Multi-net NAT configuration

Hi all, just bought myself a lovely new Turris Omnia. This is my first time with an OpenWRT router (though I am not a Linux newbie) so please bear with me - the configuration options are massive. I hope this is quite an easy question for the community…

I previously had a TP-Link load-balancing router which had an option for Multi-net NAT (used together with a static route). This simply means that the router will perform NAT (masquerading) for a subnet in addition to the primary subnet of the LAN that the router is on.

For example, the LAN side of the router is 192.168.0.1 and I have other computers on 192.168.0.0/24. However I also run QEMU/KVM VMs on one of my PCs (192.168.0.32) and these are connected to each other and the host using a software bridge on a network 192.168.100.0/24. The host is visible to the VMs and it will forward packets unchanged (no NAT) to the router (default GW for the host), so the router receives packets with source address 192.168.100.x (I don’t know what it will do with these packets by default). I would simply like the router to masquerade these packets also before sending out to the WAN, in addition to doing the same for those on the primary subnet 192.168.0.0/24. Obviously I need to set a static route with packets received from the WAN destined for 192.168.100.0/24 (after NATing) for the next hop to be 192.168.0.32 (that’s no problem and it works).

On my old TP-Link router it was easy, just set 192.168.100.0/24 in the Multi-net NAT config page (and a static route) and it was done. How do I do it on Turris Omnia?

Thanks

This should be the default. Have you tried it and it does not work?

Thanks for taking time to respond.

Hmm, interesting. No I didn’t try it, since I didn’t think it would work by default, because:
a) it didn’t work on other routers without special config (specifically the TP-Link router I mentioned), and
b) the traffic doesn’t originate in the “lan” firewall zone (covering by default interface “br_lan” consisting of devices “lan0-4”, on a different subnet, 192.168.0.0/24). However, perhaps since the default input policy for this zone is “accept”, it might work anyway.

So… I’ll try it and write back :wink:

Thanks again.

Amazing, you were right! It just works by default. Thanks for your advice.
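Why it works by default, shown as an added example that is not from this thread or from OpenWRT itself: a small Python model of zone-based forwarding and masquerading. Zone membership is decided by the ingress interface (here br-lan), not by the source subnet, so the VM subnet is masqueraded like any other lan traffic, and the static route via 192.168.0.32 carries the de-NATed replies back. The WAN addresses, interface names and port numbers are constructed.

```python
from ipaddress import ip_address, ip_network

WAN_IP = ip_address("203.0.113.7")                 # constructed WAN address
ZONE_OF_IFACE = {"br-lan": "lan", "eth2": "wan"}   # zone membership is per interface
FORWARDINGS = {("lan", "wan")}                     # default lan -> wan forwarding
MASQ_ZONES = {"wan"}                               # option masq '1' on zone wan
# (destination, gateway or None if directly connected, egress interface); the
# last entry is the static route the poster added for the VM bridge via the host.
ROUTES = [
    (ip_network("0.0.0.0/0"), ip_address("203.0.113.1"), "eth2"),
    (ip_network("192.168.0.0/24"), None, "br-lan"),
    (ip_network("192.168.100.0/24"), ip_address("192.168.0.32"), "br-lan"),
]
CONNTRACK = {}  # (nat_src, sport, dst, dport) -> original source address

def route(dst):
    """Longest-prefix match: returns (next hop, egress interface)."""
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    next_hop = best[1] if best[1] is not None else dst
    return next_hop, best[2]

def forward(src, sport, dst, dport, in_iface):
    """Push one packet through routing, zone forwarding and NAT.
    Returns (src, dst, next_hop, out_iface) or None when the packet is dropped."""
    src, dst = ip_address(src), ip_address(dst)
    in_zone = ZONE_OF_IFACE[in_iface]
    # Reply half of a tracked flow: undo NAT before routing. Conntrack, not the
    # zone forwarding policy, admits ESTABLISHED traffic.
    orig = CONNTRACK.get((dst, dport, src, sport))
    if in_zone == "wan" and orig is not None:
        dst = orig
        next_hop, out_iface = route(dst)   # 192.168.100.x goes via 192.168.0.32
        return src, dst, next_hop, out_iface
    next_hop, out_iface = route(dst)
    out_zone = ZONE_OF_IFACE[out_iface]
    if (in_zone, out_zone) not in FORWARDINGS:
        return None                        # zone forward policy is REJECT
    if out_zone in MASQ_ZONES:
        # SNAT is applied on the egress zone; the original source subnet is
        # never consulted, which is why 192.168.100.0/24 needs no extra config.
        CONNTRACK[(WAN_IP, sport, dst, dport)] = src
        src = WAN_IP
    return src, dst, next_hop, out_iface
```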