
I'm using OpenWRT 23.05 and I have the following situation:

  • Local server in network lan, accessible via port 80, 443 on IP 10.150.42.7
  • My PC, on the same network
  • My Phone, on the same network
  • My sister's phone, lives somewhere else

I gave my sister access to the server mentioned above using Tailscale. I have set up a public DNS record which points to the Tailscale IP 100.76.72.54. I have also configured HTTPS using Caddy on the server. This way my sister can access the server via Tailscale and just has to enter the public domain name, which works fine.

The domain name I use locally and in the public internet is the same and I wish that to stay that way. I am not going to configure a second domain, otherwise I have to keep changing the configuration on my portable devices.

On my OpenWRT router I have configured that the DNS name should be resolved internally to the internal IP 10.150.42.7, which works fine (I tested it with dig).

However, the problem is due to DNSSEC being enabled in the browser on my PC, it does not use the internal resolver and rather forcefully uses the public DNS resolver and thus gets the Tailscale IP. Since my PC is not connected to Tailscale at all times (and I don't want to change this) and I also don't want to disable DNSSEC on all devices in my network, I want to rewrite the IP in OpenWRT.

How do I configure OpenWRT (LuCI preferred) so that the destination IP address 100.76.72.54 is rewritten to 10.150.42.7 in the network lan?

I have tried the following things:

Port Forward: here I can only specify where to route the traffic to but not what the "original" IP is, so this would just redirect everything.

Traffic Rules: I can't specify "forward" in "Action", so this is not the right place.

NAT Rules: here I can specify a "Rewrite IP address" but there is no "DNAT" choice in "Action".

Static route: I can specify the IP address (using /32) and the Gateway, but it won't actually rewrite the destination IP address but rather just route it to the Gateway, which has no idea what to do with it (which is already the case, since the 100.* addresses would have no destination in the first place).

xdevs23

1 Answer


Rewriting the destination address is DNAT, and DNAT is the Port Forwarding section in OpenWrt. You can specify additional criteria, including "External IP address", in the Advanced tab. I've just tried it on a RutOS device and it did not work, unfortunately, but it might work on plain OpenWrt.

(Since you're setting up a lan-to-lan NAT rule, you will probably want "NAT Loopback" to be enabled as well.)

But if the frontend doesn't let you configure it, then you will need to write the rules by hand (older versions with iptables have a "Custom Rules" tab; newer versions apparently use nftables).

I'm not able to finish the rules since I don't know the table and chain names that OpenWrt uses, but it would look somewhat like this for iptables (Fw3):

# Translate destination
iptables -t nat -I [TODO: chain name] -d 100.76.72.54 -j DNAT --to-destination 10.150.42.7

# Translate source (NAT hairpinning)
iptables -t nat -I [TODO: chain name] -s 10.150.42.0/24 -d 10.150.42.7 -j MASQUERADE

(Standard chains would be PREROUTING for DNAT rules and POSTROUTING for SNAT rules, but OpenWrt has a ton of custom ones as can be seen in iptables-save. I would first add "partial" rules via GUI, then dump them via SSH to see which chain they went into.)

...and for nftables (Fw4), which it seems needs to be injected like this:

table [TODO: table name (probably "inet nat")] {
    chain [TODO: chain name] {
        ip daddr 100.76.72.54 dnat to 10.150.42.7
    }
    chain [TODO: chain name] {
        ip saddr 10.150.42.0/24 ip daddr 10.150.42.7 masquerade
    }
}

(Nftables has no standard chain names so you pretty much have to look through nft list ruleset.)

I can't specify "forward" in "Action" so this is not the right place.

Even if it were the right place, "forward" would not be the action. Despite it somehow getting named "Port Forwarding", the rules don't forward anything – they rewrite (translate) packets, while the actual forwarding decision is done elsewhere – so the action would be something like "DNAT - Rewrite to specific destination IP or port".

grawity