multiple external IP addresses

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2  Next
Author Message
cstumpf
DD-WRT Novice


Joined: 03 Aug 2006
Posts: 9

PostPosted: Fri Aug 04, 2006 2:03    Post subject: multiple external IP addresses Reply with quote
HI,

I'm new here. Been searching the forum and wiki on detailed info about dealing with multiple external IP addresses and haven't found much of anything that answers my questions. It seems there is no way to add an alias IP to the WAN port via the web gui. It would be nice if it could be added for the next version. But my immediate problem is I was unable to find any instructions on the method add the alias via terminal. I'm not a linux guru by any means, so, explicit instructions would be very useful.

The other questions have to deal with what happens if I add an alias and then forward all traffic from it to a specific internal IP address? Do the QOS rules still apply? What limitations are there? What can and can't be done with multiple external IP addresses with DD-WRT. Please note, all this assumes there is one physical internet connection and multiple IP addresses from the ISP.

My particular uses for the multiple IPs are for my Vonage adapter and gaming consoles, like PS2/XBOX. I've been looking at the VLAN stuff, but I haven't found a compelling reason to use it for what I'm doing.

Thanks
Sponsor
satnone
DD-WRT Novice


Joined: 04 Mar 2007
Posts: 6

PostPosted: Sun Mar 04, 2007 16:54    Post subject: Reply with quote
I have the same problem.. I have 5 static public IP addresses and cant seem to find any detailed information on how to set this up. If anyone knows or if anyone knows of somewhere I can get this information post something.

WRT54G with v23 SP2 VPN
avalanche
DD-WRT User


Joined: 16 Jun 2006
Posts: 133
Location: Kolding, Denmark

PostPosted: Sun Mar 04, 2007 19:49    Post subject: Reply with quote
search the forum for the answer on the multiple IP's, there are multiple messages about that.

eg. the thread: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=10555

from the above thread:

#FORWARD EVERYTHING EXAMPLE
/usr/sbin/ip addr add aa.bb.cc.dd/29 dev vlan1
/usr/sbin/iptables -I FORWARD -d pp.qq.rr.ss -j ACCEPT
/usr/sbin/iptables -t nat -I PREROUTING 1 -p all -d aa.bb.cc.dd -j DNAT --to pp.qq.rr.ss
/usr/sbin/iptables -t nat -I POSTROUTING 1 -p all -s pp.qq.rr.ss -j SNAT --to aa.bb.cc.dd

aa.bb.cc.dd is the external IP
pp.qq.rr.ss is the internal IP that you want to respond to aa.bb.cc.dd

I'm using something like this of course it's modified with other rules so it's not a DMZ. Security is up to you
satnone
DD-WRT Novice


Joined: 04 Mar 2007
Posts: 6

PostPosted: Sun Mar 04, 2007 22:07    Post subject: Reply with quote
Thanks, yeah I actually saw those other posts, but they didnt really apply to me and my situation exactly, and since Im not very good with linux they werent all that helpfull. I did, on the other hand just find something that I could understand a little more using ifconfig and vlans, so I think I got it figured out. Maybe some Linux pros could look at this and tell me if theres anything else I should be aware of or do, since theres a lot of assumed stuff that I dont know sometimes. This is the main parts of the info I found on another website.

195.167.182.123 -> 10.0.0.1
195.167.182.124 -> 10.0.0.2
195.167.182.125 -> 10.0.0.x (all others)
=========================

# Add external aliases to external interface.
ifconfig vlan1:1 195.167.182.124 netmask 255.255.255.248 broadcast 195.167.182.127
ifconfig vlan1:2 195.167.182.125 netmask 255.255.255.248 broadcast 195.167.182.127

# Default accept all.
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT

# Clear all chains.
cat /proc/net/ip_tables_names | while read table; do
iptables -t $table -L -n | while read c chain rest; do
if test "X$c" = "XChain" ; then
iptables -t $table -F $chain
fi
done
iptables -t $table -X
done

# Reset counters.
iptables -Z

# Allow new connections, to and from the router.
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT

# Allow established and related connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# NAT mapping for 195.167.182.123 -> 10.0.0.1
iptables -t nat -I PREROUTING -i vlan1 -d 195.167.182.123 -j DNAT --to-destination 10.0.0.1
iptables -t nat -I POSTROUTING -o vlan1 -s 10.0.0.1 -j SNAT --to-source 195.167.182.123

