Hello!
I have the following setup:
              .-~~~-.
      .- ~ ~-(       )_ _                   ┌──────────────────────────┐
     /                     ~ -.       ┌─────► Wan IP:192.168.3.4(DMZ)  │
    |         Internet          \     │     ├──────────────────────────┤
     \                         .'     │     │   OpenWRT_main_router    │
       ~- . _____▲_______ . -~        │     ├──────────────────────────┤
                 │                    │     │  Int.IP:192.168.3.1/24   │
                 │                    │     └───────────▲──────────────┘
                 │                    │                 │
     ┌───────────▼──────────────┐     │ ┌────────────┐  │  ┌───────────┐
     │  Ext.IP:123.123.123.123  │     │ │192.168.1.10◄──┴──►192.168.1.2│
     ├──────────────────────────┤     │ ├────────────┤     ├───────────┤
     │        ISP router        │     │ │Phone       │     │Home server│
     ├──────────────────────────┤     │ └────────────┘     └───────────┘
     │  Int.IP:192.168.3.1/24   ◄─────┘
     └──────────────────────────┘
The 123.123.123.123 address is a placeholder for my real address.
I'd like to access my home server from my phone.
I have a domain at ex.amp.le, which from external DNS servers is pointing to 123.123.123.123, but ex.amp.le is served on OpenWRT_main_router's dnsmasq as 192.168.1.2. The same is also served from the home server's split DNS zones. The external zone (for every address but 192.168.1.1/24) is pointing ex.amp.le to 123.123.123.123. The internal zone (only for 192.168.1.1/24) is pointing ex.amp.le to 192.168.1.2.
My phone used to use either of the internal DNS servers (dnsmasq at 192.168.1.1 or bind at 192.168.1.2). But now it defaults to Google's 8.8.8.8, and ex.amp.le is pointed to the external, not the internal, IP.
I don't want to change the DNS setup, and since DNS setup on devices is unreliable, how can I route all traffic from lan (192.168.1.1/24) to 123.123.123.123 on OpenWRT, preferably through LuCI/uci?
My current attempt is compiled from previous posts on this forum:
config redirect
    option target 'DNAT'
    option src 'lan'
    option src_ip '192.168.1.1/24'
    option src_dip '123.123.123.123'
    option src_dport '0-65535'
    option dest_ip '192.168.1.2'
    option dest 'lan'
    option dest_port '0-65535'
    option reflection '0'

config nat
    option target 'SNAT'
    option src 'lan'
    option src_ip '192.168.1.1/24'
    option dest_ip '192.168.1.2'
    option snat_ip '192.168.1.1'
    list proto 'all'
It does not work:
$ curl -v 123.123.123.123
# hangs
$ traceroute 123.123.123.123
traceroute to 123.123.123.123 (123.123.123.123), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
$ ping 123.123.123.123
PING 123.123.123.123 (123.123.123.123) 56(84) bytes of data.
64 bytes from 123.123.123.123: icmp_seq=1 ttl=63 time=1.44 ms
64 bytes from 123.123.123.123: icmp_seq=2 ttl=63 time=1.36 ms
^C
--- 123.123.123.123 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.361/1.398/1.436/0.037 m
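
As an added illustration (not part of the original post, and not OpenWrt's own code), here is a small Python model of the address rewriting that the DNAT and SNAT sections above are meant to perform on a LAN client's request to the public address. It models only source and destination addresses, not ports, protocols or the firewall's actual rule matching; the `Packet` class and the function names are hypothetical.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

# Addresses taken from the post; 123.123.123.123 is the poster's placeholder.
LAN = ip_network("192.168.1.1/24", strict=False)
PUBLIC = ip_address("123.123.123.123")
SERVER = ip_address("192.168.1.2")
ROUTER = ip_address("192.168.1.1")
PHONE = ip_address("192.168.1.10")

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address

def router_forward(pkt, snat):
    """Rewrite a LAN packet aimed at the public IP; return (packet, conntrack)."""
    conn = {"orig": pkt}
    if pkt.src in LAN and pkt.dst == PUBLIC:
        pkt = replace(pkt, dst=SERVER)        # DNAT: public IP -> home server
        if snat:
            pkt = replace(pkt, src=ROUTER)    # SNAT: source -> router LAN IP
    return pkt, conn

def reply_as_seen_by_client(request, snat):
    """Return the reply packet that finally arrives at the client."""
    fwd, conn = router_forward(request, snat)
    reply = Packet(src=fwd.dst, dst=fwd.src)  # server answers whoever it saw
    if reply.dst == ROUTER:
        # The reply returns through the router, which reverses both rewrites
        # using the connection-tracking entry created for the request.
        orig = conn["orig"]
        reply = Packet(src=orig.dst, dst=orig.src)
    # Otherwise client and server share a subnet, so the server answers the
    # client directly and the router never gets to translate the reply.
    return reply

def client_accepts(request, reply):
    """A client only matches a reply coming from the address it contacted."""
    return reply.src == request.dst and reply.dst == request.src

if __name__ == "__main__":
    req = Packet(src=PHONE, dst=PUBLIC)
    for snat in (False, True):
        rep = reply_as_seen_by_client(req, snat)
        print(f"snat={snat}: reply {rep.src} -> {rep.dst}, "
              f"accepted={client_accepts(req, rep)}")
```

With DNAT alone the reply reaches the phone from 192.168.1.2 rather than from 123.123.123.123 and is not matched to the open connection, which is why both rewrites have to take effect for the same flow.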