Posted: Tue Jul 20, 2010 5:26 Post subject: Subnet routing
I currently have a /28 and a /30 assigned to me by my ISP.
I am not sure if this is possible with DD-WRT, but I will explain what I'm trying to do.
I have the following:
-WRT54GL w/ TomatoMLPPP - WAN connected to internet
-WRT300N w/DDWRTstd generic - WAN connected to port 1 on 54gl
Let's say for example that my /28 is 206.148.145.32 and my /30 is 69.164.174.45.
I need to use Tomato to bond 2 DSL lines together, therefore I'm stuck having another router between DD-WRT and the internet.
I would like to have the /30 to consist of the 54gl and the 300n. In this example i have them configured with:
54gl - LAN ip 69.164.174.46/255.255.255.252
300n - WAN ip 69.164.174.47/255.255.255.252 (gateway 69.164.174.46)
Now when I do this, the router works great and I have dhcp going fine, with a LAN ip (on the 300n) of 192.168.1.1
Now I would like to route my /28 through ddwrt, and be able to have servers behind ddwrt using the subnet. I would like to do this so the servers can have ddwrt as a firewall.
I know I have to set a static route in tomato (the 54gl). It would be DESTINATION 206.148.145.32/.240, GATEWAY 69.164.174.47. This would tell Tomato to route any traffic intended for the /28 subnet to ddwrt (WAN side).
Now my question is: how do I set up the subnet in DD-WRT? I have tried everything I can think of and exhausted the wiki, to no avail. I would like items like laptops and phones to be able to use DHCP from DD-WRT, and also have servers connected to the same router and use the /28. I have 2 switches so I can have the servers and regular PCs separated if needed (if VLANs are needed and assigned to a port).
As info: I know tomato is set to be a router and not a gateway, as I have used my /28 with it (only) and it has worked fine.
Any help would be greatly appreciated. If this is possible and something others would use, I will write a wiki article based on my experience.
Thanks,
Robin
P.S. I will have wireless disabled on both routers. Once this is working I will add another router as an access point (I have a spare).
On my wrt300n v1.1 I have to set the nvram variable vlan#hwname=et0 to get new VLAN interfaces to work.
http://www.dd-wrt.com/wiki/index.php/Switched_Ports _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
You can still do most of it but it'll be more messy. You won't be able to use DHCP for the public subnet but you probably didn't want to anyways. Both the public and private subnet will be in the same broadcast domain and so there won't be anything to stop one of the private machines from setting one of the public IP's if security is a concern.
That said, you would assign one of the public IP's to a virtual interface for br0 in the startup script like this.
Then statically assign public IPs to the devices you want to and make sure to set their gateway as 206.148.145.33.
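The startup-script alias phuzi0n refers to, together with the NAT exemption and forwarding rules it needs on DD-WRT and the matching static route on the Tomato box, as an added example. This is my script, not phuzi0n's or the OP's. It uses the addresses from the OP's post; 206.148.145.33 as DD-WRT's own address in the /28, vlan1 as the fallback WAN interface name when run off the router, and TCP 25/443 as the services exposed on the public hosts are assumptions. It inherits the limitation phuzi0n notes: public and private hosts share br0, so nothing stops a private machine from taking a public address.

```shell
#!/bin/sh
# Added example for the setup in this thread, not phuzi0n's or the OP's script.
# Assumed addressing, taken from the OP's post: public block 206.148.145.32/28,
# DD-WRT WAN 69.164.174.47/30 with the Tomato 54GL at 69.164.174.46.
# 206.148.145.33 (first usable address) is an assumption for DD-WRT's own address
# in the /28; the inbound TCP ports are placeholders for the Exchange box the OP
# mentions later in the thread.

PUBLIC_NET="206.148.145.32/28"
PUBLIC_MASK="255.255.255.240"
PUBLIC_GW="206.148.145.33"       # alias on br0; public hosts use it as their gateway
DDWRT_WAN_IP="69.164.174.47"     # next hop for Tomato's static route
PUBLIC_IN_TCP="25 443"           # assumed services to expose on the public hosts

wan_if() {
    # On DD-WRT read the WAN interface from nvram; elsewhere assume vlan1 so the
    # script can be previewed off the router.
    if command -v nvram >/dev/null 2>&1; then nvram get wan_ifname; else echo vlan1; fi
}

# Lines for the DD-WRT "Startup" script: put a public address on the LAN bridge.
startup_cmds() {
    echo "ifconfig br0:1 $PUBLIC_GW netmask $PUBLIC_MASK up"
}

# Lines for the DD-WRT "Firewall" script. It runs after the stock rules, so
# "-I ... 1" places each rule ahead of DD-WRT's own SNAT and SPI drop rules.
firewall_cmds() {
    wan=$(wan_if)
    # 1. Do not NAT traffic from the public subnet (the rule phuzi0n says must be first).
    echo "iptables -t nat -I POSTROUTING 1 -s $PUBLIC_NET -j ACCEPT"
    # 2. Let the public hosts out, and their replies back in through the SPI firewall.
    echo "iptables -I FORWARD 1 -s $PUBLIC_NET -o $wan -j ACCEPT"
    echo "iptables -I FORWARD 1 -d $PUBLIC_NET -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 3. Only the listed services are reachable from the Internet; any other new
    #    inbound connection to the /28 falls through to DD-WRT's own SPI rules,
    #    which is the firewalling the OP wanted.
    for p in $PUBLIC_IN_TCP; do
        echo "iptables -I FORWARD 1 -i $wan -d $PUBLIC_NET -p tcp --dport $p -j ACCEPT"
    done
}

# The static route on the Tomato side (the OP's 206.148.145.32/28 via
# 69.164.174.47), as the equivalent shell command.
tomato_route_cmd() {
    echo "route add -net 206.148.145.32 netmask $PUBLIC_MASK gw $DDWRT_WAN_IP"
}

# "show" prints the script bodies for pasting into the GUI boxes; "apply" runs the
# DD-WRT ones on the router itself.
case "${1:-show}" in
    show)  echo "# Startup script";  startup_cmds
           echo "# Firewall script"; firewall_cmds
           echo "# Tomato (54GL) static route"; tomato_route_cmd ;;
    apply) startup_cmds | sh; firewall_cmds | sh ;;
esac
```

Run it without arguments to see the three blocks to paste; after applying on the router, a public host should show its own address on an IP-check site rather than 69.164.174.47, because the POSTROUTING ACCEPT rule is matched before SNAT.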
Posted: Wed Jul 21, 2010 2:56 Post subject:
phuzi0n wrote:
On my wrt300n v1.1 I have to set the nvram variable vlan#hwname=et0 to get new VLAN interfaces to work.
Is there a reference page in the wiki or a thread that tells which routers don't support VLANs or partially support VLANs? In that thread eko says that if it doesn't support VLANs the page isn't shown. I have observed that the page is shown on my WRT300N v1.1, but you say you have to run extra commands for VLANs to work?
but it's a messy read, still looking for a wiki page.
It's a messy read because VLAN support is a messy topic. Lately I've come to the conclusion that gigabit models do have functional VLANs but they have to set the nvram variable for the hardware name like I do on my wrt300n v1.1. So to summarize it, I think if you see a VLAN page then you do indeed have full VLAN support but you may have to get your hands dirty with the nvram variables to get it to do what you want. Most Broadcom hardware does have VLANs but the BCM4704 is one notable chip that doesn't and is included in a lot of the cheap/old N spec models.
Great! I'll try this when I get home. I don't want DHCP on the public IP side anyways, and I don't care if the private machines can set a public IP, that's actually my preferred setup. In the picture I showed 2 separate switches for the PCs/servers, but in reality it's one nice switch with VLAN capabilities. This just saves me a step from having to separate the PCs on the switch.
When I enter in a static IP it works great (I enabled remote desktop and was able to access it remotely) but I just have one concern. I am not sure if it is normal or even a problem, but when I use one of the public IPs and I go to a site like whatismyv6.com to check the IP address, it shows the IP of the WAN side of dd-wrt. If I subnetted without it, it would show the proper IP.
I'm not super concerned as I know I can access those IPs, but I have an Exchange server and am not sure if that would be an issue with it. If it's because it's passing through the firewall that's cool, because that's what I want anyways.
It sounds like you didn't set the firewall correctly to disable NAT, but if that were the case then I wouldn't expect incoming traffic to work either because it would be blocked if the SPI firewall is enabled. Run this command and make sure that the first rule has your public subnet for the DD-WRT LAN side set to ACCEPT so that it doesn't get NAT'd by the SNAT rule that should be below it.
iptables -t nat -vnL POSTROUTING

Chain POSTROUTING (policy ACCEPT 682 packets, 130K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  *      *       206.148.145.32/28    0.0.0.0/0
I lied :s I tried remote desktop from one of the DHCP IPs and assumed, because it was able to connect to one of the public IPs, that it was working. It's not.
I'm going to read the iptables wiki and try and absorb some of it.
No, the PREROUTING chain in the nat table is used for DNAT rules that change the destination IP/port. POSTROUTING is where the source IP/port can be changed.
The ACCEPT rule is there but it hasn't been matched at all (left side is packet/byte counters) so either you set the address wrong or you may have not properly hard reset the router which can cause unexplainable behavior.
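A scripted version of the check phuzi0n describes in his two posts above, as an added example that is not part of the thread. It reads the output of iptables -t nat -vnL POSTROUTING and distinguishes the two failure modes a practitioner runs into here: the ACCEPT rule is first but its counters are zero (the listing posted above), or the rule exists but sits below SNAT so the public hosts still leave with the WAN address. The listings embedded in it are constructed for the demo, not captured from the OP's router.

```shell
#!/bin/sh
# Added example, not from the thread: automates the POSTROUTING check phuzi0n
# describes. Feed it the output of "iptables -t nat -vnL POSTROUTING"; it passes
# only when the first rule is ACCEPT for the public subnet AND its packet counter
# is non-zero. Exit codes: 0 ok, 1 rule first but never matched, 2 wrong first
# rule, 3 no rules at all.

check_nat_exempt() {
    # $1 = public subnet exactly as iptables prints it (e.g. 206.148.145.32/28)
    awk -v net="$1" '
        /^Chain/ || $1 == "pkts" || NF == 0 { next }   # skip chain/column headers
        !seen {
            seen = 1
            # -vnL columns: pkts bytes target prot opt in out source destination
            if ($3 != "ACCEPT" || $8 != net) {
                printf "first POSTROUTING rule is %s from %s, expected ACCEPT from %s\n", $3, $8, net
                exit 2
            }
            if ($1 == "0") {
                printf "ACCEPT rule for %s is first but has matched 0 packets: wrong address or stale config\n", net
                exit 1
            }
            printf "ok: %s packets from %s exempted from NAT\n", $1, net
            exit 0
        }
        END { if (!seen) { print "no rules in POSTROUTING"; exit 3 } }
    '
}

# Constructed listings (not captured from a real router). The first mirrors the
# one posted in the thread: rule present and first, counters zero.
LISTING_UNMATCHED='Chain POSTROUTING (policy ACCEPT 682 packets, 130K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  *      *       206.148.145.32/28    0.0.0.0/0
 1482   98K SNAT       0    --  *      vlan1   0.0.0.0/0            0.0.0.0/0            to:69.164.174.47'

# Healthy: the exemption is first and traffic is hitting it.
LISTING_OK='Chain POSTROUTING (policy ACCEPT 682 packets, 130K bytes)
 pkts bytes target     prot opt in     out     source               destination
  317   41K ACCEPT     0    --  *      *       206.148.145.32/28    0.0.0.0/0
 1482   98K SNAT       0    --  *      vlan1   0.0.0.0/0            0.0.0.0/0            to:69.164.174.47'

# Same ACCEPT rule but appended (-A) instead of inserted (-I): SNAT matches first
# and the public hosts still appear as the WAN address, as the OP saw.
LISTING_WRONG_ORDER='Chain POSTROUTING (policy ACCEPT 682 packets, 130K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1482   98K SNAT       0    --  *      vlan1   0.0.0.0/0            0.0.0.0/0            to:69.164.174.47
    0     0 ACCEPT     0    --  *      *       206.148.145.32/28    0.0.0.0/0'

demo_unmatched()   { printf '%s\n' "$LISTING_UNMATCHED"   | check_nat_exempt 206.148.145.32/28; }
demo_ok()          { printf '%s\n' "$LISTING_OK"          | check_nat_exempt 206.148.145.32/28; }
demo_wrong_order() { printf '%s\n' "$LISTING_WRONG_ORDER" | check_nat_exempt 206.148.145.32/28; }

# Walk the three cases; on the router itself you would instead run:
#   iptables -t nat -vnL POSTROUTING | check_nat_exempt 206.148.145.32/28
for d in demo_unmatched demo_wrong_order demo_ok; do
    rc=0; $d || rc=$?
    echo "  ($d exit $rc)"
done
```

Run the check from a public host's perspective as well: generate some outbound traffic from a 206.148.145.x machine, list the chain again, and the ACCEPT counter should have moved; if it has not, the packets are not carrying the address you think, which is phuzi0n's "set the address wrong" case.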