Dual / Triple WAN HowTo | DHCP scripts on Page 5!!!!

skEwb
DD-WRT Novice
Joined: 28 Jul 2008
Posts: 9
Posted: Thu Jul 31, 2008 23:51
jbarbieri wrote:
What IM clients?

If you know the port number they connect to, you can mimic the part under the AIM one and put the correct port in there, as well as the IRC ports. What that does is make sure those ports always go out the same interface, so the connections wouldn't get interrupted.

E.g. for IRC:

Code:

## Allow IRC to always go out vlan1 (causes connection/login issues).
iptables -t nat -I POSTROUTING -p tcp --dport 6666:6669 -j SPOOF_ETH1
iptables -t mangle -I PREROUTING -p tcp --dport 6666:6669 -j ETH1
iptables -t mangle -I OUTPUT -p tcp --dport 6666:6669 -j ETH1



Just add that block of code underneath the AIM one...and your IRC should be better.


I actually did this and replicated the ports, but all the clients kept disconnecting anyway. I use Pidgin and I'm on AIM/MSN/Yahoo/GTalk, and they would all cycle disconnecting, as would all the IRC servers I'm connected to. The IRC servers I connect to are on 6660 and 9999.

Code:
iptables -t nat -I POSTROUTING -p tcp -m multiport --destination-ports 5190 -j SPOOF_ETH1
iptables -t mangle -I PREROUTING -p tcp -m multiport --destination-ports 5190 -j ETH1
iptables -t mangle -I OUTPUT -p tcp -m multiport --destination-ports 5190 -j ETH1

iptables -t nat -I POSTROUTING -p tcp -m multiport --destination-ports 6660 -j SPOOF_ETH1
iptables -t mangle -I PREROUTING -p tcp -m multiport --destination-ports 6660 -j ETH1
iptables -t mangle -I OUTPUT -p tcp -m multiport --destination-ports 6660 -j ETH1

iptables -t nat -I POSTROUTING -p tcp -m multiport --destination-ports 9999 -j SPOOF_ETH1
iptables -t mangle -I PREROUTING -p tcp -m multiport --destination-ports 9999 -j ETH1
iptables -t mangle -I OUTPUT -p tcp -m multiport --destination-ports 9999 -j ETH1

iptables -t nat -I POSTROUTING -p tcp -m multiport --destination-ports 1863 -j SPOOF_ETH1
iptables -t mangle -I PREROUTING -p tcp -m multiport --destination-ports 1863 -j ETH1
iptables -t mangle -I OUTPUT -p tcp -m multiport --destination-ports 1863 -j ETH1

iptables -t nat -I POSTROUTING -p tcp -m multiport --destination-ports 5222 -j SPOOF_ETH1
iptables -t mangle -I PREROUTING -p tcp -m multiport --destination-ports 5222 -j ETH1
iptables -t mangle -I OUTPUT -p tcp -m multiport --destination-ports 5222 -j ETH1

iptables -t nat -I POSTROUTING -p tcp -m multiport --destination-ports 5050 -j SPOOF_ETH1
iptables -t mangle -I PREROUTING -p tcp -m multiport --destination-ports 5050 -j ETH1
iptables -t mangle -I OUTPUT -p tcp -m multiport --destination-ports 5050 -j ETH1
DisposableHero
DD-WRT Novice
Joined: 31 Jul 2008
Posts: 1
Posted: Fri Aug 01, 2008 4:08
skEwb wrote:
This works! I used it on my v24 sp1. Nothing else I have tried using through jffs has worked, but following the guide below did it! I have 13.9mb of space so fitting the below code was easy.

I now get 2.4mb/sec down and 250K/sec up. One thing though is that my IM clients disconnect all the time and my IRC client too.

jbarbieri wrote:
Well, I think I got it figured out for people who do not have any JFFS space.

First, log into the router and run

nvram show

and look for a line like the following:

size: 24756 bytes (8012 left)

You have to have at least 6300 left in order for this to work.

Under Administration > Commands, put this in the box:

Code:

#!/bin/sh

echo '#!/bin/sh
# udhcpc script edited by Tim Riker <Tim@Rikers.org>
[ -z "$1" ] && echo "Error: should be called from udhcpc" && exit 1

ifconfig $interface up

RESOLV_CONF="/etc/resolv.conf"
[ -n "$broadcast" ] && BROADCAST="broadcast $broadcast"
[ -n "$subnet" ] && NETMASK="netmask $subnet"

case "$1" in
   deconfig)
     # /sbin/ifconfig $interface 0.0.0.0
     ;;

  renew|bound)
    # /sbin/ifconfig $interface $ip $BROADCAST $NETMASK
    echo "$ip $BROADCAST $NETMASK"

  if [ -n "$router" ] ; then
    echo "deleting routers"
    # while route del default gw 0.0.0.0 dev $interface ; do
    #  :
    # done

    # for i in $router ; do
    #   route add default gw $i dev $interface
    # done
    echo "$router"
  fi

  echo -n > $RESOLV_CONF
  [ -n "$domain" ] && echo search $domain >> $RESOLV_CONF
  for i in $dns ; do
    echo adding dns $i
    echo nameserver $i >> $RESOLV_CONF
  done
  nvram set wan2_ifname=$interface
  nvram set wan2_gateway=$router
  nvram set wan2_ipaddr=$ip
  nvram set wan2_netmask=$subnet
  nvram set wan2_broadcast=$broadcast
  nvram commit
  ifconfig $(nvram get wan2_ifname) $(nvram get wan2_ipaddr) netmask $(nvram get wan2_netmask) up
  ;;
esac

exit 0' > /tmp/udhcpc-wan2.script
chmod a+x /tmp/udhcpc-wan2.script
udhcpc -s /tmp/udhcpc-wan2.script  -i vlan2
sleep 5
nvram commit

ip rule flush

ip rule add lookup main prio 32766
ip rule add lookup default prio 32767

ip rule add from $(nvram get wan_ipaddr) table 100 prio 100
ip rule add fwmark 0x100 table 100 prio 101

ip rule add from $(nvram get wan2_ipaddr) table 200 prio 200
ip rule add fwmark 0x200 table 200 prio 201

ip route flush table 100
ip route flush table 200

for TABLE in 100 200
do
   ip route | grep link | while read ROUTE
   do
     ip route add table $TABLE to $ROUTE
   done
done

ip route add table 100 default via $(nvram get wan_gateway)
ip route add table 200 default via $(nvram get wan2_gateway)
ip route delete default
ip route add default scope global equalize nexthop via $(nvram get wan_gateway) dev  $(nvram get wan_ifname) nexthop via $(nvram get wan2_gateway) dev $(nvram get wan2_ifname)


and click save as startup.

Then, in the blank box again, type in:

Code:

#!/bin/sh

ip rule flush

ip rule add lookup main prio 32766
ip rule add lookup default prio 32767

ip rule add from $(nvram get wan_ipaddr) table 100 prio 100
ip rule add fwmark 0x100 table 100 prio 101

ip rule add from $(nvram get wan2_ipaddr) table 200 prio 200
ip rule add fwmark 0x200 table 200 prio 201

ip route flush table 100
ip route flush table 200

for TABLE in 100 200
do
   ip route | grep link | while read ROUTE
   do
     ip route add table $TABLE to $ROUTE
   done
done

ip route add table 100 default via $(nvram get wan_gateway)
ip route add table 200 default via $(nvram get wan2_gateway)
ip route delete default
ip route add default scope global equalize nexthop via $(nvram get wan_gateway) dev  $(nvram get wan_ifname) nexthop via $(nvram get wan2_gateway) dev $(nvram get wan2_ifname)


insmod ipt_CONNMARK
IPTABLES="/usr/sbin/iptables"

#DD-WRT firewall rules #BEGIN

#apply simple forward rules

for RULE in $(nvram get forward_spec)
do
   FROM=`echo $RULE | cut -d '>' -f 1`
   TO=`echo $RULE | cut -d '>' -f 2`
   STATE=`echo $FROM | cut -d ':' -f 2`
   PROTO=`echo $FROM | cut -d ':' -f 3`
   SPORT=`echo $FROM | cut -d ':' -f 4`
   DEST=`echo $TO | cut -d ':' -f 1`
   DPORT=`echo $TO | cut -d ':' -f 2`

   if [ "$STATE" = "on" ]; then
      if [ "$PROTO" = "both" ]; then
        iptables -A PREROUTING -t nat -p udp -d $(nvram get wan2_ipaddr) --dport $SPORT -j DNAT --to $DEST:$DPORT
        iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $SPORT -j DNAT --to $DEST:$DPORT
      else
        iptables -A PREROUTING -t nat -p $PROTO -d $(nvram get wan2_ipaddr) --dport $SPORT -j DNAT --to $DEST:$DPORT
      fi
   fi
done

#apply range forward rules
for RULE in $(nvram get forward_port)
do
  FROM=`echo $RULE | cut -d '>' -f 1`
  TO=`echo $RULE | cut -d '>' -f 2`
  STATE=`echo $FROM | cut -d ':' -f 2`
  PROTO=`echo $FROM | cut -d ':' -f 3`
  SPORT=`echo $FROM | cut -d ':' -f 4`
  EPORT=`echo $FROM | cut -d ':' -f 5`

  if [ "$STATE" = "on" ]; then
    if [ "$PROTO" = "both" ]; then
      iptables -A PREROUTING -t nat -p udp -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to $TO
      iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to $TO
    else
      iptables -A PREROUTING -t nat -p $PROTO -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to $TO
    fi
  fi
done

iptables -A PREROUTING -t nat -p icmp -d $(nvram get wan2_ipaddr) -j DNAT --to $(nvram get lan_ipaddr)

if [ $(nvram get remote_management) -eq 1 ]; then
        iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $(nvram get http_wanport) -j DNAT --to $(nvram get lan_ipaddr):$(nvram get http_lanport)
fi

if [ $(nvram get dmz_enable) -eq 1 ]; then
        DMZ_IP=$(nvram get lan_ipaddr | sed -r 's/[0-9]+$//')$(nvram get dmz_ipaddr)
        iptables -A PREROUTING -t nat -d $(nvram get wan2_ipaddr) -j DNAT --to $DMZ_IP
fi

iptables -A PREROUTING -t nat --dest $(nvram get wan2_ipaddr) -j TRIGGER --trigger-type dnat
iptables -A FORWARD -i $(nvram get wan2_ifname) -o $(nvram get lan_ifname) -j TRIGGER --trigger-type in

#DD-WRT END

$IPTABLES -F POSTROUTING -t nat
$IPTABLES -t mangle -N ETH1
$IPTABLES -t mangle -F ETH1
$IPTABLES -t mangle -A ETH1 -j MARK --set-mark 0x100
$IPTABLES -t mangle -N ETH2
$IPTABLES -t mangle -F ETH2
$IPTABLES -t mangle -A ETH2 -j MARK --set-mark 0x200
$IPTABLES -t nat -N SPOOF_ETH1
$IPTABLES -t nat -F SPOOF_ETH1
$IPTABLES -t nat -A SPOOF_ETH1 -j LOG --log-prefix " SPOOF_ETH1 "
$IPTABLES -t nat -A SPOOF_ETH1 -j SNAT --to $(nvram get wan_ipaddr)
$IPTABLES -t nat -N SPOOF_ETH2
$IPTABLES -t nat -F SPOOF_ETH2
$IPTABLES -t nat -A SPOOF_ETH2 -j LOG --log-prefix " SPOOF_ETH2 "
$IPTABLES -t nat -A SPOOF_ETH2 -j SNAT --to $(nvram get wan2_ipaddr)
$IPTABLES -A INPUT -p icmp -s 192.168.1.0/24 -d 192.168.1.1 -j ACCEPT
#Save the gateway in the connection mark for new incoming connections
$IPTABLES -t mangle -A PREROUTING -i $(nvram get wan_ifname) -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x100
$IPTABLES -t mangle -A PREROUTING -i $(nvram get wan2_ifname) -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x200
$IPTABLES -A POSTROUTING -t mangle -o $(nvram get wan_ifname) -j MARK --set-mark 0x100
$IPTABLES -A POSTROUTING -t mangle -o $(nvram get wan2_ifname) -j MARK --set-mark 0x200
$IPTABLES -t nat -A POSTROUTING -o $(nvram get wan_ifname) -j SPOOF_ETH1
$IPTABLES -t nat -A POSTROUTING -o $(nvram get wan2_ifname) -j SPOOF_ETH2
$IPTABLES -t mangle -A POSTROUTING -j CONNMARK --save-mark
$IPTABLES -t mangle -A PREROUTING -i br0 -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark
# Use the correct gateway for reply packets from local connections
$IPTABLES -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark

## Allow AIM to always go out vlan1 (causes connection/login issues).
iptables -t nat -I POSTROUTING -p tcp -m multiport --destination-ports 5190 -j SPOOF_ETH1
iptables -t mangle -I PREROUTING -p tcp -m multiport --destination-ports 5190 -j ETH1
iptables -t mangle -I OUTPUT -p tcp -m multiport --destination-ports 5190 -j ETH1

RP_PATH=/proc/sys/net/ipv4/conf
for IFACE in `ls $RP_PATH`; do
    echo 0 > $RP_PATH/$IFACE/rp_filter
done


and click Save as Firewall.

That should be it. Reboot and give it a shot. I am running my WRT on stuff in NVRAM now, no longer in JFFS.


How do you set up the VLAN page? Thanks.
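Before pasting the two scripts from the quoted guide into NVRAM (the guide says at least 6300 bytes must be left, and later posts describe a router bricked by exactly this step), a small free-space check is worth running. It is an added example, not code from the thread or from DD-WRT; it assumes the `size: N bytes (M left)` line format quoted above and that the two scripts are saved as local files first.

```shell
#!/bin/sh
# Added example, not from the thread. Checks that the startup and firewall
# scripts will fit in the free NVRAM reported by `nvram show` before they are
# pasted into Administration > Commands. Assumes the summary line has the form
# quoted in the post: "size: 24756 bytes (8012 left)".

MIN_LEFT=6300   # the guide's stated minimum free bytes

# nvram_left LINE: print the "(N left)" number from a summary line,
# or nothing if the line does not match that form.
nvram_left() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9][0-9]*\) left).*/\1/p'
}

# script_bytes FILE...: total size in bytes of the given script files,
# i.e. what the two command boxes would add to NVRAM.
script_bytes() {
    total=0
    for f in "$@"; do
        n=$(wc -c < "$f" | tr -d ' ')
        total=$((total + n))
    done
    echo "$total"
}

# scripts_fit LEFT NEEDED: succeed only if LEFT is a number, meets the guide's
# minimum, and covers NEEDED bytes; otherwise print the reason on stderr.
scripts_fit() {
    left=$1; needed=$2
    case "$left" in ''|*[!0-9]*) echo "could not read free NVRAM" >&2; return 1;; esac
    if [ "$left" -lt "$MIN_LEFT" ]; then
        echo "only $left bytes free, guide needs at least $MIN_LEFT" >&2
        return 1
    fi
    if [ "$left" -lt "$needed" ]; then
        echo "scripts need $needed bytes but only $left are free" >&2
        return 1
    fi
    return 0
}

# Constructed inputs standing in for the two summary lines quoted in the thread.
SUMMARY_OK='size: 24756 bytes (8012 left)'
SUMMARY_AFTER_RECOVERY='size: 19321 bytes (13447 left)'

# On the router you would feed the live line and your two script files instead:
#   scripts_fit "$(nvram_left "$(nvram show 2>&1 | grep '^size:')")" \
#               "$(script_bytes startup.sh firewall.sh)" && echo "fits"
```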
skEwb
DD-WRT Novice
Joined: 28 Jul 2008
Posts: 9
Posted: Fri Aug 01, 2008 8:33
DisposableHero wrote:
How do you set up the VLAN page? Thanks.


On the router page go to Setup > VLAN and put port 4 on VLAN 2.

Then go to Administration > Commands, put the startup script in the startup box and save, and the firewall script in the firewall box and save.

I then telnet in and run ifconfig vlan2 up to make sure vlan2 goes up and it all works, and then cycle the router one more time.

I still can't get my IM/IRC clients to stop disconnecting over and over, though. So it's only good when you don't want to chat with friends, until there is a better fix. Maybe it's just my issue.
skEwb
DD-WRT Novice
Joined: 28 Jul 2008
Posts: 9
Posted: Sat Aug 02, 2008 0:30
Bricked the router copying the scripts into startup/firewall NVRAM. Had to open it up and short out pins 15+16 with power from the left antenna.

After successful recovery of the router, jffs script mode or copying/pasting the whole scripts into NVRAM does not work anymore.

vlan1 and vlan2 both get external IPs from the cable modems, but it simply does not work. Websites stall out and whatismyip sites show only one IP, not two anymore.

I guess it worked once and never again :)
jbarbieri
DD-WRT Guru
Joined: 06 Apr 2007
Posts: 545
Location: New Hampshire
Posted: Sat Aug 02, 2008 16:44
Bricked the router?

How the......

_________________


Linksys EA6500v2 | 5GHz 1st Floor AP | Advanced Tomato 1.28.0000 -2.9-131 K26ARM USB AIO-64K
Netgear WNR2000v3 | 2nd Floor AP | DD-WRT v3.0-r27805 std

Behind a Raspberry Pi Dual WAN router
skEwb
DD-WRT Novice
Joined: 28 Jul 2008
Posts: 9
Posted: Sat Aug 02, 2008 19:08
jbarbieri wrote:
Bricked the router?

How the......


Yeah, I just pasted one script in startup and one in firewall and it started rebooting. Then all the Ethernet LEDs and the WLAN LED went solid and the power LED was blinking non-stop. The TFTP revival methods were useless; I had to open it up and short out pins 15+16 with juice from the left antenna to revive it.

nvram show reveals:

size: 19321 bytes (13447 left)
carsten0815
DD-WRT Novice
Joined: 15 May 2008
Posts: 5
Posted: Sat Aug 02, 2008 23:47
Thank you for the great tuts, everyone!

Dual WAN works nicely!

What can I do for triple WAN? Only set LAN port 3 to VLAN 3?
danish14
DD-WRT Novice
Joined: 23 Apr 2008
Posts: 25
Posted: Sun Aug 03, 2008 16:13
Just want to know: will this work for Tomato firmware?
I also have a WRT54G with Tomato firmware.
jbarbieri
DD-WRT Guru
Joined: 06 Apr 2007
Posts: 545
Location: New Hampshire
Posted: Mon Aug 04, 2008 12:13
danish14 wrote:
Just want to know: will this work for Tomato firmware?
I also have a WRT54G with Tomato firmware.


I have tried on Tomato a couple of times. The problem is their ip binary: it does not do the routing tables or the equal-cost routing like DD-WRT does.

In other words, I could not get it to work.

jbarbieri
DD-WRT Guru
Joined: 06 Apr 2007
Posts: 545
Location: New Hampshire
Posted: Mon Aug 04, 2008 12:18
carsten0815 wrote:
Thank you for the great tuts, everyone!

Dual WAN works nicely!

What can I do for triple WAN? Only set LAN port 3 to VLAN 3?


No, you also have to get another routes.firewall and firewall.firewall.

I have both of them posted, but the firewall.firewall does NOT work with V24, only V23.

jbarbieri
DD-WRT Guru
Joined: 06 Apr 2007
Posts: 545
Location: New Hampshire
Posted: Tue Aug 05, 2008 12:16
Update to the firewall.firewall for V23 version.

See the update on the first page, or you can download it here:

http://www.jbarbieri.net/dd-wrt/scripts/firewall.firewall


This actually does a little bit of connection tracking, so any inbound connections get marked, and it has helped me out with HTTPS sessions, as well as AIM and ICQ logins. It has allowed me to shorten the firewall.firewall file a little bit, since I don't need entries for each IM client and for HTTPS.

--John

bluescript
DD-WRT Novice
Joined: 07 Jun 2006
Posts: 7
Posted: Thu Aug 07, 2008 22:36
I've been trying to set up load-balancing with the following setup:

- WRT54GS 1.0 with PPPoE on WAN1 (load-balancer, 10.0.1.1/24)
- WRT54G 2.0 also with PPPoE and hooked up to the WRT54GS on port 4 (10.0.0.1/24)

The GS is running v23sp2 std and is configured as laid out in Stalonges setup with PPPoE as main and DHCP on WAN2 behind the G unit. It's using jbarbieri's latest firewall script.

The problem now is that apparently the PPPoE link on WAN1 isn't used at all - a few thousand outbound packets but hardly any inbound. Everything is piped through WAN2. Torrents are working without apparent problems and at full speed (single link that is) but websurfing is not always reliable and tends to time out to about 50%.

I would be extremely grateful if anyone could point me to the problem in my configuration. I have spent hours on it and can't find the flaw.

Code:

IP ROUTE OUTPUT:

213.191.76.92 dev ppp0  proto kernel  scope link  src 85.179.59.252
10.0.0.0/24 dev vlan2  proto kernel  scope link  src 10.0.0.90
10.0.1.0/24 dev br0  proto kernel  scope link  src 10.0.1.1
127.0.0.0/8 dev lo  scope link
default equalize
        nexthop via 213.191.76.92  dev ppp0 weight 1
        nexthop via 10.0.0.1  dev vlan2 weight 2


This is what I have done:

Code:

NVRAM SETTINGS:

nvram set vlan0ports="1 2 3 5*"
nvram set vlan2ports="4 5"
nvram set vlan2hwname=et0
nvram set wan_ifname2=ppp0


Code:

STARTUP

/jffs/scripts/wan2.firewall


Code:

FIREWALL

/jffs/scripts/routes.firewall
/jffs/scripts/firewall.firewall


Code:

WAN2.FIREWALL

#!/bin/sh
echo "Setting up WAN2" >> /var/log/messages

WAN2_IFNAME=vlan2
WAN2_IPADDR=10.0.0.90
WAN2_BROADCAST=10.0.0.255
WAN2_GATEWAY=10.0.0.1
WAN2_NETMASK=255.255.255.0

if [ "$(nvram get wan2_ipaddr)" != "$WAN2_IPADDR" ]; then
        nvram set wan2_ifname=$WAN2_IFNAME
        nvram set wan2_ipaddr=$WAN2_IPADDR
        nvram set wan2_gateway=$WAN2_GATEWAY
        nvram set wan2_netmask=$WAN2_NETMASK
        nvram set wan2_broadcast=$WAN2_BROADCAST
        nvram commit
fi

ifconfig $(nvram get wan2_ifname) down hw ether  00:12:17:D4:2D:C9
ifconfig $(nvram get wan2_ifname) $(nvram get wan2_ipaddr) netmask $(nvram get wan2_netmask) broadcast $(nvram get wan2_broadcast) up

echo "Sleeping 3 minutes 30 seconds before continuing" >> /var/log/messages
sleep 210

echo "Running routes.firewall now" >> /var/log/messages
/jffs/scripts/routes.firewall


Code:

ROUTES.FIREWALL

#!/bin/sh

echo "Flushing rules" >> /var/log/messages

ip rule flush

echo "Rebuilding rules and tables" >> /var/log/messages

ip rule add lookup main prio 32766
ip rule add lookup default prio 32767

ip rule add from $(nvram get wan_ipaddr) table 100 prio 100
ip rule add fwmark 0x100 table 100 prio 101

ip rule add from $(nvram get wan2_ipaddr) table 200 prio 200
ip rule add fwmark 0x200 table 200 prio 201

ip route flush table 100
ip route flush table 200

for TABLE in 100 200
do
   ip route | grep link | while read ROUTE
   do
     ip route add table $TABLE to $ROUTE
   done
done

ip route add table 100 default via $(nvram get wan_gateway)
ip route add table 200 default via $(nvram get wan2_gateway)
echo "Deleting default route" >> /var/log/messages
ip route delete default
echo "Adding in equalized route" >> /var/log/messages
ip route add default scope global equalize nexthop via $(nvram get wan_gateway) dev  $(nvram get wan_ifname2) weight 1 nexthop via $(nvram get wan2_gateway) dev $(nvram get wan2_ifname) weight 2
echo "routes.firewall completed" >> /var/log/messages


Code:

FIREWALL.FIREWALL

#!/bin/sh
echo "`date` Flushing and adding new firewall rules" >> /var/log/messages
IPTABLES="/usr/sbin/iptables"
#IPTABLES="/jffs/iptables"

#DD-WRT firewall rules #BEGIN
#apply simple forward rules

for RULE in $(nvram get forward_spec)
do
   FROM=`echo $RULE | cut -d '>' -f 1`
   TO=`echo $RULE | cut -d '>' -f 2`
   STATE=`echo $FROM | cut -d ':' -f 2`
   PROTO=`echo $FROM | cut -d ':' -f 3`
   SPORT=`echo $FROM | cut -d ':' -f 4`
   DEST=`echo $TO | cut -d ':' -f 1`
   DPORT=`echo $TO | cut -d ':' -f 2`
   
   if [ "$STATE" = "on" ]; then
      if [ "$PROTO" = "both" ]; then
        #udp
        iptables -A PREROUTING -t nat -p udp -d $(nvram get wan2_ipaddr) --dport $SPORT -j DNAT --to $DEST:$DPORT
        #tcp
        iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $SPORT -j DNAT --to $DEST:$DPORT
      else
        iptables -A PREROUTING -t nat -p $PROTO -d $(nvram get wan2_ipaddr) --dport $SPORT -j DNAT --to $DEST:$DPORT
      fi
   fi
done

#apply range forward rules
for RULE in $(nvram get forward_port)
do
  FROM=`echo $RULE | cut -d '>' -f 1`
  TO=`echo $RULE | cut -d '>' -f 2`
  STATE=`echo $FROM | cut -d ':' -f 2`
  PROTO=`echo $FROM | cut -d ':' -f 3`
  SPORT=`echo $FROM | cut -d ':' -f 4`
  EPORT=`echo $FROM | cut -d ':' -f 5`

  if [ "$STATE" = "on" ]; then
    if [ "$PROTO" = "both" ]; then
      #udp
      iptables -A PREROUTING -t nat -p udp -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to $TO
      #tcp
      iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to $TO
    else
      iptables -A PREROUTING -t nat -p $PROTO -d $(nvram get wan2_ipaddr) --dport $SPORT:$EPORT -j DNAT --to $TO
    fi
  fi
done

iptables -A PREROUTING -t nat -p icmp -d $(nvram get wan2_ipaddr) -j DNAT --to $(nvram get lan_ipaddr)

if [ $(nvram get remote_management) -eq 1 ]; then
   iptables -A PREROUTING -t nat -p tcp -d $(nvram get wan2_ipaddr) --dport $(nvram get http_wanport) -j DNAT --to $(nvram get lan_ipaddr):$(nvram get http_lanport)
fi

if [ $(nvram get dmz_enable) -eq 1 ]; then
   DMZ_IP=$(nvram get lan_ipaddr | sed -r 's/[0-9]+$//')$(nvram get dmz_ipaddr)
   iptables -A PREROUTING -t nat -d $(nvram get wan2_ipaddr) -j DNAT --to $DMZ_IP
fi

iptables -A PREROUTING -t nat --dest $(nvram get wan2_ipaddr) -j TRIGGER --trigger-type dnat
iptables -A FORWARD -i $(nvram get wan2_ifname) -o $(nvram get lan_ifname) -j TRIGGER --trigger-type in

#DD-WRT END

$IPTABLES -t mangle -F PREROUTING
$IPTABLES -t mangle -F OUTPUT

$IPTABLES -F POSTROUTING -t nat

$IPTABLES -t mangle -N ETH1
$IPTABLES -t mangle -F ETH1
$IPTABLES -t mangle -A ETH1 -j MARK --set-mark 0x100
$IPTABLES -t mangle -A ETH1 -j CONNMARK --save-mark

$IPTABLES -t mangle -N ETH2
$IPTABLES -t mangle -F ETH2
$IPTABLES -t mangle -A ETH2 -j MARK --set-mark 0x200
$IPTABLES -t mangle -A ETH2 -j CONNMARK --save-mark

$IPTABLES -t mangle -N RANDOM
$IPTABLES -t mangle -F RANDOM
$IPTABLES -t mangle -A RANDOM -m random --average 50 -j ETH1
$IPTABLES -t mangle -A RANDOM -m random --average 50 -j ETH2

$IPTABLES -t nat -N SPOOF_ETH1
$IPTABLES -t nat -F SPOOF_ETH1
$IPTABLES -t nat -A SPOOF_ETH1 -j SNAT --to $(nvram get wan_ipaddr)

$IPTABLES -t nat -N SPOOF_ETH2
$IPTABLES -t nat -F SPOOF_ETH2
$IPTABLES -t nat -A SPOOF_ETH2 -j SNAT --to $(nvram get wan2_ipaddr)

$IPTABLES -t nat -A POSTROUTING -o $(nvram get wan_ifname) -j SPOOF_ETH1
$IPTABLES -t nat -A POSTROUTING -o $(nvram get wan2_ifname) -j SPOOF_ETH2

$IPTABLES -t mangle -A OUTPUT -o ! br0 -m state --state NEW -j RANDOM
$IPTABLES -t mangle -A OUTPUT -j CONNMARK --restore-mark
$IPTABLES -t mangle -A OUTPUT --match mark --mark 0x100 -j ACCEPT
$IPTABLES -t mangle -A OUTPUT --match mark --mark 0x200 -j ACCEPT

$IPTABLES -t mangle -A PREROUTING -i br0 -m state --state NEW -j RANDOM
$IPTABLES -t mangle -A PREROUTING -j CONNMARK --restore-mark
$IPTABLES -t mangle -A PREROUTING --match mark --mark 0x100 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING --match mark --mark 0x200 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i vlan1 -j ETH1
$IPTABLES -t mangle -A PREROUTING -i vlan2 -j ETH2

RP_PATH=/proc/sys/net/ipv4/conf
for IFACE in `ls $RP_PATH`; do
    echo 0 > $RP_PATH/$IFACE/rp_filter
done
iptables -I INPUT -p icmp -j ACCEPT

echo "`date` firewall.firewall is now completed" >> /var/log/messages
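As an added example that is not part of the thread or of DD-WRT, here is a dry run of the forward_spec / forward_port loops that both the quoted NVRAM firewall script and the firewall.firewall above execute: it prints the DNAT rules instead of applying them and rejects malformed entries, which the originals do not check, so the output can be read over before the script is committed to NVRAM. The entry layout is inferred from the cut calls in those scripts; the sample entries and the 10.0.0.90 WAN address are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Dry-runs the port-forward loops of the
# posted firewall scripts: prints the iptables DNAT commands they would run
# for each `nvram get forward_spec` / `nvram get forward_port` entry.
# Field layout follows the cut(1) calls in those scripts:
#   forward_spec entry:  name:state:proto:port>dest_ip:dest_port
#   forward_port entry:  name:state:proto:start:end>dest_ip

# is_port VALUE: succeed if VALUE is an integer in 1..65535
is_port() {
    case "$1" in ''|*[!0-9]*) return 1;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# protos_for PROTO: map the NVRAM protocol field to iptables protocol names
protos_for() {
    case "$1" in
        both)    echo "udp tcp";;
        tcp|udp) echo "$1";;
        *)       return 1;;
    esac
}

# forward_spec_rules WAN_IP ENTRY: print one command per protocol (nothing for
# a disabled entry); return 1 with a reason on stderr for a malformed entry.
forward_spec_rules() {
    wan=$1 entry=$2
    case "$entry" in *'>'*) ;; *) echo "no '>' in entry: $entry" >&2; return 1;; esac
    from=${entry%%>*}; to=${entry#*>}
    oldifs=$IFS; IFS=:
    set -- $from; state=$2; proto=$3; sport=$4
    set -- $to;   dest=$1;  dport=$2
    IFS=$oldifs
    [ "$state" = "on" ] || return 0
    protos=$(protos_for "$proto") || { echo "bad protocol '$proto' in $entry" >&2; return 1; }
    is_port "$sport" && is_port "$dport" || { echo "bad port in entry: $entry" >&2; return 1; }
    for p in $protos; do
        echo "iptables -A PREROUTING -t nat -p $p -d $wan --dport $sport -j DNAT --to $dest:$dport"
    done
}

# forward_port_rules WAN_IP ENTRY: the same for a port-range entry
forward_port_rules() {
    wan=$1 entry=$2
    case "$entry" in *'>'*) ;; *) echo "no '>' in entry: $entry" >&2; return 1;; esac
    from=${entry%%>*}; dest=${entry#*>}
    oldifs=$IFS; IFS=:
    set -- $from; state=$2; proto=$3; sport=$4; eport=$5
    IFS=$oldifs
    [ "$state" = "on" ] || return 0
    protos=$(protos_for "$proto") || { echo "bad protocol '$proto' in $entry" >&2; return 1; }
    is_port "$sport" && is_port "$eport" && [ "$sport" -le "$eport" ] \
        || { echo "bad port range in entry: $entry" >&2; return 1; }
    for p in $protos; do
        echo "iptables -A PREROUTING -t nat -p $p -d $wan --dport $sport:$eport -j DNAT --to $dest"
    done
}

# Constructed sample entries (not real NVRAM contents) for the dry run.
WAN2_IP=10.0.0.90
for e in 'web:on:both:80>10.0.1.20:8080' 'ssh:off:tcp:22>10.0.1.20:22'; do
    forward_spec_rules "$WAN2_IP" "$e"
done
forward_port_rules "$WAN2_IP" 'torrent:on:tcp:6881:6889>10.0.1.30'
```

On the router, replace the sample loop with `for e in $(nvram get forward_spec)` (and likewise for forward_port) and the output can be compared against `iptables -t nat -L PREROUTING -n` after the real script has run.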
mpetern
DD-WRT Novice
Joined: 31 Jul 2008
Posts: 5
Posted: Tue Aug 12, 2008 11:35
I have another problem. A bit distinct from the others.

I am trying to have two IP addresses over one WAN port. I have only one DSL modem and one WRT54GL router. One address would be strictly for the web, dns and mail server, the other for torrents, mail, web surfing, etc... (workstations). The server has higher priority!

Is that possible with these scripts and how?

I have two static IP addresses (different ip, different netmask, different gateway) assigned from my ISP.
rockyrocky
DD-WRT Novice
Joined: 14 Aug 2008
Posts: 1
Posted: Thu Aug 14, 2008 19:44
Can anyone help me? I followed the step-by-step guide on www.roadrunnerguide.com/dualwan.html, but I just can't get my router to work :(
WAN IP shows 0.0.0.0.

Please help.
IN7OX
DD-WRT Novice
Joined: 15 Jul 2008
Posts: 19
Posted: Fri Aug 15, 2008 6:29
Has anyone got the scripts for triple WAN? I have been using dual for a while now and want to try something new.
You know how it is lol.
Cheers