Iptables – OpenWRT Allow connections between 2 machines on LAN mapped to 2 IPs on WAN


I have an OpenWRT router with 1 WAN port and many LAN ports.

I have assigned a second IP to the WAN port by adding a command to the startup scripts like this:

ip addr add X.Y.Z.G/24 dev eth0.2

Before that I removed the bridge that was added to the WAN port, so br-wan is gone.

I also added the following commands to forward connections coming to this second IP on port 80 to a machine on the LAN.

iptables -t nat -I POSTROUTING 1 -p all -s 192.168.3.87 -j SNAT --to X.Y.Z.G
iptables -t nat -A PREROUTING -p tcp -d X.Y.Z.G --dport 80 -j DNAT --to-destination 192.168.3.87:80
iptables -I FORWARD -p tcp -d 192.168.3.87 --dport 80 -j ACCEPT

This way I have 2 web servers, each one mapped to a separate public IP.

The problem I have is that with this setup the clients inside the LAN cannot access IP X.Y.Z.G:80 for some reason. Everybody else on the web is able to. So far, my knowledge of iptables tells me that the last rule should allow forwarding connections to the internal IP from everywhere.

Best Answer

After looking at what else OpenWRT does to forward ports normally and looking at the firewall status (Status->Firewall from the menu), which included the current iptables rules, I replicated some of the rules and it turned out that the magic happened :).

iptables -t nat -A POSTROUTING -p tcp -s 192.168.3.0/24 -d 192.168.3.87 --dport 80 -j SNAT --to 192.168.3.1

It turned out I had to explicitly add an SNAT rule from the internal network in order to get everything to work.
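Why the extra SNAT rule matters is easier to see in a small model of the router's nat table. The block below is an added example, not code from the question or the answer; it uses the page's addresses (X.Y.Z.G is the page's placeholder public IP) and constructed client addresses, and traces where the server's SYN-ACK goes with and without the hairpin SNAT rule.

```python
# Added example: toy model of the nat table from the question and the answer.
# Addresses come from the page; the client addresses used later are constructed.
LAN_PREFIX = "192.168.3."
WAN_IP = "X.Y.Z.G"          # second public IP on eth0.2 (page's placeholder)
ROUTER_LAN = "192.168.3.1"  # router's LAN address, the SNAT target in the answer
SERVER = "192.168.3.87"     # internal web server


def router_nat(src, dst, dport, hairpin_snat):
    """Apply the question's DNAT rule and, optionally, the answer's SNAT rule.

    Returns the (src, dst) the packet carries when the router forwards it.
    """
    # PREROUTING: -d X.Y.Z.G --dport 80 -j DNAT --to-destination 192.168.3.87:80
    if dst == WAN_IP and dport == 80:
        dst = SERVER
    # POSTROUTING: -s 192.168.3.0/24 -d 192.168.3.87 --dport 80 -j SNAT --to 192.168.3.1
    # (runs after DNAT, so -d already matches the translated destination)
    if hairpin_snat and src.startswith(LAN_PREFIX) and dst == SERVER and dport == 80:
        src = ROUTER_LAN
    return src, dst


def reply_source_seen_by(client, hairpin_snat):
    """Trace a SYN from `client` to X.Y.Z.G:80; return the SYN-ACK's source
    address as the client sees it."""
    fwd_src, fwd_dst = router_nat(client, WAN_IP, 80, hairpin_snat)
    if fwd_dst != SERVER:
        raise RuntimeError("DNAT rule did not match")
    reply_dst = fwd_src  # the server answers whoever the forwarded SYN came from
    if reply_dst.startswith(LAN_PREFIX) and reply_dst != ROUTER_LAN:
        # Same subnet: the server sends the SYN-ACK straight to the client.
        # It never crosses the router, so nothing reverses the DNAT and the
        # client sees 192.168.3.87 instead of the X.Y.Z.G it connected to.
        return SERVER
    # Reply reaches the router (internet client, or SNAT'd to 192.168.3.1):
    # conntrack reverses both translations and the client sees X.Y.Z.G.
    return WAN_IP


def handshake_completes(client, hairpin_snat):
    """True when the SYN-ACK appears to come from the address the client dialled."""
    return reply_source_seen_by(client, hairpin_snat) == WAN_IP


if __name__ == "__main__":
    # 203.0.113.9 (documentation range) stands in for an internet client.
    for client, snat in (("203.0.113.9", False), ("192.168.3.50", False), ("192.168.3.50", True)):
        state = "OK" if handshake_completes(client, snat) else "FAILS"
        print(f"{client:>13} hairpin_snat={snat!s:5} -> {state}")
```

Because the SNAT rule matches after DNAT, it also rewrites LAN clients that connect to 192.168.3.87:80 directly, so the web server's logs will show 192.168.3.1 for every LAN visitor; restricting the rule further (for example by matching only the DNAT'd connections) keeps the real client address in those logs.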
