Dear OpenWRT users,
I have a fairly simple scenario here:
- An OpenWRT firewall with a LAN and WAN interface
- I have multiple IPs from my ISP, so I want to use one for the firewall itself and another for my mailserver, which is in my LAN
The idea is to assign both IP addresses to the WAN interface of the OpenWRT device and then use DNAT/SNAT to forward traffic arriving at the mailserver's public IP to the mailserver in my LAN
Moreover, only specific ports (e.g. 25, 80, 443, 143...) should be forwarded to my mailserver.
To do so, I created a second WAN network interface like the following:
# Second public address on the same /29 as 'wan', bound to the same device (eth1).
# No gateway is set here; the default route comes from the 'wan' interface.
config interface 'wan1'
option proto 'static'
option ipaddr '195.34.137.131'
option netmask '255.255.255.248'
option ifname 'eth1'
In my firewall I created DNAT/SNAT rules and a wan1 zone, plus an access rule for port 25 (which is currently disabled), like so:
# Source NAT for the mailserver's outbound traffic: rewrite 192.168.8.149 -> 195.34.137.131.
# Attached to the 'wan1' zone. Zones 'wan1' and 'wan' both resolve to eth1, and 'wan'
# has masq '1', so the 'wan' masquerade presumably rewrites the source to .130 before
# this rule is reached (which matches the report that SNAT has no effect) -- verify
# against the generated nat table (iptables-save -t nat).
config nat
option name 'snat1'
option src_ip '192.168.8.149'
option target 'SNAT'
option snat_ip '195.34.137.131'
option src 'wan1'
list proto 'all'
# DNAT for the second public address. There is no src_dport and proto is 'all', so every
# port and protocol arriving at .131 is forwarded to the mailserver. fw3 accepts DNATed
# connections in the forward path on its own ("Accept port forwards"), so the disabled
# 'SMTP Mail' rule below cannot narrow this. To expose only the intended services, set
# 'option src_dport' (one redirect per port or port range) and a concrete proto.
config redirect
option src_dip '195.34.137.131'
option dest 'lan'
option dest_ip '192.168.8.149'
option target 'DNAT'
option name 'dnat-mailserver'
option src 'wan1'
list proto 'all'
# Explicit accept for SMTP to the mailserver; currently disabled (enabled '0').
# Note src is 'wan' here while the redirect above uses 'wan1', so even when enabled it
# would not be evaluated in the same zone as the redirect.
config rule
option target 'ACCEPT'
option name 'SMTP Mail'
option src 'wan'
option dest 'lan'
list dest_ip '192.168.8.149'
option dest_port '25'
list proto 'tcp'
option enabled '0'
# Zone for the second address. No masq here, so 'snat1' above is the only source rewrite
# in this zone; 'network wan1' resolves to eth1, the same device as zone 'wan'.
config zone
option name 'wan1'
option input 'REJECT'
option forward 'REJECT'
option network 'wan1'
option output 'ACCEPT'
# Allow LAN hosts to initiate connections out through the wan1 zone.
config forwarding
option src 'lan'
option dest 'wan1'
My problem is the following:
- The DNAT rule seems to work
- All traffic is forwarded to my mailserver, so there is no way to block traffic or permit only specific ports
- The SNAT rule does not seem to work at all
Do you have any idea how to correct this?
Here is the complete content of "network":
# Loopback interface (stock OpenWrt default).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# IPv6 ULA prefix; 'ip6assign 60' on lan presumably takes a /60 out of it.
config globals 'globals'
option ula_prefix 'fdf0:28e3:9cbd::/48'
# LAN bridge on eth0. The firewall itself is 192.168.8.200/24; the mailserver
# (192.168.8.149, see the firewall NAT rules) and the internal router 192.168.8.2 used by
# the static routes below are on this network.
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.8.200'
# Primary WAN on eth1: first public address (.130/29), default gateway and DNS.
# The '_orig_*' keys look like LuCI bookkeeping -- presumably ignored by netifd.
config interface 'wan'
option ifname 'eth1'
option _orig_ifname 'eth1'
option _orig_bridge 'false'
option proto 'static'
option netmask '255.255.255.248'
option ipaddr '195.34.137.130'
option gateway '195.34.137.129'
option broadcast '195.34.137.135'
option dns '195.58.160.194 195.58.161.122'
# Static routes to internal/partner networks via the LAN-side router 192.168.8.2 (metric 2).
config route 'Gina'
option interface 'lan'
option target '10.209.0.0'
option netmask '255.255.0.0'
option gateway '192.168.8.2'
option metric '2'
config route 'mehrw_e_card_services'
option interface 'lan'
option target '172.16.0.0'
option netmask '255.240.0.0'
option gateway '192.168.8.2'
option metric '2'
config route 'extra_netz_1'
option interface 'lan'
option target '84.38.112.0'
option netmask '255.255.240.0'
option gateway '192.168.8.2'
option metric '2'
config route 'extra_netz_2'
option interface 'lan'
option target '193.46.140.0'
option netmask '255.255.255.0'
option gateway '192.168.8.2'
option metric '2'
config route 'extra_netz_3'
option interface 'lan'
option target '193.46.141.0'
option netmask '255.255.255.0'
option gateway '192.168.8.2'
option metric '2'
config route 'extra_netz_4'
option interface 'lan'
option target '193.46.142.0'
option netmask '255.255.255.0'
option gateway '192.168.8.2'
option metric '2'
config route 'extra_netz_5'
option interface 'lan'
option target '79.174.96.0'
option netmask '255.255.224.0'
option gateway '192.168.8.2'
option metric '2'
