
Port-forwarding fine but not from internal LAN


I have an issue with OpenWRT with port forwarding. I'm doing port-forwarding from WAN to DMZ on port 443. It works fine. Also, when I access from internal LAN to DMZ with private IP it works fine (no port-forwarding involved). But, with my public IP from internal LAN it doesn't work. I got a connection refused.

Is there a way to make it work? (Initially I did port-forwarding only from WAN to DMZ, but sometimes I'm at home.)


Solution

  • You need to rewrite the destination address in the nat PREROUTING chain before forwarding. Further, you need to masquerade the port-forwarded LAN traffic before sending it to the DMZ.

    Without masquerade, the packets from the DMZ host will be sent directly to the LAN client(s). The LAN client(s) will drop these unknown packets, as they are expecting the replies to come back from the public IP and not the DMZ IP.

    The easiest way is to masquerade all the LAN traffic to the DMZ network like below:

    # Public IP = 208.67.220.220
    # Local LAN IP Pool = 192.168.1.0/24
    # LAN Interface = 'eth0'
    # DMZ Interface = 'eth2'
    # DMZ Server IP = 172.16.20.20

    # Rewrite the destination of LAN packets addressed to the public IP to the DMZ server
    iptables -t nat -A PREROUTING -i eth0 -d 208.67.220.220 -j DNAT --to 172.16.20.20
    # Masquerade LAN traffic leaving on the DMZ interface so replies come back through the router
    iptables -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -j MASQUERADE


    One can improvise this to masquerade only port forwarded traffic. I will leave it to the original poster.
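The port-restricted variant the answer leaves open, as an added example (not the answerer's code): only LAN connections to the public IP on the forwarded port are rewritten, and only connections that were actually DNATed are masqueraded, so direct LAN-to-DMZ traffic to the private address keeps its real source. It assumes the WAN-to-DMZ redirect already exists and reuses the answer's sample addresses; `IPT` defaults to `echo iptables` so the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example, not part of the original answer: hairpin (reflection) NAT
# that rewrites and masquerades only the traffic LAN clients send to the
# public IP on the forwarded port, instead of masquerading all LAN -> DMZ
# traffic. Addresses are the answer's sample values (assumed); IPT defaults
# to "echo iptables" so the script prints the rules instead of applying them.
PUBLIC_IP="${PUBLIC_IP:-208.67.220.220}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth0}"
DMZ_IF="${DMZ_IF:-eth2}"
DMZ_HOST="${DMZ_HOST:-172.16.20.20}"
PORT="${PORT:-443}"
IPT="${IPT:-echo iptables}"    # run with IPT=iptables to apply for real

hairpin_rules() {
    # 1. LAN client -> public IP:PORT is redirected to the DMZ host. Matching
    #    on the LAN interface and source keeps this separate from the WAN DNAT.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$PUBLIC_IP" \
        -p tcp --dport "$PORT" -j DNAT --to-destination "$DMZ_HOST:$PORT"
    # 2. Masquerade only connections that rule 1 actually rewrote (conntrack
    #    state DNAT), so the DMZ host replies to the router, which un-NATs
    #    the reply back to the public IP the client expects. Direct LAN ->
    #    DMZ traffic to the private address is left untouched.
    $IPT -t nat -A POSTROUTING -o "$DMZ_IF" -s "$LAN_NET" -d "$DMZ_HOST" \
        -p tcp --dport "$PORT" -m conntrack --ctstate DNAT -j MASQUERADE
    # 3. Allow the redirected flow through the filter table; replies are
    #    covered by the usual ESTABLISHED,RELATED rule on an OpenWrt box.
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -d "$DMZ_HOST" \
        -p tcp --dport "$PORT" -m conntrack --ctstate NEW -j ACCEPT
}

hairpin_rules
```

On OpenWrt itself this is the behaviour the firewall config produces when a redirect section has `option reflection '1'`, which is worth checking before hand-rolling rules.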