Posted: Sun Aug 05, 2007 2:10 Post subject: Multiple external IP addresses / 1:1 NAT configuration
Hi all,
I have a problem with my network configuration that I could really use some assistance on. After spending 3 hours reading the various multi-NAT, 1:1 NAT, and multiple public IP address threads, I haven't found anyone who's tried to do quite the same thing that I'm trying to achieve. Everyone wants to isolate networks; I actually want to link them.
Before I get started, here is some background:
1) I want to ensure that all computers in my house route to each other to take advantage of full LAN (100mbit) speeds, while still having access to the Internet.
2) My ISP has a DHCP server; if I plug into any wall jack that's connected directly to them, I can get a DHCP address if I do not specify one of my 5 static IP addresses.
3) I have access to 5 static IP addresses, and an unlimited number of dynamic addresses.
I have a Linux server ("SERVER A") with 4 public IP addresses and a Linksys WRT54G ("LINKSYS") running DD-WRT v23 SP2 with the 5th public IP address. I also have another server ("SERVER B") which is plugged into that wall jack directly to the ISP, and it picks up a dynamic IP because I am out of static IPs.
The goal is to have SERVER A, SERVER B, and LINKSYS all externally facing with their respective static/dynamic IP addresses, but with the ability to transfer data amongst each other at LAN speeds since they will be on the same physical network.
The ideal solution would be to plug SERVER A and SERVER B into two of the LINKSYS ports, assign SERVER A its 4 static IPs, let SERVER B pick up a dynamic IP from the ISP, and let all other computers running behind the LINKSYS pick up internal 192.168.x.x IP addresses while appearing to be the 5th static IP address to the world. And then, the holy grail - having them route amongst each other at full 100mbit speeds.
Does anyone know how we can accomplish this? Many thanks in advance!
After some playing around, I'm still stuck probably because I don't really know how to use IPTABLES properly.
I've also decided to give up trying to obtain a dynamic IP for SERVER B. I haven't found any literature supporting the ability to do so, so I will -- for now -- assign one of my 5 statics to SERVER B.
Here's what I've got so far. First, alias the IP addresses.
# Allow established and related connections.
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # these are already present
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # these are already present
Finally, enter the NAT entries. This is where I got really confused. I am using the second static IP, xxx.xxx.xxx.67, as the test IP since that will be assigned to the most accessible machine.
I see the entries when I run 'iptables -t nat -L -n' so I know that is making it in. When I type in 'iptables -L -n' I also see the forward entry, so that's making it in as well. However, where I'm getting stuck is that nothing is actually forwarding. When I try to connect from an external host to the public facing IP address, it's hitting the Linksys. I've tried a few variations of this as well but unless I explicitly forward a port (say, port 21) to the private IP, nothing will get to it. How can I get around this and forward all ports by default?
Also, do I need to do anything special for the other IP addresses, or can I just replicate this code but replace the IP addresses with the correct ones?
I PMd you with this already but here's how I did my network which I believe is similar to what you're trying to do:
Okay, the way my network is setup is as follows:
4 servers, each with their own external IP address.
9 workstations all sharing one external IP address.
All boxes, including the servers with their own external IP addresses can be reached by all machines by using their internal IP addresses.
The code below is what I have set up in the startup commands, where ***.***.***.*** is an external IP address and XXX.XXX.XXX.XXX is an internal one; each of the 4 in the script is numbered:
Code:
/usr/sbin/ip addr add ***.***.***.**1/29 dev vlan1
/usr/sbin/ip addr add ***.***.***.**2/29 dev vlan1
/usr/sbin/ip addr add ***.***.***.**3/29 dev vlan1
/usr/sbin/ip addr add ***.***.***.**4/29 dev vlan1
With the above code I have 4 external IP addresses forwarding to 4 internal IP addresses and an example of forwarding port 80 to each of them.
For all the rest of the machines on the network, they all take the settings that I have applied through the web interface. The 4 machines with their own external IP are set up with static internal IP addresses while the rest are setup to grab internal IPs from DHCP. Hopefully this helps. Not the clearest of explanations, sorry.
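A consolidated example, added here and not code from either poster: a small shell script that generates the startup/firewall commands for the 1:1 NAT layout described in the post above (several public IPs, each mapped to one internal host) and also covers the earlier question about forwarding all ports to the private host by default rather than one port at a time. It assumes the DD-WRT WAN interface is vlan1 and the LAN bridge is br0, and it uses constructed addresses from the 203.0.113.0/24 documentation range, since the real public block and internal hosts are masked on this page. It prints the commands instead of executing them, so the output can be reviewed before being pasted into the router.

```shell
#!/bin/sh
# Added example, not from the thread: generate DD-WRT startup/firewall commands
# for 1:1 NAT of several public addresses to private LAN hosts.
# Assumptions (not stated on the page): WAN interface vlan1, LAN bridge br0,
# public block 203.0.113.64/29 (documentation range), LAN 192.168.1.0/24.

WAN_IF=vlan1
LAN_IF=br0
PUB_PREFIX=29

# Constructed mapping, one "public private" pair per line.
MAPPING='
203.0.113.66 192.168.1.10
203.0.113.67 192.168.1.11
'

# Emit the commands needed for one public -> private pair.
one_to_one_nat() {
    pub=$1
    priv=$2
    # Put the extra public address on the WAN interface so the router
    # answers ARP for it (the same step as the "ip addr add" lines above).
    echo "ip addr add $pub/$PUB_PREFIX dev $WAN_IF"
    # Inbound: everything addressed to the public IP is rewritten to the
    # private host. No --dport, so every port is forwarded, not just one.
    echo "iptables -t nat -A PREROUTING -d $pub -j DNAT --to-destination $priv"
    # Outbound: the host's own connections leave as its public IP instead of
    # the router's, so it looks like a directly connected machine.
    echo "iptables -t nat -A POSTROUTING -s $priv -o $WAN_IF -j SNAT --to-source $pub"
    # DNAT only rewrites the address; the FORWARD chain still has to accept
    # the new connection. -I puts the rule ahead of DD-WRT's own drop rules.
    echo "iptables -I FORWARD -d $priv -i $WAN_IF -o $LAN_IF -j ACCEPT"
}

# Walk the mapping and print the full command set.
generate_rules() {
    echo "$MAPPING" | while read pub priv; do
        [ -n "$pub" ] || continue
        one_to_one_nat "$pub" "$priv"
    done
}

generate_rules
```

Run it, check the output, then put the `ip addr add` lines in the Startup script and the `iptables` lines in the Firewall script (Administration, Commands). The combination of a DNAT with no `--dport` and a FORWARD ACCEPT inserted ahead of the default rules is what makes "wide open" work; a DNAT alone, with the FORWARD chain still dropping new inbound connections, is the symptom described earlier in the thread where only explicitly forwarded ports reach the private host. Anything not deliberately exposed on that host is now reachable from the Internet, so the host's own firewall has to do the filtering.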
But is there any way to make the public IP on any of the 4 machines that have a public IP wide open?
I have my DD-WRT doing the PPPoE session, and I am getting my static IP from my provider's server.
Then I want to assign 2 static IPs, 1 to a server and 1 to a router; all my DHCP clients will be connected to that router, and the static hosts have their own IPs.
Because if I assign a static IP to my second router, where all my DHCP clients will be connecting, I want that router to be exposed 100% on the WAN and each client connected will do its own routing. If I use your method here I will be double NATing, unless there is a way to tell the main DD-WRT router to forward the whole port range to that specific external IP.
http://www.dd-wrt.com/wiki/index.php/One-to-one_NAT _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting.
Looking for bricks and spare routers to expand my collection.
On my computer that has a static IP, what do I put as gateway and DNS? Do they have to be the default ones, 192.168.1.1 as gateway and DHCP?
But my provider informed me the WAN IP will be 67.44.27.129 and your gateway IP for the LAN is 67.44.27.128,
and on my computer it has to be 67.44.27.130 with gateway 67.44.27.128, which is my switch or LAN bridge router.
With 1:1 NAT the router will have all of the public IPs assigned to it and it will NAT them to whatever private IP you want it to. You still need to have all your LAN hosts using private IPs and set to use the router's LAN IP as their gateway; DNS can be any working DNS server.
If you want to do this with MAC reservation from the ISP,
how do you configure it then? _________________ | ASUS 2x RT-N16 | .-. | @ |
[I prefer an answer in whole sentences]
It's not possible using 1:1 NAT because the interface can only have one MAC address. You need to use VLANs to put a port in the WAN VLAN so that it is switched directly to your ISP without any NAT/firewalling/routing by the router.