Need help with multiple WAN IPs routed to internal IPs

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2, 3  Next
Author Message
delusion_
DD-WRT Novice


Joined: 18 Dec 2007
Posts: 2

PostPosted: Wed Dec 19, 2007 5:51    Post subject: Need help with multiple WAN IPs routed to internal IPs Reply with quote
I think this is pretty straightforward, but I've spent the past two nights trying to figure it out without success.

I have a total of four "public" IP addresses, ending with .19, .124, .171 and .195.

.124 is what the router is currently assigned to (static.) It's sharing the internet via NAT to the DHCP clients.

I want those other public IPs routed ENTIRELY (all ports) to internal IPs, such as 10.10.2.19, 10.10.2.171, and 10.10.2.195.

Reading the forum/wiki/etc., I found how to specify multiple external IPs on dd-wrt, as well as a good "starting point" for how the things should be set up via iptables. Here's what I have so far: (XX.XX.XX is masked for protection of my IP addresses.)

Code:
/usr/sbin/ip addr add XX.XX.XX.19/29 dev vlan1
/usr/sbin/ip addr add XX.XX.XX.171/29 dev vlan1
/usr/sbin/ip addr add XX.XX.XX.195/29 dev vlan1

/usr/sbin/iptables -t nat -I POSTROUTING 1 -p all -s 10.10.2.19 -j SNAT --to XX.XX.XX.19
/usr/sbin/iptables -t nat -I POSTROUTING 1 -p all -s 10.10.2.171 -j SNAT --to XX.XX.XX.171
/usr/sbin/iptables -t nat -I POSTROUTING 1 -p all -s 10.10.2.195 -j SNAT --to XX.XX.XX.195

/usr/sbin/iptables -t nat -A PREROUTING -p all -d XX.XX.XX.19 -j DNAT --to-destination 10.10.2.19
/usr/sbin/iptables -t nat -A PREROUTING -p all -d XX.XX.XX.171 -j DNAT --to-destination 10.10.2.171
/usr/sbin/iptables -t nat -A PREROUTING -p all -d XX.XX.XX.195 -j DNAT --to-destination 10.10.2.195

/usr/sbin/iptables -I FORWARD -p all -d 10.10.2.19 -j ACCEPT
/usr/sbin/iptables -I FORWARD -p all -d 10.10.2.171 -j ACCEPT
/usr/sbin/iptables -I FORWARD -p all -d 10.10.2.195 -j ACCEPT


I've put this in the "firewall" section of the administration screen, and saved/rebooted.. no luck. Any advice you could offer would be much appreciated. I might even throw some money your way via Paypal if you're willing to help me get this totally set up.

Thanks in advance.
Sponsor
joksi
DD-WRT Guru


Joined: 16 Jan 2007
Posts: 1238

PostPosted: Tue Jan 08, 2008 2:40    Post subject: Reply with quote
Im using just this type of setup, with three public IPs. WRT54GL v.1.1 with DD-WRT RC6 and it works just fine.

I have done following:

Startup

ifconfig vlan1:1 PUBLIC_IP netmask NETMASK broadcast BROADCAST
- setup new public static ip on dd-wrt wan interface vlan1

Firewall

SNAT/DNAT

iptables -t nat -I PREROUTING -i vlan1 -d PUBLIC_IP -j DNAT --to-destination LAN_IP
- route all packets for the new public ip, to a certain local ip

iptables -t nat -I POSTROUTING -o vlan1 -s LAN_IP-j SNAT --to-source PUBLIC_IP
- masquerade returned packets from the local ip to the public ip

PORT FORWARD

iptables -I FORWARD -p tcp -i vlan1 -d LAN_IP --dport X -j ACCEPT
- forward port X to above local IP

You could also replace above rule with the following

iptables -I FORWARD -p all -i vlan1 -d LAN_IP -j ACCEPT

which instead of forwarding just a single port, will let through all tcp/udp connections on ll ports to this public ip-->lan ip.

With other words, no firewalling what so ever.
Pendor
DD-WRT Novice


Joined: 11 Mar 2008
Posts: 2

PostPosted: Tue Mar 11, 2008 15:02    Post subject: Reply with quote
joksi,
That is helpful, thanks!
But, I have an interesting problem also. The configuration you posted helps my one-to-one NAT issues, but I also have a need to run a Scope-to-One NAT config as well. Example:

Internal IP Scope: 192.168.4.0/24
External IP Address: 200.200.200.2

All Internal Clients on the 192.168.4.XXX Network are connecting to an External Server, but must appear to be coming from the 200.200.200.2 address (for authentication and other purposes). All Clients on the 192.168.4.XXX Network will share this IP Address. I thought the MASQUERADE argument might do it, but I don't think I'm setting it right (or it's not valid in DD-WRT compile).
I could do this real easy on an OpenBSD box by just putting the following command into the pf.conf:
nat on $ext_if from 192.168.4.0/24 to any -> 200.200.200.2

