IPtables for second IP on br0

Author Message
delhite2
DD-WRT User


Joined: 04 May 2009
Posts: 83

Posted: Wed Apr 07, 2021 13:05    Post subject: IPtables for second IP on br0
Hi,
For my system to work correctly and manage the intermingling and crossing devices, I had to add a secondary IP on a different subnet to my bridge br0.
I use
Code:
ip addr add 192.168.20.1/24 broadcast 192.168.20.255 dev br0


Then, to give it access to the internet and to enable port forwarding on this device with this second IP subnet, whose WAN IP is 192.168.2.2 and WAN gateway is 192.168.2.1, I use

Code:
iptables -t nat -I POSTROUTING -o vlan2 -j SNAT --to 192.168.2.2
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to 192.168.2.1


Now everything works like I want it to, but I am not knowledgeable about iptables and its chains, so I wanted to ask: do these rules by any chance open my firewall completely?
Or am I as safe as I was before?

Edit: just noticed my static routes entered in Advanced Routing stop working after these commands.
What can I do to retain them?
Regards
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Wed Apr 07, 2021 17:09    Post subject:
Given the WAN ip of the dd-wrt router is using a private IP, I assume this is a double NAT situation, w/ your primary router upstream of the dd-wrt router. Assuming that's the case, seems to me the following is sufficient.

Code:
# startup script
ip addr add 192.168.20.1/24 broadcast 192.168.20.255 dev br0


Code:
# firewall script
iptables -t nat -I POSTROUTING -o $(nvram get wan_iface) -j SNAT --to $(nvram get wan_ipaddr)


Note, I purposely used variables because I don't know how accurate your explicit use of network interfaces and IP addresses may be. You provided scant details about this configuration. So my rules are designed to work regardless how the dd-wrt router is configured. But if you wish to use hardcoded values, that's fine too. Just be sure they're right!

For remote access purposes, you'll need to add a static route on the primary (NOT dd-wrt) router that points to the WAN ip of the dd-wrt router as the gateway to the 192.168.20.0/24 network.

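An added example, not code from either post, that wraps eibgrad's interface-agnostic SNAT rule in a DD-WRT firewall script: it reads the WAN interface and address from nvram (the WAN_IFACE and WAN_IPADDR environment variables are an assumed override so the functions can be exercised off the router) and uses `iptables -C` so that re-running the firewall script does not stack duplicate POSTROUTING rules. It assumes an iptables build of 1.4.11 or later, which is when `-C` was introduced.

```shell
#!/bin/sh
# Added example, not code from the thread: an idempotent DD-WRT firewall
# script built around eibgrad's interface-agnostic SNAT rule.
# Assumes iptables 1.4.11+ (needed for the -C rule-check option).

# Read a value from nvram on the router; off the router, returns nothing.
nv() { if command -v nvram >/dev/null 2>&1; then nvram get "$1"; fi; }

# Resolve the WAN interface and address. WAN_IFACE / WAN_IPADDR in the
# environment (an assumed override) take precedence over nvram so the
# script can be exercised on a machine without nvram.
wan_settings() {
    iface=${WAN_IFACE:-$(nv wan_iface)}
    ipaddr=${WAN_IPADDR:-$(nv wan_ipaddr)}
    [ -n "$iface" ] && [ -n "$ipaddr" ] || return 1
    printf '%s %s\n' "$iface" "$ipaddr"
}

# Rule specification (without the table) for one WAN interface and address.
# This lives in nat/POSTROUTING: it only rewrites the source address of
# packets leaving via the WAN. Whether inbound traffic is accepted is still
# decided by the filter table's INPUT and FORWARD chains, which it does not touch.
snat_rule_args() {
    printf '%s\n' "POSTROUTING -o $1 -j SNAT --to-source $2"
}

# Insert the rule only when an identical one is not already present, so
# re-running the firewall script does not stack duplicate entries.
apply_snat() {
    settings=$(wan_settings) || { echo "WAN interface/IP unknown" >&2; return 1; }
    set -- $settings
    args=$(snat_rule_args "$1" "$2")
    if iptables -t nat -C $args 2>/dev/null; then
        echo "SNAT rule already present: $args"
    else
        iptables -t nat -I $args && echo "Inserted SNAT rule: $args"
    fi
}

# Run with "apply" as the argument on the router; with no argument only the
# functions are defined (a DD-WRT firewall script would simply end with apply_snat).
case "${1:-}" in apply) apply_snat ;; esac
```

On the router, paste the functions into the firewall script and finish it with a bare `apply_snat` line.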