NAT and Port Forwarding in OpenWRT
If you use port forwarding with your OpenWRT-powered Linksys WRT54GL, you should know that there was a problem that made DNAT unstable after some period of time: port forwarding stopped working completely, or it started redirecting to different ports (weird, isn’t it?), as described in #2558. The bug was marked as fixed two weeks ago, so you may want to give the fixed netfilter nat module a try.
Update: no problems with port forwarding so far; it looks like the patch is correct.
For those who reach this page looking for a way to set up port forwarding in OpenWRT without iptables magic, here it is, in /etc/config/firewall:

    config redirect
        option src $source_interface
        option src_dport $original_destination_port
        option dest $destination_interface
        option dest_ip $destination_ip
        option dest_port $destination_port
        option proto $protocol

You can find more examples in the default /etc/config/firewall, but here’s how I have set up my SIP forwarding:

    # incoming SIP
    config redirect
        option src internet
        option src_dport 5060
        option dest lan
        option dest_ip 192.168.1.4
        option dest_port 5060

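To review which internal hosts a firewall config exposes, the redirect sections in the format above can be listed one per line. This is an added example, not part of the original post or of OpenWRT; the function names are hypothetical, and the sample input is the SIP redirect from this page plus a constructed second redirect and a constructed non-redirect section.

```shell
#!/bin/sh
# Added example: list every "config redirect" section of a firewall config as
#   src:src_dport -> dest_ip:dest_port proto=<value|unset>
# Reads the files named as arguments, or stdin if none. Handles single-word
# option values, as in the examples on this page.
list_redirects() {
    awk -v q="'" '
    function emit() {
        if (in_redirect)
            printf "%s:%s -> %s:%s proto=%s\n", o["src"], o["src_dport"],
                o["dest_ip"], o["dest_port"], (("proto" in o) ? o["proto"] : "unset")
        split("", o)          # clear the option table for the next section
        in_redirect = 0
    }
    /^[ \t]*#/ { next }       # skip comment lines
    $1 == "config" { emit(); t = $2; gsub(q, "", t); gsub(/"/, "", t)
                     in_redirect = (t == "redirect"); next }
    $1 == "option" && in_redirect { v = $3; gsub(q, "", v); gsub(/"/, "", v); o[$2] = v }
    END { emit() }
    ' "$@"
}

# Sample input: first section is the SIP redirect from the page,
# the other two sections are constructed for this example.
sample_config() {
    cat <<'EOF'
# incoming SIP
config redirect
    option src internet
    option src_dport 5060
    option dest lan
    option dest_ip 192.168.1.4
    option dest_port 5060

config redirect
    option src internet
    option src_dport 2222
    option dest lan
    option dest_ip 192.168.1.10
    option dest_port 22
    option proto tcp

config rule
    option src internet
    option dest_port 22
EOF
}

sample_config | list_redirects
```

On the router itself, `list_redirects /etc/config/firewall` prints the same summary for the live config; a redirect reported with `proto=unset` has no `option proto` line.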
One note: you need to run the firewall script after the corresponding interface has been initialized. If the underlying device for $source_interface is down (say, a ppp link), the rules related to this interface will be skipped. That’s why there is /etc/hotplug.d/iface/20-firewall.