DD-WRT – Allow Port Forwarding for LAN Requests

DD-WRT is likely not configured for hairpin routing. Connecting to the Public IP from the LAN is usually a bad idea, and you will not be able to identify the connection source. The best option is to connect directly to the desired server from inside the network.

The Shorewall FAQ 2 covers doing configuring the router so that it will work. Shorewall builds an iptables firewall from a set of specification file, so the steps are not the required iptables commands, but map fairly easily to iptables. I believe you should be able to run shorewall-lite on DD-WRT, in which case you will need to build all your firewall in Shorewall rather than the DD-WRT tool.

Using split DNS is far easier and I would recommend that approach. A tool like dnsmasq can provide the necessary internal DNS from a /etc/hosts file. It acts as a caching server for addresses on the Internet. It also provides DHCP, do if you don't run it on your DD-WRT router, you will want to decide which DHCP server to enable. If you have the memory you can install in on DD-WRT as a replacement for the default DHCP server.

EDIT: If you choose to use dnsmasq it is best to set it up as the active DHCP server. If you don't run it on your router, disable DCHP on the routers. Alternatively, use fixed addresses outside the DHCP address range for the servers your want to route to. Using fixed addresses is a good idea for servers anyway. Add the addresses of the servers to the /etc/hosts file on the host running dnsmasq, and restart dnsmasq. If you configure dnsmasq with a domain, you can also lookup DHCP clients by name.

Determine the address of the dnsmasq host. (This should be a private network address like 192.168.0.10.) Configure your DHCP server to list this address as the first DNS nameserver. For linux hosts and others with a /etc/resolve.conf file use this address for the first nameserver entry. For other servers with static nameserver entries make this address the first specified address.

DHCP clients will need to have their DNS data updated. Triggering a DHCP renewal should update the data. Many systems have internal DNS caches, so the changes may not be visible immediately. Rebooting clients after all the server configuration has been done should clear all caches and reload DHCP specified configuration.