Port forwarding without losing public IP address

DD-WRT Forum Index -> Atheros WiSOC based Hardware
objecttothis
DD-WRT User


Joined: 19 Nov 2014
Posts: 86

Posted: Sat Dec 03, 2022 21:01    Post subject: Port forwarding without losing public IP address
I have a TP-Link TL-WDR4300 v1 running DD-WRT v3.0-r48810 std (05/06/22) with port forwarding turned on for port "A" and sending that to a server on the network. In my various server logs I'm never getting the public IP address logged, just the IP address of the router. I suspect that this is the default functionality of port forwarding. Is there a way to do the forwarding without losing the public IP address of the computer making the request to that port which is being forwarded?

e.g., if IP address www.xxx.yyy.zzz makes a request to port 80 then I'd like to see www.xxx.yyy.zzz in the server log rather than 192.168.xxx.yyy as the one making the request.

NAT/QOS > Port Forwarding doesn't seem to have any settings that would allow me to pass this. Thanks for any help. I'm teaching myself this stuff as I go.

_________________
Delivering pure fact does not mean you are rude. Ignoring social contract in the delivery of pure fact does make you rude.
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2975
Location: Germany

Posted: Sat Dec 03, 2022 21:12
No, port forwarding does not work like that.
You might access your WAN address yourself from your LAN and this is then a WAN NAT redirection.
objecttothis
DD-WRT User

Posted: Sat Dec 03, 2022 21:25
Sorry, can you clarify? When you say Port Forwarding doesn't work like that, I think you mean that there is no way with port forwarding to have the internal network server see anything besides the router's IP address as the requesting agent. Do I understand what you're saying correctly?

I'm not sure I understand what you mean when you say access my WAN address myself from my LAN. The whole issue is logging the public IP address of a request being made from outside the LAN and forwarded via port forwarding.

objecttothis
DD-WRT User

Posted: Sat Dec 03, 2022 21:32
I did find this page https://web.synametrics.com/router-ip-in-logs.htm that describes the issue in another context. It explains the issue as the router masquerading, therefore the forwarded request appears to come from the router IP address. I guess that's what I'm wondering how I can turn off.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12885
Location: Netherlands

Posted: Sat Dec 03, 2022 22:00
Port forwarding consists of a FORWARD ACCEPT rule, accepting the traffic, and a DNAT rule which translates the *destination* address from the router's WAN address to the destination address of your server.
The *source* address is not changed; my server can see which clients on the internet the query is coming from.

MASQUERADING/SNAT changes the source address. This is a setting on VPN servers and is often advised when the router is set up as a Wireless Access Point (WAP), but it has nothing to do with port forwarding.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
objecttothis
DD-WRT User

Posted: Sun Dec 04, 2022 19:02
@egc OK, I think you're saying that my issue isn't caused by Port Forwarding. That's good to hear. On this router I have set up a guest network via VAP. I have the following firewall rules in place, which I thought were forwarding the internet to wlan0.1 and preventing users connected to wlan0.1 from being able to access network devices or each other. Could one or both of the last two iptables rules be what's causing the public IP address to also be lost on incoming requests and instead have the local IP address be shown?

These were copied and pasted from tutorials on setting up the guest network and then modified to the correct name for the VAP, but I admit that I am not extremely well versed in how they work.

# Drop new connections coming in from the guest VAP (wlan0.1) towards the main LAN subnet
iptables -I FORWARD -i wlan0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
# Rewrite the source address of everything leaving through the LAN bridge (br0) to the router's LAN address
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
# Masquerade everything leaving through the WAN interface
iptables -t nat -A POSTROUTING -o $(get_wanface) -j MASQUERADE

egc
DD-WRT Guru

Posted: Sun Dec 04, 2022 19:14
Those last two rules are the culprit and have no relation to isolating a VAP.

To isolate your vap from the main network and vice versa, just enable Net Isolation in the GUI and delete all your firewall rules.

This all assuming your router is in default gateway mode with an enabled WAN port.

If necessary I can send detailed instructions about a vap.

objecttothis
DD-WRT User

Posted: Sun Dec 04, 2022 19:34
The guest network honestly was a bit of a PITA to set up. This was partially the case because I have two DD-WRT routers. The one in the OP here is the main router handling all the DHCP. Getting the same guest network set up on the Access Point was difficult because the DD-WRT tutorials were written for a more standard setup where the router was operating as a gateway. That said, I think you're saying that on this router, I should be able to get rid of the last two rules and not have an ill effect on the VAP.

For reference I used https://wiki.dd-wrt.com/wiki/index.php/Guest_Network and the posts at the bottom which are referenced as a guide but all of them give conflicting information. The biggest problem I was having was that the guest network on the AP did not have WAN access. Now with the way it's setup it works, but the guest network occasionally goes down and I have to reboot the router, so I'm not sure what that's all about, but perhaps cause for a different thread.

_________________
Delivering pure fact does not mean you are rude. Ignoring social contract in the delivery of pure fact does make you rude.
objecttothis
DD-WRT User

Posted: Sun Dec 04, 2022 19:44
@egc as soon as I remove those last two rules from the firewall rules and restart the router, my OpenVPN connection into the router no longer has WAN access, so those firewall rules seem to be pertinent to passing WAN access to my OpenVPN connection. Is there a way for me to have both WAN access and not lose the public IP address on incoming connections?
egc
DD-WRT Guru

Posted: Sun Dec 04, 2022 19:51
Okay, I am beginning to understand where your confusion is coming from.

The second rule you have is meant for the WAP (the secondary router without a WAN), not for the main router.
The third rule is not necessary (unless you do not have the second rule on the WAP, but then you also have to have a static route).

The first rule you have is also meant for the WAP, to isolate wlan0.1 on the WAP from the main network.

Attached are my personal notes on how to set up a VAP and also how to set up a VAP on a WAP; hope this clarifies some things :)

objecttothis
DD-WRT User

Posted: Sun Dec 04, 2022 20:08
Thank you @egc. To clarify, I also have a VAP with the same SSID for guest network on the main router to provide fuller coverage to those on the guest network across the property.

When I comment out the second rule (iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`) I maintain WAN access from my OpenVPN connection and my server logs are now reporting the public IP address. I'm not onsite right now, so the only remaining question is whether the VAP on this router and the AP will still be forwarding WAN properly and remain isolated from other devices on the network. From your previous messages it sounds like it will. Thank you for posting your notes. I will review them and perhaps there will be some adjustments I can make that will improve the reliability problems I have been having with the AP and the guest network going down occasionally.

egc
DD-WRT Guru

Posted: Sun Dec 04, 2022 20:30
OK, and now you are saying you have an OpenVPN server running.

It really helps if you share all the details :(

In my earlier post I already mentioned that one of the reasons a MASQUERADE/SNAT rule can be in place is a VPN server; nowadays it is a GUI setting, as is the setting to allow WAN/internet access for your VPN clients.

Have a look at the OpenVPN server setup guide for explanation and downsides.

objecttothis
DD-WRT User

Posted: Sun Dec 04, 2022 21:10
Sorry, I thought that's what I said a few posts up (Sun Dec 04, 2022 19:44) when I wrote "as soon as I remove those last two rules from the firewall rules and restart the router my openvpn connection into the router no longer has WAN access".

Sorry, I didn't intend to complicate it, but it's rather difficult to know which details are pertinent and which muddy the water when I don't have a good understanding of iptables rules.

I'll take a look at the OpenVPN server setup guide. I think when I set it up, the instructions I followed had me doing stuff with the firewall rules, because I don't remember anything about client WAN access being a GUI setting.

Thanks again for the help.

egc
DD-WRT Guru

Posted: Mon Dec 05, 2022 11:24
We are here to help :)

For OpenVPN almost everything can be done via the GUI :)

objecttothis
DD-WRT User

Posted: Fri Dec 16, 2022 22:23
As a follow-up, I recently replaced the router I was working on and took the opportunity to use the OpenVPN Server Setup Guide you referred to, this time following it by the book. I did not need any firewall rules for WAN access (getting it through the GUI) and the IP addresses are properly being forwarded.

Now my problem is trying to get the VAP on the WAP attached to this main router to properly give WAN access to clients while still Net- and AP-isolating them, but I've created another thread for that. I will say that the firewall rules for VAP on WAP in your guide do not play nicely with this issue. For example, your guide says that I need to add the following rule to give WAN access to clients on the VAP:

# Rewrite the source address of everything leaving through br0 to the router's LAN address
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

That rule on the main router causes the problem where my server IP address replaces the public IP address in server logs. I'm not sure how to get around this.

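Editor's added example (not code from the thread or from DD-WRT): a small Python model of the netfilter nat table that shows, with the rules posted above, why the LAN server logs the router's address, and one way around the problem raised in the last post. It parses a constructed `iptables-save -t nat` dump (the port forward as a DNAT on the WAN interface plus the two POSTROUTING rules from the thread) and walks a packet through PREROUTING (where DNAT rewrites only the destination) and POSTROUTING (where SNAT/MASQUERADE rewrite only the source), which is the distinction egc draws. All addresses are documentation-range assumptions, `eth0` stands in for `$(get_wanface)`, and `10.8.0.0/24` is an assumed OpenVPN client subnet. Limiting the SNAT rule to that subnet with `-s` is my suggestion, not something the thread states; whether a narrowed rule still does everything the VAP-on-WAP guide relies on has to be checked against that setup.

```python
import ipaddress

# All addresses and interface names below are assumptions for the illustration
# (documentation ranges), not the poster's real network; eth0 stands for get_wanface.
WAN_IP = "203.0.113.10"        # router WAN (eth0) address
LAN_IP = "192.168.1.1"         # router LAN (br0) address, i.e. `nvram get lan_ipaddr`
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
SERVER = "192.168.1.50"        # LAN server the port forward points at
CLIENT = "198.51.100.7"        # remote client on the internet
VPN_NET = "10.8.0.0/24"        # assumed OpenVPN client subnet

# Constructed `iptables-save -t nat` dump: the port forward (DNAT on the WAN
# interface) plus the two POSTROUTING rules from the thread.
POSTED_NAT_DUMP = f"""*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination {SERVER}:80
-A POSTROUTING -o br0 -j SNAT --to-source {LAN_IP}
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Same table with the SNAT rule limited to the VPN subnet by `-s` (editor's suggestion),
# so it no longer touches traffic that arrived from the internet through the port forward.
SCOPED_NAT_DUMP = POSTED_NAT_DUMP.replace(
    "-A POSTROUTING -o br0 -j SNAT", f"-A POSTROUTING -s {VPN_NET} -o br0 -j SNAT")


def parse_nat_dump(text):
    """Turn the `-A CHAIN ...` lines of an iptables-save dump into rule dicts, in order."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 2 or toks[0] != "-A":
            continue
        rule = {"chain": toks[1], "match": {}, "target": None, "to": None}
        i = 2
        while i < len(toks) - 1:
            opt, arg = toks[i], toks[i + 1]
            if opt == "-j":
                rule["target"] = arg
            elif opt in ("--to-destination", "--to-source"):
                rule["to"] = arg
            elif opt in ("-i", "-o", "-s", "-d", "-p", "--dport"):
                rule["match"][opt] = arg
            i += 2  # every option in this dump takes one argument (`-m tcp` included)
        rules.append(rule)
    return rules


def _matches(rule, pkt):
    m = rule["match"]
    for opt, field in (("-i", "in"), ("-o", "out"), ("-p", "proto")):
        if opt in m and m[opt] != pkt[field]:
            return False
    if "--dport" in m and int(m["--dport"]) != pkt["dport"]:
        return False
    for opt, field in (("-s", "src"), ("-d", "dst")):
        if opt in m and ipaddress.ip_address(pkt[field]) not in \
                ipaddress.ip_network(m[opt], strict=False):
            return False
    return True


def _walk(chain, rules, pkt):
    """Apply the first matching NAT target in `chain`, as the kernel's nat table does."""
    for r in rules:
        if r["chain"] != chain or not _matches(r, pkt):
            continue
        if r["target"] == "DNAT":                 # rewrites the destination only
            host, sep, port = r["to"].rpartition(":")
            pkt["dst"] = host if sep else r["to"]
            if sep:
                pkt["dport"] = int(port)
            return
        if r["target"] == "SNAT":                 # rewrites the source only
            pkt["src"] = r["to"]
            return
        if r["target"] == "MASQUERADE":           # SNAT to the outgoing interface's address
            pkt["src"] = WAN_IP if pkt["out"] == "eth0" else LAN_IP
            return


def as_seen_by_server(nat_dump, src=CLIENT, dst=WAN_IP, dport=80, in_iface="eth0"):
    """(source, destination) a packet carries when it reaches the LAN server."""
    rules = parse_nat_dump(nat_dump)
    pkt = {"src": src, "dst": dst, "dport": dport, "proto": "tcp",
           "in": in_iface, "out": None}
    _walk("PREROUTING", rules, pkt)             # the port forward happens here
    pkt["out"] = "br0" if ipaddress.ip_address(pkt["dst"]) in LAN_NET else "eth0"
    _walk("POSTROUTING", rules, pkt)            # source rewrites happen here
    return pkt["src"], pkt["dst"]


def lan_source_rewrites(nat_dump):
    """POSTROUTING rules that rewrite the source of *all* traffic leaving via br0."""
    return [r for r in parse_nat_dump(nat_dump)
            if r["chain"] == "POSTROUTING" and r["target"] in ("SNAT", "MASQUERADE")
            and r["match"].get("-o") == "br0" and "-s" not in r["match"]]
```

With the posted rules `as_seen_by_server(POSTED_NAT_DUMP)` returns the router's LAN address as the source, which is exactly what the server logs showed; with the `-s`-scoped rule the internet client's address survives, while a packet from an assumed VPN client (`src="10.8.0.2"`, `dst=SERVER`, `in_iface="tun2"`) is still rewritten to the router's LAN address, so the rule keeps doing the job the guide added it for. On a real DD-WRT box the output of `iptables-save -t nat` can be fed to `lan_source_rewrites()` to find any unscoped source rewrite on `br0` before chasing the port-forward configuration.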
All times are GMT