Questions about Masquerading UI

My new and unmodified 19.07.4 OpenWrt VirtualBox VM's Firewall Zone Settings look thus:

I actually have 2 related questions. One is why is the checkbox for the interface to masquerade checked on the WAN->reject entry, rather than the LAN->WAN entry? I think of IP masquerading as something that happens to outgoing packets (LAN->WAN) rather than incoming from the WAN.

My other question is I notice that one can create a rule for masquerading in the NAT rules tab of the same UI page (the ACTION pulldown has a MASQUERADING choice). How do these 2 settings interact -- does one override the other?

I need to point out that the router works OOTB; I am not claiming a bug necessarily. I am just trying to understand why LuCI lays these 2 items out the way it does. Thank you for your work on this essential software. I will be grateful for constructive responses.

This is a forwarding which allows your LAN traffic to go to WAN.

No traffic forwardings allowed from the WAN zone.

Needs to be applied to the outgoing interface/zone that is WAN:

2 Likes

I think you are reading that screen wrong, each line gives information about a zone, the traffic allowed from that zone to others, and the masquerading options.

So, first line gives info about the LAN zone: it is allowed to forward traffic to WAN, both input and output are allowed, and traffic leaving that zone is not masqueraded.

Second line is about the WAN zone: it is not allowed to forward traffic, output is allowed but not input, and all traffic leaving that zone is masqueraded.

5 Likes
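The per-zone reading described in the reply above, as an added example that is not part of the thread and is not LuCI's own code: it parses firewall configuration in UCI syntax and builds one row per zone, attaching forwardings and the `masq` flag to the zone they belong to. The sample configuration is constructed to match the two zones described in the thread, and the function names are hypothetical.

```python
import shlex

# Constructed sample in /etc/config/firewall (UCI) syntax, matching the two
# zones described in the thread; not copied from the poster's router.
SAMPLE = """
config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
config forwarding
    option src 'lan'
    option dest 'wan'
"""

def parse_uci(text):
    """Return a list of (section_type, options) pairs from UCI-style text."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], {}))
        elif len(tok) >= 3 and tok[0] == "option" and sections:
            sections[-1][1][tok[1]] = tok[2]
    return sections

def zone_rows(text):
    """One row per zone: the zone is the key, forwardings are joined in by src."""
    sections = parse_uci(text)
    rows = []
    for kind, zone in sections:
        if kind != "zone":
            continue
        dests = [o.get("dest") for k, o in sections
                 if k == "forwarding" and o.get("src") == zone.get("name")]
        rows.append({"zone": zone.get("name"), "forward_to": dests,
                     "input": zone.get("input"), "output": zone.get("output"),
                     "masq": zone.get("masq", "0") == "1"})
    return rows

if __name__ == "__main__":
    for row in zone_rows(SAMPLE):
        print(row)
```

The `masq` option sits in the `wan` zone section, not in the `lan` to `wan` forwarding section, which is why the checkbox appears on the WAN row.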

I have been familiar with masquerading for decades. My question was about the layout of the information. I am sorry if I did not make that clear.

1 Like

That was my own conclusion also. There is really nothing in the layout of the data on that page that indicates that the first item on each line is the index. It looks, rather, as if the first 2 items (the "from->to") would be the index, since the heading is re what to do with packets traveling from zone to zone, not just where they originate.

Maybe a dev will review this UI and make it clearer. Currently it is slightly confusing.

2 Likes

Forum monitoring is outside the scope of the developers.
If you believe this is an issue, you should report it properly:

1 Like

The relevant package is luci-app-firewall, and this is LuCI's issue tracker:

2 Likes