# WireGuard interfaces and peers (contents redacted by the author).
config interface 'wg0'
<hidden>
config wireguard_wg0
<hidden>
config interface 'wg1'
<hidden>
config wireguard_wg1
<hidden>
# Second public address on the same device (eth1) and the same /29 as 'wan'. No gateway
# here; the default route comes from 'wan'. The firewall binds zone 'wan1' to this
# interface, and fw3 matches zones by device, so traffic on eth1 is subject to both the
# 'wan' and 'wan1' zone chains -- keep this in mind when debugging the NAT rules.
config interface 'wan1'
option proto 'static'
option ipaddr '195.34.137.131'
option netmask '255.255.255.248'
option ifname 'eth1'
And here is the complete content of the firewall file:
# Global policy: accept INPUT/OUTPUT, reject FORWARD unless a zone or forwarding allows it.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# Trusted side: lan plus both WireGuard interfaces (wg0/wg1 are also listed in zone 'wg'
# below; a network in two zones is ambiguous -- check which zone's policy actually applies).
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan wg0 wg1'
# Primary WAN zone on eth1. masq '1' rewrites the source of everything leaving through
# this zone to the device address (.130). Zone 'wan1' below is on the same device, so
# this presumably also catches the mailserver's outbound traffic before the 'snat1' rule
# in 'wan1' runs -- compare with the generated nat table (iptables-save -t nat).
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan'
# Stock OpenWrt input rules for the wan zone (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Stock IPsec pass-through rules (ESP and IKE/ISAKMP) from wan into the LAN.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Custom rules from /etc/firewall.user are not shown in this post; they may also touch
# the nat table and should be checked when debugging SNAT/DNAT.
config include
option path '/etc/firewall.user'
# WireGuard listeners, reachable from every zone ('*'), which includes wan1. Both rules
# carry the name 'Allow-Wireguard-Inbound-wg0'; the second one (port 51195) is presumably
# meant for wg1 and should be renamed accordingly.
config rule
option name 'Allow-Wireguard-Inbound-wg0'
option target 'ACCEPT'
option src '*'
option proto 'udp'
option dest_port '51194'
config rule
option name 'Allow-Wireguard-Inbound-wg0'
option target 'ACCEPT'
option src '*'
option proto 'udp'
option dest_port '51195'
# SSH to the firewall from the wan zone, limited to the listed source addresses (redacted).
config rule
option dest_port '22'
list proto 'tcp'
option name 'SSH'
option target 'ACCEPT'
option src 'wan'
list src_ip <hidden>
list src_ip <hidden>
# HTTP to the firewall from the listed source addresses (redacted); 'xxx' is not a
# descriptive name -- say what the rule is for.
config rule
option dest_port '80'
list proto 'tcp'
option name 'xxx'
option target 'ACCEPT'
option src 'wan'
list src_ip <hidden>
list src_ip <hidden>
# Separate zone for the WireGuard networks, fully open and masquerading.
config zone
option name 'wg'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'wg0 wg1'
option masq '1'
# Inter-zone forwarding policy.
config forwarding
option src 'lan'
option dest 'wan'
config forwarding
option src 'wg'
option dest 'wan'
config forwarding
option src 'wan'
option dest 'wg'
config forwarding
option src 'wg'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'wg'
# Source NAT for the mailserver's outbound traffic: rewrite 192.168.8.149 -> 195.34.137.131.
# Attached to the 'wan1' zone, which shares eth1 with zone 'wan'; the 'wan' masquerade
# presumably rewrites the source first (matches the report that SNAT has no effect).
config nat
option name 'snat1'
option src_ip '192.168.8.149'
option target 'SNAT'
option snat_ip '195.34.137.131'
option src 'wan1'
list proto 'all'
# DNAT for the second public address. There is no src_dport and proto is 'all', so every
# port and protocol arriving at .131 is forwarded to the mailserver. fw3 accepts DNATed
# connections in the forward path on its own ("Accept port forwards"), so the disabled
# 'SMTP Mail' rule below cannot narrow this. To expose only the intended services, set
# 'option src_dport' (one redirect per port or port range) and a concrete proto.
config redirect
option src_dip '195.34.137.131'
option dest 'lan'
option dest_ip '192.168.8.149'
option target 'DNAT'
option name 'dnat-mailserver'
option src 'wan1'
list proto 'all'
# Explicit accept for SMTP to the mailserver; currently disabled (enabled '0').
# Note src is 'wan' here while the redirect above uses 'wan1'.
config rule
option target 'ACCEPT'
option name 'SMTP Mail'
option src 'wan'
option dest 'lan'
list dest_ip '192.168.8.149'
option dest_port '25'
list proto 'tcp'
option enabled '0'
# Zone for the second address. No masq here, so 'snat1' above is the only source rewrite
# in this zone; 'network wan1' resolves to eth1, the same device as zone 'wan'.
config zone
option name 'wan1'
option input 'REJECT'
option forward 'REJECT'
option network 'wan1'
option output 'ACCEPT'
# Allow LAN hosts to initiate connections out through the wan1 zone.
config forwarding
option src 'lan'
option dest 'wan1'
Any help is appreciated!
Best Regards,
Hermann