I am trying to mark and SNAT packets based on the port that receives the packet with a specific source IP.
I have 3 physical ports configured as follows:
All ports bridged.
Bridge VLAN filtering enabled (port0 => VLAN1, port1 => VLAN2, port2 => VLAN3, all untagged).
VLAN interfaces are assigned separate firewall zones (VLAN1 => zone1, VLAN2 => zone2, VLAN3 => zone3). Forwarding is only allowed between zone2/3 and zone1. Forwarding is rejected between zone2 and zone3.
The goal is to send packets from physical ports 1 and 2 to port0 while separate devices connected to port1 and port2 use the same IP address. The source IP of these packets will then be set with different marks based on the firewall zone that receives them and then be SNATed based on the marks set.
The result observed was that the packets received from both devices end up being SNATed to the same IP. This seems to indicate that the packets from both devices somehow arrived on the same firewall zone, despite the bridge VLAN interfaces being assigned different firewall zones?
Communication between devices on the same subnet cannot be controlled by the firewall because that data is switched (L2) not routed (L3).
Let's take a look at your config so we can better understand your current state:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
```
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
```
Oh right, I totally forgot about that. And to think I just learnt that in a separate post.
I have removed the bridging and the ports are now separate interfaces with no VLANs. This still does not work. The result is the same as my previous attempt with bridged VLANs. Why?
I am not currently able to get the configuration. Will post that when I can.
```
config defaults
	option custom_chains '1'
	option synflood_protect '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# fw3 sources this file as a shell script; it is empty here
config include
	option path '/etc/firewall.user'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan'

# SNAT keyed on the fwmark set by the MARK rules below, not on a source zone
config nat
	option src '*'
	option src_ip '192.168.124.124'
	option target 'SNAT'
	option snat_ip '192.168.123.125'
	option mark '9991'
	list proto 'all'

config nat
	option src '*'
	option src_ip '192.168.124.124'
	option target 'SNAT'
	option snat_ip '192.168.123.126'
	option mark '9992'
	list proto 'all'

config zone
	option name 'lan1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan1'

config zone
	option name 'lan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan2'

# forwarding allowed only between lan and lan1/lan2, not between lan1 and lan2
config forwarding
	option src 'lan'
	option dest 'lan1'

config forwarding
	option src 'lan'
	option dest 'lan2'

config forwarding
	option src 'lan1'
	option dest 'lan'

config forwarding
	option src 'lan2'
	option dest 'lan'

# same source IP, different mark depending on the ingress zone
config rule
	option src 'lan1'
	list src_ip '192.168.124.124'
	option target 'MARK'
	option set_mark '9991'
	option dest '*'

config rule
	option src 'lan2'
	list src_ip '192.168.124.124'
	option target 'MARK'
	option set_mark '9992'
	option dest '*'
```
/etc/firewall.user is empty
One sender (192.168.124.124) is connected to "lan1" port and another (also 192.168.124.124) to "lan2" port and the receiver (192.168.123.124) is connected to "lan0" port.
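The "mark on ingress, SNAT on mark" pattern from the config above, written out as plain iptables rules so the chain ordering is visible. This is an added example, not code from the thread or from OpenWrt's fw3; it uses the IPs and marks from the posted config and assumes that `lan1` and `lan2` are also the Linux interface names behind the zones of the same name. By default it only prints the rules (`IPT=echo`); run it with `IPT=iptables` as root (for instance from `/etc/firewall.user`, which fw3 sources as a shell script) to apply them.

```shell
#!/bin/sh
# Added example (not from the thread or from fw3): mark packets by the interface
# they arrive on, then SNAT them by that mark. IPs and marks are the thread's
# values; interface names lan1/lan2 are assumed. IPT=echo (the default) prints
# the rules, IPT=iptables applies them.
IPT="${IPT:-echo}"

# One sender: packets entering on $ifname from $src_ip get fwmark $mark in the
# mangle PREROUTING chain, which runs before the routing decision and therefore
# before nat POSTROUTING. The SNAT rule then keys on the mark as well as the
# source IP; the source IP alone is ambiguous because both senders share it.
mark_and_snat() {
    ifname=$1; src_ip=$2; mark=$3; snat_ip=$4
    $IPT -t mangle -A PREROUTING -i "$ifname" -s "$src_ip" -j MARK --set-mark "$mark"
    $IPT -t nat -A POSTROUTING -m mark --mark "$mark" -s "$src_ip" -j SNAT --to-source "$snat_ip"
}

# Note: conntrack picks the NAT mapping on the first packet of a flow and the nat
# table is not consulted for later packets of that flow. After changing these
# rules, start a new connection (or delete the old entry with `conntrack -D`)
# before judging whether the SNAT choice changed.
main() {
    mark_and_snat lan1 192.168.124.124 9991 192.168.123.125   # sender on lan1
    mark_and_snat lan2 192.168.124.124 9992 192.168.123.126   # sender on lan2
}

main
```

To confirm which rule a flow actually hit, `iptables -t nat -L POSTROUTING -nv` shows per-rule packet counters, and `conntrack -L | grep 192.168.124.124` shows the translated source address conntrack chose for each live flow.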
Since you can define the SRC zone with the SNAT rule, why are you attempting to perform an extra [unnecessary] step of [target] marking the packets first before [target] SNATting them?
Specify by SRC IP or subnet (i.e., just fix your SNAT rules and delete the mark rules). Unless there's a reason to mark, I didn't understand the reply.
Luci is the web user interface... There is no source zone option when configuring SNAT using the web user interface, only destination zone. I assumed that meant source zone is not configurable for SNAT.
Consider the configuration as the following: "specifying the destination where the SNAT has to be used."
I'm trying to understand why you're trying to mark the SRC zone, instead of just making a SNAT rule. In other words to be clear: you don't need to mark nor specify the SRC zone.
I have 2 senders with the exact same IP and a receiver with a different IP in a different subnet.
I want to translate the source IP of packets from both senders to different source IPs before the packets reach the receiver.
The reason why I used MARK then SNAT (based on mark set), instead of SNAT only, is because LuCI did not give me an option to specify source zone when configuring SNAT.
Unless you know for certain this is the cause of the problem or are sure SNAT rules allow specification of source zone and does not just ignore such configuration, please focus on the problem instead of questioning the choices of my past attempt.
Traffic only routes once passing the firewall. So you can't both mark and SNAT without routing the packets again. You can kludge it by marking and DST the packets to an interface where they route again - then SNAT.
Yes, we know you cannot specify the SRC zone/interface for an SNAT rule.
Sorry, thought that was already clear.
Maybe your wording (as it's still not clear why the available SRC IP field isn't usable)?
Are these 2 different devices, with different IPs that you want to use the exact same IP with SNAT?
Or
One device (1 SRC IP) - mark - SNAT - 2 DST IPs?
Or
(Invalid) You have 2 interfaces/zone identically numbered - hence 2 devices in 2 different network having the same IP and you're trying to SNAT to different DST IPs?
The latter seems to best describe the statement in Post No. 1:
What do you mean by DST? Destination? If so, why would I be SNAT-ing to different destination IPs? SNAT is literally Source NAT...
The senders (PCs) are two different devices with the same IP, that I want to use different source IPs via SNAT.
The interfaces/zones the two senders are connected to are different.
The reason why I have two senders with the same IP has got nothing to do with the configuration of my router.
My problem is not why my senders have the same IP but how can I configure my router to SNAT the same source IP (from the two senders) differently based on which sender the packets are from.
To make it even clearer, here is my setup:
Sender A (IP = 192.168.123.123)
Sender B (IP = 192.168.123.123)
Receiver (IP = 192.168.124.123)
Receiver connects to port0
Sender A connects to port1
Sender B connects to port2
I want to change packets from Sender A to have source IP 192.168.124.124 and packets from Sender B to have source IP 192.168.124.125.
I'm not sure where you interpreted further confusion. I was merely trying to glean that you had an invalid SRC config. I apologize for the poor verbose wording.
In other words - you cannot identically number 2 different VLANs/networks - which is why there's no ability to select SRC interfaces or zones, only SRC IPs. No contradiction - I originally referred to the mark, not the SNAT (I mistakenly assumed you saw a SRC interface field and it caused me confusion).
Initially, (in good faith) I hadn't considered invalid network configurations. I hope that clarifies things now.
What exactly do you mean by "identically number" 2 different VLANs/networks? I don't remember setting the same "number" or even name for different VLANs/networks. Are you referring to the two VLANs/networks using the same subnet? What is this "number" you have been referring to exactly?