Posted: Wed Dec 19, 2007 5:51 Post subject: Need help with multiple WAN IPs routed to internal IPs
I think this is pretty straightforward, but I've spent the past two nights trying to figure it out without success.
I have a total of four "public" IP addresses, ending with .19, .124, .171 and .195.
.124 is what the router is currently assigned to (static). It's sharing the internet via NAT to the DHCP clients.
I want those other public IPs routed ENTIRELY (all ports) to internal IPs, such as 10.10.2.19, 10.10.2.171, and 10.10.2.195.
Reading the forum/wiki/etc., I found how to specify multiple external IPs on dd-wrt, as well as a good "starting point" for how the things should be set up via iptables. Here's what I have so far: (XX.XX.XX is masked for protection of my IP addresses.)
/usr/sbin/ip addr add XX.XX.XX.19/29 dev vlan1
/usr/sbin/ip addr add XX.XX.XX.171/29 dev vlan1
/usr/sbin/ip addr add XX.XX.XX.195/29 dev vlan1
/usr/sbin/iptables -t nat -A PREROUTING -p all -d XX.XX.XX.19 -j DNAT --to-destination 10.10.2.19
/usr/sbin/iptables -t nat -A PREROUTING -p all -d XX.XX.XX.171 -j DNAT --to-destination 10.10.2.171
/usr/sbin/iptables -t nat -A PREROUTING -p all -d XX.XX.XX.195 -j DNAT --to-destination 10.10.2.195
/usr/sbin/iptables -I FORWARD -p all -d 10.10.2.19 -j ACCEPT
/usr/sbin/iptables -I FORWARD -p all -d 10.10.2.171 -j ACCEPT
/usr/sbin/iptables -I FORWARD -p all -d 10.10.2.195 -j ACCEPT
I've put this in the "firewall" section of the administration screen, and saved/rebooted... no luck. Any advice you could offer would be much appreciated. I might even throw some money your way via Paypal if you're willing to help me get this totally set up.
That is helpful, thanks!
But, I have an interesting problem also. The configuration you posted helps my one-to-one NAT issues, but I also have a need to run a Scope-to-One NAT config as well. Example:
Internal IP Scope: 192.168.4.0/24
External IP Address: 22.214.171.124
All Internal Clients on the 192.168.4.XXX Network are connecting to an External Server, but must appear to be coming from the 126.96.36.199 address (for authentication and other purposes). All Clients on the 192.168.4.XXX Network will share this IP Address. I thought the MASQUERADE argument might do it, but I don't think I'm setting it right (or it's not valid in DD-WRT compile).
I could do this really easily on an OpenBSD box by just putting the following command into the pf.conf:
nat on $ext_if from 192.168.4.0/24 to any -> 188.8.131.52
Yeah, just after I posted my reply I got it to work. I initially tried that config, but it didn't work at first. I used the same command with a -A instead of a -I argument and it worked. I must have fat-fingered the command the first time around, because the argument shouldn't have made a difference in it working or not-working, just the placement in the rule order.
Chalk me up to another moron who speaks before trying everything.
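The two NAT styles discussed in this thread (the full 1:1 mapping from the first post and the scope-to-one mapping above), as an added example rather than anything posted by the participants: a pair of helper functions for the DD-WRT firewall script. It assumes the WAN interface is vlan1 carrying a /29, and every address in it is a documentation placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for DD-WRT's firewall script
# covering both NAT styles above.  Assumes the WAN interface is vlan1 with a
# /29 on it; every address here is a documentation placeholder.
WAN=${WAN:-vlan1}
PREFIX=${PREFIX:-29}
IP=${IP:-/usr/sbin/ip}
IPT=${IPT:-/usr/sbin/iptables}
dry() { printf '%s\n' "$*"; }          # stands in for ip/iptables in dry runs

# one_to_one PUBLIC PRIVATE [PORTS]
# Full 1:1 mapping: inbound DNAT plus outbound SNAT, so the host is seen as
# PUBLIC in both directions (DNAT alone leaves its outbound traffic on the
# router's main address).  PORTS is a comma list of TCP ports allowed in from
# the WAN; empty means every port, i.e. every service on the host is exposed.
one_to_one() {
    pub=$1; priv=$2; ports=$3
    $IP addr add "$pub/$PREFIX" dev "$WAN"
    # -I puts the rules at the head of the chain; the first matching rule in
    # a chain wins, so they take precedence over DD-WRT's own rules.
    $IPT -t nat -I PREROUTING -i "$WAN" -d "$pub" -j DNAT --to-destination "$priv"
    $IPT -t nat -I POSTROUTING -o "$WAN" -s "$priv" -j SNAT --to-source "$pub"
    if [ -n "$ports" ]; then
        $IPT -I FORWARD -i "$WAN" -p tcp -d "$priv" -m multiport --dports "$ports" -j ACCEPT
    else
        $IPT -I FORWARD -i "$WAN" -d "$priv" -j ACCEPT
    fi
}

# many_to_one SUBNET PUBLIC
# Scope-to-one NAT: everything from SUBNET leaves the WAN as PUBLIC.  It goes
# at the head of POSTROUTING so it matches before the router's MASQUERADE rule.
many_to_one() {
    $IPT -t nat -I POSTROUTING -o "$WAN" -s "$1" -j SNAT --to-source "$2"
}

# Run as "sh wanmap.sh apply" on the router; without the argument the
# commands are only printed so the rule set can be reviewed first.
[ "${1:-}" = apply ] || { IP="dry ip"; IPT="dry iptables"; }
one_to_one 203.0.113.19 10.10.2.19            # all ports, as in the first post
one_to_one 203.0.113.171 10.10.2.171 80,443   # only the web ports reachable
many_to_one 192.168.4.0/24 203.0.113.124
```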
Is there any way to do this if you have DHCP?
I can lease up to 5 IPs and I'd like this kind of public-local IP mapping too. It doesn't matter to me which public IP I will get on each PC as they will run dyndns clients and keep their hostnames updated automatically.
As long as each PC will have an external IP mapped to its local IP!
Well, maybe it's possible by running a script which populates five variables with your five dynamic IPs and maps those to local IPs, then sleeps, let's say, 60 minutes, then checks the variables against your actual IPs, and if changed re-maps; if not, keeps the existing firewall mapping.
Just a thought, but it will require some scripting to work.
Sorry, scripting in Linux isn't my strong side either.
But I guess the way to go is to initially set up the extra virtual interfaces on vlan1 (wan), like vlan1:1, :2, :3 and so forth, with DHCP (don't ask me how), then go on and pick up each virtual interface's DHCP-assigned IP address, assign it to a unique variable, then add the firewall NAT mapping as mentioned above.
When done, sleep, let's say, 60 min, then check the variables against the IP addresses again; if any interface has a new IP, make the appropriate change to the firewall NAT mapping, then sleep; if no changes, sleep directly.
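The polling idea described above, written out as an added example (not a script from anyone in the thread): a BusyBox sh script for DD-WRT that re-reads each alias's leased address on a timer and only touches the NAT rules when the address actually changed. It assumes the aliases vlan1:1, vlan1:2, ... already obtain their DHCP leases by some other means, a state file under /tmp, and placeholder addresses throughout.

```shell
#!/bin/sh
# Added example, not from the thread: the polling idea described above as a
# BusyBox sh script for DD-WRT.  Assumes the aliases vlan1:1, vlan1:2, ... get
# their DHCP leases by other means; this only keeps the NAT rules in step with
# whatever address each alias currently holds.  Addresses are placeholders.
WAN=${WAN:-vlan1}
IPT=${IPT:-iptables}
IFCONFIG=${IFCONFIG:-ifconfig}
STATE=${STATE:-/tmp/wanmap.state}   # one "alias address" line per alias
INTERVAL=${INTERVAL:-3600}

# alias_ip ALIAS -> the IPv4 address currently on ALIAS (empty if none)
alias_ip() {
    $IFCONFIG "$1" 2>/dev/null | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p'
}
# saved_ip ALIAS -> the address the current rules were built for (empty if none)
saved_ip() {
    [ -f "$STATE" ] || return 0
    awk -v a="$1" '$1 == a { print $2 }' "$STATE"
}

# map_rules ACTION PUBLIC PRIVATE -> -I (insert) or -D (delete) the DNAT/SNAT
# pair; -D must repeat the exact spec that was inserted, hence one function.
map_rules() {
    $IPT -t nat "$1" PREROUTING -i "$WAN" -d "$2" -j DNAT --to-destination "$3"
    $IPT -t nat "$1" POSTROUTING -o "$WAN" -s "$3" -j SNAT --to-source "$2"
}

# resync ALIAS PRIVATE -> touch the firewall only when the lease changed
resync() {
    ifc=$1; priv=$2
    new=$(alias_ip "$ifc"); old=$(saved_ip "$ifc")
    [ "$new" = "$old" ] && return 0            # unchanged: keep existing rules
    [ -n "$old" ] && map_rules -D "$old" "$priv"
    [ -n "$new" ] && map_rules -I "$new" "$priv"
    { [ -f "$STATE" ] && awk -v a="$ifc" '$1 != a' "$STATE"; echo "$ifc $new"; } > "$STATE.new"
    mv "$STATE.new" "$STATE"
}

# Run as "sh wanresync.sh daemon" (e.g. from the startup script) to poll
# every INTERVAL seconds; the alias/LAN pairs below are placeholders.
if [ "${1:-}" = daemon ]; then
    while :; do
        resync "$WAN:1" 10.10.2.19
        resync "$WAN:2" 10.10.2.171
        sleep "$INTERVAL"
    done
fi
```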
Are these statements applied in order? Will the router get confused by overlap or just make the first translation that matches? This is my situation.
I get 2 public WAN IPs, I'd like a static 1 to 1 translation for one of my computers and then I want the rest to use the other public IP. All private IPs are in the same range (/24). Am I able to simply say:
Map each free public IP you want to an internal IP, then finish with a last rule mapping the rest to the DD-WRT router IP.
Don't know what you mean with ports, but when traffic translates to one public IP it must come back that way too. Of course you can have closed ports from outside on all mapped public IPs, if that's what you mean.
Example for you:
# Assign the wanted IPs to WAN interface on router (vlan1)
ifconfig vlan1:1 PubIP netmask 255.255.255.248 broadcast 193.10.xxx.223
ifconfig vlan1:2 PubIP1 netmask 255.255.255.248 broadcast 193.10.xxx.223
ifconfig vlan1:3 PubIP2 netmask 255.255.255.248 broadcast 193.10.xxx.223
ifconfig vlan1:4 PubIP3 netmask 255.255.255.248 broadcast 193.10.xxx.223
# Tell DD-WRT to map, and route all tcp 80 traffic to the following IP to the corresponding LAN IP
iptables -t nat -I PREROUTING -i vlan1 -d PubIP -j DNAT --to-destination PrivIP
iptables -I FORWARD -p tcp -i vlan1 -d PrivIP --dport 80 -j ACCEPT