SNAT and DNAT at the same time

My network design consists of 2 subnets:

  1. A subnet for Wi-Fi stations: 10.17.144.0/23
  2. A subnet for network device management: 172.29.49.64/26

My hardware includes both OpenWrt devices and some TP-Link devices which are not supported, so I have no choice but to use the stock firmware. The stock firmware has an Access Point mode, which basically bridges the WAN port to the 4 LAN ports, along with the Wi-Fi. It allows the IP address of the bridge to be set, but not the gateway.

As a result, the TP-Link access points cannot communicate outside of the subnet 10.17.144.0/23, while I want to connect to them from outside.

My computer can connect to the gateway, and the gateway can connect to the Wi-Fi subnet. My idea is to do both DNAT and SNAT:

  • DNAT: I can use an IP address inside the network device management subnet such as 172.29.49.68 from my computer to send packets to the TP-Link access point. That address will be translated to 10.17.144.4 by the gateway.
  • SNAT: the IP address of my computer will be masqueraded by the gateway to one of those inside the Wi-Fi subnet, for the TP-Link access points to be able to send packets back.

config zone 'public'
	option name 'public'
	list network 'public'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# source NAT
	option masq '1'

config redirect
	option name 'dnat to tp-link access point'
	option target 'DNAT'
	list proto 'all'
	option src 'vpn'
	option src_dip '172.29.49.68'
	option dest 'public'
	option dest_ip '10.17.144.4'
	option enabled '1'

When I try to connect to http://172.29.49.68 from my computer, which is outside of the Wi-Fi subnet, it works perfectly. However, I do not want to masquerade all traffic to the public zone -- only the traffic to the TP-Link access points, where I have to.

So I delete the option masq '1' and add another SNAT redirect:

config redirect
	option name 'snat to tp-link access point'
	option target 'SNAT'
	list proto 'all'
	option src 'vpn'
	option src_dip '172.29.49.68'
	option dest 'public'
	option dest_ip '10.17.144.4'
	option enabled '1'

It does not work. Why, and how can I correct it? I guess only one of the config redirect sections takes effect, and the other is skipped.

The SNAT redirect is not correct.
Leave masquerading enabled on the public zone and configure it to be used only when the destination is the TP-Link.
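As an added worked example, not the configuration of either poster, this is the /etc/config/firewall fragment that implements the answer above: masquerading stays enabled on the public zone but is narrowed with masq_dest to the access point's address, and the DNAT redirect from the question is kept unchanged. The addresses and the 'vpn' zone name are taken from the question; everything else is assumed. For reference, in an OpenWrt redirect section with target SNAT, src_dip is the address the source is rewritten to, so the posted SNAT section would have rewritten the source to 172.29.49.68, an address the access point has no route back to. Keeping the zone's own masquerade and restricting it avoids that problem.

```uci
# Zone for the Wi-Fi subnet 10.17.144.0/23 (values from the question).
config zone 'public'
	option name 'public'
	list network 'public'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# Keep masquerading on, but apply it only to traffic whose destination
	# is the TP-Link access point; other traffic leaving this zone is not
	# source-NATed. A second access point would get a second masq_dest line.
	option masq '1'
	list masq_dest '10.17.144.4/32'

# Unchanged DNAT redirect: the management address 172.29.49.68, reached
# from the 'vpn' zone, is translated to the access point at 10.17.144.4.
config redirect
	option name 'dnat to tp-link access point'
	option target 'DNAT'
	list proto 'all'
	option src 'vpn'
	option src_dip '172.29.49.68'
	option dest 'public'
	option dest_ip '10.17.144.4'
	option enabled '1'
```

After editing the file, apply it with `/etc/init.d/firewall restart` (or `fw4 reload` on recent releases) and confirm that only connections to 10.17.144.4 appear with a translated source, for example by checking the NAT table or the conntrack entries on the gateway. If the management hosts should be the only ones allowed to reach the access point with a masqueraded source, masq_src can be added alongside masq_dest to limit the source side as well.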
