How to route traffic from vlan br1 to a different static IP?

DD-WRT Forum Forum Index -> General Questions
mbze430
DD-WRT User


Joined: 14 May 2012
Posts: 234

PostPosted: Tue Apr 23, 2019 16:02    Post subject: How to route traffic from vlan br1 to a different static IP?
I'd like to find out how to set up the DDWRT router so that my main LAN routes through one specific assigned static IP, xxx.xxx.221.99, while my second VLAN 'br1' routes all of its traffic through assigned static IP xxx.xxx.221.100.

This is on a Broadcom SoC.

I currently have in startup

Code:
ip addr add xxx.xxx.221.100/29 dev vlan1


and this in the firewall

Code:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -t nat -I PREROUTING 1 -p all -d xxx.xxx.221.100 -j DNAT --to br1
iptables -t nat -I POSTROUTING 1 -p all -s br1 -j SNAT --to xxx.xxx.221.100
###
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP


If anyone can chime in, that would be great. Thanks.

_________________
ASUS RT-AC3200 - Deployed Client's site
ASUS RT-AC5200 - Merlin
ASUS RT-AX88U - Merlin
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 4558
Location: Texas

PostPosted: Tue Apr 23, 2019 16:41    Post subject:
Not sure what you're trying to do, and I don't understand why you would create a br1 and want it on the same subnet.
xxx.xxx.221.100/29
has IP range of:
xxx.xxx.221.96 - xxx.xxx.221.103
Total 8 addresses with 6 IPs for hosts.
The xxx.xxx.221.96 is the network and xxx.xxx.221.103 is broadcast.
mbze430
DD-WRT User


Joined: 14 May 2012
Posts: 234

PostPosted: Tue Apr 23, 2019 17:35    Post subject:
My br1 is just separated from the main network, but it's wired over a single cable with a VLAN 3 tag... Regardless of HOW I use my VLAN, that isn't the question here.

I need to route my br1 with in/out traffic on xxx.xxx.221.100, while my main LAN traffic, br0, is on xxx.xxx.221.99.

Is it possible with the DDWRT router?



Last edited by mbze430 on Tue Apr 23, 2019 17:38; edited 1 time in total
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8021

PostPosted: Tue Apr 23, 2019 17:35    Post subject:
mbze430 wrote:
regardless of HOW I use my vlan that isn't the question here.


Maybe, maybe not.

It often helps if we understand the bigger picture: why you're doing this, to what end, etc. It's one thing to reconfigure all the plumbing in your house, but why are you doing it? What motivated these changes? Is the hot water heater not producing enough heat? Did you install a third bathroom? Get the point? For all we know, you're taking the wrong approach. At the very least, it gives us a clue as to what the issue is here.
mbze430
DD-WRT User


Joined: 14 May 2012
Posts: 234

PostPosted: Tue Apr 23, 2019 17:43    Post subject:
Besides, the main LAN is on 192.168.1.0/24 and the "guest" LAN is on 192.168.3.0/24.

I am doing it for security reasons,
and also to monitor traffic usage from the WAN side, as well as to use OpenDNS to monitor and ban/block on xxx.xxx.221.100 with a different set of rules from our xxx.xxx.221.99.

d0ug
DD-WRT Guru


Joined: 31 Jul 2015
Posts: 722

PostPosted: Wed Apr 24, 2019 6:39    Post subject:
It sounds like he has at least two WAN IPs available to him and wants to route all LAN traffic through one WAN IP and all the guest traffic through the other WAN IP?

I guess you would first have to get both of those IPs assigned to your router's WAN port. The following, added to your firewall rules commands, would add another IP to the WAN interface. Adjust the IP and netmask as appropriate.

ifconfig eth0:0 192.168.100.2 netmask 255.255.255.0

From there, probably some iptables magic to route the traffic appropriately. I am not an iptables wizard, so I can't really help there.

Side note: I do use the above command in my own setup, but instead of having more than one WAN IP, I use it so that I can access my cable modem's admin page on 192.168.100.1. The following in my firewall rules commands allows for that.

#####Allow access to modem admin page
#Set Additional IP address on WAN to access modem admin page
ifconfig eth0:0 192.168.100.2 netmask 255.255.255.0

#Setup NAT to access modem admin page
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
iptables -I FORWARD -s 10.10.0.0/16 -d 192.168.100.1 -o eth0 -j ACCEPT

With that setup you will see the following if you SSH into the router and run ifconfig:

eth0 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX
inet addr:XXX.XXX.XXX.XXX Bcast:XXX.XXX.XXX.XXX Mask:255.255.224.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7441457 errors:0 dropped:42292 overruns:0 frame:0
TX packets:3912904 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10521043895 (9.7 GiB) TX bytes:896646671 (855.1 MiB)
Interrupt:36

eth0:0 Link encap:Ethernet HWaddr XX:XX:XX:XX:XX:XX
inet addr:192.168.100.2 Bcast:192.168.100.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:36
mbze430
DD-WRT User


Joined: 14 May 2012
Posts: 234

PostPosted: Wed Apr 24, 2019 15:41    Post subject:
Well, the iptables magic is what I am unable to work out. I AM able to, say, direct a WAN static IP that I have to a host machine within the LAN via this:

Code:

iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -t nat -I PREROUTING 1 -p all -d xxx.xxx.221.98 -j DNAT --to 192.168.1.30
iptables -t nat -I POSTROUTING 1 -p all -s 192.168.1.30 -j SNAT --to xxx.xxx.221.98
iptables -I FORWARD -d 192.168.1.30 -j ACCEPT


But getting it to route an entire VLAN, nope... maybe the DDWRT router isn't capable of doing TWO separate individual NATs? .....

Technically speaking... I should be able to change the above entries, replacing my 192.168.1.30 IP with 'br1'.

My test shows it didn't work... actually, it broke my br1 VLAN.


**brain fart**
Wait, maybe -j SNAT and DNAT only accept IP addresses? Let me try that....

***That didn't work. Using 192.168.3.1 didn't work either... I did a whatismyip on the br1 LAN and it still shows up as xxx.xxx.221.99.

mbze430
DD-WRT User


Joined: 14 May 2012
Posts: 234

PostPosted: Wed Apr 24, 2019 17:13    Post subject:
I found this searching for non-DDWRT-specific answers... for a MikroTik:

https://serverfault.com/questions/839263/mikrotik-add-second-wan-ip-and-route-specific-traffic

None of those commands really help me translate them to iptables commands though....

mbze430
DD-WRT User


Joined: 14 May 2012
Posts: 234

PostPosted: Wed Apr 24, 2019 18:04    Post subject: To MODs
Maybe the mods can move this to the Advanced Networking section? Get better help over there?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5003
Location: Akershus, Norway

PostPosted: Wed Apr 24, 2019 18:42    Post subject:
https://superuser.com/questions/715662/linux-nat-with-a-secondary-ip-address

https://wiki.dd-wrt.com/wiki/index.php/Policy_Based_Routing
mbze430
DD-WRT User


Joined: 14 May 2012
Posts: 234

PostPosted: Wed Apr 24, 2019 19:49    Post subject:
Actually, after reading more... I got it "sorta" working.... When I do a whatismyip from subnet 192.168.3.x it does show I am at xxx.xxx.221.100 now. I'm just questioning the iptables rules.


Code:

### Setup additional WAN Static IP in to WAN (VLAN2)
ifconfig vlan2:2 xxx.xxx.221.98 netmask 255.255.255.248 broadcast xxx.xxx.221.103
ifconfig vlan2:3 xxx.xxx.221.100 netmask 255.255.255.248 broadcast xxx.xxx.221.103
ifconfig vlan2:4 xxx.xxx.221.101 netmask 255.255.255.248 broadcast xxx.xxx.221.103
### Routing the entire subnet of 192.168.3.0/24
iptables -t nat -I POSTROUTING -o vlan2 -p all -s 192.168.3.0/24 -j SNAT --to xxx.xxx.221.100
iptables -t nat -I PREROUTING -i vlan2 -d xxx.xxx.221.100 -p all -j DNAT --to 192.168.3.0/24
iptables -I FORWARD -i vlan2 -d 192.168.3.0/24 -p all -j ACCEPT



But! Now I have some concerns...


Code:
root@ddwrt-ac3200:~# iptables -t nat -nL --line-numbers -v
Chain PREROUTING (policy ACCEPT 3512 packets, 419K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       icmp --  *      *       0.0.0.0/0            xxx.xxx.221.99      to:192.168.1.1
2        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            xxx.xxx.221.99      tcp dpt:0 to:192.168.1.250:80
3        0     0 DNAT       udp  --  *      *       0.0.0.0/0            xxx.xxx.221.99      udp dpt:0 to:192.168.1.250:80
4        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            xxx.xxx.221.99      tcp dpt:0 to:192.168.1.251:443
5        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            xxx.xxx.221.99      tcp dpt:0 to:192.168.1.98:443
6      116 18231 TRIGGER    0    --  *      *       0.0.0.0/0            xxx.xxx.221.99      TRIGGER type:dnat match:0 relate:0

Chain INPUT (policy ACCEPT 59 packets, 12748 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 204 packets, 16957 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 204 packets, 16957 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      502 31534 SNAT       0    --  *      vlan2   192.168.3.0/24       0.0.0.0/0           to:xxx.xxx.221.100
2      603  104K SNAT       0    --  *      vlan2   192.168.1.0/24       0.0.0.0/0           to:xxx.xxx.221.99
3      150  9429 SNAT       0    --  *      vlan2   10.0.0.0/8           0.0.0.0/0           to:xxx.xxx.221.99
4        0     0 SNAT       0    --  *      vlan2   192.168.3.0/24       0.0.0.0/0           to:xxx.xxx.221.99
5        0     0 MASQUERADE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x80000000/0x80000000


PREROUTING is missing a destination xxx.xxx.221.100 to:192.168.3.0/24 entry,

and for some reason POSTROUTING line 4 is there, which shouldn't be, because my "script" never put that there.

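As an added check (constructed for this page, not code from the thread), here is a small Python parser for the `iptables -t nat -nL --line-numbers -v` output shown above that flags the two things questioned in this post: a public IP with no DNAT in PREROUTING, and a POSTROUTING SNAT rule that maps a subnet to a different public IP than the first matching rule does. The sample dump is a shortened copy of the one posted, with the thread's xxx.xxx placeholder addresses kept.

```python
import re

# Constructed sample: a shortened copy of the nat table dump posted in the thread
# (`iptables -t nat -nL --line-numbers -v`), keeping the placeholder public IPs.
NAT_DUMP = """\
Chain PREROUTING (policy ACCEPT 3512 packets, 419K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       icmp --  *      *       0.0.0.0/0            xxx.xxx.221.99      to:192.168.1.1
6      116 18231 TRIGGER    0    --  *      *       0.0.0.0/0            xxx.xxx.221.99      TRIGGER type:dnat match:0 relate:0

Chain POSTROUTING (policy ACCEPT 204 packets, 16957 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      502 31534 SNAT       0    --  *      vlan2   192.168.3.0/24       0.0.0.0/0           to:xxx.xxx.221.100
2      603  104K SNAT       0    --  *      vlan2   192.168.1.0/24       0.0.0.0/0           to:xxx.xxx.221.99
4        0     0 SNAT       0    --  *      vlan2   192.168.3.0/24       0.0.0.0/0           to:xxx.xxx.221.99
5        0     0 MASQUERADE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x80000000/0x80000000
"""

# One rule line of `iptables -nL -v --line-numbers`: num pkts bytes target prot opt in out src dst [extra]
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nat_dump(text):
    """Return {chain_name: [rule dict, ...]} in table order."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        m = RULE_RE.match(line)
        if current is None or not m:
            continue  # column header row or blank line
        num, pkts, _, target, _, _, _, out, src, dst, extra = m.groups()
        to = extra.split("to:", 1)[1].split()[0] if "to:" in extra else None
        chains[current].append({"num": int(num), "pkts": int(pkts), "target": target,
                                "out": out, "src": src, "dst": dst, "to": to})
    return chains

def audit_snat(chains, intended):
    """Check that each LAN subnet is SNATed to the public IP it is meant to use.
    intended: {source_subnet: public_ip}. Returns a list of finding strings."""
    findings = []
    for subnet, public_ip in intended.items():
        hits = [r for r in chains.get("POSTROUTING", []) if r["target"] == "SNAT" and r["src"] == subnet]
        if not hits:
            findings.append(f"no SNAT rule for {subnet}")
            continue
        if hits[0]["to"] != public_ip:  # iptables uses the first matching rule
            findings.append(f"{subnet} is SNATed to {hits[0]['to']} (rule {hits[0]['num']}), expected {public_ip}")
        for r in hits[1:]:  # later rules for the same subnet are shadowed, but become live if rule 1 goes away
            if r["to"] != public_ip:
                findings.append(f"rule {r['num']} maps {subnet} to {r['to']}; shadowed now, active if rule {hits[0]['num']} is removed")
    return findings

def dnat_rules_for(chains, public_ip):
    """PREROUTING DNAT rules whose destination is public_ip (the inbound half of 1:1 NAT)."""
    return [r for r in chains.get("PREROUTING", []) if r["target"] == "DNAT" and r["dst"] == public_ip]
```

On the sample, `audit_snat` reports only the shadowed rule 4 for 192.168.3.0/24, and `dnat_rules_for(nat, "xxx.xxx.221.100")` comes back empty, matching the missing rule noted in the post (DNAT's `--to-destination` accepts a host address or an address range, not a /24 network, so a rule written that way is rejected when the script runs).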
Dr_K
DD-WRT User


Joined: 23 Mar 2018
Posts: 417

PostPosted: Thu Apr 25, 2019 2:22    Post subject:
d0ug wrote:
Side note, I do use the above command in my own setup, but instead of having more than one WAN IP, I use this so that I can access my cable modem's admin page on 192.168.100.1 The following in my firewall rules commands allows for that.

#####Allow access to modem admin page
#Set Additional IP address on WAN to access modem admin page
ifconfig eth0:0 192.168.100.2 netmask 255.255.255.0

#Setup NAT to access modem admin page
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
iptables -I FORWARD -s 10.10.0.0/16 -d 192.168.100.1 -o eth0 -j ACCEPT


Strange..... I've never added anything like that & I can connect to the admin page of my Arris SB6183 just fine by entering 192.168.100.1 in any browser, Windows or Android... even while connected over a VPN.
Though it does take 3-4 seconds to come up..
& no, none of my networks are on that subnet.

Or am I on another page as to why you did this?

_________________
Location 1
R6300V2- DD-WRT v3.0-r39345M kongac (04-03-19) Gateway
WNDR3400v1 DD-WRT.v3.0-r35531_mega-nv64k (03/26/18 ) Access Point
WRT160Nv3 DD-WRT ?v3?.0-r35531 mini (03/26/18 ) Access Point
WRT54GSv5 DD-WRT v24-r33555_micro_generic (10/20/17) Repeater
Location 2
R6300V2- DD-WRT v3.0-r39345M kongac (04/03/19) Gateway
R6300V2- DD-WRT v3.0-r39345M kongac (04/03/19) Access Point
WNDR3700v2 DD-WRT v3.0-r35531 std (03/26/18 ) Access Point
E1200 v2 DD-WRT v3.0-r35531 mega-nv64k (03/26/18 ) Gateway(for trivial reasons)
2 devices: SXT 5 ac (mipsbe) RB 6.44.3 (06/23/19) PTP Bridge (0.8km/0.5mi)tx/rx866.6Mbps-1GbpsLAN

Thank You <Kong> & BrainSlayer for ALL that you do also to everyone here that shares their knowledge
mbze430
DD-WRT User


Joined: 14 May 2012
Posts: 234

PostPosted: Thu Apr 25, 2019 3:54    Post subject:
Dr_K wrote:
d0ug wrote:
Side note, I do use the above command in my own setup, but instead of having more than one WAN IP, I use this so that I can access my cable modem's admin page on 192.168.100.1 The following in my firewall rules commands allows for that.

#####Allow access to modem admin page
#Set Additional IP address on WAN to access modem admin page
ifconfig eth0:0 192.168.100.2 netmask 255.255.255.0

#Setup NAT to access modem admin page
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
iptables -I FORWARD -s 10.10.0.0/16 -d 192.168.100.1 -o eth0 -j ACCEPT


Strange..... I've never added anything like that & I can connect to the admin page of my Arris SB6183 just fine by entering 192.168.100.1 in any browser, Windows or Android... even while connected over a VPN.
Though it does take 3-4 seconds to come up..
& no, none of my networks are on that subnet.

Or am I on another page as to why you did this?



I am not sure why 1:1 NAT is so hard to understand?.....

Imagine a world where you have an actual static IPv4 /29 (6 usable IPs).

Now imagine 1 public IP routing in & out traffic to your LAN via NAT, say... 192.168.1.0/24.

Now imagine using another one of the 4 public IPs to route a different part of your VLAN network, 10.0.0.0/8.

Or, using the protection of the router's firewall filter, you can NAT through to a specific node in your network instead of assigning a public IP to that node/host.

You might ask why you need this... here is an example.

Let's say you have an office space that only has one WAN connection. You are leasing/renting part of that office space to another tenant or multiple tenants. You have already separated their LAN at Layer 2. But you DON'T want their traffic to come out of the public IP used by your LAN. Let's just say for security and easy identification if your tenant decides to run torrent servers.

With each VLAN's traffic being separated, when a seizure order comes in you can easily identify which public IP that torrent traffic is coming from.

Also, you can monitor traffic more easily when one VLAN is specifically going in & out of a specific public IP.

d0ug
DD-WRT Guru


Joined: 31 Jul 2015
Posts: 722

PostPosted: Thu Apr 25, 2019 5:07    Post subject:
Dr_K wrote:
d0ug wrote:
Side note, I do use the above command in my own setup, but instead of having more than one WAN IP, I use this so that I can access my cable modem's admin page on 192.168.100.1 The following in my firewall rules commands allows for that.

#####Allow access to modem admin page
#Set Additional IP address on WAN to access modem admin page
ifconfig eth0:0 192.168.100.2 netmask 255.255.255.0

#Setup NAT to access modem admin page
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
iptables -I FORWARD -s 10.10.0.0/16 -d 192.168.100.1 -o eth0 -j ACCEPT


Strange..... I've never added anything like that & I can connect to the admin page of my Arris SB6183 just fine by entering 192.168.100.1 in any browser, Windows or Android... even while connected over a VPN.
Though it does take 3-4 seconds to come up..
& no, none of my networks are on that subnet.

Or am I on another page as to why you did this?


Maybe things have changed with DDWRT since long ago; however, back when I implemented this, it would not automatically work. If I had just rebooted my modem and router, I could reach the 192.168.100.1 admin page for a few minutes until the modem acquired a lock on the cable network. Then the cable network would provide the DD-WRT router a DHCP lease of my actual WAN IP and I would lose connectivity to the admin page.

I do have my cable modem in bridged mode, so the modem performs no routing functions and passes my actual WAN IP to my DD-WRT router, which handles all the routing/firewalling for my LAN. This basically makes it like an old-school cable modem (media bridge) from before they started building routers and wifi into them.

I suspect that if you don't have your modem in bridged mode, then obviously the modem is actually performing the routing and passing your own router an IP in the 192.168.x.x range. Since the modem handles the routing, there is probably a predefined entry in the modem to allow whatever 192.168.x.x subnet it leases out to access the 192.168.100.1 address/subnet the admin page sits on.

I really would have to suspect you do not have your modem in bridged mode, because otherwise, without entries like the ones I have configured, there is no way for DD-WRT to know that a 192.168.100.x subnet exists beyond the WAN port to be able to route traffic to it. 192.168.x.x is private IP space and should normally not exist beyond the WAN port on a router.

You will probably find this bridged mode under the LAN -> NAT settings in an Arris modem. That is where it is located on mine.

FYI, bridged mode will break plugging more than one device into the modem's built-in switch and will also likely break the modem's built-in wifi. If you only pay for a single WAN IP, then no other device that connects to the built-in switch or wifi will be able to acquire a DHCP lease from the cable network. Or it might get a lease, but then invalidate the lease on your router, causing the entire network behind your DD-WRT router to lose internet connectivity.

Dr_K
DD-WRT User


Joined: 23 Mar 2018
Posts: 417

PostPosted: Fri Apr 26, 2019 3:51    Post subject:
d0ug wrote:
I really would have to suspect you do not have your modem in bridged mode, cause otherwise without entries like I have configured there is no way for DD-WRT to know that a 192.168.100.x subnet exists beyond the WAN port

I guess that's where the confusion lies..

From the accuracy of other posts of yours that I've followed, I took your statement of modem to mean.... modem...

You are using a provided router and trying to use it as a modem...

My modem is just that..... a modem..... nothing more...
Only one cable line in..... & only one available LAN port out... a modem..

There are no bridges, no NAT, no wifi, no firewall & no extra available LAN ports... a modem.

I'm not saying I know how dd-wrt knows how to route to its subnet without any other input besides the address; I'm just saying that it does.

Sorry if I've caused you any confusion.
