Redirect external IP/Port to Internal IP/Port

Hi! I have only one subnet, 192.168.8.0/24, on OpenWrt 23.05.0 and want to redirect all traffic from source 192.168.8.167 that is supposed to go outside to 77.88.44.242 on port 3128 to my internal IP 192.168.8.203 on port 3128. But it does not work. Inspiration was from "Need help redirecting traffic to local network - #7 by himekifee", but when I try to change DNAT to SNAT, LuCI converts it to a NAT rule. It also does not work.
Is the only solution to make another subnet with a zone and make a NAT rule, or maybe I missed something? Thanks for any advice.

uci add firewall redirect 
uci set firewall.@redirect[-1].dest='wan'
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].name='Test'
uci set firewall.@redirect[-1].src='lan'
uci set firewall.@redirect[-1].src_ip='192.168.8.167'
uci set firewall.@redirect[-1].src_port='3128'
uci set firewall.@redirect[-1].src_dip='77.88.44.242'
uci set firewall.@redirect[-1].src_dport='3128'
uci set firewall.@redirect[-1].dest_ip='192.168.8.203'
uci set firewall.@redirect[-1].dest_port='3128'
uci set firewall.@redirect[-1].dest='lan'

Can you post the /etc/config/firewall segment pertaining to this forward? It forwards source port 3128; you likely mean source dport instead.

Yeah, I think option src_port '3128' is not necessary here, but here is the segment:

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Test'
        option src 'lan'
        option src_ip '192.168.8.167'
        option src_dip '77.88.44.242'
        option src_dport '3128'
        option dest_ip '192.168.8.203'
        option dest_port '3128'

Is your device assigned this IP on WAN?

Is this LAN redirect rule to access a service that has another port forward from WAN?

No, 77.88.44.242 is an external server somewhere else. OP wants to hijack traffic from device 192.168.8.167 to that server, and redirect it to the internal server 192.168.8.203.

"option dest" signals the original destination of the packets to be redirected; in your case, it should be WAN instead.

If I change option dest to wan:

config redirect
        option dest 'wan'
        option target 'DNAT'
        option name 'Test'
        option src 'lan'
        option src_ip '192.168.8.167'
        option src_dip '77.88.44.242'
        option src_dport '3128'
        option dest_ip '192.168.8.203'
        option dest_port '3128'

The connection to 77.88.44.242:3128 hangs.
And the network dump looks like this

In addition to the DNAT rule, you need a SNAT rule.
Assuming the router IP is 192.168.8.1:

config nat
        option name 'SNAT to Squid'
        option target 'SNAT'
        option src 'lan'
        option src_ip '192.168.8.167'
        option dest_ip '192.168.8.203'
        option dest_port '3128'
        option snat_ip '192.168.8.1'

Thanks to all for the advice!
The working config is:

config redirect
        option dest 'wan'
        option target 'DNAT'
        option name 'DNAT to Squid'
        option src 'lan'
        option reflection '0'
        option src_ip '192.168.8.167'
        option src_dip '77.88.44.242'
        option src_dport '3128'
        option dest_ip '192.168.8.203'
        option dest_port '3128'

config nat
        option name 'SNAT to Squid'
        option target 'SNAT'
        option src 'lan'
        option src_ip '192.168.8.167'
        option dest_ip '192.168.8.203'
        option dest_port '3128'
        option snat_ip '192.168.8.1'

option reflection '0' did the trick at least
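
Why the DNAT-only attempt hung and the added SNAT rule fixed it, as an added example that is not part of any post in this thread: with client and server on the same subnet, the server's reply reaches the client directly and never passes back through the router for reverse translation. The model is constructed; the client source port and the `simulate` helper are assumptions.

```python
# Added illustration; a constructed model, not OpenWrt or firewall4 code.
import ipaddress

LAN = ipaddress.ip_network("192.168.8.0/24")
ROUTER = "192.168.8.1"                    # snat_ip from the thread
CLIENT = ("192.168.8.167", 40000)         # source port 40000 is constructed
ORIG_DST = ("77.88.44.242", 3128)         # src_dip / src_dport
SQUID = ("192.168.8.203", 3128)           # dest_ip / dest_port


def on_lan(ip):
    return ipaddress.ip_address(ip) in LAN


def simulate(snat):
    """Follow one SYN and its reply.

    Returns (client_accepts_reply, reply_source_seen_by_client).
    """
    src, dst = CLIENT, ORIG_DST
    expected_peer = dst                   # the client's socket only knows this peer

    # 77.88.44.242 is off-subnet, so the SYN goes to the default gateway.
    if on_lan(dst[0]):
        raise ValueError("destination is on-link; the router would never see it")
    entry = {"orig": (src, dst)}
    dst = SQUID                           # DNAT: 'config redirect'
    if snat:
        src = (ROUTER, src[1])            # SNAT: 'config nat' with snat_ip
    entry["translated"] = (src, dst)

    # The server answers whatever source address it saw on the SYN.
    r_src, r_dst = dst, src
    via_router = r_dst[0] == ROUTER or not on_lan(r_dst[0])
    if via_router and (r_dst, r_src) == entry["translated"]:
        # Conntrack recognises the reply and undoes both translations.
        r_dst, r_src = entry["orig"]
    # Otherwise the reply is delivered on-link, straight to the client,
    # still carrying the server's own address as its source.
    return r_src == expected_peer, r_src


if __name__ == "__main__":
    for snat in (False, True):
        ok, seen = simulate(snat)
        print(f"snat={snat}: reply from {seen[0]}:{seen[1]} ->",
              "accepted" if ok else "no matching socket, connection hangs")
```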
