Passthrough dhcp with firewall

DD-WRT Forum Index -> Advanced Networking
Uumas
DD-WRT Novice


Joined: 07 Dec 2017
Posts: 11

PostPosted: Sat Jan 08, 2022 21:59    Post subject: Passthrough dhcp with firewall
I have an rt-n18u running dd-wrt with dhcp disabled, so the requests go to my isp and all devices have public IPs. I'd like to enable the firewall with this setup so all devices aren't completely exposed to the internet. I'd like to achieve the following:

1. Block all incoming tcp/udp traffic by default
2. Allow traffic to specific ports on specific devices. This would probably have to be identified by mac address or hostname, as the ip addresses aren't static.
3. Allow all traffic between local devices.

The router is currently acting as a pure bridge without its own public ip, so this would probably need to be changed to make it do routing? Is this possible while still passing through the dhcp requests and clients getting their IPs from the isp dhcp?
And the firewall part probably requires using iptables directly as the gui seems to be intended only for nat setups. Should these commands be saved in commands -> firewall or is there a better place?
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Sun Jan 09, 2022 6:05    Post subject:
This is how it's normally done.

https://wiki.dd-wrt.com/wiki/index.php/One-to-one_NAT

Of course, this assumes a block of static IPs from the ISP. Seems a bit unusual for an ISP to be willing to offer multiple dynamic IPs from the IPv4 space these days.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6870
Location: Romerike, Norway

PostPosted: Sun Jan 09, 2022 10:06    Post subject:
What do you need the public IP addresses for?

https://wiki.dd-wrt.com/wiki/index.php/Public_Sub-Net_Over_Dynamic_WAN
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14246
Location: Texas, USA

PostPosted: Sun Jan 09, 2022 12:11    Post subject:
I somehow doubt all the LAN devices have public IPs. I have a feeling that the LAN dhcp is provided by ISP equipment here. Need proof of concept and screenshots to verify the OP.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Uumas
DD-WRT Novice


Joined: 07 Dec 2017
Posts: 11

PostPosted: Tue Jan 18, 2022 15:19    Post subject:
Sorry for not responding for a while, was expecting to get notifications for replies but apparently I hadn't checked the box...

So, the ISP has dhcp, which is meant to assign every customer's router an IP address, but is happy to assign one customer multiple addresses if there isn't a local router dhcp server in between. They don't assign an IP block, but a random address per dhcp request, so there needs to be a dhcp request made to the ISP for each device that connects to the local network.

I want to have public IP addresses to be able to easily ssh into my local devices. I could of course have them all be behind one public IP with port forwarding, but I'd prefer not to do nat when it's not needed.

The dhcp is provided by ISP equipment, but I don't have any of it in my apartment and it provides public addresses. If you want to test yourself, you can ping uupi.uumas.fi, it should be always on. oreo.uumas.fi, papu.uumas.fi and lemon.uumas.fi reply to ping when they are turned on. My phone is currently pingable at 87.92.197.203 but the address is dynamic so it will change at some point and I don't have a dns record pointing to it. Also, here's `ip a` output on all the computers. You can notice papu actually has two public addresses currently as it's connected both to wired and wifi.

Neither of the suggested wiki articles seems to apply to my situation, where the addresses aren't static or predictable.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14246
Location: Texas, USA

PostPosted: Tue Jan 18, 2022 16:23    Post subject:
You are wanting to have to administrate many firewalls instead of a single firewall and router. That doesn't make any sense from a security standpoint. You can set up DD-WRT to have the functionality you want...
Uumas
DD-WRT Novice


Joined: 07 Dec 2017
Posts: 11

PostPosted: Tue Jan 18, 2022 16:34    Post subject:
I do want to use dd-wrt as the firewall. Firewall and nat are two separate things. Your firewall can do nat, but it can do firewalling without nat too. I'm asking how to do that when the devices don't have predictable ip addresses. I already have two ideas about how this could possibly be implemented, but neither seems too great:

1. Have a shell script that constantly checks the devices' IP addresses from dns and updates the firewall rules accordingly. This seems like a suboptimal solution due to having to make constant dns queries.

2. Some kind of a mitm dhcp server running on the dd-wrt that passes requests through to upstream dhcp and updates the firewall rules based on the mac address of the device making the request. I have no idea how/if this could be done though.
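Idea 1 from the post above, written out as an added example (not part of the thread and not DD-WRT project code): a small script for a JFFS path that resolves each device name, emits a default-deny ruleset with per-device exceptions, and only re-applies it when a resolved address has changed. Everything in it is an assumption made for the example, not taken from the thread: that DD-WRT bridges the ISP-facing port (assumed to be vlan2) with the LAN ports on br0, that bridge-nf-call-iptables is enabled and the iptables physdev match is available in the build so bridged frames traverse FORWARD, and that every device has a DNS name; host names, ports and addresses are placeholders.

```shell
#!/bin/sh
# Added example: a cron-driven refresher for the OP's idea 1 (resolve each
# device name, rebuild the rules when an address changes). Not from the thread
# and not DD-WRT project code. Assumptions, all constructed for this example:
#  - DD-WRT bridges the ISP port (assumed vlan2) and the LAN ports on br0;
#  - bridge-nf-call-iptables is on and the physdev match is available, so
#    bridged frames traverse FORWARD and "entered on vlan2" can be matched;
#  - each device has a DNS name; names, ports and addresses are placeholders.

WAN_PORT="${WAN_PORT:-vlan2}"
CHAIN="pubfw"
STATE="${STATE:-/tmp/pubfw.state}"   # ruleset last applied; re-apply only on change
RUN="${RUN:-sh}"                     # interpreter the generated rules are piped into

# Allowlist, one "hostname:proto:port" per line (constructed placeholders).
ALLOW="
host-a.example.net:tcp:22
host-b.example.net:tcp:443
"

# Resolve a name to one IPv4 address with busybox nslookup (handles both the
# older "Address 1:" and the newer "Address:" output). Empty output = unresolved.
resolve_host() {
    nslookup "$1" 2>/dev/null | awk '
        /^Name:/ { answer = 1 }
        answer && /^Address/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit }
        }'
}

# One ACCEPT rule for a device/port pair: $1 = ip, $2 = proto, $3 = port.
allow_rule() {
    echo "iptables -A $CHAIN -p $2 -d $1 --dport $3 -j ACCEPT"
}

# Emit the full ruleset as shell commands, one per line: reply traffic allowed,
# per-device exceptions, then DROP for everything else that entered on the ISP
# port. Frames between LAN ports never match physdev-in vlan2, so local devices
# keep talking to each other. An unresolved name gets no rule (fails closed).
build_ruleset() {
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    echo "iptables -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for entry in $ALLOW; do
        name=${entry%%:*}; rest=${entry#*:}
        proto=${rest%%:*}; port=${rest#*:}
        ip=$(resolve_host "$name" || true)
        if [ -z "$ip" ]; then
            echo "# $name unresolved, no rule (stays blocked)"
            continue
        fi
        allow_rule "$ip" "$proto" "$port"
    done
    echo "iptables -A $CHAIN -j DROP"
    # Hook the chain into FORWARD once; -C reports whether the jump already exists.
    echo "iptables -C FORWARD -m physdev --physdev-in $WAN_PORT -j $CHAIN 2>/dev/null || iptables -I FORWARD -m physdev --physdev-in $WAN_PORT -j $CHAIN"
}

# Apply only when the generated ruleset differs from the one applied last time,
# so a periodic cron run costs a few DNS lookups but no iptables churn.
# Returns 0 if rules were (re)applied, 1 if nothing changed.
refresh() {
    new=$(build_ruleset)
    if [ -f "$STATE" ] && [ "$new" = "$(cat "$STATE")" ]; then
        return 1
    fi
    printf '%s\n' "$new" | $RUN
    printf '%s\n' "$new" > "$STATE"
    return 0
}

# Usage: pubfw.sh print   (show the rules)   |   pubfw.sh refresh   (apply on change)
case "${1:-}" in
    print)   build_ruleset ;;
    refresh) refresh ;;
esac
```

With JFFS enabled, save it as /jffs/pubfw.sh, put `/jffs/pubfw.sh refresh` in the Firewall commands box so it runs at boot, and add a cron line such as `*/5 * * * * root /jffs/pubfw.sh refresh` to re-check the names. `/jffs/pubfw.sh print` shows what would be applied without touching iptables. Two caveats: the flush-and-refill on each change leaves the chain empty for a moment, so if that matters build into a second chain and swap the jump; and because the rules match the resolved address rather than the MAC, a device whose lease changes stays blocked until its DNS record (which the device itself has to keep current) is re-read on the next refresh.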
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14246
Location: Texas, USA

PostPosted: Tue Jan 18, 2022 16:37    Post subject:
The easiest way is to use DD-WRT in gateway mode and stop using public IPs for all your devices since that only complicates things much more than required.
Uumas
DD-WRT Novice


Joined: 07 Dec 2017
Posts: 11

PostPosted: Tue Jan 18, 2022 16:40    Post subject:
I know that would be the easy solution but it has drawbacks. I'm looking for the more complicated solution with a better end result.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Tue Jan 18, 2022 18:31    Post subject:
What good is having public IPs per device if those can't be assigned predictably? Now you'd need a DDNS for every device to regain some of that predictability. Multiple public IPs only make sense when they can be assigned statically. And once that's possible, one-to-one NAT becomes a viable solution. Assigning multiple public IPs via DHCP is just asking for problems, at least from the OP's perspective. It would make more sense to use IPv6 public IPs, since at least then the ISP would not be hesitant about providing you w/ a static block, since there are so many IPs available. But I'm sure he's hesitant to do so w/ IPv4 due to the limited number available.

So whatever value you believe comes from having access to multiple public IPs, it's going to be outweighed by the complexity it brings to the configuration on the router. IOW, whatever you gain, you lose just as much.

To the extent you could ever get this working at all, seems to me dd-wrt is NOT the answer. dd-wrt, like most every third-party firmware, is fundamentally a *NAT* router. But given your intentions, you're no longer talking about a NAT router, but just an ordinary router. And while that's possible using Router mode, you still have the issue of a lack of predictability. But you solve the unpredictability problem by using NAT! So you're right back where you started.

Like any problem, there probably is a solution lurking out there, one made possible by someone w/ the time and determination to make it happen, no matter the obstacles. But I don't know of it. And I doubt it's going to magically appear anytime soon.

JMTC
