OpenWrt/LEDE Project

  • Status Closed
  • Percent Complete
  • Task Type Feature Request
  • Category Base system
  • Assigned To
    Jo-Philipp Wich
  • Operating System All
  • Severity Low
  • Priority Very Low
  • Reported Version lede-17.01
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by TexasDex - 09.07.2018
Last edited by Adrian Schmutzler - 19.06.2020

FS#1645 - NAT reflection/loopback fails with multiple zones

I have multiple internal VLANs, and multiple firewall zones (e.g. a guest network, a DMZ LAN) with separate IP ranges and locked-down routing in between. I’ve found that if I forward a port to a web server in my DMZ zone the ‘NAT Loopback’ option has no effect on hosts outside of that zone (e.g. in my LAN or GuestLAN zones).


# curl curl: (7) Failed to connect to port 443: Connection refused


$ curl <html>

The port forward works fine on hosts outside my network.

I’ve looked into adding custom rules to fix this, since a Linux sysadmin with a little bit of iptables experience, but I’m not having much luck figuring out the LEDE firewall.

Using LEDE Reboot (17.01.4, r3560-79f57e422d) on x86 (QOTOM J1900 embedded PC).

Closed by  Adrian Schmutzler
19.06.2020 11:21
Reason for closing:  Won't fix
Additional comments about closing:  

LEDE-17.01 has reached EOL (end of life). This bug has been closed automatically. If the problem persists with a newer version, please file an appropriate new bug report for that version.

TexasDex commented on 09.07.2018 20:20

Note: This was reported as a bug in LuCI, but closed because the issue was not just with UI:

Jo-Philipp Wich commented on 10.07.2018 07:58

This is by design. The setup of NAT loopback rules is currently tied to the zone of the target host.

I might look into introducing a new option "reflection zones" or similar to change set but I can't promise that it'll happen anytime soon.

TexasDex commented on 10.07.2018 13:22

It took a lot of figuring out, but adding the following rule to the 'Firewall - Custom Rules' pane in LuCI seems to have fixed it for now:

network_get_ipaddr wan wan
network_get_ipaddr lan lan
webserver=(add your web server IP address here)
iptables -t nat -A prerouting_lan_rule -s $lan/24 -d $wan/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination $webserver:80
iptables -t nat -A prerouting_lan_rule -s $lan/24 -d $wan/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination $webserver:443

Making this an official feature would be appreciated, though.

Dan Berger commented on 26.11.2018 16:21

I found this report while investigating the same problem - I fixed it in a similar way and would also appreciate it being more directly supported.

in my case I have a plex media server in the lan zone, accessible from the internet, and a set of devices in an untrusted zone that I want to be able to stream from it.

I ended up doing this on OpenWrt 18.06.1, r7258-5eb055306f:

. /lib/
. /lib/functions/

network_get_subnet iot iot
network_get_ipaddr wan wan
network_get_ipaddr lan lan

iptables -t nat -A prerouting_iot_rule -s $iot -d $wan/32 -p tcp -m tcp --dport 8443 -j DNAT --to-destination $plexserver:$plexport -m comment --comment "firewall.user: plex iot to lan rule"
iptables -t nat -A postrouting_iot_rule -s $iot -d $plexserver/32 -p tcp -m tcp --dport $plexport -j SNAT --to-source $lan -m comment --comment "firewall.user: plex iot to lan rule"

(as an aside for anyone trying to replicate my results, I found that these rules don't appear after reboot until I do a firewall restart, but I haven't yet figured out why.)

neon commented on 03.05.2020 15:10


I experienced the same problem. Thank you, Dan and Dex, for posting your solutions here.

It seems like a pretty common situation for people to have a DMZ'd zone hosting a webserver that they would want to access via a zone-to-zone nat loopback.

edit: @Dan, I think your problem where you need to do the firewall restart is related to this: . When the firewall reloads (instead of restarts) your custom firewall.user rules are not also reloaded, but they depend on a chain that is created in /etc/config/firewall so I think your rules get flushed too. That article explains that you can set a variable in your firewall config to also execute your firewall.user script on reloads as well.

I realize that this thread is super old, but I thought I would post this for anyone else who came across it.

phqzgunsfjror commented on 13.06.2021 10:49

I also vote for the feature.

I opened a new ticket since it was closed:


Available keyboard shortcuts


Task Details

Task Editing