Posted: Fri Aug 04, 2006 2:03 Post subject: multiple external IP addresses
Hi,
I'm new here. I've been searching the forum and wiki for detailed info about dealing with multiple external IP addresses and haven't found much of anything that answers my questions. It seems there is no way to add an alias IP to the WAN port via the web GUI. It would be nice if it could be added for the next version. But my immediate problem is that I was unable to find any instructions on the method to add the alias via the terminal. I'm not a Linux guru by any means, so explicit instructions would be very useful.
The other questions have to do with what happens if I add an alias and then forward all traffic from it to a specific internal IP address. Do the QoS rules still apply? What limitations are there? What can and can't be done with multiple external IP addresses with DD-WRT? Please note, all this assumes there is one physical internet connection and multiple IP addresses from the ISP.
My particular uses for the multiple IPs are for my Vonage adapter and gaming consoles, like PS2/XBOX. I've been looking at the VLAN stuff, but I haven't found a compelling reason to use it for what I'm doing.
I have the same problem. I have 5 static public IP addresses and can't seem to find any detailed information on how to set this up. If anyone knows, or knows of somewhere I can get this information, please post something.
Thanks, yeah, I actually saw those other posts, but they didn't really apply to me and my situation exactly, and since I'm not very good with Linux they weren't all that helpful. I did, on the other hand, just find something that I could understand a little more using ifconfig and VLANs, so I think I got it figured out. Maybe some Linux pros could look at this and tell me if there's anything else I should be aware of or do, since there's a lot of assumed stuff that I don't know sometimes. These are the main parts of the info I found on another website.
# Clear all chains in every loaded iptables table (filter, nat, mangle, ...).
cat /proc/net/ip_tables_names | while read table; do
    iptables -t $table -L -n | while read c chain rest; do
        if test "X$c" = "XChain" ; then
            iptables -t $table -F $chain
        fi
    done
    # Delete any user-defined (non-builtin) chains left in this table.
    iptables -t $table -X
done
# Reset packet and byte counters.
iptables -Z
# Allow new connections on the loopback interface, to and from the router itself.
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o lo -m state --state NEW -j ACCEPT
# Allow established and related connections (replies to traffic already permitted).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Posted: Tue Jun 05, 2007 1:34 Post subject: PREROUTING commands: tie to br0 interface
Regarding the last post, the script works, but you have to change the "-i" in the PREROUTING commands to use "br0" instead of "vlan1". POSTROUTING still uses "vlan1" for its traffic.
Bumping this up because this is the closest thing to a usable answer for multiple external IPs on a single interface.
It still shouldn't be this hard.
It should be configurable via the GUI.
So what is the proper way to make an official feature request?
I'd make a new ticket in http://svn.dd-wrt.com:8000/dd-wrt/timeline and mark it as "enhancement"... AFAIK there have been some discussions earlier about multi-WAN, so the developers know someone wants this, but we still have to remember they are busy getting v24 into final shape. So of course you can make a request for it, but I'd say it won't happen that soon; it would still be a relatively big change throughout the system to get multi-WAN to work well. But I am all for making DD-WRT even more superb than it already is.
It's all about firewalling and iptables. A short description, because I understand that for beginners the code isn't always that self-explanatory :)
Rule 1: Internet on vlan1, public IP 20.20.20.20 NATed to LAN IP 10.1.1.2
Rule 2: Traffic back from 10.1.1.2 to the Internet NATed to public IP 20.20.20.20
Rule 3: Allow traffic on public IP 20.20.20.20 port 80 (http) to 10.1.1.2
or
Rule 4: Allow all traffic on public IP 20.20.20.20 to 10.1.1.2 (in other words, unfirewalled, DMZ style)
The first and primary public IP is set manually or acquired by DHCP, normally in the web UI. Adding extra public IPs is done following the above commands.
I have also noticed that the above commands can ruin DD-WRT's standard NAT setup. If that happens for you, start over by rebooting the router and this time first enter the command below (followed by the above commands).
Where 10.1.1.0/26 is your LAN subnet and 30.30.30.30 is your first and primary public IP (set in the web UI).
Finish by testing your WAN IPs by going to, let's say, whatismyip.com, first from one of the LAN computers that you have mapped a public IP to, then from another unmapped one. In the first case it should report your new public IP; in the second case it should report the old one that your router has.
Posted: Thu Jan 21, 2010 22:22 Post subject: Re: PREROUTING commands: tie to br0 interface
This is an old post, but I was unable to find better info anywhere else, so hopefully this helps someone else.
mpadams wrote:
Regarding the last post, the script works, but you have to change the "-i" in the PREROUTING commands to use "br0" instead of "vlan1". POSTROUTING still uses "vlan1" for its traffic.
I had to use "eth0" not "br0" to get the routing to work for me. Here is what I used to forward port 80:
# Save Startup
ifconfig eth0:1 xxx.xxx.xxx.123 netmask 255.255.255.248 broadcast xxx.xxx.xxx.127
See the wiki: http://www.dd-wrt.com/wiki/index.php/One-to-one_NAT _________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
Here is a crash course for Windows admins on how to set up multiple external IPs on the WAN and how to configure port forwarding on these multiple IPs.
I have this script (without line numbers) set up in my Administration->Commands menu:
Code:
01: ####################################################
02: # Add additional IP addresses to WAN
03: ####################################################
04:
05: ifconfig vlan1:1 212.xx.yy.154 netmask 255.255.255.240 broadcast 212.xx.yy.159
06:
07: ####################################################
08: # Add port forward: 212.xx.yy.154:3390 -> 10.10.10.102:3389
09: # Note: FORWARD rule is needed only if SPI firewall is ON. No harm when firewall is OFF
10: ####################################################
11:
12: iptables -t nat -I POSTROUTING -o vlan1 -s 10.10.10.102 -j SNAT --to 212.xx.yy.154
13: iptables -t nat -I PREROUTING -i vlan1 -d 212.xx.yy.154 -p tcp --dport 3390 -j DNAT --to 10.10.10.102:3389
14: iptables -I FORWARD -i vlan1 -d 10.10.10.102 -p tcp --dport 3389 -j ACCEPT
The first part (the ifconfig line) is set as the Startup script; the second part (the iptables lines) is set up as the Firewall script. You can merge these into a single Startup script if you like.
Here is the explanation:
Line 05 sets up a second external IP on the WAN port. You can use this as a template for more, just increment vlan1:2, vlan1:3, vlan1:4, etc. Note that all these IPs must be able to reach the gateway on the WAN (i.e. be in the same subnet).
Line 12 sets up the back-routing of 10.10.10.102 through the external IP. You need exactly one such POSTROUTING line per internal IP. You can back-route several internal IPs through a single external IP.
Line 13 is the real deal. This one routes port 3390 on the external IP to port 3389 on the internal one. If the ports are not changed (i.e. 3389 to 3389), then leave the port out of the --to 10.10.10.102:3389 part, leaving just --to 10.10.10.102. You can copy this several times and change ports as needed.
Line 14 is needed only if the firewall is on, i.e. if you need SPI (stateful packet inspection). Basically it tells the firewall not to block the PREROUTING part. List every port on every internal IP that will be accessible from outside. If the firewall is off you can skip it, but it does no harm to leave it as is, whatever the firewall state.
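To make the crash course above reusable for several public IPs, here is an added example (not from this thread or from DD-WRT itself) that prints the Startup and Firewall lines for one mapping in the same form as lines 05 and 12-14, and refuses an alias that is not in the primary WAN subnet, since such an alias could not reach the WAN gateway. WAN_IF, WAN_IP, WAN_MASK and every address used are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread: build the DD-WRT Startup/Firewall lines for
# an extra WAN IP and port forward from one mapping, and reject an alias that is
# outside the primary WAN subnet (it could not reach the WAN gateway).
# WAN_IF/WAN_IP/WAN_MASK and all addresses below are constructed sample values.
WAN_IF=vlan1                 # WAN interface, as in the thread
WAN_IP=212.0.0.150           # primary WAN IP, normally set in the web UI
WAN_MASK=255.255.255.240     # /28, same size as the thread's example

# Dotted quad -> integer, so subnet tests can use shell arithmetic.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# True when $1 is in the same subnet as WAN_IP/WAN_MASK.
same_subnet() {
    m=$(ip2int "$WAN_MASK")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$WAN_IP") & m )) ]
}

# Broadcast address of $1 under WAN_MASK (ip | ~mask, within 32 bits).
broadcast_of() {
    int2ip $(( $(ip2int "$1") | (4294967295 - $(ip2int "$WAN_MASK")) ))
}

# gen_rules INDEX PUBLIC_IP INTERNAL_IP EXT_PORT INT_PORT
# Prints the ifconfig alias (Startup script) followed by the SNAT, DNAT and
# FORWARD rules (Firewall script), one mapping per call.
gen_rules() {
    same_subnet "$2" || { echo "ERROR: $2 not in $WAN_IP/$WAN_MASK" >&2; return 1; }
    echo "ifconfig $WAN_IF:$1 $2 netmask $WAN_MASK broadcast $(broadcast_of "$2")"
    echo "iptables -t nat -I POSTROUTING -o $WAN_IF -s $3 -j SNAT --to $2"
    echo "iptables -t nat -I PREROUTING -i $WAN_IF -d $2 -p tcp --dport $4 -j DNAT --to $3:$5"
    echo "iptables -I FORWARD -i $WAN_IF -d $3 -p tcp --dport $5 -j ACCEPT"
}

# Demo: RDP on the second public IP, 3390 outside -> 3389 inside (constructed values).
gen_rules 1 212.0.0.154 10.10.10.102 3390 3389
```

Paste the printed ifconfig line into the Startup script and the iptables lines into the Firewall script; when one internal IP gets several forwards, keep only one of its POSTROUTING lines, as the post above notes.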
From my understanding, this should be sending all of my traffic on the $WANIF:3 IP address to 192.168.1.10 on my internal network, but it seems to not want to do that. Any ideas?
Remove the :3 from this command.