# NAT mapping for 195.167.182.124 -> 10.0.0.2
iptables -t nat -I PREROUTING -i vlan1 -d 195.167.182.124 -j DNAT --to-destination 10.0.0.2
iptables -t nat -I POSTROUTING -o vlan1 -s 10.0.0.2 -j SNAT --to-source 195.167.182.124

# NAT all other connections.
iptables -t nat -A POSTROUTING -o vlan1 -s 10.0.0.0/24 -j MASQUERADE

# Fix mss.
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1421:65535 -j TCPMSS --clamp-ms
mpadams
DD-WRT Novice


Joined: 05 Jun 2007
Posts: 1

PostPosted: Tue Jun 05, 2007 1:34    Post subject: PREROUTING commands: tie to br0 interface Reply with quote
Regarding the last post, the script works, but you have to change the "-i" in the PREROUTING commands to use "br0" instead of "vlan1". POSTROUTING still uses "vlan1" for its traffic.
Lore
DD-WRT Novice


Joined: 07 Jun 2006
Posts: 19

PostPosted: Sun Aug 05, 2007 6:23    Post subject: Reply with quote
Did this end up working for you? Did you have to change it to br0 like the last poster said?

By the way, the site where you got the information from is here, right?

http://www.remoteroot.net/2007/07/18/1-1-nat-with-dynamic-napt-on-a-linksys-wrt54g/
cstumpf
DD-WRT Novice


Joined: 03 Aug 2006
Posts: 9

PostPosted: Tue Jan 22, 2008 12:35    Post subject: Reply with quote
bumping this up because this is the closest thing to a usable answer for multiple external IPs on a single interface.

It still shouldn't be this hard.

It should be configurable via the GUI.

So what is the proper way to make an official feature request?
olmari
DD-WRT Guru


Joined: 24 Oct 2006
Posts: 1447
Location: Vaasa, Finland

PostPosted: Tue Jan 22, 2008 13:25    Post subject: Reply with quote
cstumpf wrote:
bumping this up because this is the closest thing to a usable answer for multiple external IPs on a single interface.

It still shouldn't be this hard.

It should be configurable via the GUI.

So what is the proper way to make an official feature request?


I'd make new ticket in http://svn.dd-wrt.com:8000/dd-wrt/timeline and mark it as "enhancement"... AFAIK there have been some discussions earlier about multi-WAN, so developers knows someones want this, but we still ahve to remember they are busy to get v24 to final shape. So ofcourse you can make request for it, but I say it won't happend that soon, it still will be relatively big changes troughout system to get multi-WAN to work good. But I am all in for making DD-WRT even more superb than it already is.

_________________
Site 1:
P3 1GHz Coppermine with DD-WRT v24 as main router
2x Buffalo WHR-HP-G54 with DD-WRT v24 as AP

Site 2:
AMD64 4200+ Dualcore AM2 with DD-WRT v24 as main router
Buffalo WHR-HP-G54 with DD-WRT v24 as AP
joksi
DD-WRT Guru


Joined: 16 Jan 2007
Posts: 1240

PostPosted: Tue Jan 22, 2008 13:48    Post subject: Reply with quote
At the moment Im having two public IPs assigned to my WRT.

I have done like this and it works as expected.

iptables -t nat -I PREROUTING -i vlan1 -d 20.20.20.20 -j DNAT --to-destination 10.1.1.2
iptables -t nat -I POSTROUTING -o vlan1 -s 10.1.1.2 -j SNAT --to-source 20.20.20.20

iptables -I FORWARD -p tcp -i vlan1 -d 10.1.1.2 --dport 80 -j ACCEPT
...or...
iptables -I FORWARD -p all -i vlan1 -d 10.1.1.2 -j ACCEPT

Its all about firewalling and IPtables, a short description because I understand that for beginners code arent always that self explanatory :)

Rule 1: Internet on vlan1, public IP 20.20.20.20 NAT:ed to LAN IP 10.1.1.2
Rule 2: Traffic back from 10.1.1.2 to Internet NAT:ed to public IP 20.20.20.20

Rule3: Allow traffic on public IP 20.20.20.20 pot 80 (http) to 10.1.1.2
or
Rule 4: Allow all traffic on public IP 20.20.20.20 to 10.1.1.2 (other word,unfirewalled=DMZ style)

The first and primary public IP is set manually or aquired by DHCP normally in web UI. Adding extra public IPs shall be done following above commands.

