Subnet routing

DD-WRT Forum Index -> Broadcom SoC based Hardware
robinjames
DD-WRT Novice


Joined: 31 Dec 2007
Posts: 29

Posted: Tue Jul 20, 2010 5:26    Post subject: Subnet routing
I currently have a /28 and a /30 assigned to me by my ISP.

I am not sure if this is possible with DD-WRT but I will explain what I'm trying to do...

I have the following:

-WRT54GL w/ TomatoMLPPP - WAN connected to internet

-WRT300N w/DDWRTstd generic - WAN connected to port 1 on 54gl

Let's say for example that my /28 is 206.148.145.32 and my /30 is 69.164.174.45

I need to use Tomato to bond 2 DSL lines together, therefore I'm stuck having another router between DDWRT and the internet.

I would like to have the /30 consist of the 54gl and the 300n. In this example I have them configured with:
54gl - LAN ip 69.164.174.46/255.255.255.252
300n - WAN ip 69.164.174.47/255.255.255.252 (gateway 69.164.174.46)

Now when I do this, the router works great and I have dhcp going fine, with a LAN ip (on the 300n) of 192.168.1.1

Now I would like to route my /28 through ddwrt, and be able to have servers behind ddwrt using the subnet. I would like to do this so the servers can have ddwrt as a firewall.

I know I have to set a static route in tomato (the 54gl). It would be DESTINATION 206.148.145.32/.240, GATEWAY 69.164.174.47. This would tell Tomato to route any traffic intended for the /28 subnet to ddwrt (WAN side).

Now my question is: how do I set up the subnet in DDWRT? I have tried everything I can think of and exhausted the wiki, to no avail. I would like items like laptops and phones to be able to use DHCP from ddwrt, and also have servers connected to the same router and use the /28. I have 2 switches so I can have the servers and regular PCs separated if needed (if VLANs are needed and assigned to a port).


As info: I know tomato is set to be a router and not a gateway, as I have used my /28 with it (only) and it has worked fine.

Any help would be greatly appreciated. If this is possible and something others would use, I will write a wiki article based on my experience.

Thanks,
Robin

P.S. I will have wireless disabled on both routers. Once this is working I will add another router as an access point (I have a spare).



[Attachment: map.png, 30.55 KB]

phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Tue Jul 20, 2010 6:58
It actually is in the wiki.

http://www.dd-wrt.com/wiki/index.php/Public_Sub-Net_Over_Dynamic_WAN

On my wrt300n v1.1 I have to set the nvram variable vlan#hwname=et0 to get new VLAN interfaces to work.

http://www.dd-wrt.com/wiki/index.php/Switched_Ports

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
robinjames
DD-WRT Novice


Joined: 31 Dec 2007
Posts: 29

Posted: Tue Jul 20, 2010 13:05
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=195870

I don't think I can do this, I was wondering why I didn't have the VLAN tab!!!


NOOOOOOO
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Wed Jul 21, 2010 0:46
You can still do most of it but it'll be more messy. You won't be able to use DHCP for the public subnet but you probably didn't want to anyways. Both the public and private subnet will be in the same broadcast domain and so there won't be anything to stop one of the private machines from setting one of the public IPs if security is a concern.

That said, you would assign one of the public IP's to a virtual interface for br0 in the startup script like this.

ifconfig br0:1 206.148.145.33 netmask 255.255.255.240

Then in your firewall script disable NAT and allow incoming connections.

PUB="206.148.145.32/28"
iptables -t nat -I POSTROUTING -s $PUB -j ACCEPT
iptables -I FORWARD -d $PUB -j ACCEPT

Then statically assign public IPs to the devices you want to and make sure to set their gateway as 206.148.145.33.
Dark_Shadow
DD-WRT Guru


Joined: 31 Aug 2009
Posts: 2448
Location: Third Rock from the Sun

Posted: Wed Jul 21, 2010 2:56
phuzi0n wrote:
On my wrt300n v1.1 I have to set the nvram variable vlan#hwname=et0 to get new VLAN interfaces to work.
Is there a reference page in the wiki or a thread that tells which routers don't support VLANs or partially support VLANs? In that thread eko says that if it doesn't support VLANs the page isn't shown. I have observed that the page is shown on my WRT300N v1.1, but you say you have to run extra commands for VLANs to work?

EDIT: found the thread

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=62838

but it's a messy read, still looking for a wiki page.

_________________
Peacock Thread-FAQ -- dd-wrt Wiki

Testing Multiple Routers -- Bootloader Collection Project -- My Wiki
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Wed Jul 21, 2010 7:41
Dark_Shadow wrote:
phuzi0n wrote:
On my wrt300n v1.1 I have to set the nvram variable vlan#hwname=et0 to get new VLAN interfaces to work.
Is there a reference page in the wiki or a thread that tells which routers don't support VLANs or partially support VLANs? In that thread eko says that if it doesn't support VLANs the page isn't shown. I have observed that the page is shown on my WRT300N v1.1, but you say you have to run extra commands for VLANs to work?

EDIT: found the thread

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=62838

but it's a messy read, still looking for a wiki page.

It's a messy read because VLAN support is a messy topic. Lately I've come to the conclusion that gigabit models do have functional VLANs but they have to set the nvram variable for the hardware name like I do on my wrt300n v1.1. So to summarize it, I think if you see a VLAN page then you do indeed have full VLAN support but you may have to get your hands dirty with the nvram variables to get it to do what you want. Most Broadcom hardware does have VLANs but the BCM4704 is one notable chip that doesn't and is included in a lot of the cheap/old N spec models.
robinjames
DD-WRT Novice


Joined: 31 Dec 2007
Posts: 29

Posted: Wed Jul 21, 2010 12:26
phuzi0n wrote:
You can still do most of it but it'll be more messy. You won't be able to use DHCP for the public subnet but you probably didn't want to anyways. Both the public and private subnet will be in the same broadcast domain and so there won't be anything to stop one of the private machines from setting one of the public IPs if security is a concern.

That said, you would assign one of the public IP's to a virtual interface for br0 in the startup script like this.

ifconfig br0:1 206.148.145.33 netmask 255.255.255.240

Then in your firewall script disable NAT and allow incoming connections.

PUB="206.148.145.32/28"
iptables -t nat -I POSTROUTING -s $PUB -j ACCEPT
iptables -I FORWARD -d $PUB -j ACCEPT

Then statically assign public IPs to the devices you want to and make sure to set their gateway as 206.148.145.33.

Great! I'll try this when I get home. I don't want DHCP on the public IP side anyways, and I don't care if the private machines can set a public IP, that's actually my preferred setup. In the picture I showed 2 separate switches for the PCs/servers, but in reality it's one nice switch with VLAN capabilities. This just saves me a step from having to separate the PCs on the switch.

Thanks dude, I'll let you know how it goes
robinjames
DD-WRT Novice


Joined: 31 Dec 2007
Posts: 29

Posted: Thu Jul 22, 2010 1:33
It worked! Just one question for you phuzi0n...


When I enter in a static IP it works great (I enabled remote desktop and was able to access it remotely) but I just have one concern. I am not sure if it is normal or even a problem, but when I use one of the public IPs and I go to a site like whatismyv6.com to check the IP address, it shows the IP of the WAN side of dd-wrt. If I subnetted without it, it would show the proper IP.

I'm not super concerned as I know I can access those IPs, but I have an Exchange server and am not sure if that would be an issue with it. If it's because it's passing through the firewall that's cool, because that's what I want anyways.

Thanks for your help!!!
cheers,
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Thu Jul 22, 2010 1:43
It sounds like you didn't set the firewall correctly to disable NAT, but if that were the case then I wouldn't expect incoming traffic to work either because it would be blocked if the SPI firewall is enabled. Run this command and make sure that the first rule has your public subnet for the DD-WRT LAN side set to ACCEPT so that it doesn't get NAT'd by the SNAT rule that should be below it.

iptables -t nat -vnL POSTROUTING

Chain POSTROUTING (policy ACCEPT 682 packets, 130K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 206.148.145.32/28 0.0.0.0/0

robinjames
DD-WRT Novice


Joined: 31 Dec 2007
Posts: 29

Posted: Thu Jul 22, 2010 2:48
I lied :s I tried remote desktop from one of the DHCP IPs and assumed because it was able to connect to one of the public IPs that it was working. It's not..

I'm going to read the iptables wiki and try and absorb some of it
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Thu Jul 22, 2010 3:19
robinjames wrote:
Maybe I need an iptables PREROUTING rule?

root@DD-WRT:~# iptables -t nat -vnL POSTROUTING
Chain POSTROUTING (policy ACCEPT 7 packets, 2660 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * x.x.x.32/28 0.0.0.0/0
2095 126K SNAT 0 -- * eth1 0.0.0.0/0 0.0.0.0/0 to:x.x.x.230
0 0 RETURN 0 -- * br0 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
2 376 MASQUERADE 0 -- * br0 10.0.0.0/24 10.0.0.0/24

No, the PREROUTING chain in the nat table is used for DNAT rules that change the destination IP/port. POSTROUTING is where the source IP/port can be changed.

The ACCEPT rule is there but it hasn't been matched at all (left side is packet/byte counters) so either you set the address wrong or you may have not properly hard reset the router which can cause unexplainable behavior.

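The check below is an added example and not code from the thread or from DD-WRT. It ties together phuzi0n's setup (the br0:1 alias plus the `-I POSTROUTING ... -j ACCEPT` rule that must sit above the SNAT rule) and his later diagnosis that an ACCEPT rule with zero packet counters means the address is wrong or the rule is not taking effect. It reads the output of `iptables -t nat -vnL POSTROUTING` and reports whether the NAT bypass for the public subnet is present, ordered correctly, and actually matching traffic. The `x.x.x.*` prefixes in the sample listings are constructed placeholders, and the parser assumes the standard `-vnL` column order (pkts, bytes, target, prot, opt, in, out, source, destination).

```shell
#!/bin/sh
# Added example (not from the thread): verify that the NAT-bypass rule for the
# public subnet is really in effect after the br0:1 + iptables setup.
#
# check_postrouting PUB reads `iptables -t nat -vnL POSTROUTING` output on
# stdin and exits with:
#   0  ACCEPT rule for PUB sits above SNAT/MASQUERADE and has matched packets
#   1  no ACCEPT rule for PUB at all (firewall script did not run, PUB mistyped)
#   2  ACCEPT rule present but below the SNAT rule (appended with -A, not -I)
#   3  rule is in place but has matched nothing (wrong address, stale config,
#      or simply no host on the public subnet has sent traffic yet)
# Assumes the standard -vnL columns: pkts bytes target prot opt in out source dest.
check_postrouting() {
    awk -v pub="$1" '
        /^Chain / || /^ *pkts / || NF == 0 { next }   # skip chain header lines
        { n++ }                                        # rule position in chain
        $3 == "ACCEPT" && $8 == pub && !acc { acc = n; pkts = $1 }
        ($3 == "SNAT" || $3 == "MASQUERADE") && !nat { nat = n }
        END {
            if (!acc)             exit 1
            if (nat && nat < acc) exit 2
            if (pkts + 0 == 0)    exit 3
            exit 0
        }'
}

# postrouting_status PUB LISTING: same check on a string, printing the code
# instead of returning it (handy for scripts that run under set -e).
postrouting_status() {
    if printf '%s\n' "$2" | check_postrouting "$1"; then echo 0; else echo $?; fi
}

# Constructed sample listings; x.x.x.* stands in for the real public prefix.
# SAMPLE_UNMATCHED has the shape of the listing posted in the thread: the
# ACCEPT rule is first, but its packet counter is still 0.
SAMPLE_UNMATCHED='Chain POSTROUTING (policy ACCEPT 7 packets, 2660 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  *      *       x.x.x.32/28          0.0.0.0/0
 2095  126K SNAT       0    --  *      eth1    0.0.0.0/0            0.0.0.0/0           to:x.x.x.230
    0     0 RETURN     0    --  *      br0     0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
    2   376 MASQUERADE 0    --  *      br0     10.0.0.0/24          10.0.0.0/24'

# Healthy: same chain after a public-IP host has sent traffic out.
SAMPLE_OK='Chain POSTROUTING (policy ACCEPT 7 packets, 2660 bytes)
 pkts bytes target     prot opt in     out     source               destination
   57  4100 ACCEPT     0    --  *      *       x.x.x.32/28          0.0.0.0/0
 2095  126K SNAT       0    --  *      eth1    0.0.0.0/0            0.0.0.0/0           to:x.x.x.230'

# Wrong order: the rule was appended, so SNAT rewrites the source before it.
SAMPLE_APPENDED='Chain POSTROUTING (policy ACCEPT 7 packets, 2660 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2095  126K SNAT       0    --  *      eth1    0.0.0.0/0            0.0.0.0/0           to:x.x.x.230
    0     0 ACCEPT     0    --  *      *       x.x.x.32/28          0.0.0.0/0'

# On the router itself:
#   iptables -t nat -vnL POSTROUTING | check_postrouting "206.148.145.32/28"
for s in UNMATCHED OK APPENDED; do
    eval "listing=\$SAMPLE_$s"
    echo "$s: status $(postrouting_status 'x.x.x.32/28' "$listing")"
done
```

Counters are cumulative from the moment the rule was inserted, so a status of 3 right after a reboot only means no public-IP host has sent anything yet; generate some outbound traffic from one of those hosts, re-run the check, and only then treat a persistent zero as the wrong subnet or a rule that never applied. A status of 2 is the silent failure mode the thread is circling: the rule exists, so a quick `iptables -L` looks fine, but SNAT still rewrites the source and external sites keep seeing the WAN address.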
robinjames
DD-WRT Novice


Joined: 31 Dec 2007
Posts: 29

Posted: Thu Jul 22, 2010 3:31
LOL my god I'm an idiot tonight, it was wrong...

rebooting now with correct ip