WAN Interface alias and NAT/DNAT/DMZ/VLANs

Hi everyone,

I’m trying to set up a somewhat non-standard home network configuration that will allow me to separate traffic between different network segments: home, lab, and the internet. Since I have multiple public IP addresses, I want to use them to create DMZ, LAB, and define zones that will utilize different public IPs.

Here’s an image to illustrate my setup: https://excalidraw.com/#json=Ncn8ZoimhTuHPQzUUmAbK,v4ZtbVjWUm0w2Vwus8eWhw

I know how to configure something like this on a regular Linux system or Cisco devices, but I’m not sure if it’s possible to achieve the same setup using OpenWRT.

I have a standard WiFi router running OpenWRT (24.10) with:

• 1 WAN port

• 4 LAN ports (VLAN enabled)

However, I’m struggling to properly configure multiple public (WAN) IP aliases and NAT rules on the WAN interface so that outbound traffic from different LAN ports (or VLANs, or CIDR subnets) gets NATed using specific public IPs.

Additionally, I’m not sure how to ensure that incoming traffic to a specific public IP gets DNATed to the corresponding internal server on the LAN side.

A lot of questions, but not many answers! 🙂

Has anyone in the group worked on more advanced OpenWRT setups and could provide some guidance?

Thanks in advance!

opkg update; opkg install kmod-macvlan

# /etc/config/network

config interface 'wan'
        option proto 'dhcp'
        option device 'wan'

# macvlan device stacked on the physical WAN port: a second MAC/IP on the same link
config device
        option name 'vwan1'
        option type 'macvlan'
        option ifname 'wan'

config interface 'vwan1'
        option proto 'static'
        option device 'vwan1'
        option ipaddr '1.2.3.4'
        option netmask '...'
        option metric '10'

# /etc/config/firewall

# outbound: everything from 192.168.20.0/24 leaves via the alias 1.2.3.4
config nat
        option name 'SNAT_VLAN_200'
        option target 'SNAT'
        option src 'wan'
        list proto 'all'
        option src_ip '192.168.20.0/24'
        option snat_ip '1.2.3.4'

# /etc/config/firewall

# inbound: TCP/80 arriving on the alias 1.2.3.4 is forwarded to the internal server
config redirect
        option name 'HTTP_to_VLAN200'
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option src_dip '1.2.3.4'
        option dest_ip '192.168.20.101'
        list proto 'tcp'
        option dest_port '80'

If you feel bored, you can complicate things further by creating multiple firewall zones.
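As an added check that is not part of the thread and not OpenWrt's own tooling, the following Python script parses UCI text of the kind shown in the reply above and cross-checks the network and firewall parts: every SNAT `snat_ip` and every DNAT `src_dip` must be an address actually configured on a macvlan alias of `wan` (otherwise replies to that address never reach the router), each DNAT should be pinned to one public IP and a port, and each forwarded host should also have an SNAT rule so its own outbound connections leave from the same public address. The sample inputs are constructed for the example (the netmask is a placeholder standing in for the `...` above), and the second firewall file is deliberately flawed to show what the checks report.

```python
import ipaddress
import shlex

# Constructed sample inputs (not copied from any router); they mirror the
# layout in the reply above, with a placeholder netmask instead of '...'.
NETWORK_UCI = """
config interface 'wan'
        option proto 'dhcp'
        option device 'wan'

config device
        option name 'vwan1'
        option type 'macvlan'
        option ifname 'wan'

config interface 'vwan1'
        option proto 'static'
        option device 'vwan1'
        option ipaddr '1.2.3.4'
        option netmask '255.255.255.248'
        option metric '10'
"""

FIREWALL_UCI = """
config nat
        option name 'SNAT_VLAN_200'
        option target 'SNAT'
        option src 'wan'
        list proto 'all'
        option src_ip '192.168.20.0/24'
        option snat_ip '1.2.3.4'

config redirect
        option name 'HTTP_to_VLAN200'
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option src_dip '1.2.3.4'
        option dest_ip '192.168.20.101'
        list proto 'tcp'
        option dest_port '80'
"""

# Deliberately flawed (constructed): SNAT to an address no alias owns, and a
# redirect that matches every public IP and every port.
FIREWALL_UCI_BAD = """
config nat
        option name 'SNAT_VLAN_300'
        option target 'SNAT'
        option src 'wan'
        list proto 'all'
        option src_ip '192.168.30.0/24'
        option snat_ip '5.6.7.8'

config redirect
        option name 'ALL_to_VLAN300'
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option dest_ip '192.168.30.50'
        list proto 'all'
"""


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'options'}]; 'list' keys become lists."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = shlex.split(line)          # honours the single quotes
        if parts[0] == 'config':
            current = {'type': parts[1], 'name': parts[2] if len(parts) > 2 else None, 'options': {}}
            sections.append(current)
        elif current is not None and parts[0] == 'option':
            current['options'][parts[1]] = parts[2]
        elif current is not None and parts[0] == 'list':
            current['options'].setdefault(parts[1], []).append(parts[2])
    return sections


def wan_alias_addresses(network_sections):
    """Static addresses bound to macvlan devices stacked on the physical 'wan'."""
    macvlans = {s['options'].get('name') for s in network_sections
                if s['type'] == 'device' and s['options'].get('type') == 'macvlan'
                and s['options'].get('ifname') == 'wan'}
    return {s['options']['ipaddr'] for s in network_sections
            if s['type'] == 'interface' and s['options'].get('proto') == 'static'
            and s['options'].get('device') in macvlans and 'ipaddr' in s['options']}


def check_nat_layout(network_text, firewall_text):
    """Return a list of findings; an empty list means the layout is consistent."""
    aliases = wan_alias_addresses(parse_uci(network_text))
    firewall = parse_uci(firewall_text)
    snat = [s['options'] for s in firewall if s['type'] == 'nat' and s['options'].get('target') == 'SNAT']
    findings = []
    for o in snat:
        label = o.get('name', 'nat')
        if o.get('snat_ip') not in aliases:
            findings.append(f"{label}: snat_ip {o.get('snat_ip')} is not a configured WAN alias")
        if 'src_ip' in o and not ipaddress.ip_network(o['src_ip'], strict=False).is_private:
            findings.append(f"{label}: src_ip {o['src_ip']} is not a private range")
    for s in firewall:
        o = s['options']
        if s['type'] != 'redirect' or o.get('target') != 'DNAT':
            continue
        label = o.get('name', 'redirect')
        if 'src_dip' not in o:
            findings.append(f"{label}: no src_dip, so it matches every public IP rather than one")
        elif o['src_dip'] not in aliases:
            findings.append(f"{label}: src_dip {o['src_dip']} is not a configured WAN alias")
        if 'src_dport' not in o and 'dest_port' not in o:
            findings.append(f"{label}: no port restriction, every port is forwarded to {o.get('dest_ip')}")
        dest = o.get('dest_ip')
        if dest and not any('src_ip' in r and r.get('snat_ip') == o.get('src_dip')
                            and ipaddress.ip_address(dest) in ipaddress.ip_network(r['src_ip'], strict=False)
                            for r in snat):
            findings.append(f"{label}: no SNAT maps {dest} out via {o.get('src_dip')}; "
                            "connections it initiates will leave from another address")
    return findings


if __name__ == '__main__':
    for name, fw in (('good', FIREWALL_UCI), ('bad', FIREWALL_UCI_BAD)):
        print(name, check_nat_layout(NETWORK_UCI, fw) or ['OK'])
```

Run it against the real files with `check_nat_layout(open('/etc/config/network').read(), open('/etc/config/firewall').read())`; the parser only understands the `config`/`option`/`list` forms, which is all these two files use.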