Vlans and port forwarding

hey guy,
so here is my setup, i have two vlans 127, 100 and i set a port forwarding from the wan to web-server on vlan 127.
all works as expected until im trying to reach the web server using the public ip from the 100 vlan pc. if i disconnect from wifi on my phone and use the mobile data i can reach the web-server without a problem .
can someone please try to help me
ill provide any information needed.


Does your firewall allow traffic from that network to the VLAN containing the server?

Yes, when im using the private ip of the webserver ( from my pc ( i get a response.

Huh...then what's the issue?

Are you trying to redirect to the Public IP instead???

  • You'll need to setup a firewall redirect if you prefer to use the Public IP; or
  • Setup a DNS record using the Private IP (most folks in the forum suggest this method, as no CPUs to firewall local traffic)

im able to reach the web server using the public ip (using port forwarding) when im on my cellphone's data plan also when im on the same vlan as the webserver.
but when im trying to get to the web server using the public ip from the other vlan i wouldn't get to the web server.
i just moved from mikrotik to openwrt. i had the same issue and i solved it on the mikrotik. using masquerade. but it didnt work for me here. maybe because i didnt configure it properly

I understand everything you just stated. Of course the access works from the same VLAN, as they are in the same firewall zone. Masquerade won't work (or rather I haven't tried). Anyways, WAN already knows the IP in the LAN, no NAT is needed. This is how I redirect from LAN to a server in another VLAN:

config redirect                       
        option target 'DNAT'                                 
        option src 'wan'                                     
        option proto 'tcp'            
        option src_dport '80'         
        option dest_port '80'         
        option src_ip ''
        option dest 'lan'                                
        option dest_ip '192.168.y.xxx' 
        option name 'REDIRECT_HTTP_LAN'

Yes, the destination is LAN, this is not an error. It causes the destination IP to change and forwarding under your zone's firewall rule to occur.

1 Like

@lleachii thank you so much . all working great now. have a great day.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.