Routing without NAT through the router gateway

I have three public IP addresses from my ISP. One of them is assigned to the router (12.34.56.211), the other two are for my home server (12.34.56.217) and desktop PC (12.34.56.218).

I want these IP addresses to be assigned to these devices directly without any NAT rules.

I have a problem: if clients use the router’s public IP address (12.34.56.211) as a gateway, then they will access the Internet using the router’s IP address, but I need them to use their own IP address. Changing the gateway from the router's IP to the provider's IP (12.34.56.209) solves this problem, but creates a new one: my router is configured with PBR for VPN (outgoing requests to some servers go through the VPN), and if I use the provider's gateway, the traffic bypasses my router, so PBR is ignored.

Is there any solution without using NAT and other firewall settings?

Interface options:

config device
    option name 'br-wan'
    option type 'bridge'
    list ports 'wan'
    list ports 'lan1'
    list ports 'lan2'

config interface 'wan'
    option device 'br-wan'
    option proto 'static'
    option ipaddr '12.34.56.211/28'
    option gateway '12.34.56.209'
    list dns '1.1.1.1'
    list dns '8.8.8.8'

Disable masquerade on the firewall. See https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_nat#masquerade as a reference


Problem solved.

I found out that in /etc/config/firewall there was a masq '1' on the WAN interface, which caused the router to change the source IP address. I made masquerading apply only to LAN sources, and then WAN clients started accessing the Internet using their IP address.

Current firewall settings of WAN:

config zone
    option name 'wan'
    list network 'wan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option mtu_fix '1'
    option masq '1'
    list masq_src '!wan'

Well that's a horrendously bad idea.

And that's not much better.

Why do you think so?

Because you've essentially disabled the firewall. There's a reason those options are defaulted to Reject, rather than Accept.
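An added example (not code from the thread) that parses a zone block like the one posted above and reports the policies krazeh is pointing at: it treats REJECT as the OpenWrt default for input and forward and flags any wan zone that sets them to ACCEPT, and notes how masq_src narrows masquerading. The parser is a minimal one for single-quoted UCI values; the config text is a constructed sample copied from the wan zone in this thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a 'defaults' section (ignored by the parser) and
# the wan zone as posted in this thread.
SAMPLE_FIREWALL = """config defaults
    option input 'REJECT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option mtu_fix '1'
    option masq '1'
    list masq_src '!wan'
"""

def parse_zones(text: str) -> List[Dict[str, List[str]]]:
    """Minimal UCI parser: one dict per 'config zone' section, every value kept as a list."""
    zones, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            parts = line.split()
            current = {} if len(parts) > 1 and parts[1] == "zone" else None
            if current is not None:
                zones.append(current)
        elif current is not None:
            m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'", line)
            if m:
                current.setdefault(m.group(2), []).append(m.group(3))
    return zones

def audit_firewall(text: str) -> List[Tuple[str, str]]:
    """(severity, message) findings for the zone named 'wan': 'high' when
    a policy is weaker than OpenWrt's REJECT default, 'info' for NAT."""
    findings = []
    for zone in parse_zones(text):
        if zone.get("name", [""])[0] != "wan":
            continue
        for policy in ("input", "forward"):
            if zone.get(policy, ["REJECT"])[0].upper() == "ACCEPT":
                findings.append(("high", f"{policy} is ACCEPT (default REJECT)"))
        if zone.get("masq", ["0"])[0] == "1":
            src = zone.get("masq_src", [])
            note = f"masquerade limited to sources {src}" if src else "masquerade rewrites every source"
            findings.append(("info", note))
    return findings
```

Run against the sample it reports two high findings (input and forward) and one informational line showing that masquerading applies to every source except the wan subnet.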

I agree with @krazeh: you are exposing your LAN, so that could be dangerous.

I propose a different direction to solve this: one-to-one NAT.

One-to-one NAT (aka Static NAT) is a way to make systems behind a firewall and configured with private IP addresses appear to have public IP addresses.

Not sure how to do that with OpenWrt, but basically you add all public IP addresses to the WAN interface, then DNAT a specific public IP address to the server in the LAN, SNAT traffic coming from the LAN server back to that specific public IP, and allow FORWARD traffic to that LAN server.

Edit: found some solutions, but there are more:

In the current configuration, wan is a bridge, so the servers are directly on the Internet with no participation from OpenWrt at all. This is a workable configuration but of course there is no firewalling possible other than what the servers themselves implement.

Another approach is to set up a "DMZ" network and route the two extra public IPs from wan to DMZ. The servers would be physically connected to DMZ and hold public IPs directly, but since OpenWrt is actively forwarding their traffic, the OpenWrt firewall can be used to help protect them.

The OpenWrt WAN network would be the third public IP as a /32 to support conventional NAT'd lan->wan Internet usage. The NAT still needs to be made conditional so it does not affect DMZ.

I'm thinking of setting up REJECT forwarding for WAN -> LAN, but if I want to avoid NAT, the right solution would be to connect to the LAN through a separate physical port so that I can access the LAN and WAN from my PC. But there is only one port on the PC, so what solution can you recommend?
