WAN-WAN masquerading (transparent UDP relay)

Hi!

I’d like to set up my OpenWRT router to transparently relay UDP packets it receives from WAN on a specified port to a remote server (also on WAN, with a fixed UDP listening port), and similarly return the packets from that remote server’s replies back to the client who initiated the session.

So the flow should be something like this:

  • Client sends a UDP packet to the Router’s WAN IP address, port 12345
  • Router records the client’s public IP address and port, rewrites the source IP address in the packet to its own WAN IP address and sends it to the Server, port 23456
  • Server responds with a UDP packet to the Router’s WAN IP address, at the port number the Router used for sending the previous UDP packet in this session
  • Router recalls which Client IP and port last sent it those UDP packets which exited from this particular outbound port, rewrites the source IP address in the packet to its own WAN IP address and sends it to the respective Client

So the router should act pretty much like a NAT gateway with masquerading, but only for a single “upstream” server and port, and the clients behind this NAT should be identified not by the network interface where their traffic shows up but by the WAN UDP port number where they sent the packets.

What is the right way to configure that, if at all possible?

Set up a NAT rule, with 'src' and 'dest' both set to 'wan', 'src_dip' set to your router's WAN IP address, 'src_dport' set to the port your router listens on, 'dest_ip' set to the real target's IP address, 'dest_port' set to the target's listening port, and 'target' set to 'snat' or 'masquerade' (I forget which 'target' applies here).

2 Likes

Thanks a lot! I used 'masquerade' and also added a DNAT rule to forward traffic to the remote server, and then it worked!

Here's the config I ended up with:

config nat
        option name 'UDP forward'
        list proto 'udp'
        option src 'wan'
        option dest 'wan'
        option src_dport '55888'
        option dest_ip 'remote_server_ip'
        option dest_port '55888'
        option target 'MASQUERADE'

config redirect
        option dest 'wan'
        option target 'DNAT'
        option name 'UDP to upstream server'
        list proto 'udp'
        option src 'wan'
        option src_dport '55888'
        option dest_ip 'remote_server_ip'
        option dest_port '55888'

1 Like
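
The four-step flow from the question, modelled in user space as an added example (it is not part of the thread and not the firewall's own code): the DNAT and MASQUERADE rules make the kernel's connection tracking keep the same client-to-outbound-port mapping that this relay keeps in two dictionaries. The function names and the loopback addresses are assumptions, and expiry of idle mappings is left out.

```python
import select
import socket
import threading

def relay(listener, upstream, stop):
    """Forward datagrams arriving on listener to upstream; route replies back."""
    out_for = {}     # client (ip, port) -> outbound socket with its own source port
    client_of = {}   # outbound socket -> client (ip, port)
    while not stop.is_set():
        ready, _, _ = select.select([listener, *client_of], [], [], 0.1)
        for sock in ready:
            data, peer = sock.recvfrom(65535)
            if sock is listener:                 # steps 1-2: client -> server
                if peer not in out_for:
                    out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
                    out.bind((listener.getsockname()[0], 0))
                    out_for[peer], client_of[out] = out, peer
                out_for[peer].sendto(data, upstream)
            elif peer == upstream:               # steps 3-4: server -> client
                listener.sendto(data, client_of[sock])
            # datagrams from any other sender on an outbound port are dropped
    for sock in client_of:
        sock.close()

def demo():
    """Constructed loopback run: client -> relay -> echo server and back."""
    def udp():
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind(("127.0.0.1", 0))   # loopback stands in for the WAN addresses
        s.settimeout(2)
        return s
    server, listener, client = udp(), udp(), udp()
    stop = threading.Event()
    worker = threading.Thread(target=relay, args=(listener, server.getsockname(), stop))
    worker.start()
    try:
        client.sendto(b"ping", listener.getsockname())
        data, seen = server.recvfrom(65535)      # source is the relay, not the client
        server.sendto(data.upper(), seen)
        reply, reply_src = client.recvfrom(65535)
    finally:
        stop.set()
        worker.join()
    result = {"reply": reply, "server_saw": seen, "client": client.getsockname(),
              "reply_src": reply_src, "relay": listener.getsockname()}
    for s in (server, listener, client):
        s.close()
    return result

if __name__ == "__main__":
    print(demo())
```

The server only ever sees the relay's address, and the relay forwards for any sender that reaches the listening port, which is also true of the firewall rules above as posted.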
