Opened 5 years ago

Last modified 3 years ago

#12990 accepted defect

Port forwarding gives router ip as source, but should be public ip.

Reported by: mitchhubers@… Owned by: jow
Priority: normal Milestone: Chaos Calmer 15.05
Component: packages Version: Trunk
Keywords: ip port forwarding firewall Cc:


I am using port forwarding to open the port 28960 for a game server. When i connect from LAN to the public ip (wan) i get ingame the local ip from the router. It should be the public ip. When i was using the firmware from Netgear I got the public ip ingame worked.

Router: WNDR3700 (v1)
OpenWrt: Barrier Breaker r35572

The forward rule i am using:

From any host in wan
Via any router IP at port 28960
IP 192.168.1.x, port 28960 in lan

Attachments (0)

Change History (9)

comment:1 Changed 5 years ago by GrimDemon <wispwind@…>

Is this really a problem? I think it's normal behavior of the router. Your WNDR3700 recognizes that you are connecting from local network. Try to connect to the server from another network.

comment:2 Changed 5 years ago by Halo2

There a comfortable things which work on Netgear Firmware like:
You forward a port, i.e. 80, to an internal lan ip.
So when you access your routers wan address from external you get to the internal ip on port 80 like you want.
But you also get to port 80 of the internal ip when accessing it with the wan address and already beeing on the lan side.
Unusual, but very comfortable. It i.e. allows you to use your dyndns address on apps of your phone, and it simply works, neitherless you're in wlan or in 3g (and away). Without having to switch addresses in the app again and again.
I don't know how they realized that technically. But it would be painfully for a user to do that in openwrt for every forward they already did in the gui.

comment:3 Changed 5 years ago by anonymous

NAT Loopback/Reflection??

comment:4 Changed 5 years ago by jow

  • Owner changed from developers to jow
  • Status changed from new to accepted

The nat reflection indeed uses the lan ip as snat source atm - I'll eventually change that to use the external ip of the external iface associated to the redirect.

comment:5 Changed 3 years ago by anonymous

Nearly two years past by, and I am experiencing the same problem: I need the original IP from the internet passed through to a server inside a DMZ. How can I achieve this? (Using OpenWrt 12.09)

comment:6 Changed 3 years ago by Steffen

Three days ago I installed OpenWrt on my WDR3600 and was positively surprised that NAT reflection uses the LAN IP as source address. If you change that to the external IP then please introduce an option to keep the current behavior.

comment:7 Changed 3 years ago by anonymous

You can toggle the behavior with "option reflection_src internal" and "option reflection_src external". Also documented here:

comment:8 Changed 3 years ago by andreeeee

While the reflection_src thingie seems to work (I can see either internal or external router IP when I connect from insde), there's a worse problem with this.

After setting up the forwarding as down below (vi LuCi), the destination machine doesn't see the external IP of machines connecting on it - it's always the internal IP of the router:

sshd: Failed password for invalid user test from port

Instead I would like to see the public address of the remote machine in the logs...

config redirect

option target 'DNAT'
option src 'wan'
option proto 'tcp'
option src_dport '22'
option name 'sshfwd'
option dest_ip ''
option dest 'lan'


comment:9 Changed 3 years ago by jow

You likely have masquerading set on the lan zone, disable it.

Add Comment

Modify Ticket

as accepted .

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.