Any ideas?
Thanks.
joksi
DD-WRT Guru


Joined: 16 Jan 2007
Posts: 1238

PostPosted: Tue Mar 11, 2008 16:12    Post subject: Reply with quote
iptables -t nat -I POSTROUTING -o vlan1 -s 192.168.4.0/24 -j SNAT --to-source PUBLIC_IP
Pendor
DD-WRT Novice


Joined: 11 Mar 2008
Posts: 2

PostPosted: Tue Mar 11, 2008 16:40    Post subject: Reply with quote
joksi wrote:
iptables -t nat -I POSTROUTING -o vlan1 -s 192.168.4.0/24 -j SNAT --to-source PUBLIC_IP


Yeah, just after I posted my reply I got it to work. I initially tried that config, but it didn't work at first. I used the same command with a -A instead of a -I argument and it worked. I must have fat-fingered the command the first time around, because the argument shouldn't have made a difference in it working or not-working, just the placement in the rule order.

Chalk me up to another moron who speaks before trying everything. Embarassed

But, thanks alot for the response.
Very Happy
joksi
DD-WRT Guru


Joined: 16 Jan 2007
Posts: 1238

PostPosted: Tue Mar 11, 2008 16:49    Post subject: Reply with quote
-A adds the rule at the end, -I at the beginning.
Depending on which active rules is existing, in some cases -A is the solution and in some -I. Smile
Bird333
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 809

PostPosted: Tue Mar 11, 2008 17:41    Post subject: Reply with quote
joksi Can you explain your settings above more thoroughly? I don't understand how this works. Did you have to make any other changes?

Thanks!
joksi
DD-WRT Guru


Joined: 16 Jan 2007
Posts: 1238

PostPosted: Tue Mar 11, 2008 18:19    Post subject: Reply with quote
Read the comments below each command, I think that is enough explained. No other changes were made.
maciekish
DD-WRT Novice


Joined: 13 Sep 2007
Posts: 11

PostPosted: Mon Mar 24, 2008 17:41    Post subject: Reply with quote
Is there any way to do this if you have DHCP?
I can lease up to 5 IP's and i'd like this kind of public-local IP mapping too. It doesnt matter to me which public IP i will get on each PC as they will run dyndns clients and keep their hostnames updated automatically.
As long as each PC will have an external IP mapped to its local ip!
joksi
DD-WRT Guru


Joined: 16 Jan 2007
Posts: 1238

PostPosted: Mon Mar 24, 2008 20:43    Post subject: Reply with quote
Well, maybe its possible by running a script which populates five variables with your five dynamic IPs. and maps those to local ips, and sleeps lets say 60 minutes then checks the variables against your actual IPs, and if changed re-map, if not keep the existing firewall mapping.
Just a thought, but it will require some scripting for it to work though.
maciekish
DD-WRT Novice


Joined: 13 Sep 2007
Posts: 11

PostPosted: Mon Mar 24, 2008 20:53    Post subject: Reply with quote
any ideas what that script might look like? i got the basic idea of scripting but havn't done very much in linux or using the utils inculded in dd-wrt so i cant write one ALL by myself =/
joksi
DD-WRT Guru


Joined: 16 Jan 2007
Posts: 1238

PostPosted: Mon Mar 24, 2008 21:12    Post subject: Reply with quote
Sorry, scripting in Linux isnt my strong side either.
But i guess the way to go is to initally setup the extra virtual interfaces on vlan1 (wan), lik vlan1:1,:2,:3 and so forth, with DHCP (dont ask me how) then go on and pick up each virtul interfaces DHCP assigned IP address, assign to unique variable then add the firewall NAT-mapping as mentioned above.

When done, sleep lets say 60 min, then check the variables against the IP addresses again, if any interface hve new IP make appropriate change to the firewall NAT-mapping, then sleep, if no changes sleep directly.
Mibz
DD-WRT Novice


Joined: 02 Jul 2008
Posts: 35

PostPosted: Wed Jul 02, 2008 17:19    Post subject: Reply with quote
Are these statements applied in order? Will the router get confused by overlap or just make the first translation that matches? This is my situation.
I get 2 public WAN IPs, I'd like a static 1 to 1 translation for one of my computers and then I want the rest to use the other public IP. All private IPs are in the same range (/24). Am I able to simply say:

Code:
SNAT/DNAT

iptables -t nat -I PREROUTING -i vlan1 -d PubIP1 -j DNAT --to-destination 192.168.1.2
iptables -t nat -I PREROUTING -i vlan1 -d PubIP2 -j DNAT --to-destination 192.168.1.0/24

iptables -t nat -I POSTROUTING -o vlan1 -s 192.168.1.2 -j SNAT --to-source PubIP1
iptables -t nat -I POSTROUTING -o vlan1 -s 192.168.1.0/24 -j SNAT --to-source PubIP2

or will I need to move my other IPs into a different range to avoid the overlap?

