Posted: Sun Aug 05, 2007 2:10 Post subject: Multiple external IP addresses / 1:1 NAT configuration
Hi all,
I have a problem with my network configuration that I could really use some assistance on. After spending 3 hours reading the various multi-NAT, 1:1 NAT, and multiple public IP address threads, I haven't found anyone who's tried to quite do the same thing that I'm trying to achieve. Everyone wants to isolate networks, I actually want to link them.
Before I get started, here is some background:
1) I want to ensure that all computers in my house route to each other to take advantage of full LAN (100mbit) speeds, while still having access to the Internet.
2) My ISP has a DHCP server; if I plug into any wall jack that's connected directly to them, I can get a DHCP address if I do not specify one of my 5 static IP addresses.
3) I have access to 5 static IP addresses, and an unlimited number of dynamic addresses.
I have a Linux server ("SERVER A") with 4 public IP addresses and a Linksys WRT54G ("LINKSYS") running DD-WRT v23 SP2 with the 5th public IP address. I also have another server ("SERVER B") which is plugged into that wall jack directly to the ISP, and it picks up a dynamic IP because I am out of static IPs.
The goal is to have SERVER A, SERVER B, and LINKSYS all externally facing with their respective static/dynamic IP addresses, but with the ability to transfer data amongst each other at LAN speeds since they will be on the same physical network.
The ideal solution would be to plug SERVER A and SERVER B into two of the LINKSYS ports, assign SERVER A its 4 static IPs, let SERVER B pick up a dynamic IP from the ISP, and let all other computers running behind the LINKSYS pick up internal 192.168.x.x IP addresses while appearing to be the 5th static IP address to the world. And then, the holy grail - having them route amongst each other at full 100mbit speeds.
Does anyone know how we can accomplish this? Many thanks in advance!
After some playing around, I'm still stuck probably because I don't really know how to use IPTABLES properly.
I've also decided to give up trying to obtain a dynamic IP for SERVER B. I haven't found any literature supporting the ability to do so, so I will -- for now -- assign one of my 5 statics to SERVER B.
Here's what I've got so far. First, alias the IP addresses.
# Allow established and related connections.
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # these are already present
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # these are already present
Finally, enter the NAT entries. This is where I got really confused. I am using the second static IP, xxx.xxx.xxx.67, as the test IP since that will be assigned to the most accessible machine.
I see the entries when I run 'iptables -t nat -L -n' so I know that is making it in. When I type in 'iptables -L -n' I also see the forward entry, so that's making it in as well. However, where I'm getting stuck is that nothing is actually forwarding. When I try to connect from an external host to the public facing IP address, it's hitting the Linksys. I've tried a few variations of this as well but unless I explicitly forward a port (say, port 21) to the private IP, nothing will get to it. How can I get around this and forward all ports by default?
Also, do I need to do anything special for the other IP addresses, or can I just replicate this code but replace the IP addresses with the correct ones?
I PM'd you with this already, but here's how I did my network, which I believe is similar to what you're trying to do:
Okay, the way my network is setup is as follows:
4 servers, each with their own external IP address.
9 workstations all sharing one external IP address.
All boxes, including the servers with their own external IP addresses can be reached by all machines by using their internal IP addresses.
The code below is what I have set up in the startup commands where ***.***.***.*** is an external IP address and XXX.XXX.XXX.XXX is an internal, each of the 4 in the script are numbered:
Code:
# one alias per public address on the WAN interface (vlan1 on the WRT54G)
/usr/sbin/ip addr add ***.***.***.**1/29 dev vlan1
/usr/sbin/ip addr add ***.***.***.**2/29 dev vlan1
/usr/sbin/ip addr add ***.***.***.**3/29 dev vlan1
/usr/sbin/ip addr add ***.***.***.**4/29 dev vlan1
With the above code I have 4 external IP addresses forwarding to 4 internal IP addresses and an example of forwarding port 80 to each of them.
For all the rest of the machines on the network, they all take the settings that I have applied through the web interface. The 4 machines with their own external IP are set up with static internal IP addresses while the rest are setup to grab internal IPs from DHCP. Hopefully this helps. Not the clearest of explanations, sorry.
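As an added example (not code from any poster in this thread), here is one way to answer the "forward all ports by default" question above, in the same shape as the startup commands in the reply: a DNAT with no port match, an SNAT so the host leaves with its own public IP, and the FORWARD rules the DNAT alone does not give you. The interface name vlan1, the /29 prefix and the 203.0.113.67 / 192.168.1.67 pair are assumed placeholders, not anyone's real addresses.

```shell
#!/bin/sh
# Added example, not code from the thread: one 1:1 NAT mapping on DD-WRT.
# Assumed values (documentation range, not the posters' real addresses):
#   WANIF=vlan1 (WRT54G WAN VLAN), the block is a /29, public 203.0.113.67 -> private 192.168.1.67
WANIF=${WANIF:-vlan1}
PREFIX=${PREFIX:-29}

# With DRY_RUN=1 the commands are printed instead of executed, so the rule set can be reviewed
# before it is saved under Administration > Commands (ip addr add as Startup, iptables as Firewall).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# one_to_one_nat PUBLIC_IP PRIVATE_IP
one_to_one_nat() {
  pub=$1
  priv=$2
  # Alias the extra public address on the WAN interface so the router answers ARP for it.
  run ip addr add "$pub/$PREFIX" dev "$WANIF"
  # Inbound: no --dport/-p match, so every port and protocol aimed at $pub is rewritten to $priv.
  # Because PREROUTING runs before the routing decision, the router's own web GUI/telnet no longer
  # answer on $pub. -I puts the rule ahead of DD-WRT's own port-forward entries.
  run iptables -t nat -I PREROUTING -i "$WANIF" -d "$pub" -j DNAT --to-destination "$priv"
  # Outbound: replies and new connections from $priv leave as $pub, not as the router's WAN IP.
  # Must precede the stock MASQUERADE rule, which would otherwise match first.
  run iptables -t nat -I POSTROUTING -s "$priv" -o "$WANIF" -j SNAT --to-source "$pub"
  # The DNAT only rewrites addresses; FORWARD still has to accept the traffic.
  # This opens every port on $priv; narrow it with -p tcp --dport <n> if only some services need exposure.
  run iptables -I FORWARD -i "$WANIF" -d "$priv" -j ACCEPT
  run iptables -I FORWARD -s "$priv" -o "$WANIF" -j ACCEPT
}

# Usage: sh this-script.sh 203.0.113.67 192.168.1.67   (prefix with DRY_RUN=1 to print only)
if [ $# -ge 2 ]; then
  one_to_one_nat "$1" "$2"
fi
```

Repeat the call once per public/private pair; LAN hosts keep talking to each other on their private addresses, so the NAT never touches that traffic.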
But is there any way to make the public IP on any of the 4 machines that have a public IP wide open?
I have my DD-WRT doing the PPPoE session, and I am getting my static IP from my provider's server.
Then I want to assign 2 static IPs to 1 server and 1 router; all my DHCP clients will be connected to that router, and the static hosts have their IPs.
Because if I assign a static IP to my second router, where all my DHCP clients will be connecting, I want that router to be exposed 100% on the WAN and each connected client will do its own routing. If I use your method here I will be double NATing, unless there is a way to tell the main DD-WRT router to forward the whole port range to that specific external IP.
http://www.dd-wrt.com/wiki/index.php/One-to-one_NAT
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
On my computer that has a static IP, what do I put as gateway and DNS? Do they have to be the default one, 192.168.1.1, as gateway, and DHCP?
But my provider informed me the WAN IP will be 67.44.27.129 and your gateway IP for the LAN is 67.44.27.128,
and on my computer it has to be 67.44.27.130 and gateway 67.44.27.128, which is my switch or LAN bridge router.
With 1:1 NAT the router will have all of the public IPs assigned to it and it will NAT them to whatever private IP you want it to. You still need to have all your LAN hosts using private IPs and set to use the router's LAN IP as their gateway; DNS can be any working DNS server.
If you want to do this with MAC reservation from the ISP, how do you configure it then?
It's not possible using 1:1 NAT because the interface can only have one MAC address. You need to use VLANs to put a port in the WAN VLAN so that it is switched directly to your ISP without any NAT/firewalling/routing by the router.
Firstly, very sorry to hijack this old thread - but it seemed to have the most relevant info for me.
I followed the above procedures for startup and firewall commands. I still cannot seem to get DD-WRT to forward all ports and traffic received for a specific public IP as above.
My setup is ATT fiber to the house, ATT modem set in IP passthrough --> DD-WRT WAN port.
On the DD-WRT I have a PC and servers attached to the LAN ports, all using static 10.0.x.x 255.255.0.0 addresses. (DHCP service on the DD-WRT is on, serving 10.0.2.200-254 to LAN DHCP client requests.)
I have 5 public IPs from the ISP that I am paying for; I want to pass them straight through the DD-WRT to LAN-side servers, and use one for the DD-WRT itself.
I have:
104.x.x.105-109: usable public IPs
104.x.x.110: ISP said to use this for the gateway
104.x.x.111: an online subnet calculator says to use this as broadcast
I set the DD-WRT to 104.X.X.105 for the WAN IP, both using STATIC assignment on the DD-WRT and on the ATT modem (selecting the connected DD-WRT WAN MAC and assigning it via IP Allocation on the modem itself, then setting the DD-WRT to DHCP on the WAN); it always pulls the 104.X.X.105 IP. I did that to make sure I had the netmask and everything correct.
I tried with the ATT modem in passthrough as well as set to gateway/router.
In passthrough the ATT modem picks up a seemingly random public network IP from ATT, and the block I purchased, 104.X.X.105-109, is usable and assignable through the ATT modem.
As I have only the DD-WRT attached to the ATT modem, I want all IPs to be pushed through the DD-WRT to the correct LAN-side device...
When I telnet or SSH to any of the public IPs, it opens only the DD-WRT interface. All IPs, 10.0.x.x and 104.x.x.105-109, go to the DD-WRT web GUI or telnet.
What I want is to be able to use the DD-WRT as a go-between for my private LAN clients on 10.0.x.x (Xbox, kids' game PC and my office PC on wired and wireless LAN) but also pass through 104.x.x.106-109 to LAN-side clients...
I assume we need a virtual bridge between the 104.x.x.x public ip subnet and 10.0.x.x private subnet.
I can definitely ping active 10.0.X.X ranges from behind the lan.
I can port forward from the IP for the DDWRT - in this case - 104.X.X.105
I can select LAN 10.0.X.X clients on LAN to take the port forward for specified ports.
What I want is to be able to pass through the public IPs as well as private LAN IPs to devices connected on the LAN side of the DD-WRT.
Any advice? I can ping to host in most cases for any ip in range - but think it's only the DDWRT responding - not the actual connected server.