WAN to WAN port forwarding

Good evening,
I can't work out the answer to my problem. I am trying to do "port forwarding" from the WAN port to another device on the WAN network.

I have an OpenWrt router with WAN address 172.21.40.15, and my ISP has mapped my public IP address to this IP. I have a neighbor on the same network with a similar WAN address (172.21.40.18) who does not have a public IP address, and he wants to be accessible from the internet using my public IP address on some port range (let's say 2000-2100). I do not want to connect him to my LAN ports.
I am currently forwarding a couple of ports to my LAN devices with no problem. However, I am not able to configure port forwarding from WAN to WAN. I have tried this rule in /etc/config/firewall:

config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option name 'kas2000'
	option src_port '2000'
	option dest_ip '172.20.41.18'
	option dest_port '22'
	option src 'wan'
	option dest 'wan'

I have also tried option dest '*' instead of the last row.
I have also changed the settings of the wan zone so that it accepts forwarding, like this:

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option network 'wan wan6'

After those changes I performed a full reboot of the router.

I can access my neighbor's device directly from my OpenWrt router at address 172.20.41.18:22, but I cannot access the device from the outside internet using my public IP and port 2000.

I would be really grateful for any tips on where to start.
Thanks!

You need to create both DNAT and SNAT rules:
https://openwrt.org/docs/guide-user/firewall/firewall_configuration#redirects

3 Likes
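
Why the reply above asks for both DNAT and SNAT, shown as an added example that is not part of any post in this thread: a small packet-flow model of the WAN-to-WAN forward. The router and neighbor addresses are the ones used in the thread's config sections; the client address and source port are constructed, and the model assumes the neighbor's default gateway is the ISP rather than the OpenWrt router.

```python
from dataclasses import dataclass, replace

ROUTER = "172.20.41.15"    # router WAN address as written in the thread's config
NEIGHBOR = "172.20.41.18"  # neighbor's address from the thread's config
CLIENT = "203.0.113.7"     # constructed internet client (documentation range)

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

def router_forward(pkt, snat, conntrack):
    """DNAT port 2000 to neighbor:22, optionally SNAT to the router's address."""
    out = replace(pkt, dst=NEIGHBOR, dport=22)
    if snat:
        out = replace(out, src=ROUTER)
    # Connection tracking remembers which reply tuple maps back to the original.
    conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
    return out

def neighbor_reply(pkt):
    """The neighbor answers whatever source address it saw."""
    return Pkt(pkt.dst, pkt.dport, pkt.src, pkt.sport)

def deliver_reply(reply, conntrack):
    """Return the reply as the client finally sees it."""
    if reply.dst == ROUTER:
        # Reply comes back through the router: both translations are reversed.
        orig = conntrack[(reply.src, reply.sport, reply.dst, reply.dport)]
        return Pkt(orig.dst, orig.dport, orig.src, orig.sport)
    # Assumption: off-subnet replies leave via the ISP gateway, bypassing
    # the router, so nothing rewrites the source back to ROUTER:2000.
    return reply

def client_accepts(sent, seen):
    """A client only accepts a reply from the exact endpoint it contacted."""
    return (seen.src, seen.sport, seen.dst, seen.dport) == (
        sent.dst, sent.dport, sent.src, sent.sport)

def simulate(snat):
    # Modelled from the router's WAN interface onward; the ISP's mapping of
    # the public IP to the router's WAN address happens before this point.
    conntrack = {}
    sent = Pkt(CLIENT, 40000, ROUTER, 2000)
    fwd = router_forward(sent, snat, conntrack)
    seen = deliver_reply(neighbor_reply(fwd), conntrack)
    return fwd, seen, client_accepts(sent, seen)

if __name__ == "__main__":
    for snat in (False, True):
        print("SNAT" if snat else "DNAT only", simulate(snat))
```

With source NAT in place, the neighbor's service sees every connection as coming from the router's address, so its own logs and any per-source rate limiting no longer reflect the real client.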

I have removed my config rule and replaced it with those two sections:


config redirect
	option	name		'DNAT WAN to WAN for SSH'
	option	src		'wan'
	option	src_dport	'2000'
	option	dest		'wan'
	option	dest_ip		'172.20.41.18'
	option	dest_port	'22'
	option	proto		'tcp udp'
	option	target		'DNAT'

config redirect
	option	name		'SNAT WAN to WAN for SSH'
	option	src		'wan'
	option	src_ip		'172.20.41.18'
	option	src_dip		'172.20.41.15'
	option	dest		'wan'
	option	proto		'tcp udp'
	option	target		'SNAT'

but alas, no success. Maybe I have messed up src_ip and src_dip?

My bad!
Actually it works! Thank you vgaetera for such a fast reply!

1 Like

If it still doesn't work, you most likely need to replace src_ip with dest_port.