Thanks,
Matt

EDIT: The iptables command tutorial gave me my answer, sorry.
jungwirth-media
Donator


Joined: 25 Jul 2006
Posts: 51

PostPosted: Tue Sep 23, 2008 1:03    Post subject: Reply with quote
damn - message wasn't posted *argh*
than once again Sad

Hi @ all and thanks for reading !

I have following external ip's

Code:

193.10.xxx.216/29

193.10.xxx.216 (net)
193.10.xxx.217 (Zyxel Router / Modem P-660H-D1)
193.10.xxx.218 (Linksys WRT54GL DD-WRT Sponsored)
193.10.xxx.219 (Free)
193.10.xxx.220 (Free)
193.10.xxx.221 (Free)
193.10.xxx.222 (Free)
193.10.xxx.223 (Broadcast)

Subnet: 255.255.255.248


Internal i use 192.168.1.0/24
Now the main goal should be that some of my internal IP's get an external IP for outgoing connection to the Net.
The other should use the DD-WRT-IP (.218)

The incoming ports of thoose IP's should stay on the WRT54GL (i just need port 80 of 1 external IP to forward).

All external IP's are routed to the Zyxel where NAT and DHCP is turned off (configured by the Provider and should work).

As a really beginner without any knowledges with unix systems - could someone explain what to do please ?

My knowledges stops at "apt-get install" and "mc" Very Happy

_________________
Firmware: DD-WRT v24-sp2 (07/21/09) std-special
---------------------------
5 x Linksys WRT54GL - V1.1
Zyxel P-660H-D1
Netgear Switch 16 Port
FRITZ!Box Fon WLAN 7170
Linksys SPA-2102
Pirelli PRGAV4202N
Mac-User


Last edited by jungwirth-media on Tue Sep 23, 2008 1:04; edited 1 time in total
joksi
DD-WRT Guru


Joined: 16 Jan 2007
Posts: 1238

PostPosted: Tue Sep 23, 2008 2:13    Post subject: Reply with quote
Use above example, one-2-one nat.

map each free public up you want, to a internal ip. the finish with last rule, mapping the rest to the dd-wrt router ip.

dont know what you mean with ports, but when traffic translates to one public ip it must come back that way to. of course you can have closed ports from outside n all mapped public ips, if thats what you mean.

example for you

Code:


# Assign the wanted IPs to WAN interface on router (vlan1)
ifconfig vlan1:1 PubIP netmask 255.255.255.248 broadcast 193.10.xxx.223
ifconfig vlan1:2 PubIP1 netmask 255.255.255.248 broadcast 193.10.xxx.223
ifconfig vlan1:3 PubIP2 netmask 255.255.255.248 broadcast 193.10.xxx.223
ifconfig vlan1:4 PubIP3 netmask 255.255.255.248 broadcast 193.10.xxx.223

# Tell DD-WRT to map, and route all tcp 80 traffic o the following IP to the corresponding LAN IP
iptables -t nat -I PREROUTING -i vlan1 -d PubIP -j DNAT --to-destination PrivIP
iptables -I FORWARD -p tcp -i vlan1 -d PrivIP --dport 80 -j ACCEPT

# Tell DD-WRT to translate outgoing connectins frm the followin LAN IPs to corresponding WAN IPs
iptables -t nat -I POSTROUTING -o vlan1 -s PrivIP -j SNAT --to-source PubIP
iptables -t nat -I POSTROUTING -o vlan1 -s PrivIP1 -j SNAT --to-source PubIP1
iptables -t nat -I POSTROUTING -o vlan1 -s PrivIP2 -j SNAT --to-source PubIP2
iptables -t nat -I POSTROUTING -o vlan1 -s PRivIP3 -j SNAT --to-source PubIP3

# Transalte the rest to routers public IP
iptables -t nat -I POSTROUTING -o vlan1 -s 192.168.1.0/24 -j SNAT --to-source MainPubIP (193.10.xxx.218 )



Last edited by joksi on Tue Sep 23, 2008 2:31; edited 6 times in total
Goto page 1, 2, 3  Next Display posts from previous:    Page 1 of 3
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum