I never received notifications for your posts so I just saw them, thanks for pitching in!
I went ahead and cleaned up my original posts, added more accurate and useful info and replaced the diagram with a cleaner one.
WAN NAT redirection on DD-WRT has always worked fine for me when both LAN and WLAN were on br0 and there were no rules separating them. The issue is only when the two are isolated to prevent guest devices from accessing the LAN.
While firewall rules effectively isolate br1 from br0, they also prevent br1 from accessing the WAN interface which is problematic because I still want guest wireless devices to be able to hit my WAN IP and access port-forwarded services.
Here are the FW rules isolating br1 from br0 (from wiki):
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP (breaks hairpinning)
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP (allows hairpinning but breaks isolation)
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP (breaks hairpinning)
iptables -I INPUT -i br1 -m state --state NEW -j DROP (allows hairpinning but breaks isolation)
All of these rules are necessary to isolate the bridges while allowing wireless devices access to the internet. However, all of these rules either break hairpinning or allow communication between bridges which is problematic.
It appears that the latest builds include a "Hairpin Mode" option for bridges. This sounds exactly like what I'm looking for however the feature appears to be broken as when it's applied, WiFi no longer works (see attached images). Wondering if anyone has gotten this to work.
Perhaps my pathological perfectionist tendencies?!
Why not block access between br1 and br0 in general, but make exceptions based on the port forward(s) required internal IP, protocol, and internal port?
That's actually a great suggestion, since the ports are going to be exposed to the outside anyway. Would still love to see that "Hairpin Mode" option working though. _________________ Hardware: RT-AC68U - Firmware: DD-WRT v3.0-r35898 std - Kernel: 4.4.131
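As an added example (not code from the thread or from DD-WRT itself) of the approach suggested above: keep the wiki's DROP rules that isolate br1 from br0, and insert ACCEPT exceptions only for the exact internal host, protocol and port of each existing port forward. Because DD-WRT's DNAT runs in PREROUTING, a guest packet sent to the WAN IP reaches FORWARD already rewritten to the internal destination, so an exception matching that internal IP:port is all the hairpin path needs. The internal hosts (192.168.1.10:443, 192.168.1.20:51820), the br1 DHCP/DNS exceptions and the fallback LAN address are assumptions for illustration; adjust the FORWARDS list to match your own port forwards.

```shell
#!/bin/sh
# Added example for DD-WRT "Save Firewall": isolate guest bridge br1 from
# br0 but allow guests to reach only the port-forwarded services on br0.
# Run with --apply on the router; without it the rules are only printed.

# guest_fw_rules LAN_IP LAN_MASK "proto:internal_ip:internal_port ..."
# Prints iptables commands in the order they must be executed.
guest_fw_rules() {
    lan_ip=$1
    lan_mask=$2
    forwards=$3

    # Every rule uses -I (insert at the top), so each later line lands ABOVE
    # the earlier ones. The DROPs therefore go first and the ACCEPT
    # exceptions last, which leaves the exceptions on top of the chain.
    echo "iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP"
    echo "iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP"
    echo "iptables -I FORWARD -i br1 -d ${lan_ip}/${lan_mask} -m state --state NEW -j DROP"
    echo "iptables -I INPUT -i br1 -m state --state NEW -j DROP"

    # Assumption: the router's dnsmasq serves DHCP and DNS to br1, so guests
    # still need those two services on the router itself.
    echo "iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT"
    echo "iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT"
    echo "iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT"

    # One hole per port forward. DNAT in PREROUTING has already rewritten the
    # WAN IP to the internal host, so FORWARD sees the internal destination.
    for fwd in $forwards; do
        proto=${fwd%%:*}
        rest=${fwd#*:}
        host=${rest%%:*}
        port=${rest#*:}
        echo "iptables -I FORWARD -i br1 -o br0 -p ${proto} -d ${host} --dport ${port} -m state --state NEW -j ACCEPT"
    done
}

# Fall back to a typical LAN address when not running on DD-WRT (no nvram).
LAN_IP=$(nvram get lan_ipaddr 2>/dev/null || echo 192.168.1.1)
LAN_MASK=$(nvram get lan_netmask 2>/dev/null || echo 255.255.255.0)
# Assumed port forwards: HTTPS to 192.168.1.10, WireGuard to 192.168.1.20.
FORWARDS="tcp:192.168.1.10:443 udp:192.168.1.20:51820"

case "${1:-}" in
    --apply) guest_fw_rules "$LAN_IP" "$LAN_MASK" "$FORWARDS" | sh ;;
    *)       guest_fw_rules "$LAN_IP" "$LAN_MASK" "$FORWARDS" ;;
esac
```

Verify on the router with `iptables -L FORWARD -v -n --line-numbers`: the per-service ACCEPT lines must sit above the three br1 DROP rules, otherwise the hairpin connection is still dropped before the exception is consulted.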