Firewall question

e9hack e9hack at
Wed Feb 9 14:37:20 PST 2022

Hi Jo,
> I do not understand however how the guest routing works in your network
> currently...

The guest network is wifi only with wan access, but without access to the lan
network. It is used for cell phones only, which synchronize data with
nextcloud via a ddns name over the wan address. This shall work independently
of whether they are using the data plan or the wifi network.

To generate the rules for the hotplug script, I looked at the generated
forward and reflection rules for lan:

iptables-save | grep '...'
-A zone_lan_postrouting -s -d -p tcp -m tcp --dport 8443 -j SNAT --to-source
-A zone_lan_prerouting -s -d 93.x.y.z/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination
-A zone_wan_prerouting -p tcp -m tcp --dport 443 -j DNAT --to-destination

From this, I generated these three rules for the hotplug script:
iptables-save | grep '...'
-A postrouting_guest_rule -s -d -p tcp -m tcp --dport 8443 -j SNAT --to-source
-A postrouting_guest_rule -s -d -p tcp -m tcp --dport 8443 -j SNAT --to-source
-A prerouting_guest_rule -s -d 93.x.y.z/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination

For the postrouting rule, it wasn't clear to me which gateway address I have
to use. Reflection did work. I saw an increasing packet counter on the
prerouting rule. The packet counters of both postrouting rules remained
at 0. The packet counter of the lan postrouting rule was increased instead.
So I removed both guest postrouting rules.

> I am not sure what you mean with 3rd network. Does it mean the server has an
> address in the guest subnet? Maybe you can describe its network setup in more
> detail...

Simply generate a network for the server only, like the lan network, use the
forward/reflection rule for the server with the new network, and use two
rules for lan and guest like the old rule from the hotplug script with the new
destination address of the server.

> The following should be equivalent:
> config redirect
>      option name 'guest: Redirect wan HTTPS from port 443 to on port 8443'
>      option target 'DNAT'
>      option src 'wan'
>      option dest 'lan'
>      option proto 'tcp'
>      option family 'ipv4'
>      option src_ip ''
>      #option src_ip 'guest' # alternative that does not hardcode guest subnet
>      option src_dip 'wan' # sic! "wan" is resolved to the current IP
>      option src_dport '443'
>      option dest_ip ''
>      option dest_port '8443'
>      option reflection '0'

Yeah, this does the trick.

Reflection does work if 'option src wan' is exchanged for 'option src guest'.
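Putting the pieces of this thread together as one /etc/config/firewall fragment, as an added example that is not configuration from this post, from Jo's reply or from OpenWrt itself: an isolated guest zone that only forwards to wan, the hairpin redirect with 'option src guest' as found above, and the ordinary wan port forward. The server address 192.168.1.10, the guest subnet 192.168.2.0/24 and the DHCP/DNS rule are assumptions; the post elides the real addresses.

```uci
# Added example, not from the post. Placeholders: server 192.168.1.10 in lan,
# guest clients in 192.168.2.0/24; the public address is resolved from 'wan'.

config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'      # guest clients may not reach the router itself...
	option output 'ACCEPT'
	option forward 'REJECT'    # ...and are not forwarded to any zone without a forwarding entry

config forwarding
	option src 'guest'
	option dest 'wan'          # wan access only; nothing forwards guest -> lan

# Assumed: guest clients still need DHCP and DNS from the router itself,
# which 'option input REJECT' above would otherwise block.
config rule
	option name 'guest: allow DHCP and DNS'
	option src 'guest'
	option proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'

# Hairpin for phones on the guest wifi: traffic to the public address on 443
# is sent to the server on 8443 (the 'option src guest' variant from the post).
config redirect
	option name 'guest: wan HTTPS port 443 to server port 8443'
	option target 'DNAT'
	option src 'guest'
	option dest 'lan'
	option proto 'tcp'
	option family 'ipv4'
	option src_dip 'wan'       # resolved to the current wan address, as Jo notes
	option src_dport '443'
	option dest_ip '192.168.1.10'
	option dest_port '8443'
	option reflection '0'

# Ordinary port forward from the internet; reflection '1' makes the firewall
# generate the lan hairpin rules the post quotes from iptables-save.
config redirect
	option name 'wan: HTTPS port 443 to server port 8443'
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option family 'ipv4'
	option src_dport '443'
	option dest_ip '192.168.1.10'
	option dest_port '8443'
	option reflection '1'
```

The point of keeping 'option forward REJECT' on the guest zone is that the DNAT redirect is the only path from guest into lan: the firewall emits the matching forward accept for a redirect's destination and port, so guest clients reach the server on port 8443 and nothing else in lan. After editing, apply with `/etc/init.d/firewall restart` and check the counters with `iptables-save -c | grep guest`, as the post does for its hotplug rules.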


More information about the openwrt-devel mailing list