Using OpenWrt as a DMZ host?

marcjero · August 9, 2021, 10:41am

HI,

I would like to keep my ISP router and forward all the incoming requests to a DMZ host that could be an Openwrt machine.
I know it's possible to cascade NAT but I don't want to do that. The DMZ host will have a single lan interface and will just forward requests to servers in the same network.

The ISP router will be used directly for the outgoing traffic. I will keep tusing he WIFI AP of the ISP router as well.

The DMZ host will offer firewalling, VPN, port forwarding, DNS, DDNS and maybe DHCP services.

My question is : how can I manage firewall and forwarding rules in OpenWRT using a single LAN interface ? Basically is it possible to define the WAN zone using the local IP or MAC address of the ISP router ?

Thank you for your help.

vgaetera · August 9, 2021, 12:06pm

Simply create a DNAT redirect omitting the destination zone:
https://openwrt.org/docs/guide-user/firewall/firewall_configuration#destination_nat

marcjero · August 9, 2021, 4:05pm

Hi vgaetera,

in this case I think that all traffic coming to Openwrt will be forwarded right ? (whatever the client is on the local network or on the Internet)

Maybe it's possible to define wan and lan zones using source IP networks. In this case it would be possible to define the wan as the zone where source IP is not a private IP. And the lan would be defined as a zone where source IP is from 192.168.0.0/16 for instance.

Of course I will have to disable NAT.

Thank you for your idea.

vgaetera · August 9, 2021, 5:21pm

Add the option src_ip and specify your subnet like !192.168.1.0/24 to invert the match.

marcjero · August 9, 2021, 9:34pm

Fantastic. I will try this. Thanks