No matter what I try, I can't get LuCI to generate a rule similar to what Gemini came up with:
nft add chain inet fw4 temp_output_dnat '{ type nat hook output priority dstnat; policy accept; }'
nft add rule inet fw4 temp_output_dnat ip daddr 66.23.x.y tcp dport 443 dnat ip to 10.10.2.200:443
nft add rule inet fw4 temp_output_dnat ip daddr 66.23.x.y udp dport 443 dnat ip to 10.10.2.200:443
All it wants to do on the output chain is:
chain srcnat_wan {
ip saddr 66.23.x.z/28 ip daddr 10.10.2.200 tcp dport 443 snat ip to 66.23.x.y comment "!fw4: proxy-443 (reflection)"
ip saddr 66.23.x.z/28 ip daddr 10.10.2.200 udp dport 443 snat ip to 66.23.x.y comment "!fw4: proxy-443 (reflection)"
meta l4proto icmp ip saddr 66.23.x.z/28 ip daddr 10.10.2.200 snat ip to 66.23.x.y comment "!fw4: proxy-443 (reflection)"
meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
}
So essentially the rule needs to match the destination address of the local WAN IP.
The working rule exists as such:
chain temp_output_dnat {
type nat hook output priority dstnat; policy accept;
ip daddr 66.23.x.y tcp dport 443 dnat ip to 10.10.2.200:443
ip daddr 66.23.x.y udp dport 443 dnat ip to 10.10.2.200:443
}
How would I make this sort of rule in LuCI?
Config is:
config redirect
option dest 'lan'
option target 'DNAT'
option name 'proxy-443'
option src 'wan'
option src_dport '443'
option dest_ip '10.10.2.200'
option dest_port '443'
list proto 'tcp'
list proto 'udp'
list proto 'icmp'
option src_dip '66.23.x.y'
option reflection_src 'external'
list reflection_zone 'lan'
list reflection_zone 'wan'
These look like what you want. I don’t know that it makes sense to include wan in the reflection zones.
They do, but don't work, because the source isn't lan, or wan, or any zone; it's the device itself. There's no option specifically for 'anything' or 'device' as a potential checkbox source (i.e., not a single dropdown option).
The rule Gemini gave that worked hooks output, not prerouting like the dstnat chains do. I.e., the source being OpenWrt itself, not a device it is routing.
I'm not sure how to set up such a rule that hooks output in LuCI or the uci config files.
At first I speculated it may have needed to be in srcnat_wan instead, and that the daddr should have been the WAN IP: source WAN subnet, dest WAN IP. But as it is, the dest is the LAN IP instead. But then thinking further and reading what those actually hook (postrouting), it may be the wrong place. Especially when the working rule hooks 'output'.
Make a Proxmox LXC container for Headscale accessible from a public IP.
Be a client in the tailnet (*headnet?), which requires authentication via a URL https://example.com:443.
Proxmox server by its lonesome on a /30; OpenWrt routing an external IP in a dedicated /28 to be port forwarded to internal containers, via Nginx Proxy Manager Plus.
So I need to, from the OpenWrt router, access https://external.ip:443 and have packets go to 10.10.2.200:443.
You generally use lo for this
That doesn't really make sense to me. lo is (or logically should be; if it instead means "device" in this scenario that'd be annoying) 127.0.0.1 and not the source address when Linux talks to a local IP on an interface.
I've never seen Linux use 127.0.0.1 as a source address to an address on another interface: it's always the interface IP to the same interface. To wit, nc to my own laptop from my laptop to its interface IP: nc 192.168.0.12 22
tcp 0 0 192.168.0.12:44358 192.168.0.12:22 ESTABLISHED 1000 150360686 2429805/nc
Split-horizon DNS, where the URL would resolve internally to 10.10.2.200, wouldn't be ideal, since I really want to be able to have different ports forward to different places, not just to NPMPlus.
I've seen certain parts of the LuCI UI that will allow "device" as an option. But not a port forward.