What is Masquerading and do I need to use it in the LAN -> WAN Firewall config?


I'd like to know what Masquerading is and whether I need to use it in a default LAN -> WAN Firewall config!
Is there any kind of benefit from using it?


Masquerading is the technology that translates/masquerades your private LAN IPs to the one WAN IP address your router has and handles the return packets accordingly.
So yes, it is needed for the router to function correctly in a LAN -> WAN setup.


See https://en.wikipedia.org/wiki/Network_address_translation


But the OpenWrt default is no masquerading?

No...you have to masquerade or the Internet won't work, because private IP addresses aren't allowed on the Internet. That's why it's the out-of-box default for the firewall (all out allowed, masquerade out, nothing in except established/related).


No, that is not the default state. By default, OpenWrt has masquerading enabled for IPv4 on the WAN.


For VPN I suggest reject on input like a WAN :+1: :ok_hand: and it is good.

It is still unclear to me what use case would require masquerading for lan->wan... why the additional operation (consuming hardware resources) and possibly even softbricking the device when all features are working?

I'm not entirely sure what the confusion is here, but I'll try to summarize masquerading.

Every device needs an IP address in order to use the network/internet. Typically, ISP's only offer a single IPv4 address to each subscriber (in the case of most home and small business accounts). In order for multiple devices to share that single external IP address, NAT masquerading is used. This allows the formation of an internal/private network which then shares an external IP for internet connectivity.

You can think about it as an apartment building or a building with multiple businesses. That structure has a single street address (i.e. external IP address). Each apartment/business can have a 'private' address inside the building, but they all share a single address that is used when referencing the location within the city.

By default, masquerading is enabled because the vast majority of users will have a single IPv4 address on the WAN and will want to share that address with many devices inside their network.

EDIT: also worth noting -- most typical routers actually have hardware acceleration for the NAT masquerading functionality, so the 'resources' issue is often moot. But even when a device does not have the ability to use hardware offloading for NAT masquerading, it is required on most networks, so the user doesn't really have a choice if they want a functional network with multiple devices online (using IPv4).
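To make the mechanism in the two posts above concrete (one WAN IPv4 address shared by several LAN hosts, return packets mapped back, unsolicited inbound packets dropped because there is no established/related entry), here is an added Python model of masquerading. It is illustrative code written for this thread, not OpenWrt's firewall or netfilter; the addresses are constructed documentation ranges and the port allocation is a simplified sequential scheme.

```python
from dataclasses import dataclass

WAN_IP = "203.0.113.7"  # constructed public WAN address (RFC 5737 TEST-NET-3)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """Minimal model of IPv4 source NAT (masquerading) on a WAN zone.

    Outbound packets get the router's WAN IP and a router-chosen port;
    replies are matched against that table and rewritten back to the LAN host.
    Anything inbound with no matching table entry is dropped, which is the
    'nothing in except established/related' part of the default policy.
    """

    def __init__(self, wan_ip: str, first_port: int = 40000):
        self.wan_ip = wan_ip
        self.next_port = first_port  # simplified: hand out ports sequentially
        self.outbound = {}   # (lan_src, sport, dst, dport) -> wan_port
        self.inbound = {}    # (wan_port, peer_ip, peer_port) -> (lan_src, sport)

    def lan_to_wan(self, pkt: Packet) -> Packet:
        """Rewrite a LAN host's packet so it leaves with the WAN address."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound:           # new connection: allocate a mapping
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.wan_ip, self.outbound[key], pkt.dst, pkt.dport)

    def wan_to_lan(self, pkt: Packet):
        """Map a reply back to the LAN host, or return None to drop it."""
        entry = self.inbound.get((pkt.dport, pkt.src, pkt.sport))
        if entry is None:                      # no established/related state
            return None
        lan_src, sport = entry
        return Packet(pkt.src, pkt.sport, lan_src, sport)


if __name__ == "__main__":
    nat = Masquerader(WAN_IP)
    print(nat.lan_to_wan(Packet("192.168.1.20", 51000, "198.51.100.5", 443)))
    print(nat.wan_to_lan(Packet("198.51.100.5", 443, WAN_IP, 40000)))
    print(nat.wan_to_lan(Packet("198.51.100.9", 80, WAN_IP, 40000)))
```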


I think the masquerading you are talking about is on the wan zone. There is also a masquerading option on the lan zone and question is when is that needed?

Yes, I was responding to this:

Masquerading on the LAN would be unusual in most typical configurations. But, there is nothing magical about the LAN zone -- masquerading can be enabled on any zone. The LAN zone is just the one that is typically associated with an internal network, but it could be used/renamed for other purposes. In OpenWrt, all zones have the same options available, which is why LAN has the option to have masquerading enabled.


The option exists because LAN and WAN are just names, and OpenWrt allows you to configure your router in an infinite number of scenarios.


One possible use case for LAN masquerading would be handling a VPN tunnel without dealing with routing.

