Redirect global ip to local ip

Hi,
First, thanks for this project, I was able to install OpenWrt on my TPLink RE450 in minutes :slight_smile:
I am new to OpenWrt and have only a basic understanding of networking. It's not that I have no idea how things work, but there was never a need to dive too deep.
I am sorry if my question has already been asked several times or is dumb, but I was not able to find how to configure OpenWrt to redirect a global ip to a local one.

My problem is:
I have a couple of smart devices that communicate to a specific ip address (similar to 18.158.53.112), however I found that everyone out there is able to control these devices because the server is not really secured. So I want to forward the call to the server's ip address to a local one (eg 192.168.178.30) and run my own server on this device.

What I've tried:
Static IPv4 Route
Target: 18.158.53.112
IPv4 Gateway: 192.168.178.30

The original does not answer pings, so a simple test was to ping 18.158.53.112 but this still results in 100% package loss.

Is the Static IPv4 method correct?
Is it even possible to do so?
Are there alternative methods?

Thank you very much,
Andreas

If you use the static route then you have to configure 18.158.53.112/32 as an additional IP address on the server, since the packet will be forwarded without translating the destination address.

Another method is to use DNAT.

4 Likes

Wow, that was fast, thanks!
So I need to add 127.0.0.1 18.158.53.115/32 to the /etc/hosts of my server?

I've looked around regarding DNAT, I'd prefer to do it, as it seems to allow me not to have to configure the server's hosts file.
Is this the right command?:

iptables -t nat -A OUTPUT -p tcp -d 18.158.53.112 --dport 80 -j DNAT --to-destination 192.168.178.30

No, that line won't work. You can use /etc/hosts to associate a hostname with the additional IP address. But the address itself has to be added in the network configuration. How it's done depends on the operating system and the method that's used.

DNAT can be configured in uci. https://openwrt.org/docs/guide-user/firewall/firewall_configuration?#redirects

3 Likes

No, you'd need another interface, or an IP alias.

No, and better use UCI or LuCI for that.
A SNAT will be needed as well.
I think the easiest way to do it in one shot is to make a redirect from wan to that IP and enable nat loopback so that traffic from lan going to that IP will also be redirected to the lan host. It will also create the necessary SNAT.

3 Likes

Thank you,
on my Pi server I tried executing:
sudo ip addr add 18.158.53.115 dev wlan0
however, this does not seem to make a difference..

Could you please help and explain what to do exactly?
Most likely wrong, but this is what I've tried:

Firewall NAT Rule:
Protocol: Any
Outbound zone: Any zone
Source address: any
Destination address: 18.158.53.115
Action: SNAT
Rewrite IP address: 192.168.178.30

However, I'm sure I am missing one or another important thing and have no idea how to enable nat loopback :-/

It would be very nice if you could give me the steps.

mikma, thank you again, I missed your comment...
The server is a Pi3 and I used this command as an alternative:
sudo ip addr add 18.158.53.112 dev wlan0
With this line executed, ping gives me the expected result from the pi/server. And "ip addr" shows:

...
    inet 18.159.54.124/32 scope global wlan0
       valid_lft forever preferred_lft forever
...

However, all the other devices are still able to connect to the original server.

For the firewall I've added:


config redirect
	option	name		'DNAT WAN to LAN for thermostat'
	option	src		'wan'
	#option	src_dport	'19900'
	option	dest		'lan'
	option	dest_ip		'192.168.178.30'
	#option	dest_port	'22'
	option	proto		'tcp'
	option	target		'DNAT'

config redirect
	option	name		'SNAT thermostat'
	option	src		'dmz'
	option	src_ip		'192.168.178.30'
	option	src_dip		'18.158.53.112'
	option	dest		'wan'
	option	proto		'icmp'
	option	target		'SNAT'

Do you have an idea what's missing here?

It is not needed. Just make sure the RPi has a permanent IP in the lan.

Port Forward:
_General Settings_
Protocol: Any
Source zone: wan
Destination zone: lan
Internal IP address: IP_OF_RPi
_Advanced Settings_
External IP address: 18.159.54.124
Enable NAT Loopback: Check!

That should be all that you need.

1 Like

@trendy, thank you again - I have tested this but it seems not to work.
My setup:
Fiber Router

  • OpenWrt
    | - [ Pi, SmartDevice1, SmartDevice2, ... ]
  • PC
  • ...others

OpenWrt is configured as Wifi AccessPoint, the wan zone is marked red and shows (empty) on hover - could this be the problem?

As you can see below I also tried to add SNAT, but this seems not to help..

Configuration Details:

#etc/config/firewall
....
config redirect
	option dest 'lan'
	option target 'DNAT'
	option dest_ip '192.168.178.45'
	option src_dip '18.158.52.123'
	list proto 'all'
	option src 'wan'
	option name 'TestPortForward1'

config nat
	option target 'SNAT'
	option dest_ip '18.158.52.123'
	option snat_ip '192.168.178.45'
	option src '*'
	option name 'TestNat1'

config redirect
	option src 'lan'
	option dest 'lan'
	option target 'DNAT'
	option dest_ip '192.168.178.45'
	option src_dip '18.158.52.123'
	list proto 'all'
	option name 'TestPortForward2'

#etc/config/network
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.178.1'
	option ipaddr '192.168.178.123'

#etc/config/wireless
config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'VHT80'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option key 'XXXXXXXXXXX'
	option ssid 'Wohnzimmer'
	option encryption 'psk2'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/ahb/18100000.wmac'
	option htmode 'HT20'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option key 'XXXXXXXXXXXXXXXXXXX'
	option ssid 'Wohnzimmer'
	option encryption 'psk2'

#config/dhcp
config dhcp 'lan'
	option interface 'lan'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '1'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

You need to have OpenWrt as your router (in the position connected to your ISP directly on a network diagram) not just as an access point.

2 Likes
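
The symptom diagnosed above (redirects with src 'wan' on a device whose wan zone shows as empty because it only runs as an access point) can be checked straight from the config files. This is an added example, not part of any post in this thread; the function name check_redirects, its messages and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: flag DNAT redirects whose source zone has
# no interface behind it. Only a zone's 'network' entries are checked (assumption).
check_redirects() {   # usage: check_redirects FIREWALL_CONFIG NETWORK_CONFIG
    awk -v q="'" '
    function val(   s) {                 # value of an option/list line, unquoted
        s = $0; sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]+/, "", s)
        gsub("[" q "\"]", "", s); return s
    }
    FNR == 1 { file++ }                  # file 1 = network, file 2 = firewall
    $1 == "config" {
        sec = $2
        if (file == 1 && sec == "interface") { n = $3; gsub("[" q "\"]", "", n); iface[n] = 1 }
        if (file == 2 && sec == "zone") z++
        if (file == 2 && sec == "redirect") r++
        next
    }
    file != 2 || ($1 != "option" && $1 != "list") { next }   # also skips "#option"
    sec == "zone" && $2 == "name"    { zname[z] = val() }
    sec == "zone" && $2 == "network" { znet[z] = znet[z] " " val() }
    sec == "redirect"                { red[r, $2] = val() }
    END {
        for (i = 1; i <= z; i++) {       # a zone is backed if any network exists
            n = split(znet[i], nets, " ")
            for (j = 1; j <= n; j++) if (nets[j] in iface) backed[zname[i]] = 1
        }
        for (i = 1; i <= r; i++) {       # a missing target means DNAT
            if (red[i, "target"] != "" && red[i, "target"] != "DNAT") continue
            if (red[i, "src"] in backed) print "OK " red[i, "name"]
            else { print "DEAD " red[i, "name"] ": zone " red[i, "src"] " has no interface"; bad = 1 }
        }
        exit bad + 0
    }' "$2" "$1"
}
# Constructed sample input modelled on the configuration posted in the thread.
T=$(mktemp -d); trap 'rm -rf "$T"' EXIT
printf "config interface 'lan'\n" > "$T/net_ap"
printf "config interface 'lan'\nconfig interface 'wan'\n" > "$T/net_router"
cat > "$T/fw" <<'EOF'
config zone
    option name 'wan'
    list network 'wan'
config redirect
    option name 'TestPortForward1'
    option src 'wan'
    option src_dip '18.158.52.123'
    option dest_ip '192.168.178.45'
EOF
check_redirects "$T/fw" "$T/net_ap" || echo "fix the zone/interface mapping first"
```

On the device itself the arguments would be /etc/config/firewall and /etc/config/network.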

Damn, this is not possible... For my ISP I need to have a DOCSIS 3.1 router, as far as I know there is no OpenWrt compatible one available...
Isn't there another option to "fake" a global IP?

Just put your own router behind the docsis one. Also maybe there is a bridge mode for your modem.

1 Like

If there is no bridge mode in your modem, there is poor man's bridge.

2 Likes

Thank you all! @trendy's configuration works perfectly after I added an additional VLAN interface and configured wan. :smiley:
Local DNS is not working for devices on the first router but I will investigate this later.
Thanks for your patience with me!
