
I have an OpenWRT router with 1 WAN port and many LAN ports.

I have assigned a second IP to the WAN port by adding a command like this to the startup scripts:

ip addr add X.Y.Z.G/24 dev eth0.2

Before that I have removed the bridge that is added to the WAN port so br-wan is gone.

I also added the following commands to forward connections coming to this second IP and port 80 to a machine on LAN.

# source-NAT everything the LAN web server originates so it leaves from the second public IP
iptables -t nat -I POSTROUTING 1 -p all -s 192.168.3.87 -j SNAT --to X.Y.Z.G
# destination-NAT port 80 on the second public IP to the LAN web server
iptables -t nat -A PREROUTING -p tcp -d X.Y.Z.G --dport 80 -j DNAT --to-destination 192.168.3.87:80
# let the forwarded connection through the filter table
iptables -I FORWARD -p tcp -d 192.168.3.87 --dport 80 -j ACCEPT

This way I have 2 web servers each one mapped to a separate public IP.

The problem I have is that with this setup the clients inside the LAN cannot access X.Y.Z.G:80 for some reason. Everybody else on the web is able to. So far my knowledge of iptables tells me that the last rule should allow forwarding connections to the internal IP from everywhere.

j0k
flipm0de
  • It is allowing connections for everyone, but your second machine is trying to access it using its public IP. You need to re-route traffic coming from the inside to the same internal IP. Your second option is to use another resolve from the inside, so that it resolves to the internal IP. However, this requires more maintenance. – jishi Jan 04 '13 at 13:56
  • OK, so what commands can I add so that a computer on the LAN, which will normally use the other public IP to access the internet, gets rerouted, so that when the traffic goes out of the first IP it will be accepted from the second IP? I thought with the current rules iptables would be doing this without problem. As a matter of fact these exact commands were used on a DD-WRT installation and they worked. But now I moved to OpenWRT and I am hitting this problem. – flipm0de Jan 05 '13 at 21:32
  • To start with, you are only allowing 192.168.3.87 which is unnecessary I think, what you need to allow is X.Y.Z.G on the internal interface. It's been a long time since I worked with IPTABLES. – jishi Jan 06 '13 at 15:01
  • These are all the rules that I added to forward the X.Y.Z.G:80 to 192.168.3.87:80 and to mark all the traffic going out of 192.168.3.87 as going out of X.Y.Z.G. The rest are the standard OpenWRT settings + rules. – flipm0de Jan 06 '13 at 21:42

1 Answer


After looking at what else OpenWRT does to forward ports normally, and at the firewall status (Status->Firewall in the menu), which includes the current iptables rules, I replicated some of the rules and it turned out that the magic happened :).

# hairpin: rewrite the source of LAN-originated connections to the web server so its
# replies go back through the router instead of directly to the LAN client
iptables -t nat -A POSTROUTING -p tcp -s 192.168.3.0/24 -d 192.168.3.87 --dport 80 -j SNAT --to 192.168.3.1

It turned out I had to explicitly add an SNAT rule for the internal network in order to get everything to work.

flipm0de
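Why the answer's SNAT rule is the missing piece: the question's PREROUTING DNAT has no input-interface match, so a LAN client's SYN to X.Y.Z.G:80 was already being translated to 192.168.3.87. The server then answered the client directly on the same LAN segment, with 192.168.3.87 as source, and the client's TCP stack rejected a reply from an address it never connected to. Rewriting the client's source to the router makes the server reply to the router, which undoes both translations. The script below is an added example, not code from the original post or from OpenWrt. It writes out the complete rule set for one forwarded TCP service with hairpin (NAT loopback) support, scopes the original DNAT and SNAT rules to an interface, and limits the hairpin SNAT to connections that conntrack marks as DNATed so that direct LAN connections to 192.168.3.87 keep their real client address. It assumes the OpenWrt default interface names eth0.2 (WAN) and br-lan (LAN) and the router LAN address 192.168.3.1 from the answer, and it only prints the commands unless IPT=iptables is set.

```sh
#!/bin/sh
# Hairpin (NAT loopback) port forward for a secondary public address on an
# OpenWrt router. Added example, not from the original post or from OpenWrt.
# Assumptions (OpenWrt defaults of the time): WAN interface eth0.2, LAN bridge
# br-lan, router LAN address 192.168.3.1. X.Y.Z.G is the question's placeholder
# and must be replaced with the real secondary address before applying.

# Dry run by default: the commands are only printed. On the router run
#   IPT=iptables sh hairpin.sh
IPT="${IPT:-echo iptables}"

WAN_IF="eth0.2"
LAN_IF="br-lan"
LAN_NET="192.168.3.0/24"
ROUTER_LAN_IP="192.168.3.1"

# hairpin_rules PUBLIC_IP SERVER_IP PORT
# Emits (or applies) the five rules needed for one forwarded TCP service.
hairpin_rules() {
    pub="$1"; srv="$2"; port="$3"

    # 1. Traffic the server itself originates leaves from the secondary
    #    public address. Scoped to the WAN interface so server -> LAN traffic
    #    is left alone (the question's rule had no -o and would rewrite it too).
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$srv" \
        -j SNAT --to-source "$pub"

    # 2. Internet -> public IP:port is DNATed to the server.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$pub" --dport "$port" \
        -j DNAT --to-destination "$srv:$port"

    # 3. LAN -> public IP:port (the hairpin case) gets the same DNAT.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp -d "$pub" --dport "$port" \
        -j DNAT --to-destination "$srv:$port"

    # 4. Reverse path for the hairpin: rewrite the LAN client's source to the
    #    router so the server's replies come back through the router, which
    #    undoes both translations. Without this the server answers the client
    #    directly from its own LAN address and the client resets the connection.
    #    --ctstate DNAT limits the rewrite to forwarded connections, so direct
    #    LAN connections to the server keep the real client address.
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -p tcp -d "$srv" --dport "$port" \
        -m conntrack --ctstate DNAT -j SNAT --to-source "$ROUTER_LAN_IP"

    # 5. Filter: accept only the DNATed connection to the service port.
    $IPT -A FORWARD -p tcp -d "$srv" --dport "$port" \
        -m conntrack --ctstate DNAT -j ACCEPT
}

hairpin_rules "X.Y.Z.G" "192.168.3.87" "80"
```

Replace X.Y.Z.G with the real address before applying; the placeholder is kept from the question and iptables will reject it. On the fw3-based OpenWrt releases of that era, custom rules belong in /etc/firewall.user so they survive a firewall reload; the newer fw4 releases use nftables and need the equivalent nft rules instead. The trade-off of hairpin SNAT is that the web server sees every LAN client as 192.168.3.1, so its access logs and any per-IP rate limiting or fail2ban-style blocking lose the client identity; the split-DNS approach jishi mentions in the comments avoids that at the cost of maintaining a second zone.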