SNAT rewrite ip Pooling support
A config like this:
config nat
option name 'SNAT'
option family 'ipv4'
option src 'vpn'
option src_ip '192.168.106.0/24'
option dest_ip '10.66.0.0/16'
option target 'SNAT'
option snat_ip '10.254.1.0/24'
list proto 'all'
creates this rule:
chain srcnat_vpn {
ip saddr 192.168.106.0/24 ip daddr 10.66.0.0/16 counter snat ip to 10.254.1.0 comment "!fw4: SNAT"
}
But it should create something like this:
chain srcnat_vpn {
ip saddr 192.168.106.0/24 ip daddr 10.66.0.0/16 counter snat ip to 10.254.1.0/24 comment "!fw4: SNAT"
}
nftables supports NAT pooling using a prefix or a range; this is the link to the documentation: NFT NAT pooling
I saw in the code that the rip variable used for adding the snat rule is used as rip[0], so the prefix is being removed (this is correct only if a port rewrite is done, see the example below); otherwise it is supported.
You can also rewrite both an IP range and a port range; it is defined like this:
chain srcnat_vpn {
ip saddr 192.168.106.0/24 ip daddr 10.0.0.0/24 tcp sport 19 tcp dport 12 counter snat ip to 10.254.1.1-10.254.1.2:100-200 comment "!fw4: TCP"
}
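To make the reported behaviour concrete, here is an added example (not firewall4's own code, and not the real fw4 rendering path) that models the decision the post describes: a snat_ip value can be a single address, a prefix or an address range, and the generated `snat ip to` target should keep a prefix as-is unless a port rewrite is also requested, in which case it collapses to the base address (the `rip[0]` behaviour). The `keep_prefix` flag and the function names are assumptions introduced here so the buggy and the expected output can be compared side by side.

```python
import ipaddress
import re

# Matches a dashed IPv4 range such as 10.254.1.1-10.254.1.2
RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$")


def parse_snat_ip(value):
    """Classify a snat_ip value as 'addr', 'prefix' or 'range' and validate it.

    Returns (kind, normalised_text). Raises ValueError on malformed input.
    """
    m = RANGE_RE.match(value.strip())
    if m:
        lo = ipaddress.ip_address(m.group(1))
        hi = ipaddress.ip_address(m.group(2))
        if hi < lo:
            raise ValueError(f"range end {hi} is below range start {lo}")
        return "range", f"{lo}-{hi}"
    # ip_network(..., strict=False) accepts both "10.254.1.0/24" and "10.254.1.7"
    net = ipaddress.ip_network(value.strip(), strict=False)
    if net.prefixlen == net.max_prefixlen:
        return "addr", str(net.network_address)
    return "prefix", str(net)


def render_snat_target(snat_ip, snat_port=None, keep_prefix=True):
    """Build the 'snat ip to ...' expression (model of the thread's rule, not fw4 code).

    keep_prefix=False reproduces the reported behaviour where the prefix is
    always dropped (rip[0]); keep_prefix=True keeps it unless a port is rewritten.
    """
    kind, text = parse_snat_ip(snat_ip)
    if kind == "prefix" and (snat_port is not None or not keep_prefix):
        # Collapse the prefix to its network address (assumption: this is what
        # the thread means by 'correct only if a port rewrite is done')
        text = text.split("/")[0]
    target = f"snat ip to {text}"
    if snat_port is not None:
        target += f":{snat_port}"
    return target


def render_rule(src_ip, dest_ip, snat_ip, snat_port=None, name="SNAT", keep_prefix=True):
    """Render one srcnat rule line in the style shown in the post."""
    target = render_snat_target(snat_ip, snat_port, keep_prefix)
    return f'ip saddr {src_ip} ip daddr {dest_ip} counter {target} comment "!fw4: {name}"'


if __name__ == "__main__":
    # Constructed sample matching the post's config section
    print("buggy:   ", render_rule("192.168.106.0/24", "10.66.0.0/16", "10.254.1.0/24", keep_prefix=False))
    print("expected:", render_rule("192.168.106.0/24", "10.66.0.0/16", "10.254.1.0/24"))
    print("range+port:", render_snat_target("10.254.1.1-10.254.1.2", "100-200"))
```

Running the block prints the rule the post says fw4 currently emits, the rule the post expects, and the range-plus-port form; the parser also rejects a reversed range, which is the input validation a config loader should do before handing a value to nft.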
Workaround: create the file /etc/nftabled.d/srcnat-wan.nft:
chain srcnat_vpn {
ip saddr 192.168.106.0/24 counter snat ip to 10.254.1.0/24 persistent comment "!fw4: SNAT"
return
# original rule just creates chain + jump but gets skipped past
}
actually one could implement almost-mwan this way ;-)
Maybe it's not a really good idea, the randomization is a bit fuzzy ^_^
Anyway, I figured out I wanted to do a different thing, a linear address mapping and not a pool; it's similar though:
chain srcnat_vpn {
meta nftrace set 1
ip saddr 192.168.106.0/24 ip daddr 10.66.0.0/16 counter snat ip prefix to ip saddr map { 192.168.106.0/24 : 10.254.1.0/24 }
}
For reference, in either case, when using the manual configuration from /etc/nftabled.d/ you also need the interface handler:
chain srcnat {
oifname { "xxxx" } jump srcnat_vpn comment "!fw4: Handle vpn IPv4/IPv6 srcnat traffic"
}
I'm not sure if it is worth implementing something like this (the mapping) in firewall4.
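The difference between the pool from the workaround and the linear mapping in this post is what the translated address tells you. An added example (not from the thread, not nftables code) that computes what a prefix-to-prefix `snat ip prefix to ip saddr map { src/24 : dst/24 }` rule does under the assumption that it keeps the host bits (netmap-style 1:1 translation): every source gets a fixed public address, and the mapping can be inverted without consulting conntrack. The function names and the equal-prefix-length check are assumptions of this example.

```python
import ipaddress


def linear_map(src_addr, src_prefix, dst_prefix):
    """Translate src_addr from src_prefix into dst_prefix keeping the host bits.

    Returns the mapped address, or None when src_addr is outside src_prefix
    (the nft rule would simply not match in that case).
    """
    src = ipaddress.ip_address(src_addr)
    snet = ipaddress.ip_network(src_prefix)
    dnet = ipaddress.ip_network(dst_prefix)
    # Assumption of this example: a 1:1 mapping needs equally sized prefixes
    if snet.prefixlen != dnet.prefixlen:
        raise ValueError("source and destination prefixes must have the same length")
    if src not in snet:
        return None
    offset = int(src) - int(snet.network_address)
    return ipaddress.ip_address(int(dnet.network_address) + offset)


def reverse_map(nat_addr, src_prefix, dst_prefix):
    """Inverse lookup: which internal host is behind a translated address."""
    return linear_map(nat_addr, dst_prefix, src_prefix)


def pool_candidates(pool_prefix):
    """For a pooled SNAT every address in the pool is a possible translation,
    so the reverse lookup is ambiguous without the conntrack table."""
    return [str(a) for a in ipaddress.ip_network(pool_prefix)]


if __name__ == "__main__":
    # Constructed sample: the prefixes used in the thread
    src, nat = "192.168.106.0/24", "10.254.1.0/24"
    mapped = linear_map("192.168.106.37", src, nat)
    print("192.168.106.37 ->", mapped)
    print("reverse:", reverse_map(str(mapped), src, nat))
    print("pool size for", nat, "=", len(pool_candidates(nat)))
```

For logging and incident triage the linear form is the friendlier one: a translated address can be attributed to exactly one internal host by arithmetic, whereas with a pool (even with `persistent`) the attribution depends on conntrack state that must be captured at the time of the flow.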
You did not understand the trick involved. You make a snat rule, which adds an ifname-filtering extra chain, then prepend that chain with
{
your rule
return
# unreachable from here
generated rule
}
persistent is intended to bind LAN users to public addresses - I really don't know how it works