DMZ and 1:1 NAT configuration
DMZ and 1:1 NAT configuration with additional static, public IPv4 addresses on the Bondix server
This page describes how to forward traffic from a public IP on the Bondix server to a LAN host behind a Bondix client router using iptables and port forwarding.
Assumptions
- You are operating your own Bondix server with the option to get additional public IPv4 addresses.
- You have an additional IP address on the Bondix server (example: 14.15.16.1).
- The LAN client behind the OpenWRT router has a private IP address like 192.168.5.213.
Step 1: Configure additional IP address on the server
Configure the additional IP address (e.g. 14.15.16.1) on the Bondix server based on the instructions of your server provider.
Step 2: Create a new environment in the Bondix Server GUI
1. Log in to the Bondix server GUI.
2. Create a **new environment**.
3. In this environment, set:
- Outgoing NAT IP = 14.15.16.1
Step 3: Add iptables rules on the Bondix server
Determine the Bondix client interface IP in the tunnel (e.g. from the tunnel status page when the client is connected). It will look like: 169.254.xxx.xxx (example here: 169.254.20.4).
Then add the following iptables rules on the Bondix server shell:
iptables -A PREROUTING -t nat -d 14.15.16.1 -j DNAT --to 169.254.xxx.xxx
iptables -A FORWARD -d 169.254.xxx.xxx -j ACCEPT
Replace:
- 14.15.16.1 with your actual additional IP on the server (if different).
- 169.254.xxx.xxx with the actual tunnel client IP of the Bondix client.
Step 4: Configure port forwarding on the OpenWRT router
In the firewall of the Bondix client router:
1. Open the **Port Forwarding / Firewall** configuration.
2. Create a rule forwarding **all traffic from the Bondix zone** to the LAN client IP address:
- From zone: **Bondix**
- To IP: **192.168.5.213** (LAN host)
Set the protocol to all, as needed for your use case.
Example screenshot from Teltonika:
Step 5: Make iptables rules persistent
By default, iptables rules are **not persistent** and will be lost after a reboot.
To ensure the rules are always applied:
- Use a tool like iptables-persistent, **or**
- Create a Linux service / script that runs these iptables commands on boot.
Step 6: Reserve a fixed tunnel client IP (optional but recommended)
Once everything works, it is recommended to reserve the tunnel client IP for this specific Bondix tunnel client.
On the Bondix server:
1. Open the tunnel configuration for this client.
2. Set the desired fixed tunnel IP in the **Tunnel Client IP mask**, e.g.:
- Tunnel Client IP mask = 169.254.19.4
This ensures the tunnel client always receives the IP address 169.254.19.4.
Step 7: Final iptables rules with fixed tunnel IP
If you reserve the tunnel client IP (e.g. 169.254.19.4), update your iptables rules accordingly:
iptables -A PREROUTING -t nat -d 14.15.16.1 -j DNAT --to 169.254.19.4
iptables -A FORWARD -d 169.254.19.4 -j ACCEPT
With these settings:
- Traffic to 14.15.16.1 on the Bondix server is DNATed to 169.254.19.4 (tunnel client).
- The OpenWRT client forwards this traffic from the Bondix zone to the LAN client 192.168.5.213.
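One way to write the boot script mentioned in Step 5 for the final rules from Step 7 (an added example, not Bondix's own tooling): it checks each rule with `iptables -C` before appending it and refuses to run with an unreplaced placeholder address. The function names and the `IPTABLES` override variable are assumptions of this example; the addresses are the page's example values.

```sh
#!/bin/sh
# Added example: idempotent loader for the DNAT and FORWARD rules from Step 7.
# PUBLIC_IP / TUNNEL_IP default to the page's example values; replace them.
PUBLIC_IP="${PUBLIC_IP:-14.15.16.1}"
TUNNEL_IP="${TUNNEL_IP:-169.254.19.4}"
IPTABLES="${IPTABLES:-iptables}"   # assumption: overridable for dry runs

# Succeed only for a literal dotted-quad IPv4 address, so a leftover
# placeholder such as 169.254.xxx.xxx is never passed to iptables.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split into octets (digits and dots only)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Append a rule only when -C (check) reports that it is not loaded yet,
# so running the script twice does not stack duplicate rules.
ensure_rule() {
    table=$1; chain=$2; shift 2
    "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null ||
        "$IPTABLES" -t "$table" -A "$chain" "$@"
}

apply_rules() {
    for ip in "$PUBLIC_IP" "$TUNNEL_IP"; do
        valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 2; }
    done
    ensure_rule nat PREROUTING -d "$PUBLIC_IP" -j DNAT --to-destination "$TUNNEL_IP"
    ensure_rule filter FORWARD -d "$TUNNEL_IP" -j ACCEPT
}

# Touch the firewall only when called as: script apply
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it with the `apply` argument from whichever boot mechanism you chose in Step 5. If the tunnel client IP changes later, rules for the old address stay loaded until they are removed with `iptables -D` or the server reboots.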
If you have further questions or special requirements, please contact support.