How to route traffic from vlan br1 to a different static IP?

mbze430
DD-WRT User
Joined: 14 May 2012
Posts: 239
PostPosted: Tue Apr 23, 2019 16:02    Post subject: How to route traffic from vlan br1 to a different static IP?
I'd like to find out how to set up the DD-WRT router so that my main LAN routes through one specific assigned static IP, xxx.xxx.221.99, while my second VLAN 'br1' routes all of its traffic through the assigned static IP xxx.xxx.221.100.

This is on a Broadcom SoC.

I currently have this in startup:

Code:
ip addr add xxx.xxx.221.100/29 dev vlan1


and this in the firewall:

Code:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -t nat -I PREROUTING 1 -p all -d xxx.xxx.221.100 -j DNAT --to br1
iptables -t nat -I POSTROUTING 1 -p all -s br1 -j SNAT --to xxx.xxx.221.100
###
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP


If anyone can chime in, that would be great. Thanks.

_________________
ASUS RT-AC3200 - Deployed Client's site
ASUS RT-AC5200 - Merlin
ASUS RT-AX88U - Merlin
mrjcd
DD-WRT Guru
Joined: 31 Jan 2015
Posts: 6268
Location: Texas
PostPosted: Tue Apr 23, 2019 16:41    Post subject:
Not sure what you're trying to do, and I don't understand why you would create a br1 and want it on the same subnet.
xxx.xxx.221.100/29
has an IP range of:
xxx.xxx.221.96 - xxx.xxx.221.103
Total 8 addresses, with 6 IPs for hosts.
xxx.xxx.221.96 is the network address and xxx.xxx.221.103 is the broadcast.
mbze430
DD-WRT User
Joined: 14 May 2012
Posts: 239
PostPosted: Tue Apr 23, 2019 17:35    Post subject:
My br1 is just separated from the main network, but it's wired with one wire carrying a VLAN3 tag... regardless, HOW I use my VLAN isn't the question here.

I need to route my br1 with in/out traffic on xxx.xxx.221.100, while my main LAN traffic (br0) is on xxx.xxx.221.99.

Is it possible with the DD-WRT router?



Last edited by mbze430 on Tue Apr 23, 2019 17:38; edited 1 time in total
mbze430
DD-WRT User
Joined: 14 May 2012
Posts: 239
PostPosted: Tue Apr 23, 2019 17:43    Post subject:
Besides, the main LAN is on 192.168.1.0/24 and the "guest" LAN is on 192.168.3.0/24.

I am doing it for security reasons,
and also to monitor traffic usage from the WAN side, as well as to use OpenDNS to monitor and ban/block on xxx.xxx.221.100 with a different set of rules from our xxx.xxx.221.99.

mbze430
DD-WRT User
Joined: 14 May 2012
Posts: 239
PostPosted: Wed Apr 24, 2019 15:41    Post subject:
Well, the IPTABLES magic is what I am unable to work out. I AM able to, say, direct a WAN static IP that I have to a HOST machine within the LAN via this:

Code:

iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -t nat -I PREROUTING 1 -p all -d xxx.xxx.221.98 -j DNAT --to 192.168.1.30
iptables -t nat -I POSTROUTING 1 -p all -s 192.168.1.30 -j SNAT --to xxx.xxx.221.98
iptables -I FORWARD -d 192.168.1.30 -j ACCEPT


But getting it to route to an entire VLAN, nope... maybe the DD-WRT router isn't capable of doing TWO separate individual NATs? .....

Technically speaking... I should be able to change those entries above, replacing my 192.168.1.30 IP with 'br1'.

My test shows it didn't work... actually it broke my br1 VLAN.


**brain fart**
Wait, maybe -j SNAT and DNAT only accept IP addresses? Let me try that....

***That didn't work. Using 192.168.3.1 didn't work... did a whatismyip on the br1 LAN and it still shows up as xxx.xxx.221.99.

mbze430
DD-WRT User
Joined: 14 May 2012
Posts: 239
PostPosted: Wed Apr 24, 2019 17:13    Post subject:
I found this searching non-DD-WRT specific... it's for a Mikrotik:

https://serverfault.com/questions/839263/mikrotik-add-second-wan-ip-and-route-specific-traffic

None of those commands really help me translate them into IPTABLES commands though....

mbze430
DD-WRT User
Joined: 14 May 2012
Posts: 239
PostPosted: Wed Apr 24, 2019 18:04    Post subject: To MODs
Maybe the mods can move this to the Advanced Networking section? I might get better help over there.
Per Yngve Berg
DD-WRT Guru
Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway
PostPosted: Wed Apr 24, 2019 18:42    Post subject:
https://superuser.com/questions/715662/linux-nat-with-a-secondary-ip-address

https://wiki.dd-wrt.com/wiki/index.php/Policy_Based_Routing
mbze430
DD-WRT User
Joined: 14 May 2012
Posts: 239
PostPosted: Wed Apr 24, 2019 19:49    Post subject:
Actually, after reading more... I got it "sorta" working.... When I do a whatismyip from subnet 192.168.3.x it does show I am at xxx.xxx.221.100 now. I'm just questioning the IPTABLES.


Code:

### Setup additional WAN Static IP in to WAN (VLAN2)
ifconfig vlan2:2 xxx.xxx.221.98 netmask 255.255.255.248 broadcast xxx.xxx.221.103
ifconfig vlan2:3 xxx.xxx.221.100 netmask 255.255.255.248 broadcast xxx.xxx.221.103
ifconfig vlan2:4 xxx.xxx.221.101 netmask 255.255.255.248 broadcast xxx.xxx.221.103
### Routing the entire subnet of 192.168.3.0/24
iptables -t nat -I POSTROUTING -o vlan2 -p all -s 192.168.3.0/24 -j SNAT --to xxx.xxx.221.100
iptables -t nat -I PREROUTING -i vlan2 -d xxx.xxx.221.100 -p all -j DNAT --to 192.168.3.0/24
iptables -I FORWARD -i vlan2 -d 192.168.3.0/24 -p all -j ACCEPT



But! Now I have some concerns...


Code:
root@ddwrt-ac3200:~# iptables -t nat -nL --line-numbers -v
Chain PREROUTING (policy ACCEPT 3512 packets, 419K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       icmp --  *      *       0.0.0.0/0            xxx.xxx.221.99      to:192.168.1.1
2        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            xxx.xxx.221.99      tcp dpt:0 to:192.168.1.250:80
3        0     0 DNAT       udp  --  *      *       0.0.0.0/0            xxx.xxx.221.99      udp dpt:0 to:192.168.1.250:80
4        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            xxx.xxx.221.99      tcp dpt:0 to:192.168.1.251:443
5        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            xxx.xxx.221.99      tcp dpt:0 to:192.168.1.98:443
6      116 18231 TRIGGER    0    --  *      *       0.0.0.0/0            xxx.xxx.221.99      TRIGGER type:dnat match:0 relate:0

Chain INPUT (policy ACCEPT 59 packets, 12748 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 204 packets, 16957 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 204 packets, 16957 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      502 31534 SNAT       0    --  *      vlan2   192.168.3.0/24       0.0.0.0/0           to:xxx.xxx.221.100
2      603  104K SNAT       0    --  *      vlan2   192.168.1.0/24       0.0.0.0/0           to:xxx.xxx.221.99
3      150  9429 SNAT       0    --  *      vlan2   10.0.0.0/8           0.0.0.0/0           to:xxx.xxx.221.99
4        0     0 SNAT       0    --  *      vlan2   192.168.3.0/24       0.0.0.0/0           to:xxx.xxx.221.99
5        0     0 MASQUERADE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x80000000/0x80000000


PREROUTING is missing a "destination xxx.xxx.221.100 to:192.168.3.0/24" rule,

and for some reason POSTROUTING line 4 is there, which it shouldn't be, because my "script" never put that there.

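Both concerns in the post above have a common cause, so here is an added example (not code from the thread or from DD-WRT) of how I would script the same setup: the 203.0.113.x addresses are placeholders for the thread's xxx.xxx.221.99/.100, `vlan2`, `br0`, `br1` and 192.168.3.0/24 are taken from the thread, and the `192.168.3.10` host is a constructed value. Rules are inserted only if they do not already exist, and DNAT targets are checked before use, because `--to` takes a host address or range, not a CIDR.

```shell
#!/bin/sh
# Added example, not from the thread: per-VLAN source NAT to a second public IP
# on DD-WRT. 203.0.113.100 stands in for the thread's xxx.xxx.221.100 (br1).
WAN_IF="vlan2"              # WAN VLAN on this Broadcom unit, as in the thread
PUB_GUEST="203.0.113.100"   # placeholder for xxx.xxx.221.100
PUB_PREFIX="29"
LAN_GUEST="192.168.3.0/24"  # the br1 subnet from the thread
DRY_RUN="${DRY_RUN:-1}"     # 1 = print the commands; 0 = apply them (root on the router)

run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Insert a rule at position 1 only if an identical rule is not already present.
# DD-WRT re-runs the firewall script on every WAN event, so an unconditional
# -I would stack duplicates; -C is iptables' "does this rule exist" check.
# $1 = table, $2 = chain, rest = match and target
add_rule() {
  table="$1"; chain="$2"; shift 2
  if [ "$DRY_RUN" = "1" ] || ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
    run iptables -t "$table" -I "$chain" 1 "$@"
  fi
}

# SNAT/DNAT --to accept one address or an a.b.c.d-e.f.g.h range, never a CIDR
# like 192.168.3.0/24: iptables rejects that rule, so it never lands. 0 = ok.
nat_target_ok() {
  case "$1" in
    */*|"") return 1 ;;
    *)      return 0 ;;
  esac
}

setup_guest_nat() {
  # 1. Put the second public address on the WAN interface.
  run ip addr add "$PUB_GUEST/$PUB_PREFIX" dev "$WAN_IF"
  # 2. Everything from br1's subnet leaves as PUB_GUEST. Position 1 keeps this
  #    ahead of the firmware's own SNAT for the same subnet (rule 4 in the
  #    listing above), which maps br1 to the primary IP.
  add_rule nat POSTROUTING -o "$WAN_IF" -s "$LAN_GUEST" -j SNAT --to-source "$PUB_GUEST"
  # 3. Keep br1 off the main LAN and the router's own services (as in the OP).
  add_rule filter FORWARD -i br1 -o br0 -m state --state NEW -j DROP
  add_rule filter INPUT -i br1 -m state --state NEW -j DROP
}

# Inbound mapping for PUB_GUEST must target one host ($1), not the whole /24;
# replies to outbound guest traffic are already handled by conntrack.
setup_guest_dnat() {
  nat_target_ok "$1" || { echo "refusing DNAT target '$1': use a host address" >&2; return 1; }
  add_rule nat PREROUTING -i "$WAN_IF" -d "$PUB_GUEST" -j DNAT --to-destination "$1"
  add_rule filter FORWARD -i "$WAN_IF" -d "$1" -m state --state NEW -j ACCEPT
}

setup_guest_nat
setup_guest_dnat "192.168.3.10"   # constructed guest-side host; change or drop
```

Run it as-is to see the commands it would issue; `DRY_RUN=0 sh script.sh` from the DD-WRT firewall script applies them.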
Dr_K
DD-WRT User
Joined: 23 Mar 2018
Posts: 445
PostPosted: Thu Apr 25, 2019 2:22    Post subject:
d0ug wrote:
Side note: I do use the above command in my own setup, but instead of having more than one WAN IP, I use this so that I can access my cable modem's admin page on 192.168.100.1. The following in my firewall rules commands allows for that.

#####Allow access to modem admin page
#Set Additional IP address on WAN to access modem admin page
ifconfig eth0:0 192.168.100.2 netmask 255.255.255.0

#Setup NAT to access modem admin page
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
iptables -I FORWARD -s 10.10.0.0/16 -d 192.168.100.1 -o eth0 -j ACCEPT


Strange.....I've never added anything like that & I can connect to the admin page of my Arris SB6183 just fine by entering 192.168.100.1 in any browser, Windows or Android...even while connected over a VPN.
Though it does take 3-4 seconds to come up..
& no, none of my networks are on that subnet.

Or am I on another page as to why you did this?

_________________
Location 1
R7800- DD-WRT v3.0-r53562 (10/03/23) Gateway
WNDR3400v1 DD-WRT v3.0-r35531_mega-nv64k (03/26/18 ) Access Point
WRT160Nv3 DD-WRT ?v3?.0-r35531 mini (03/26/18 ) Access Point
WRT54GSv5 DD-WRT v24-r33555_micro_generic (10/20/17) Repeater
Location 2
R7800- DD-WRT v3.0-r51855 (02/25/23) Gateway
R6300v2- DD-WRT v3.0-r50671 (10-26-22) Access Point
WNDR3700v2 DD-WRT v3.0-r35531 std (03/26/18 ) Access Point
E1200 v2 DD-WRT v3.0-r35531 mega-nv64k (03/26/18 ) Gateway(for trivial reasons)
RBWAPG-5HACT2HND-BE RouterOS-v6.46.4 (2/21/20) Outdoor Access Point
2x RBSXTG-5HPACD RouterOS-v6.46.4 (2/21/20) PTP Bridge 866.6Mbps-1GbpsLAN
Location 3
2x R7000- DD-WRT v3.0-r50671 (10/26/22) Access Points
2x RBWAPG-60AD RouterOS-v6.45.9 (04/30/20) PTP Bridge 2.3Gbps-1GbpsLAN
2x RBSXTsqG-5acD RouterOS-v6.49.7 (10/14/22) PTP Bridge 866.6Mbps-1GbpsLAN

Thank You BrainSlayer for ALL that you do & have done, also to "most" everyone here that shares their knowledge
mbze430
DD-WRT User
Joined: 14 May 2012
Posts: 239
PostPosted: Thu Apr 25, 2019 3:54    Post subject:
Dr_K wrote:
Or am I on another page as to why you did this?


I am not sure why 1:1 NAT is so hard to understand?.....

Imagine a world where you have an actual static IPv4 /29 (6 usable IPs).

Now imagine 1 public IP routing in & out traffic to your LAN via NAT, say... 192.168.1.0/24.

Now imagine using another one of the 4 public IPs to route a different part of your VLAN network, 10.0.0.0/8.

Or, using the protection of the router's firewall filter, you can NAT through to a specific node in your network instead of assigning a public IP to that node/host.

You might ask why you need this... here is an example.

Let's say you have an office space that only has one WAN connection. You are leasing/renting part of that office space to another tenant or multiple tenants. You already separated their LAN at Layer 2. But you DON'T want their traffic to come out of the public IP used by your LAN. Let's just say for security and easy identification if your tenant decides to run torrent servers.

With each VLAN's traffic being separated, when a seizure order comes in you can easily identify which public IP that torrent traffic is coming from.

Also, you can monitor traffic more easily when one VLAN is specifically going in & out of a specific public IP.

Dr_K
DD-WRT User
Joined: 23 Mar 2018
Posts: 445
PostPosted: Fri Apr 26, 2019 3:51    Post subject:
d0ug wrote:
I really would have to suspect you do not have your modem in bridged mode, because otherwise, without entries like I have configured, there is no way for DD-WRT to know that a 192.168.100.x subnet exists beyond the WAN port.

I guess that's where the confusion lies..

From the accuracy of other posts of yours that I've followed, I took your statement of modem to mean....modem...

You are using a provided router and trying to use it as a modem...

My modem is just that.....a modem....nothing more...
Only one cable line in.....& only one available LAN port out...a modem..

There are no bridges, no NAT, no wifi, no firewall & no extra available LAN ports....a modem.

I'm not saying I know how DD-WRT knows how to route to its subnet without any other input besides the address, I'm just saying that it does.

Sorry if I've caused you any confusion.

Dr_K
DD-WRT User
Joined: 23 Mar 2018
Posts: 445
PostPosted: Sat Apr 27, 2019 6:02    Post subject:
d0ug wrote:
Lol yeah, mine is a combined cable modem, router, AP. Only option the provider had. So it has been put into bridged mode to basically just use it as a modem. I do all the routing and wifi on my own hardware.

Still a little curious how you are able to reach 192.169.100.1 through the WAN with no extra route/iptables entries. Since that is in private IP space it shouldn't route out the WAN port by default. Maybe DD-WRT now has some default routes set up to allow accessing common modem admin page IP spaces?

Maybe if I get some time later I'll take one of my WRT1200AC that is just being used as an AP on my network and factory default it, plug it into the modem and see what happens. Don't really want to chance screwing up the config on my primary router.

I bought my own years ago when my provider started charging me $10-12/month rent for their substandard crap one that I needed to power cycle at least a couple times a month... Paid for itself in less than one year, not to mention the solid/dependable performance since day one.

I'm curious too, that's why I originally commented on your post.

I've never had an issue accessing its webif from any type of web browser from within the network (wireless or wired) since I originally started using it.
I occasionally access it to verify all is well with all the up/down channels' power/SNR/corrected/uncorrectables & the log. Can also access the Spectrum Analyzer @ 192.168.100.1:8080/
Also do the same on another (mostly DD-WRT) network that I maintain remotely over OpenVPN....from the inside once connected....not directly to the modem from the internet, obviously/thankfully.