I have noticed also that above commands can ruin the dd-wrts standard NAT setup, if that happens for you start over by rebooting router and this time first enter below command (followed bt above commands)

iptables -t nat -I POSTROUTING -o vlan1 -s 10.1.1.0/26 -j SNAT --to-source 30.30.30.30

Where 10.1.1.0/26 is your LAN subnet and 30.30.30.30 is your first and primary public IP (set in web UI).

Finish with testing your WAN IPs by going to lets say whatismyip.com, first from one of the LAN computers that you have mapped an public IP to, then with another unmapped. In the first case it should report your new public IP, in the second case it should report your old tht you router has.

Save it as startup script and your done. Smile
shanesj
DD-WRT Novice


Joined: 07 Jan 2010
Posts: 1

PostPosted: Thu Jan 21, 2010 22:22    Post subject: Re: PREROUTING commands: tie to br0 interface Reply with quote
This is an old post but I was unable to find better info any where else, so hopefully this helps someone else.

mpadams wrote:
Regarding the last post, the script works, but you have to change the "-i" in the PREROUTING commands to use "br0" instead of "vlan1". POSTROUTING still uses "vlan1" for its traffic.


I had to use "eth0" not "br0" to get the routing to work for me. Here is what I used to forward port 80:

# Save Startup
ifconfig eth0:1 xxx.xxx.xxx.123 netmask 255.255.255.248 broadcast xxx.xxx.xxx.127

# Save Firewall
iptables -t nat -I POSTROUTING -o eth0 -s 10.0.10.0/24 -j SNAT --to-source 10.0.10.1
iptables -t nat -I PREROUTING -d xxx.xxx.xxx.123 -j DNAT --to-destination 10.0.10.91
iptables -t nat -I POSTROUTING -o vlan1 -s 10.0.10.91 -j SNAT --to-source xxx.xxx.xxx.123
iptables -I FORWARD -p tcp -i eth0 -d 10.0.10.91 --dport 80 -j ACCEPT
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Fri Jan 22, 2010 0:16    Post subject: Reply with quote
See the wiki: http://www.dd-wrt.com/wiki/index.php/One-to-one_NAT
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
wqweto
DD-WRT Novice


Joined: 26 Jan 2010
Posts: 1

PostPosted: Tue Jan 26, 2010 17:39    Post subject: Reply with quote
Here is a crash course for Windows admins on how to setup multiple external IPs on WAN and how to configure port forwarding on these multiple IPs.

I have this script (without line numbers) setup in my Administration->Commands menu:
Code:
01: ####################################################
02: # Add additional IP addresses to WAN
03: ####################################################
04:
05: ifconfig vlan1:1 212.xx.yy.154 netmask 255.255.255.240 broadcast 212.xx.yy.159
06:
07: ####################################################
08: # Add port forward: 212.xx.yy.154:3390 -> 10.10.10.102:3389
09: # Note: FORWARD rule is needed only if SPI firewall is ON. No harm when firewall is OFF
10: ####################################################
11:
12: iptables -t nat -I POSTROUTING -o vlan1 -s 10.10.10.102 -j SNAT --to 212.xx.yy.154
13: iptables -t nat -I PREROUTING -i vlan1 -d 212.xx.yy.154 -p tcp --dport 3390 -j DNAT --to 10.10.10.102:3389
14: iptables -I FORWARD -i vlan1 -d 10.10.10.102 -p tcp --dport 3389 -j ACCEPT

First part (ifconfig line) is set as Startup script, second part (iptables lines) is setup as Firewall script. You can merge these as a single Startup script if you like.

Here is the explanation:

Line 05 sets up a second external IP on the WAN port. You can use this as a template for more, just increment vlan1:2, vlan1:3, vlan1:4, etc. Note that all these IPs must be able to reach the gateway on the WAN (to be in the same subnet).

