Multiple external IP addresses / 1:1 NAT configuration

Author Message
Lore
DD-WRT Novice


Joined: 07 Jun 2006
Posts: 19

PostPosted: Sun Aug 05, 2007 2:10    Post subject: Multiple external IP addresses / 1:1 NAT configuration
Hi all,

I have a problem with my network configuration that I could really use some assistance on. After spending 3 hours reading the various multi-NAT, 1:1 NAT, and multiple public IP address threads, I haven't found anyone who's tried to do quite the same thing that I'm trying to achieve. Everyone wants to isolate networks; I actually want to link them.

Before I get started, here is some background:
1) I want to ensure that all computers in my house route to each other to take advantage of full LAN (100mbit) speeds, while still having access to the Internet.

2) My ISP has a DHCP server; if I plug into any wall jack that's connected directly to them, I can get a DHCP address if I do not specify one of my 5 static IP addresses.

3) I have access to 5 static IP addresses, and an unlimited number of dynamic addresses.

I have a Linux server ("SERVER A") with 4 public IP addresses and a Linksys WRT54G ("LINKSYS") running DD-WRT v23 SP2 with the 5th public IP address. I also have another server ("SERVER B") which is plugged into that wall jack directly to the ISP, and it picks up a dynamic IP because I am out of static IPs.

The goal is to have SERVER A, SERVER B, and LINKSYS all externally facing with their respective static/dynamic IP addresses, but with the ability to transfer data amongst each other at LAN speeds since they will be on the same physical network.

The ideal solution would be to plug SERVER A and SERVER B into two of the LINKSYS ports, assign SERVER A its 4 static IPs, let SERVER B pick up a dynamic IP from the ISP, and let all other computers running behind the LINKSYS pick up internal 192.168.x.x IP addresses while appearing to be the 5th static IP address to the world. And then, the holy grail - having them route amongst each other at full 100mbit speeds.

Does anyone know how we can accomplish this? Many thanks in advance!

In diagram form:

[attachment: NetworkDiagram.png]

Lore
DD-WRT Novice


Joined: 07 Jun 2006
Posts: 19

PostPosted: Mon Aug 06, 2007 1:59    Post subject:
After some playing around, I'm still stuck probably because I don't really know how to use IPTABLES properly.

I've also decided to give up trying to obtain a dynamic IP for SERVER B. I haven't found any literature supporting the ability to do so, so I will -- for now -- assign one of my 5 statics to SERVER B.

Here's what I've got so far. First, alias the IP addresses.

Quote:

# Alias IPs
ifconfig vlan1:1 xxx.xxx.xxx.66 netmask 255.255.255.248 broadcast xxx.xxx.xxx.71
ifconfig vlan1:2 xxx.xxx.xxx.67 netmask 255.255.255.248 broadcast xxx.xxx.xxx.71
ifconfig vlan1:3 xxx.xxx.xxx.68 netmask 255.255.255.248 broadcast xxx.xxx.xxx.71
ifconfig vlan1:4 xxx.xxx.xxx.69 netmask 255.255.255.248 broadcast xxx.xxx.xxx.71


Then, allow ESTABLISHED and RELATED connections.

Quote:

# Allow established and related connections.
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # these are already present
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # these are already present


Finally, enter the NAT entries. This is where I got really confused. I am using the second static IP, xxx.xxx.xxx.67, as the test IP since that will be assigned to the most accessible machine.

Quote:

# int: 192.168.46.67 --> ext: xxx.xxx.xxx.67
/usr/sbin/iptables -t nat -I PREROUTING 1 -p all -d xxx.xxx.xxx.67 -j DNAT --to-destination 192.168.46.67
/usr/sbin/iptables -I FORWARD -s xxx.xxx.xxx.67 -d 192.168.46.67 -j ACCEPT
/usr/sbin/iptables -t nat -I POSTROUTING 1 -p all -s 192.168.46.67 -j SNAT --to-source xxx.xxx.xxx.67


I see the entries when I run 'iptables -t nat -L -n' so I know that is making it in. When I type in 'iptables -L -n' I also see the forward entry, so that's making it in as well. However, where I'm getting stuck is that nothing is actually forwarding. When I try to connect from an external host to the public facing IP address, it's hitting the Linksys. I've tried a few variations of this as well but unless I explicitly forward a port (say, port 21) to the private IP, nothing will get to it. How can I get around this and forward all ports by default?

Also, do I need to do anything special for the other IP addresses, or can I just replicate this code but replace the IP addresses with the correct ones?

Thanks for any help you may be able to provide!
Carbine
DD-WRT Novice


Joined: 13 Jun 2007
Posts: 4

PostPosted: Mon Aug 06, 2007 15:07    Post subject:
I PMed you with this already, but here's how I did my network, which I believe is similar to what you're trying to do:

Okay, the way my network is set up is as follows:

4 servers, each with their own external IP address.
9 workstations all sharing one external IP address.

All boxes, including the servers with their own external IP addresses can be reached by all machines by using their internal IP addresses.

The code below is what I have set up in the startup commands where ***.***.***.*** is an external IP address and XXX.XXX.XXX.XXX is an internal, each of the 4 in the script are numbered:

Code:

/usr/sbin/ip addr add ***.***.***.**1/29 dev vlan1
/usr/sbin/ip addr add ***.***.***.**2/29 dev vlan1
/usr/sbin/ip addr add ***.***.***.**3/29 dev vlan1
/usr/sbin/ip addr add ***.***.***.**4/29 dev vlan1


/usr/sbin/iptables -t nat -I POSTROUTING 1 -p all -s XXX.XXX.XXX.XX1 -j SNAT --to ***.***.***.**1
/usr/sbin/iptables -t nat -I POSTROUTING 1 -p all -s XXX.XXX.XXX.XX3 -j SNAT --to ***.***.***.**3
/usr/sbin/iptables -t nat -I POSTROUTING 1 -p all -s XXX.XXX.XXX.XX2 -j SNAT --to ***.***.***.**2
/usr/sbin/iptables -t nat -I POSTROUTING 1 -p all -s XXX.XXX.XXX.XX4 -j SNAT --to ***.***.***.**4

/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d ***.***.***.**1 --dport 80 -j DNAT --to-destination XXX.XXX.XXX.XX1:80
/usr/sbin/iptables -I FORWARD -p tcp -d XXX.XXX.XXX.XX1 --dport 80 -j ACCEPT

/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d ***.***.***.**2 --dport 80 -j DNAT --to-destination XXX.XXX.XXX.XX2:80
/usr/sbin/iptables -I FORWARD -p tcp -d XXX.XXX.XXX.XX2 --dport 80 -j ACCEPT

/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d ***.***.***.**3 --dport 80 -j DNAT --to-destination XXX.XXX.XXX.XX3:80
/usr/sbin/iptables -I FORWARD -p tcp -d XXX.XXX.XXX.XX3 --dport 80 -j ACCEPT

/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d ***.***.***.**4 --dport 80 -j DNAT --to-destination XXX.XXX.XXX.XX4:80
/usr/sbin/iptables -I FORWARD -p tcp -d XXX.XXX.XXX.XX4 --dport 80 -j ACCEPT


With the above code I have 4 external IP addresses forwarding to 4 internal IP addresses and an example of forwarding port 80 to each of them.

For all the rest of the machines on the network, they all take the settings that I have applied through the web interface. The 4 machines with their own external IP are set up with static internal IP addresses, while the rest are set up to grab internal IPs from DHCP. Hopefully this helps. Not the clearest of explanations, sorry.
ziadsa
DD-WRT Novice


Joined: 20 Aug 2007
Posts: 7

PostPosted: Sun Jul 04, 2010 1:33    Post subject:
This script is perfect,

But is there any way to make the public IP on any of the 4 machines that have a public IP wide open?

I have my DD-WRT doing the PPPoE session, and I am getting my static IP from my provider's server.

Then I want to assign 2 static IPs to 1 server and 1 router; all my DHCP clients will be connected to that router, and the static hosts have their IPs.

Because if I assign a static IP for my second router, where all my DHCP clients will be connecting, I want that router to be exposed 100% on the WAN and each client connected will do his own routing. If I use your method here I will be double NATing, unless there is a way to tell the main DD-WRT router to forward the whole port range to that specific external IP.

Any help is really appreciated.

Thanks.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Sun Jul 04, 2010 2:28    Post subject:
The wiki guide explains what you want.

http://www.dd-wrt.com/wiki/index.php/One-to-one_NAT

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
ziadsa
DD-WRT Novice


Joined: 20 Aug 2007
Posts: 7

PostPosted: Sun Jul 04, 2010 7:38    Post subject:
Thanks for the reply,
I have a few questions about that wiki:

WANIF=`nvram get wan_iface`
WANMASK=`nvram get wan_netmask`
ifconfig $WANIF:1 [PUBLIC_IP1] netmask $WANMASK broadcast [BROADCAST]
ifconfig $WANIF:2 [PUBLIC_IP2] netmask $WANMASK broadcast [BROADCAST]
ifconfig $WANIF:3 [PUBLIC_IP3] netmask $WANMASK broadcast [BROADCAST]


On my computer that has a static IP, what do I put as gateway and DNS? Do they have to be the default ones, 192.168.1.1 as gateway and DHCP?

But my provider informed me the WAN IP will be 67.44.27.129 and your gateway IP for the LAN is 67.44.27.128,
and on my computer it has to be 67.44.27.130 and gateway 67.44.27.128, which is my switch or LAN bridge router.

Thanks.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Sun Jul 04, 2010 9:30    Post subject:
With 1:1 NAT the router will have all of the public IPs assigned to it and it will NAT them to whatever private IP you want it to. You still need to have all your LAN hosts using private IPs and set to use the router's LAN IP as their gateway; DNS can be any working DNS server.
ziadsa
DD-WRT Novice


Joined: 20 Aug 2007
Posts: 7

PostPosted: Wed Sep 01, 2010 2:08    Post subject:
I am sharing my success story.
I have been using this setup on my DD-WRT for over 3 months and it's working A+.

In Commands I put this as the startup script:

WANIF=`nvram get wan_iface`
WANMASK=`nvram get wan_netmask`
ifconfig $WANIF:1 67.55.33.120 netmask $WANMASK broadcast 67.55.33.125
ifconfig $WANIF:2 67.55.33.121 netmask $WANMASK broadcast 67.55.33.125
ifconfig $WANIF:3 67.55.33.122 netmask $WANMASK broadcast 67.55.33.125
ifconfig $WANIF:4 67.55.33.123 netmask $WANMASK broadcast 67.55.33.125
ifconfig $WANIF:5 67.55.33.124 netmask $WANMASK broadcast 67.55.33.125

I got my broadcast IP by using an IP calculator; I know nothing about this stuff, I kept reading for over a week :)

http://www.subnet-calculator.com/


Now in my firewall rules I created the following:

# WAN .120 -> LAN .2
iptables -t nat -I PREROUTING -d 67.55.33.120 -j DNAT --to 192.168.1.2
iptables -t nat -I POSTROUTING -s 192.168.1.2 -j SNAT --to 67.55.33.120
iptables -I FORWARD -d 192.168.1.2 -j ACCEPT

# WAN .121 -> LAN .3
iptables -t nat -I PREROUTING -d 67.55.33.121 -j DNAT --to 192.168.1.3
iptables -t nat -I POSTROUTING -s 192.168.1.3 -j SNAT --to 67.55.33.121
iptables -I FORWARD -d 192.168.1.3 -j ACCEPT

# WAN .122 -> LAN .4
iptables -t nat -I PREROUTING -d 67.55.33.122 -j DNAT --to 192.168.1.4
iptables -t nat -I POSTROUTING -s 192.168.1.4 -j SNAT --to 67.55.33.122
iptables -I FORWARD -d 192.168.1.4 -j ACCEPT

# WAN .123 -> LAN .5
iptables -t nat -I PREROUTING -d 67.55.33.123 -j DNAT --to 192.168.1.5
iptables -t nat -I POSTROUTING -s 192.168.1.5 -j SNAT --to 67.55.33.123
iptables -I FORWARD -d 192.168.1.5 -j ACCEPT

# WAN .124 -> LAN .6
iptables -t nat -I PREROUTING -d 67.55.33.124 -j DNAT --to 192.168.1.6
iptables -t nat -I POSTROUTING -s 192.168.1.6 -j SNAT --to 67.55.33.124
iptables -I FORWARD -d 192.168.1.6 -j ACCEPT


And I have my DD-WRT set to assign DHCP from 100 to 255,
and I dedicated 192.168.1.2 to 6 for my static IPs.

All is working A+,
no problem at all.
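The alias-plus-three-rules pattern the thread converges on, written out as an added example that is not from the thread or the DD-WRT wiki: a POSIX sh generator that computes each alias broadcast from the WAN netmask (instead of an online calculator), refuses a public address that is outside the WAN block, and emits the ifconfig and iptables lines for every PUBLIC=PRIVATE pair. WANIF, WANIP, WANMASK and the TEST-NET-3 mapping are constructed values standing in for the router's nvram settings.

```shell
#!/bin/sh
# Added example (not from the thread or the DD-WRT wiki): build the 1:1 NAT
# commands from a PUBLIC=PRIVATE table. On the router WANIF/WANIP/WANMASK come
# from `nvram get wan_iface`/`wan_ipaddr`/`wan_netmask`; below are constructed samples.
WANIF=vlan1
WANIP=203.0.113.121
WANMASK=255.255.255.248
MAP="203.0.113.122=10.0.1.6 203.0.113.123=10.0.1.7"   # order sets alias :1, :2, ...

# Broadcast of address $1 under dotted mask $2, octet by octet (ip | ~mask),
# replacing the online subnet calculator. The subshell keeps IFS=. local.
broadcast_of() (
    IFS=.
    set -- $1 $2      # $1..$4 = address octets, $5..$8 = mask octets
    echo "$(( $1 | (255 - $5) )).$(( $2 | (255 - $6) )).$(( $3 | (255 - $7) )).$(( $4 | (255 - $8) ))"
)

# Succeeds when $1 and $2 are in the same network under mask $3. An alias
# outside the WAN block is never routed to the router, so generate() skips it.
same_subnet() (
    IFS=.
    set -- $1 $2 $3   # $1..$4 address, $5..$8 reference, $9..$12 mask
    [ $(( $1 & $9 )) -eq $(( $5 & $9 )) ] && [ $(( $2 & ${10} )) -eq $(( $6 & ${10} )) ] &&
    [ $(( $3 & ${11} )) -eq $(( $7 & ${11} )) ] && [ $(( $4 & ${12} )) -eq $(( $8 & ${12} )) ]
)

# Commands for one mapping: $1 alias index, $2 public IP, $3 private IP.
# -I puts SNAT ahead of the firmware's MASQUERADE rule; -i/-o pin the rules to
# the WAN side. The FORWARD ACCEPT exposes every port of the private host
# (the "wide open" case asked for above), so that host needs its own firewall.
onetoone_rules() {
    echo "ifconfig $WANIF:$1 $2 netmask $WANMASK broadcast $(broadcast_of "$2" "$WANMASK")"
    echo "iptables -t nat -I PREROUTING -i $WANIF -d $2 -j DNAT --to $3"
    echo "iptables -t nat -I POSTROUTING -o $WANIF -s $3 -j SNAT --to $2"
    echo "iptables -I FORWARD -i $WANIF -d $3 -j ACCEPT"
}

# Emit commands for every PUBLIC=PRIVATE pair in $1. Returns 1 if a public
# address lies outside the WAN subnet; that pair is reported and skipped.
generate() {
    i=1; rc=0
    for pair in $1; do
        pub=${pair%=*}; priv=${pair#*=}
        if same_subnet "$pub" "$WANIP" "$WANMASK"; then
            onetoone_rules "$i" "$pub" "$priv"
        else
            echo "# skipped $pub: not in $WANIP/$WANMASK" >&2; rc=1
        fi
        i=$((i + 1))
    done
    return $rc
}
# Dry run: ifconfig lines go in the Startup box and iptables lines in the
# Firewall box of Administration > Commands; on the router, pipe into sh.
generate "$MAP"
```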
kt_haddock
DD-WRT Guru


Joined: 25 Dec 2009
Posts: 710

PostPosted: Wed Sep 01, 2010 10:43    Post subject:
If you want to do this with MAC reservation from the ISP,
how do you configure it then?

_________________
[I prefer answers in whole sentences]
ziadsa
DD-WRT Novice


Joined: 20 Aug 2007
Posts: 7

PostPosted: Wed Sep 01, 2010 14:04    Post subject:
kt_haddock wrote:
If you want to do this with MAC reservation from the ISP,
how do you configure it then?


I have no idea.

I am sure some experts will help here :)
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

PostPosted: Wed Sep 01, 2010 22:25    Post subject:
kt_haddock wrote:
If you want to do this with MAC reservation from the ISP,
how do you configure it then?

It's not possible using 1:1 NAT because the interface can only have one MAC address. You need to use VLANs to put a port in the WAN VLAN so that it is switched directly to your ISP without any NAT/firewalling/routing by the router.
kt_haddock
DD-WRT Guru


Joined: 25 Dec 2009
Posts: 710

PostPosted: Thu Sep 02, 2010 14:11    Post subject:
Okay, thanks!
gozippy
DD-WRT Novice


Joined: 19 Sep 2020
Posts: 25

PostPosted: Tue Dec 29, 2020 1:35    Post subject:
Firstly, very sorry to hijack this old thread, but it seemed to have the most relevant info for me.

I followed the above procedures for startup and firewall commands. I still cannot seem to get DD-WRT to forward all ports and traffic received for a specific public IP as above.

My setup is ATT Fiber to the house, ATT modem set in IP-Passthrough --> DD-WRT WAN port.

On the DD-WRT I have PCs and servers attached to the LAN ports, all using static 10.0.x.x 255.255.0.0 addresses. (The DHCP service on DD-WRT is on, serving 10.0.2.200-254 to LAN DHCP client requests.)

I have 5 public IPs from the ISP that I am paying for; I want to pass them straight through the DD-WRT to LAN-side servers, and use one for the DD-WRT itself.

I have:

104.x.x.105 - 109 usable public IP
104.x.x.110 ISP said to use this for Gateway
Subnet Calculator online says to use 104.x.x.111 as broadcast

I set DD-WRT to 104.X.X.105 for the WAN IP, both using STATIC assignment on the DD-WRT and on the ATT modem (selecting the connected DD-WRT WAN MAC and assigning it via IP Allocation on the modem itself, then setting the DD-WRT to DHCP (WAN); it always pulls the 104.X.X.105 IP). I did that to make sure I had the netmask and everything correct.

I tried with the ATT modem in passthrough as well as set to gateway/router.

In passthrough the ATT modem picks up a seemingly random network IP from ATT (public), and the block I purchased, 104.X.X.105-109, is usable and assignable through the ATT modem.

As I have only the DD-WRT attached to the ATT modem, I want all IPs to be pushed through the DD-WRT to the correct LAN-side device I want...

I have this in startup and firewall:
Code:

Startup
WANIF=`nvram get wan_iface`
WANMASK=`nvram get wan_netmask`
ifconfig $WANIF:1 104.X.X.106 netmask $WANMASK broadcast 104.X.X.111
ifconfig $WANIF:2 104.X.X.107 netmask $WANMASK broadcast 104.X.X.111
ifconfig $WANIF:3 104.X.X.108 netmask $WANMASK broadcast 104.X.X.111
ifconfig $WANIF:4 104.X.X.109 netmask $WANMASK broadcast 104.X.X.111


Firewall
# WAN .106 -> LAN .6
iptables -t nat -I PREROUTING -d 104.X.X.106 -j DNAT --to 10.0.1.6
iptables -t nat -I POSTROUTING -s 10.0.1.6 -j SNAT --to 104.X.X.106
iptables -I FORWARD -d 10.0.1.6 -j ACCEPT

# WAN .107 -> LAN .7
iptables -t nat -I PREROUTING -d 104.X.X.107 -j DNAT --to 10.0.1.7
iptables -t nat -I POSTROUTING -s 10.0.1.7 -j SNAT --to 104.X.X.107
iptables -I FORWARD -d 10.0.1.7 -j ACCEPT

# WAN .108 -> LAN .8
iptables -t nat -I PREROUTING -d 104.X.X.108 -j DNAT --to 10.0.1.8
iptables -t nat -I POSTROUTING -s 10.0.1.8 -j SNAT --to 104.X.X.108
iptables -I FORWARD -d 10.0.1.8 -j ACCEPT

# WAN .109 -> LAN .9
iptables -t nat -I PREROUTING -d 104.X.X.109 -j DNAT --to 10.0.1.9
iptables -t nat -I POSTROUTING -s 10.0.1.9 -j SNAT --to 104.X.X.109
iptables -I FORWARD -d 10.0.1.9 -j ACCEPT


When I telnet or ssh to any of the public IPs, it opens only the DD-WRT interface. All IPs, 10.0.x.x and 104.x.x.105-109, go to the DD-WRT web GUI or telnet.

What I want is to be able to use DD-WRT as a go-between for my private LAN clients 10.0.x.x (Xbox, kids' game PC and my office PC on wired and wireless LAN) but also pass through 104.x.x.106-109 to LAN-side clients...

I assume we need a virtual bridge between the 104.x.x.x public IP subnet and the 10.0.x.x private subnet.

I can definitely ping active 10.0.X.X ranges from behind the LAN.

I can port forward from the IP for the DD-WRT, in this case 104.X.X.105.

I can select LAN 10.0.X.X clients on the LAN to take the port forward for specified ports.

What I want is to be able to pass through the public IPs as well as private LAN IPs to devices connected on the LAN side of the DD-WRT.

Any advice? I can ping the host in most cases for any IP in the range, but I think it's only the DD-WRT responding, not the actual connected server.