Multiple external IP addresses / 1:1 NAT configuration

DD-WRT Forum Index -> Broadcom SoC based Hardware
Lore
DD-WRT Novice


Joined: 07 Jun 2006
Posts: 19

PostPosted: Sun Aug 05, 2007 2:10    Post subject: Multiple external IP addresses / 1:1 NAT configuration
Hi all,

I have a problem with my network configuration that I could really use some assistance on. After spending 3 hours reading the various multi-NAT, 1:1 NAT, and multiple public IP address threads, I haven't found anyone who's tried to do quite the same thing that I'm trying to achieve. Everyone wants to isolate networks; I actually want to link them.

Before I get started, here is some background:
1) I want to ensure that all computers in my house route to each other to take advantage of full LAN (100mbit) speeds, while still having access to the Internet.

2) My ISP has a DHCP server; if I plug into any wall jack that's connected directly to them, I can get a DHCP address if I do not specify one of my 5 static IP addresses.

3) I have access to 5 static IP addresses, and an unlimited number of dynamic addresses.

I have a Linux server ("SERVER A") with 4 public IP addresses and a Linksys WRT54G ("LINKSYS") running DD-WRT v23 SP2 with the 5th public IP address. I also have another server ("SERVER B") which is plugged into that wall jack directly to the ISP, and it picks up a dynamic IP because I am out of static IPs.

The goal is to have SERVER A, SERVER B, and LINKSYS all externally facing with their respective static/dynamic IP addresses, but with the ability to transfer data amongst each other at LAN speeds since they will be on the same physical network.

The ideal solution would be to plug SERVER A and SERVER B into two of the LINKSYS ports, assign SERVER A its 4 static IPs, let SERVER B pick up a dynamic IP from the ISP, and let all other computers running behind the LINKSYS pick up internal 192.168.x.x IP addresses while appearing to be the 5th static IP address to the world. And then, the holy grail - having them route amongst each other at full 100mbit speeds.

Does anyone know how we can accomplish this? Many thanks in advance!

In diagram form:



[Attached image: NetworkDiagram.png]

Lore
DD-WRT Novice


Joined: 07 Jun 2006
Posts: 19

PostPosted: Mon Aug 06, 2007 1:59    Post subject:
After some playing around, I'm still stuck probably because I don't really know how to use IPTABLES properly.

I've also decided to give up trying to obtain a dynamic IP for SERVER B. I haven't found any literature supporting the ability to do so, so I will -- for now -- assign one of my 5 statics to SERVER B.

Here's what I've got so far. First, alias the IP addresses.

Quote:

# Alias IPs
ifconfig vlan1:1 xxx.xxx.xxx.66 netmask 255.255.255.248 broadcast xxx.xxx.xxx.71
ifconfig vlan1:2 xxx.xxx.xxx.67 netmask 255.255.255.248 broadcast xxx.xxx.xxx.71
ifconfig vlan1:3 xxx.xxx.xxx.68 netmask 255.255.255.248 broadcast xxx.xxx.xxx.71
ifconfig vlan1:4 xxx.xxx.xxx.69 netmask 255.255.255.248 broadcast xxx.xxx.xxx.71


Then, allow ESTABLISHED and RELATED connections.

Quote:

# Allow established and related connections.
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # these are already present
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # these are already present


Finally, enter the NAT entries. This is where I got really confused. I am using the second static IP, xxx.xxx.xxx.67, as the test IP since that will be assigned to the most accessible machine.

Quote:

# int: 192.168.46.67 --> ext: xxx.xxx.xxx.67
/usr/sbin/iptables -t nat -I PREROUTING 1 -p all -d xxx.xxx.xxx.67 -j DNAT --to-destination 192.168.46.67
/usr/sbin/iptables -I FORWARD -s xxx.xxx.xxx.67 -d 192.168.46.67 -j ACCEPT
/usr/sbin/iptables -t nat -I POSTROUTING 1 -p all -s 192.168.46.67 -j SNAT --to-source xxx.xxx.xxx.67


I see the entries when I run 'iptables -t nat -L -n' so I know that is making it in. When I type in 'iptables -L -n' I also see the forward entry, so that's making it in as well. However, where I'm getting stuck is that nothing is actually forwarding. When I try to connect from an external host to the public facing IP address, it's hitting the Linksys. I've tried a few variations of this as well but unless I explicitly forward a port (say, port 21) to the private IP, nothing will get to it. How can I get around this and forward all ports by default?

Also, do I need to do anything special for the other IP addresses, or can I just replicate this code but replace the IP addresses with the correct ones?

Thanks for any help you may be able to provide!
Carbine
DD-WRT Novice


Joined: 13 Jun 2007
Posts: 4

PostPosted: Mon Aug 06, 2007 15:07    Post subject:
I PM'd you with this already, but here's how I did my network, which I believe is similar to what you're trying to do:

Okay, the way my network is setup is as follows:

4 servers, each with their own external IP address.
9 workstations all sharing one external IP address.

All boxes, including the servers with their own external IP addresses can be reached by all machines by using their internal IP addresses.

The code below is what I have set up in the startup commands, where ***.***.***.*** is an external IP address and XXX.XXX.XXX.XXX is an internal one; each of the 4 in the script is numbered:

Code:

/usr/sbin/ip addr add ***.***.***.**1/29 dev vlan1
/usr/sbin/ip addr add ***.***.***.**2/29 dev vlan1
/usr/sbin/ip addr add ***.***.***.**3/29 dev vlan1
/usr/sbin/ip addr add ***.***.***.**4/29 dev vlan1


/usr/sbin/iptables -t nat -I POSTROUTING 1 -p all -s XXX.XXX.XXX.XX1 -j SNAT --to ***.***.***.**1
/usr/sbin/iptables -t nat -I POSTROUTING 1 -p all -s XXX.XXX.XXX.XX3 -j SNAT --to ***.***.***.**3
/usr/sbin/iptables -t nat -I POSTROUTING 1 -p all -s XXX.XXX.XXX.XX2 -j SNAT --to ***.***.***.**2
/usr/sbin/iptables -t nat -I POSTROUTING 1 -p all -s XXX.XXX.XXX.XX4 -j SNAT --to ***.***.***.**4

/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d ***.***.***.**1 --dport 80 -j DNAT --to-destination XXX.XXX.XXX.XX1:80
/usr/sbin/iptables -I FORWARD -p tcp -d XXX.XXX.XXX.XX1 --dport 80 -j ACCEPT

/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d ***.***.***.**2 --dport 80 -j DNAT --to-destination XXX.XXX.XXX.XX2:80
/usr/sbin/iptables -I FORWARD -p tcp -d XXX.XXX.XXX.XX2 --dport 80 -j ACCEPT

/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d ***.***.***.**3 --dport 80 -j DNAT --to-destination XXX.XXX.XXX.XX3:80
/usr/sbin/iptables -I FORWARD -p tcp -d XXX.XXX.XXX.XX3 --dport 80 -j ACCEPT

/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d ***.***.***.**4 --dport 80 -j DNAT --to-destination XXX.XXX.XXX.XX4:80
/usr/sbin/iptables -I FORWARD -p tcp -d XXX.XXX.XXX.XX4 --dport 80 -j ACCEPT


With the above code I have 4 external IP addresses forwarding to 4 internal IP addresses and an example of forwarding port 80 to each of them.

For all the rest of the machines on the network, they all take the settings that I have applied through the web interface. The 4 machines with their own external IP are set up with static internal IP addresses while the rest are setup to grab internal IPs from DHCP. Hopefully this helps. Not the clearest of explanations, sorry.
ziadsa
DD-WRT Novice


Joined: 20 Aug 2007
Posts: 7

PostPosted: Sun Jul 04, 2010 1:33    Post subject:
This script is perfect,

But is there any way to make the public IP on any of the 4 machines that has a public IP wide open?

I have my DD-WRT doing the PPPoE session, and I am getting my static IP from my provider's server.

Then I want to assign 2 static IPs, to 1 server and 1 router; all my DHCP clients will be connected to that router and the static ones have their IPs.

Because if I assign a static IP to my second router, where all my DHCP clients will be connecting, I want that router to be exposed 100% on the WAN and each client connected will do his own routing. If I use your method here I will be double NATing, unless there is a way to tell the main DD-WRT router to forward the whole port range to that specific external IP.

Any help is really appreciated.

Thanks.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Sun Jul 04, 2010 2:28    Post subject:
The wiki guide explains what you want.

http://www.dd-wrt.com/wiki/index.php/One-to-one_NAT

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
ziadsa
DD-WRT Novice


Joined: 20 Aug 2007
Posts: 7

PostPosted: Sun Jul 04, 2010 7:38    Post subject:
Thanks for the reply,
I have a few questions about that wiki:

WANIF=`nvram get wan_iface`
WANMASK=`nvram get wan_netmask`
ifconfig $WANIF:1 [PUBLIC_IP1] netmask $WANMASK broadcast [BROADCAST]
ifconfig $WANIF:2 [PUBLIC_IP2] netmask $WANMASK broadcast [BROADCAST]
ifconfig $WANIF:3 [PUBLIC_IP3] netmask $WANMASK broadcast [BROADCAST]


On my computer that has a static IP, what do I put as gateway and DNS? Do they have to be the default ones, 192.168.1.1 as gateway and DHCP?

But my provider informed me the WAN IP will be 67.44.27.129 and your gateway IP for the LAN is 67.44.27.128,
and on my computer it has to be 67.44.27.130 with gateway 67.44.27.128, which is my switch or LAN bridge router.

Thanks.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Sun Jul 04, 2010 9:30    Post subject:
With 1:1 NAT the router will have all of the public IPs assigned to it and it will NAT them to whatever private IP you want it to. You still need to have all your LAN hosts using private IPs and set to use the router's LAN IP as their gateway; DNS can be any working DNS server.
ziadsa
DD-WRT Novice


Joined: 20 Aug 2007
Posts: 7

PostPosted: Wed Sep 01, 2010 2:08    Post subject:
I am sharing my success story.
I have been using this setup on my DD-WRT for over 3 months and it's working A+.

In Commands I put this as the startup script:

WANIF=`nvram get wan_iface`
WANMASK=`nvram get wan_netmask`
ifconfig $WANIF:1 67.55.33.120 netmask $WANMASK broadcast 67.55.33.125
ifconfig $WANIF:2 67.55.33.121 netmask $WANMASK broadcast 67.55.33.125
ifconfig $WANIF:3 67.55.33.122 netmask $WANMASK broadcast 67.55.33.125
ifconfig $WANIF:4 67.55.33.123 netmask $WANMASK broadcast 67.55.33.125
ifconfig $WANIF:5 67.55.33.124 netmask $WANMASK broadcast 67.55.33.125

I got my broadcast IP by using an IP calculator; I know nothing about this stuff, I kept reading for over a week :)

http://www.subnet-calculator.com/


Now in my firewall rules I created the following:

# WAN .120 -> LAN .2
iptables -t nat -I PREROUTING -d 67.55.33.120 -j DNAT --to 192.168.1.2
iptables -t nat -I POSTROUTING -s 192.168.1.2 -j SNAT --to 67.55.33.120
iptables -I FORWARD -d 192.168.1.2 -j ACCEPT

# WAN .121 -> LAN .3
iptables -t nat -I PREROUTING -d 67.55.33.121 -j DNAT --to 192.168.1.3
iptables -t nat -I POSTROUTING -s 192.168.1.3 -j SNAT --to 67.55.33.121
iptables -I FORWARD -d 192.168.1.3 -j ACCEPT

# WAN .122 -> LAN .4
iptables -t nat -I PREROUTING -d 67.55.33.122 -j DNAT --to 192.168.1.4
iptables -t nat -I POSTROUTING -s 192.168.1.4 -j SNAT --to 67.55.33.122
iptables -I FORWARD -d 192.168.1.4 -j ACCEPT

# WAN .123 -> LAN .5
iptables -t nat -I PREROUTING -d 67.55.33.123 -j DNAT --to 192.168.1.5
iptables -t nat -I POSTROUTING -s 192.168.1.5 -j SNAT --to 67.55.33.123
iptables -I FORWARD -d 192.168.1.5 -j ACCEPT

# WAN .124 -> LAN .6
iptables -t nat -I PREROUTING -d 67.55.33.124 -j DNAT --to 192.168.1.6
iptables -t nat -I POSTROUTING -s 192.168.1.6 -j SNAT --to 67.55.33.124
iptables -I FORWARD -d 192.168.1.6 -j ACCEPT


And I have my DD-WRT set to assign DHCP from 100 to 255,
and I dedicated 192.168.1.2 to 6 for my static IPs.

All is working A+,
no problem at all.
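The rule set that recurs through this thread (the OP's attempt, Carbine's startup script and ziadsa's working version), as an added example that none of them posted: a small POSIX sh generator that derives the broadcast address the ifconfig alias lines need and prints the three iptables commands of each 1:1 mapping, so the result can be read before it is pasted into the router's startup/firewall commands. The addresses are constructed (RFC 5737 documentation ranges); the FORWARD rule matches the private destination because PREROUTING has already rewritten it by the time FORWARD runs, and the optional TCP port list narrows what an otherwise fully exposed host accepts.

```shell
#!/bin/sh
# Added example, not from the thread: derive the broadcast address the ifconfig
# alias lines need, and render the three iptables rules of one 1:1 NAT mapping.
# All addresses are constructed (RFC 5737 203.0.113.0/24), not anyone's real IPs.

# ip_to_int 203.0.113.66 -> 3405803842 (dotted quad to 32-bit integer)
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3405803842 -> 203.0.113.66
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# broadcast IP NETMASK: the value the thread looked up in a subnet calculator.
broadcast() {
    ip=$(ip_to_int "$1"); mask=$(ip_to_int "$2")
    int_to_ip $(( (ip & mask) | (~mask & 4294967295) ))
}

# one_to_one_rules PUBLIC PRIVATE [TCP_PORTS]: inbound DNAT, outbound SNAT and the
# FORWARD accept. FORWARD sees the packet after PREROUTING rewrote its destination,
# so the accept matches the private address. No port list = every protocol and port
# is forwarded to the host; a list accepts only those TCP ports, the safer default.
one_to_one_rules() {
    pub=$1; priv=$2; ports=$3
    echo "iptables -t nat -I PREROUTING -d $pub -j DNAT --to-destination $priv"
    echo "iptables -t nat -I POSTROUTING -s $priv -j SNAT --to-source $pub"
    if [ -z "$ports" ]; then
        echo "iptables -I FORWARD -d $priv -j ACCEPT"
    else
        for p in $ports; do
            echo "iptables -I FORWARD -p tcp -d $priv --dport $p -j ACCEPT"
        done
    fi
}

# Constructed mapping table: PUBLIC PRIVATE PORTS ("-" = expose everything).
MAPPINGS='203.0.113.66 192.168.1.2 22 80 443
203.0.113.67 192.168.1.3 -'

# render_all prints every rule; review the output, then pipe it to sh on the router.
render_all() {
    echo "$MAPPINGS" | while read -r pub priv ports; do
        if [ "$ports" = "-" ]; then ports=""; fi
        one_to_one_rules "$pub" "$priv" "$ports"
    done
}
```

The alias lines from the wiki snippet quoted above can be built the same way, e.g. `ifconfig $WANIF:1 203.0.113.66 netmask 255.255.255.248 broadcast $(broadcast 203.0.113.66 255.255.255.248)`.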
kt_haddock
DD-WRT Guru


Joined: 25 Dec 2009
Posts: 629

PostPosted: Wed Sep 01, 2010 10:43    Post subject:
If you want to do this with MAC reservation from the ISP,
how do you configure it then?

_________________
KONG BUILDS

[I prefer answers in whole sentences]
ziadsa
DD-WRT Novice


Joined: 20 Aug 2007
Posts: 7

PostPosted: Wed Sep 01, 2010 14:04    Post subject:
kt_haddock wrote:
If you want to do this with MAC reservation from the ISP,
how do you configure it then?


I have no idea.

I am sure some experts will help here :)
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Wed Sep 01, 2010 22:25    Post subject:
kt_haddock wrote:
If you want to do this with MAC reservation from the ISP,
how do you configure it then?

It's not possible using 1:1 NAT because the interface can only have one MAC address. You need to use VLANs to put a port in the WAN VLAN so that it is switched directly to your ISP without any NAT/firewalling/routing by the router.

kt_haddock
DD-WRT Guru


Joined: 25 Dec 2009
Posts: 629

PostPosted: Thu Sep 02, 2010 14:11    Post subject:
Okay, thanks!