efdsys
just joined
Topic Author
Posts: 10
Joined: Fri Nov 13, 2020 7:06 pm

Route local IP to public IP

Thu Jan 13, 2022 3:42 pm

I want to route a reserved local IP address (say "192.168.88.8" ) on my wifi bridge (cAP) to a public web server IP address.

How do I do this? I have played around with NAT but so far unsuccessfully.

Maybe it sounds crazy but I am trying to force/restrict Android to using local wifi to access my public web server. I want to do this with minimal adjustments on the Android device --- just connect to the wifi and enter the local address in the browser is what I'm after. I am seeking to avoid/prevent use of mobile data networks and restrict access to known locations/broadband gateway addresses.

I control the web server so the server is not the problem. The problem is that Android will sometimes (but not always) use mobile broadband (which I have no knowledge or control of) instead of wifi. Using an address that is *only* reachable on wifi would solve the problem if I could handle the routing in the AP.
Last edited by efdsys on Thu Jan 13, 2022 4:04 pm, edited 2 times in total.
 
own3r1138
Long time Member
Posts: 689
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Route local IP to public IP

Thu Jan 13, 2022 3:51 pm

I could not understand what you want here.
Do you want to block your local network to a certain web server?
So why would you need a NAT for that?

You want to route what? What do you mean?
Can you explain more?
 
efdsys
just joined
Topic Author
Posts: 10
Joined: Fri Nov 13, 2020 7:06 pm

Re: Route local IP to public IP

Thu Jan 13, 2022 4:03 pm

> I could not understand what you want here.
> Do you want to block your local network to a certain web server?
> So why would you need a NAT for that?
>
> You want to route what? What do you mean?
> Can you explain more?

Thanks for the reply.

I added to my original post to try to clarify. NAT is needed in order to force Android to use local wifi instead of broadband. Forcing access through a known gateway IP lets me identify and restrict the locations where requests are allowed to come from. Most people try to use geo-fencing for this but geo-coordinates are easily spoofed.

192.168.88.8 ---> known broadband gateway IP ---> public web server

Using a list of known gateways, I can log the location of each request. If the gateway is some unknown mobile tower, I have no idea where the request came from.
Last edited by efdsys on Thu Jan 13, 2022 4:16 pm, edited 1 time in total.
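
The server-side check described in the post above (a list of known gateways used to locate and restrict requests), sketched as an added example that is not part of the original post. It assumes the web server sees each gateway's public address as the TCP peer address; the gateway addresses, site names and function names are constructed for illustration.

```python
import ipaddress

# Constructed allowlist: public addresses of gateways whose location is known.
# The addresses are documentation ranges and the site names are made up.
KNOWN_GATEWAYS = {
    "198.51.100.7/32": "Warehouse A",
    "203.0.113.0/29": "Head office",
}
_NETWORKS = [(ipaddress.ip_network(c), site) for c, site in KNOWN_GATEWAYS.items()]


def normalize_peer(peer):
    """Parse the TCP peer address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d),
    which a dual-stack listener reports for plain IPv4 clients."""
    addr = ipaddress.ip_address(peer.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def locate_request(peer, headers=None):
    """Return (allowed, site). Only the socket peer address decides; client-supplied
    headers such as X-Forwarded-For are ignored because the sender controls them."""
    try:
        addr = normalize_peer(peer)
    except ValueError:
        return False, "unparseable peer address"
    for net, site in _NETWORKS:
        if addr.version == net.version and addr in net:
            return True, site
    return False, "unknown gateway"


def audit(requests):
    """Produce one log line per (peer, headers) request."""
    lines = []
    for peer, headers in requests:
        allowed, site = locate_request(peer, headers)
        lines.append(f"{'ALLOW' if allowed else 'DENY'} peer={peer} site={site}")
    return lines


# Constructed sample requests: (socket peer address, request headers).
SAMPLE = [
    ("198.51.100.7", {}),
    ("::ffff:203.0.113.5", {}),
    ("192.0.2.50", {"X-Forwarded-For": "198.51.100.7"}),  # header names a known gateway
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
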
 
own3r1138
Long time Member
Posts: 689
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Route local IP to public IP

Thu Jan 13, 2022 4:10 pm

What I don't understand is how your Android device would know this.
If you are connected to, let's say, LTE and WiFi at the same time, your device will use WiFi over LTE. So why do you need to do anything?
So let's say you have a web server with IP 1.1.1.1. How could you access it inside your local network of 192.168.88.0/24?
Example:
If you browse 192.168.88.254, it would redirect you to 1.1.1.1? Is that what you want? It doesn't make sense to me.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Route local IP to public IP  [SOLVED]

Thu Jan 13, 2022 4:15 pm

So you want some Android device to connect to your public server, but not directly to its public address, because it could send packets the wrong way. To prevent that, you'll tell it to connect to local 192.168.88.8 and you'll redirect it to server's public address. Correct?

It's simple, just do:
/ip firewall nat
add chain=dstnat dst-address=192.168.88.8 protocol=tcp dst-port=80,443 action=dst-nat to-addresses=<server's public address>
Only catch is that if Android is in same subnet as this 192.168.88.8, the address must respond to arp requests. Simplest way to achieve that is to add it to router. If you already have e.g. 192.168.88.1, then just add .8 as second one.
 
Hominidae
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Re: Route local IP to public IP

Thu Jan 13, 2022 4:26 pm

> The problem is that Android will sometimes (but not always) use mobile broadband (which I have no knowledge or control of) instead of wifi. Using an address that is *only* reachable on wifi would solve the problem if I could handle the routing in the AP.

This indicates that you might have a problem with your wifi reception/quality.

As already stated, when the device is connected over wifi, it should prefer that over mobile. This should result in your local router enabling the connection to your public web-server just fine.
Only when wifi is not connected, the device would choose the mobile (default) route.
Giving your web-server a non-public IP, basically masquerading (hence your attempt on using NAT) it will not help as your device will not be connected to wifi at that time.
This is not a MT problem, as it seems.
You should try and find an app for your android, that does apply some kind of access-management/rules choosing/defining allowance to certain paths over wifi only.
...I actually do not know of any app, but I'd gather that there are many....first attempt on my google-fu reveals "NetGuard" as an option...maybe you will need to go for the PRO version, based on your use case.
 
efdsys
just joined
Topic Author
Posts: 10
Joined: Fri Nov 13, 2020 7:06 pm

Re: Route local IP to public IP

Thu Jan 13, 2022 4:44 pm

> So you want some Android device to connect to your public server, but not directly to its public address, because it could send packets the wrong way. To prevent that, you'll tell it to connect to local 192.168.88.8 and you'll redirect it to server's public address. Correct?
>
> It's simple, just do:
> /ip firewall nat
> add chain=dstnat dst-address=192.168.88.8 protocol=tcp dst-port=80,443 action=dst-nat to-addresses=<server's public address>
> Only catch is that if Android is in same subnet as this 192.168.88.8, the address must respond to arp requests. Simplest way to achieve that is to add it to router. If you already have e.g. 192.168.88.1, then just add .8 as second one.

I think ARP is the missing piece.

I tried adding 192.168.88.8 to the ARP table using the wifi MAC address of the cAP but no luck.
 
efdsys
just joined
Topic Author
Posts: 10
Joined: Fri Nov 13, 2020 7:06 pm

Re: Route local IP to public IP

Thu Jan 13, 2022 4:53 pm

> As already stated, when the device is connected over wifi, it should prefer that over mobile.

It should ... but it doesn't always do this ... even with an excellent wifi signal.

I think the problem is the wifi has restricted access and it fails the Android "internet access" test. When Android thinks there is no internet access across wifi, it (sometimes but not always) sends the data over the mobile access.
 
efdsys
just joined
Topic Author
Posts: 10
Joined: Fri Nov 13, 2020 7:06 pm

Re: Route local IP to public IP

Thu Jan 13, 2022 5:54 pm

> Only catch is that if Android is in same subnet as this 192.168.88.8, the address must respond to arp requests. Simplest way to achieve that is to add it to router. If you already have e.g. 192.168.88.1, then just add .8 as second one.

I got it. It took 3 things to make it work.

1) NAT rule
2) ARP entry
3) Address entry

CORRECTION: All for naught --- Android is brain dead! Even though the address is only valid on the local wifi subnet, Android still tries to resolve it using the mobile connection. If internet access is not detected on wifi, the only way Android will use wifi is if mobile data is turned off.
Last edited by efdsys on Thu Jan 13, 2022 7:30 pm, edited 1 time in total.
 
own3r1138
Long time Member
Posts: 689
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Route local IP to public IP

Thu Jan 13, 2022 6:27 pm

Don't forget to remove that local IP that you used from your DHCP IP pool.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Route local IP to public IP

Thu Jan 13, 2022 6:30 pm

With ARP it's about responses sent by router. Entries in IP->ARP are what router itself uses (unless it's published=yes for proxy ARP). If you assign address to router, it automatically responds to ARP requests and you don't need to do anything with IP->ARP.
 
Hominidae
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Re: Route local IP to public IP

Thu Jan 13, 2022 8:59 pm

> I think the problem is the wifi has restricted access and it fails the Android "internet access" test. When Android thinks there is no internet access across wifi, it (sometimes but not always) sends the data over the mobile access.

Hmpf...so you are not in your own, managed wifi zone but rather at your employer's or such situation?
That actually could be the cause of your problem.
How about setting up a wireguard link and use that as default route, going through your own ISP from basically everywhere?
Your other solution is a bit too unconventional, I'd say ;-)