Template: ifconfig vlan1:{seq_No} {external_IP} netmask {external_mask} broadcast {highest_external_IP_for_IP_mask_combination}

Line 12 sets up the back-routing of 10.10.10.102 through the external IP. You need exactly one such POSTROUTING line for an internal IP. You can back-route several internal IPs through a single external IP.

Template: iptables -t nat -I POSTROUTING -o vlan1 -s {internal_IP} -j SNAT --to {external_IP}

Line 13 is the real deal. This one routes port 3390 on the external IP to port 3389 on the internal. If ports are not changed (i.e. 3389 to 3389) then leave the port out of the --to 10.10.10.102:3389 part, just leave --to 10.10.10.102. You can copy this several times and change ports as needed.

Template: iptables -t nat -I PREROUTING -i vlan1 -d {external_IP} -p tcp --dport {external_port} -j DNAT --to {internal_IP}[:{internal_port}]

Line 14 is needed only if firewall is on, if you need SPI (statefull packet inspection). Basicly it tells the firewall not to block the PREROUTING part. List every port on every internal IP that will be accessible from outside. If firewall is off you can skip it, but it's no harm to leave as is, no matter firewall state.

Template: iptables -I FORWARD -i vlan1 -d {internal_IP} -p tcp --dport {internal_port} -j ACCEPT

Useful commands:

ifconfig -- lists line 05 configuration
iptables -t nat -nL -- lists line 12 and 13 configuration
iptables -t filter -nL -- lists line 14 configuration

cheers,
</wqw>
mrjstin
DD-WRT Novice


Joined: 03 Feb 2010
Posts: 5

PostPosted: Thu Feb 04, 2010 20:25    Post subject: Reply with quote
hi there...

i've been trying to get this to work for a few hours with no luck. hopefully someone can help...

basically, the public ip's are all getting to the router from the outside but the router isnt sending them to the internal ip's.

here's what im trying right now...

startup:

WANIF=`nvram get wan_iface`
WANMASK=`nvram get wan_netmask`
ifconfig $WANIF:1 173.xxx.xxx.xxx netmask $WANMASK
ifconfig $WANIF:2 173.xxx.xxx.xxx netmask $WANMASK
ifconfig $WANIF:3 173.xxx.xxx.xxx netmask $WANMASK
ifconfig $WANIF:4 173.xxx.xxx.xxx netmask $WANMASK
ifconfig $WANIF:5 173.xxx.xxx.xxx netmask $WANMASK

then in my custom script:

# WAN .35 -> LAN .10
iptables -t nat -I PREROUTING -d 173.xxx.xxx.xxx -j DNAT --to 192.168.1.10
iptables -t nat -I POSTROUTING -s 192.168.1.10 -j SNAT --to 173.xxx.xxx.xxx
iptables -I FORWARD -i $WANIF:3 -d 192.168.1.10 -j ACCEPT


From my understanding, this should be sending all of my traffic on $WANIF:3 ip address to 192.168.1.10 on my internal network but it seems to not wan to do that. any ideas?
olmari
DD-WRT Guru


Joined: 24 Oct 2006
Posts: 1447
Location: Vaasa, Finland

PostPosted: Thu Feb 04, 2010 20:59    Post subject: Reply with quote
Maybe you need quotation marks. like:

ifconfig "$WANIF":1 173.xxx.xxx.xxx netmask $WANMASK

Just an idea tough, haven't tested.. but for me it looks like each ifconfig line would try to read "$WANIF:x" instead of $WANIF + "Mad"

_________________
Site 1:
P3 1GHz Coppermine with DD-WRT v24 as main router
2x Buffalo WHR-HP-G54 with DD-WRT v24 as AP

Site 2:
AMD64 4200+ Dualcore AM2 with DD-WRT v24 as main router
Buffalo WHR-HP-G54 with DD-WRT v24 as AP
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Fri Feb 05, 2010 9:48    Post subject: Reply with quote
mrjstin wrote:
iptables -I FORWARD -i $WANIF:3 -d 192.168.1.10 -j ACCEPT

Remove the :3 from this command.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Goto page 1, 2  Next Display posts from previous:    Page 1 of 2
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum