hostnames?

It would be in this dialog

Instead of specifying a destination by IP address, you could write a mac address, hostname or even select a "host" from the dhcp lease

for instance


(also I wonder, is it possible to create a "static" lease without specifying an IP address?)

This would require an event script to update the internal firewall rules when the --dhcpscript event is fired from the DHCP server. Plus maybe a once-per-15-minutes check that reads all port forward rules and ensures that the firewall IP destination for the port forward actually matches the port forward definitions.

Typically the best way to handle this is a dhcp reservation. This ensures that the ip address never changes. Is there a reason that the dhcp reservation doesn’t accomplish the same thing you are trying to handle?


In my case it is a dev environment, where VMs get generated multiple times a day. We did use rules for hostnames and MAC so hostnames and MAC are known before the VM gets online.
Static leases cannot keep up with that and it would not be very effective since we would then need a person who does nothing else all day than setting static leases.

Script a static lease reservation and trigger it by hotplug on a DHCP server event:


To be clear, I specifically do not want to set static IP addresses per MAC. I want a dynamic address lease and the port forward rules to point at the lease's current address as it changes.

Best way I found so far is to create a script that is executed on every DHCP event and if the host is the subject of firewall rules, then updates those rules.

It is quite clunky

This is probably the best possible way for your specific scenario, since static leases work with both IPv4 and IPv6 setups, and it doesn't look like a problem for most OpenWrt users.

I want only the gateways and maybe the switches to have fixed IP and nothing else.

Whenever a specific computer or VM is addressed, I want to address it by MAC or by hostname.

If it were possible, I would prefer to banish all static IP addresses from my network.

It's just an extra layer of unnecessary management. Especially when you end up quoting up addresses by name in firewall rules. You make one change and then it snowballs into changing more and more and more things.

The computer boots, it gets an IP from the pool, then based on MAC or DHCP options it gets a hostname, and from here on out that computer should only be referred to by its hostname.

There must be something wrong with DNS too, based on the IT meme that all problems are caused by DNS.

All DNS queries should be answered within 5 microseconds and the answers should never be stale.

This sounds like your own goal, but what benefits does it provide to other users to motivate developers to implement it?


I don't want to maintain a list of static IP addresses in the DHCP server, in the firewall and routing rules, and on other computers across the network.

It seems like a cumbersome and unnecessary burden.

It is generally considered a bad practice to hard-code numerical values into software. Instead you define those numerical values in one place and you have everywhere else that needs to refer to those values consult the one record.

DHCP is clearly the record, DNS is how this record is accessed. Why is networking 30 years late to this party?

I tried exploring the question further with a chatbot

In any case, IPv6 will make this completely impractical, I don't plan on trying to remember 64 byte numbers !

You do know that you can create DHCP reservations, right? And you also know those reservations can also be used as DNS records? And, you probably know that you define this once for each device -- all in your DHCP configuration -- and it persists across reboots, and even can persist across upgrades. And, you are surely aware that this technology exists in OpenWrt now (and has been there for a long time).

You don't have to "maintain" this list across other computers since they will all be able to access DNS records from the main router. And there's actually no routing or firewall rules to maintain, either, unless you are working with devices on different subnets (and even if you are, those rules are really pretty easy to use).

Exactly... that's the purpose of the DHCP reservation + DNS... one place (your router) and you're done.

I'm unable to see why this isn't the solution you are looking for... it does everything you're asking.



I don't know if a "dhcp reservation" can be used here?
To bring it back to the first post of this thread:

Can you place a domain name or dhcp reservation in the place where it says "Internal IP address" in the port forward setup dialog ?

Not exactly. You select the relevant device (by IP address) as per normal, but the DHCP reservation means that the device is always allocated the same address by the DHCP server. Which means there's never a need to update the port forward.


I know you have asked about NAT, but I seriously recommend spending the time on IPv6. NAT is and will always be an ugly hack and introduces lots of issues.
The TCP/IP model was built with routing in mind.
Either get IPv4 addresses and use these, or move to IPv6 and enjoy the peace of mind of not having to deal with workarounds and whatnot all the time.

OK, besides the fact that no one remotely wants to understand @shodanx.
I have exactly the same issue. OpenWrt goes the easy way while other solutions have had that feature implemented for years.
Therefore I do not have a solution, but I have a hint for @shodanx, at least for IPv6. If you are able to switch your internal network to IPv6 it will get easier. IPv6 addresses do not need DHCP; they are normally generated in a predictable way. So if set up correctly the non-network part of your IPv6 address never changes. Even if you get a new address from your provider, it is only the network part that changes. You can set up static leases if you want to use DHCP for IPv6 only for the non-network part, and the network part is added automatically. That way your config never changes. I do not know about Windows, but under Linux the IPv6 address is calculated using /etc/machine_id and the network device GUID. In case your MAC addresses change occasionally, as they do on XenServers, you can rely on the DUID.

Thanks Swtrse

/etc/machine_id, I imagine that is a new feature in the latest OpenWrt, as my last-version router lacks this file.

I imagine you are referring to IPv6 "unique local address" ?

I have to say I don't understand how these addresses will not change if they are assigned in a decentralized manner and based on random numbers.

I'm also confused how are IPv6 unique local address different from IPv6 link-local address.

I think at the end of the day, I would like my firewall rules to apply to a domain name and the dhcp server to manage the relation between a mac address, a domain name and a dynamically assigned IP address and that I would never handle IP addresses directly, with possibly the only exception being the router's LAN side address.

I feel like using static IP addresses is like hardcoding literal numerical values in code, instead of defining named constants.

I understand it might have been reassuring back in the old days to not rely on the dhcp server to give the file server an address and to always refer to servers by their static IP addresses, but I think trying to remember 39 character long IPv6 addresses is going to get old very fast.

(and of course, in the firewall rules, it cannot be matching a domain name because there is no time to perform DNS resolution and wait for the answer on each single packet, so there should be something that keeps the actual IP addresses in the firewall synced up with all the domain names referred to in firewall rules)
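The mechanism the thread keeps circling back to (an event script fired by the DHCP server that re-points the port forward, and something that keeps the firewall's addresses in sync with the names in its rules) as an added example; this is not code from the thread or from OpenWrt itself. It assumes a hypothetical map file /etc/dyn-forwards.map listing which firewall redirect sections follow which MAC or hostname, plus the stock uci and /etc/init.d/firewall commands, and is meant to be wired in through the dhcpscript option the thread mentions.

```shell
#!/bin/sh
# Added example (not from the thread): a dnsmasq dhcp-script hook for OpenWrt
# that re-points firewall redirect (port forward) sections at a host's current
# lease.  dnsmasq runs it as:  <script> <action> <mac> <ip> [hostname]
# Assumed map file format (hypothetical): "<mac-or-hostname> <section-name>",
# e.g. "buildvm01 fwd_buildvm01", where the section is a redirect in firewall.
MAP_FILE="${MAP_FILE:-/etc/dyn-forwards.map}"
UCI="${UCI:-uci}"                               # overridable for off-box tests
RELOAD="${RELOAD:-/etc/init.d/firewall reload}"

# Print every section mapped to this MAC or hostname; blank and # lines skipped.
sections_for_host() {
    mac="$1"; host="$2"
    [ -r "$MAP_FILE" ] || return 0
    while read -r key section _; do
        case "$key" in ''|'#'*) continue ;; esac
        if [ "$key" = "$mac" ] || { [ -n "$host" ] && [ "$key" = "$host" ]; }; then
            echo "$section"
        fi
    done < "$MAP_FILE"
}

# Write dest_ip/enabled to one redirect section. Returns 1 when nothing
# changed, so a plain lease renewal ("old") does not reload the firewall.
apply_section() {
    section="$1"; ip="$2"; enabled="$3"
    cur_ip="$($UCI -q get "firewall.$section.dest_ip")" || cur_ip=""
    cur_en="$($UCI -q get "firewall.$section.enabled")" || cur_en="1"
    [ "$cur_ip" = "$ip" ] && [ "$cur_en" = "$enabled" ] && return 1
    $UCI set "firewall.$section.dest_ip=$ip"
    $UCI set "firewall.$section.enabled=$enabled"
    $UCI commit firewall
}

# Entry point. On "del" the rule is disabled instead of being left pointing at
# an address the pool may soon hand to a different VM.
on_lease() {
    action="$1"; mac="$2"; ip="$3"; host="$4"
    case "$action" in add|old) enabled=1 ;; del) enabled=0 ;; *) return 0 ;; esac
    changed=0
    for section in $(sections_for_host "$mac" "$host"); do
        apply_section "$section" "$ip" "$enabled" && changed=1
    done
    [ "$changed" -eq 1 ] && $RELOAD
    return 0
}

[ "$#" -lt 3 ] || on_lease "$@"
```

Key the map on the MAC rather than the client-supplied hostname where you can, since any client on the LAN can present any hostname in its DHCP request and would then inherit the forward.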

What SOHO firewall does dynamic address selection and adjust the nat rule? Or is it just a static assignment and then the static nat rule?

I don't quite see a point in such a setup.

  1. NAT by definition is number translation. So you need an artificial wrapper for a name on top anyway.
  2. Outside the SOHO space people use expensive and sometimes even more shitty solutions which do lots of magic till it breaks anyway. Afaik all do the same: user sets an FQDN for a rule? Then name resolution is done and the NAT rule or firewall is configured with the address and the UI only translates it back. If you are lucky the resolution is done periodically, and that's not a given, and stuff breaks. Or even more wrapper scripts are involved and this box, which also handles DHCP, has to update the rule after a lease has changed.
  3. All this is just to mask that people have no clue about "proper" network design and how to come up with a sane address plan.
  4. I'm a grumpy old man and get annoyed by this shiny vendor crap which gives no benefit and no improvement in the end.
  5. Again, just use IPv6 and never think about NAT again, as IPv4 was originally intended :slight_smile:

Especially with IPv6, I will not be trying to remember static IPv6 addresses.

The firewall, NAT and all other routing components have to understand domain names and do it in an efficient and sane way.

So not resolving every domain name before routing each packet

And also maintaining awareness of domain name to IP resolution changes.

Which should not be a problem when the heart of the network is the machine doing the assignment of IPs through DHCP and the assignment of domain names to IPs in its DNS server.

I always find it extremely archaic when I see routers and servers with statically defined IP addresses. All my servers and VMs are dynamically addressed.

I'm very annoyed at Proxmox, for instance, for refusing to use its DHCP client to obtain an address and requiring the user to give it a static address in the server itself! You take that server to another network and it just stops working unless you go in and manually change it! So unreliable, impractical and labour intensive for zero benefit.

There is more than one valid use case for dynamic address assignments, but routers aren't one. The addresses on MGMT interfaces on a switch are also open for debate...
Servers? Could be. Depends on function and scale.
VMs? Sure, why not.

Implementing a new network function with IPv4 dst NAT in 2023, near 2024? I still have really hard feelings for all the morons teaching Docker and shit and doing NAT all the way, even though all these container solutions support normal layer-3, and I have to explain to developers even basic network knowledge and fix their broken architecture. NAT, most of the time, does not solve a problem but introduces new ones. If there are no address conflicts there is mostly no reason to use NAT.
OK, that home users want to reach their LAN stuff from WAN... But that's a good job for a VPN.
Hosting stuff for others at home... Yeah, this comes with so many restrictions and I would argue a dynamic name NAT helper does not solve a single one.

Regarding IPv6 addresses not being memorable:
You can have short addresses too. 2001:db8:1000::1 is a wonderful address and there are plenty of easy and short addresses in each prefix.
You have DNS. Even if you have to configure a static address somewhere, create a name record. And if you need the address, look it up. Set the address. In a clean network it's also good style to have records for all names and numbers because it eases the daily work of every user on the network...