R7000: ISP IP Aliasing | Altice/MEO GlobalConnect Pack

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
Author Message
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

PostPosted: Sat Jul 03, 2021 1:32    Post subject: R7000: ISP IP Aliasing | Altice/MEO GlobalConnect Pack Reply with quote
Hello,

So I'm using a provider that does some "unusual" setup in their GPON service. They assign me with a static IP however between their device and my router I've to communicate using a reserved IP range.

Folks at OpenWRT already know how it works and published this:

Quote:
This enterprise VoIP and Internet services package includes a Thomson/Technicolor gateway which can be configured (by the tecnician only) in bridge mode, at installation time. In this configuration, the connection presents itself untagged at the gateway's switch port 4. The Internet service is somewhat unusual, in the sense that it requires IP aliasing (it allows the provider to spare one public IP address per connection). The addressing is static, and the configuration provided is (as an example) something along these lines:

Both the Local and Remote WAN IP addresses belong to a /30 subnet. Inbound traffic arrives at the interface with the Internet IP address as the destination. To configure this connection on an OpenWrt device (let's assume interface eth1), on /etc/config/network, we need:

config interface 'wan'
option ifname 'eth1'
option proto 'static'
list ipaddr '62.10.20.30/32'
list ipaddr '100.64.194.2/30'
option gateway '100.64.194.1'

Now, since the addressing is static, we can do source NAT instead of masquerading. To do so, we configure /etc/config/firewall as follows:

config nat
option name 'MEO SNAT'
option device 'eth1'
option snat_ip '62.10.20.30'
option src 'wan'
option target 'SNAT'


More: https://openwrt.org/docs/guide-user/network/wan/isp-configurations#altice_meopt_empresas

I got an old OpenWRT-capable router changed the config as they explained and the connection worked just fine.

Now I can I do such thing in a Netgear R7000 running dd-wrt? This setup is a frustrating mess.

Thank you.

_________________
1x Netgear R7800 (latest); 3x Netgear R7000 (latest); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).
Sponsor
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14056
Location: Texas, USA

PostPosted: Sat Jul 03, 2021 1:53    Post subject: Reply with quote
Maybe the information here may help shed some light:

https://wiki.dd-wrt.com/wiki/index.php/One-to-one_NAT

I couldn't find a specific wiki on your configuration question, that was the closest thing I could find.

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

PostPosted: Sat Jul 03, 2021 9:58    Post subject: Reply with quote
Thank you for the link, indeed the only source for a setup like this was that OpenWRT page.

From my understanding my WAN is a private network where my router needs to communicate using the private gateway but changing the packets source IP to the public IP. And also accept packets to that public IP.

_________________
1x Netgear R7800 (latest); 3x Netgear R7000 (latest); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6847
Location: Romerike, Norway

PostPosted: Sat Jul 03, 2021 10:20    Post subject: Reply with quote
Configure WAN with static IP:

ipaddr '100.64.194.2/30'
gateway '100.64.194.1'

Enter '62.10.20.30/32'as secondary IP address


Add iptables rule with SNAT to ipaddr '62.10.20.30'
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

PostPosted: Sat Jul 03, 2021 11:14    Post subject: Reply with quote
Thank you for your answer.

Per Yngve Berg wrote:
Configure WAN with static IP:

ipaddr '100.64.194.2/30'
gateway '100.64.194.1'

Enter '62.10.20.30/32'as secondary IP address


Add iptables rule with SNAT to ipaddr '62.10.20.30'


Considering my R7000 networking in a "standard" WAN DHCP scenario I've this:



Code:
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc sfq state UNKNOWN qlen 1000
    link/ether b0:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    inet6 fe80::b27f:b9ff:fe85:28f8/64 scope link
       valid_lft forever preferred_lft forever
4: vlan1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP qlen 1000
    link/ether b0:xx:xx:xx:xx:xxbrd ff:ff:ff:ff:ff:ff
    inet6 fe80::b27f:b9ff:fe85:28f8/64 scope link
       valid_lft forever preferred_lft forever
5: vlan2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether b0:xx:xx:xx:xx:xxbrd ff:ff:ff:ff:ff:ff
    inet 85.xxx.xxx.xxx/24 brd 85.xxx.xxx.xxscope global vlan2
       valid_lft forever preferred_lft forever
    inet6 fe80::b27f:b9ff:fe85:28f9/64 scope link
       valid_lft forever preferred_lft forever



So, based in your suggestions:

Code:

1. Setup the static IP using DD-WRT GUI:
WAN IP: 100.64.194.2
Subnet: 255.255.255.252
Gateway: 100.64.194.1

2. Commands:

ip addr add 62.10.20.30/32 dev vlan2
iptables -t nat -A POSTROUTING -o vlan2 -j SNAT --to 62.10.20.30


Are those commands even close to what you described?

Thank you.

_________________
1x Netgear R7800 (latest); 3x Netgear R7000 (latest); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14056
Location: Texas, USA

PostPosted: Sat Jul 03, 2021 14:30    Post subject: Reply with quote
I just noticed on my E4200v1 that there is a IP Forwarding (1:1 NAT) page under "NAT / QoS" now that I don't recall seeing before. Perhaps this may be of some use.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

PostPosted: Sat Jul 03, 2021 18:30    Post subject: Reply with quote
kernel-panic69 wrote:
I just noticed on my E4200v1 that there is a IP Forwarding (1:1 NAT) page under "NAT / QoS" now that I don't recall seeing before. Perhaps this may be of some use.


Unfortunately my router doesn't have that menu.

Anyway, I managed to get it to work as suggested before with the following:

Code:
ip addr add 62.10.20.30/32 dev vlan2
iptables -t nat -A POSTROUTING -o vlan2 -j SNAT --to 62.10.20.30
iptables -t nat -I POSTROUTING -s 172.26.1.0/24 -j SNAT --to-source 62.10.20.30


With those two I managed to get both the router and LAN devices to be able to ping hosts on the Internet. Not sure if the second one alone wasn't enough but I'm no longer near that router to test it again.

Now I identified another issue, since the router thinks it's public IP is on the 100.x range typical port forwards and binds might not work. For instance, in order to get the OpenVPN server to work I had to also add:

Code:
iptables -A INPUT -p udp -s 62.10.20.30 --dport 4713 -j ACCEPT
iptables -t nat -I PREROUTING -i vlan2 -p udp --dport 4713 -j DNAT --to-destination 100.64.194.2:4713


DNATting the traffic from the public IP to the WAN real IP might not be the most elegant solution but it works. If anyone has a better way to deal with this I'll try it.

Thank you all.

_________________
1x Netgear R7800 (latest); 3x Netgear R7000 (latest); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6847
Location: Romerike, Norway

PostPosted: Sat Jul 03, 2021 19:27    Post subject: Reply with quote
You have a to old build. The latest is 47000
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

PostPosted: Mon Jul 05, 2021 11:40    Post subject: Reply with quote
Per Yngve Berg wrote:
You have a to old build. The latest is 47000


Either way, this isn't 1:1 to NAT. This is an ISP doing what the shouldn't do.

Do you have any tips about:

Quote:
I identified another issue, since the router thinks it's public IP is on the 100.x range typical port forwards and binds might not work. For instance, in order to get the OpenVPN server to work I had to also add:

Code:
iptables -A INPUT -p udp -s 62.10.20.30 --dport 4713 -j ACCEPT
iptables -t nat -I PREROUTING -i vlan2 -p udp --dport 4713 -j DNAT --to-destination 100.64.194.2:4713


Thank you.

_________________
1x Netgear R7800 (latest); 3x Netgear R7000 (latest); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum