Redirecting all Traffic Destined to WAN Interface IP to LAN IP

WAN IP on OpenWrt is DHCP.
Currently it's 192.168.1.9.

I configured NAT to forward anything coming into the OpenWrt box to 10.1.1.2

I couldn't get any traffic to reach 10.1.1.2 on the LAN side. I decided to sniff traffic on the OpenWrt box and I see immediate RSTs with no NAT attempts.

root@OpenWrt:~# tcpdump -nnn -i any port 3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
18:28:07.197706 IP 192.168.1.20.56134 > 192.168.1.9.3389: Flags [S], seq 1573100929, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:28:07.197795 IP 192.168.1.9.3389 > 192.168.1.20.56134: Flags [R.], seq 0, ack 1573100930, win 0, length 0
18:28:07.705977 IP 192.168.1.20.56134 > 192.168.1.9.3389: Flags [S], seq 1573100929, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:28:07.706031 IP 192.168.1.9.3389 > 192.168.1.20.56134: Flags [R.], seq 0, ack 1, win 0, length 0
18:28:08.211650 IP 192.168.1.20.56134 > 192.168.1.9.3389: Flags [S], seq 1573100929, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:28:08.211699 IP 192.168.1.9.3389 > 192.168.1.20.56134: Flags [R.], seq 0, ack 1, win 0, length 0
18:28:08.715280 IP 192.168.1.20.56134 > 192.168.1.9.3389: Flags [S], seq 1573100929, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
18:28:08.715336 IP 192.168.1.9.3389 > 192.168.1.20.56134: Flags [R.], seq 0, ack 1, win 0, length 0

I figured I'd just cheat and do it via iptables from CLI by doing the following, which didn't work.

iptables -I FORWARD -d 10.1.1.2 -j ACCEPT

If the WAN IP was a static IP, I would try setting up a PREROUTING and POSTROUTING rule but that won't work if the WAN IP renews.

I can't see anything on the OpenWrt box that is set to block, reset, or drop the traffic instead of NATing it.

In the end I need something like a 1:1 NAT where all traffic that hits the WAN interface gets redirected to a single IP on the LAN side... without knowing what the WAN IP would be at any given time.

Any tips/suggestions would be greatly appreciated.

Try using port forwards instead. NAT rules are used to rewrite the source address, not the destination address.
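What "port forwards" looks like in OpenWrt for the case in the question, as an added example rather than anything posted in the thread: a firewall redirect section that DNATs TCP/3389 from the WAN zone to 10.1.1.2. The zone names wan and lan are the OpenWrt defaults and are assumed here; because no src_dip is set, the rule matches whatever address the wan interface currently holds, so a DHCP renewal does not break it, and the destination rewrite happens before routing, which the FORWARD ACCEPT rule tried above cannot do.

```uci
# Added example, not from the thread: section for /etc/config/firewall
# Forwards TCP/3389 arriving on any current WAN address to the LAN host 10.1.1.2.
# No src_dip option: match the wan zone, not a fixed IP, so it survives DHCP lease changes.
config redirect
	option name 'rdp-to-10.1.1.2'
	option src 'wan'
	option src_dport '3389'
	option proto 'tcp'
	option dest 'lan'
	option dest_ip '10.1.1.2'
	option dest_port '3389'
	option target 'DNAT'
```

Dropping src_dport and proto turns this into the all-ports forward the question asks for, but that also captures traffic meant for the router's own WAN-side services, so forwarding only the ports the host actually needs is the safer form. After editing the file, apply it with `/etc/init.d/firewall reload`.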


Thanks, noob mistake.
