
Bridging LAN to WAN?

Discussion in 'DD-WRT Firmware' started by sded, Nov 25, 2005.

  1. sded

    sded Network Guru Member

    I am using a Speedstream 5100b DSL modem in bridge mode on a DHCP connection. Want to have simultaneous access to both the DSL data and the housekeeping data. To route the datastream to both to the LAN and to the WAN I use an ethernet cable to bridge LAN/WAN ports on the WRT54G. Is it possible to do this in the firmware? Or WAN to LAN would also work; I don't care where the plug goes. Tried the VLAN option on the mini-23 version to move the WAN port to the LAN bridge, but that didn't do it. Thanks; Ed.
     
  2. 4Access

    4Access Network Guru Member

    Sorry... You're trying to accomplish what...?
     
  3. sded

    sded Network Guru Member

    I would like to route the (single) output of a DSL bridge to both the WAN port and a LAN port (for data and status) without using an external switch or a jumper cable on the WRT54G switch. Can the input be routed from a LAN port to the WAN port internally using firmware?
     
  4. 4Access

    4Access Network Guru Member

    I'm sorry but I'm still not getting it. What do you mean by "data and status"... maybe if you explained that another way it would help.

    Or how would you hook things up (exactly where would the cables go) if you were to use an "external switch or jumper cable"??

    What "input" do you want routed from a LAN port to the WAN port? (By default all traffic is routed from the LAN port to the WAN port if it is destined for the internet...)
     
  5. sded

    sded Network Guru Member

    On a DSL modem configured as a bridge, the ethernet cable supports the WAN data from the modem and the LAN data to/from the modem firmware. I can plug it into a LAN port and access the bridge statistics at 192.168.0.1-but then I have no DSL connection. I can plug it into the WAN port and access the DSL data, but then can't access the modem. I can plug it into a separate switch and run separate cables to a WAN and LAN port on the WRT54G and do both. I can save the separate switch and run it to a LAN port on the WRT54G, run a cable from another LAN port to the WAN port, and do both (this is how I am currently configured). My question is whether I can do an internal bridging of a LAN port to the WAN port and save the extra cable hanging out?
     
  6. schembo2000

    schembo2000 Network Guru Member

    I think if you plug the modem into the WAN port and then set your subnet mask to 255.255.254.0, you will be able to access the modem.
     
  7. 4Access

    4Access Network Guru Member

    Assuming I finally understand what he's trying to do I don't think this will work...

    Instead try:

    1. Go to the 'Administration -> Diagnostics' page and press the Run button.

    2. Paste the following into the text box:

    Code:
    ifconfig vlan1:0 192.168.0.2 netmask 255.255.255.0
    iptables -t nat -I POSTROUTING -o vlan1 -d 192.168.0.0/24 -j SNAT --to-source 192.168.0.2

    3. Press the 'Save Firewall' button.

    4. Reboot

    With this configuration you will only need to run a single cable from the modem to the WAN port on the WRT and will be able to access the Modem's admin/statistics page from any PC behind the WRT.

    Tested and confirmed it works with a WRT54G v2 running DD-WRT v23 beta2

    :thumb:
     
  8. sded

    sded Network Guru Member

    There are DSL modems with bridged modes that support this (routed bridge? I think it was called on my Westells), but the plain old bridges like those that SBC supplies from Efficient/Speedstream don't have this feature. In fact, when you change to bridged mode they give you a warning: "When using Bridged mode your access to the modem becomes limited. To return to the DSL modem user interface after this change you need to directly connect your PC to the modem without any gateway or router between the modem and the PC and configure your computer appropriately.
    Configure the IP address of your computer to be on the same network as the modem by using an IP address of the form 192.168.x.x (except 192.168.0.1) and a network mask of 255.255.0.0. "
    In other words, swap the cable to a LAN port. I use 255.255.0.0 as a mask and connecting to the WAN port makes the user interface inaccessible unless the cable is swapped to a LAN port or I use one of the switching procedures described above.
     
  9. 4Access

    4Access Network Guru Member

    Finally got it working! Updated my last post, see steps above. Let me know if it works. Does here. :thumb:
     
  10. sded

    sded Network Guru Member

    Tried it exactly as written several times, but couldn't get it to work. Tried some variations like using 192.168.0.1 (the modem address) in place of 192.168.0.2, saving to startup instead of firewall. Actually got it working briefly, but couldn't repeat it or figure out what I did differently. Putting the modem address in just brings up the dd-wrt diagnostic page instead. My NIC is 192.168.1.9/255.255.0.0 , WRT54G is 192.168.1.1, modem is 192.168.0.1 if that makes a difference. When I had it working, what killed it was switching to a wireless NIC at 192.168.1.8 (may just be a coincidence) and I couldn't repeat the success. Tried erasing nvram, reloading dd-wrt mini, couldn't get it to work. Any other ideas? Or procedures? Since it did work briefly, seems like I'm just missing something. But as written, it didn't work for me. And I did include the whole thing, including the code:<select>. Thanks; Ed.
     
  11. 4Access

    4Access Network Guru Member

    Ah! That might be the problem. You DON'T want to include the text "code:<select>" just the text IN the box, starting at ifconfig.

    If that doesn't work then post the output of the following commands so I can see what's going on:

    ifconfig

    iptables -t nat -L -v -n

    iptables -L FORWARD -v -n


    You may want to edit out your public IP address from the output of the ifconfig command and the first iptables command.
     
  12. sded

    sded Network Guru Member

    NOTE: I tried it again from the top about 15 minutes later than the message below, and it worked briefly. So something may be writing over it or resetting it.

    OK; still didn't get it to work, but here is the data after execution of command sequence:

    br0 Link encap:Ethernet HWaddr 00:14:BF:zz:xx:yy
    inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
    RX packets:1391 errors:0 dropped:0 overruns:0 frame:0
    TX packets:1336 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:158826 (155.1 KiB) TX bytes:482604 (471.2 KiB)
    eth0 Link encap:Ethernet HWaddr 00:14:BF:17:49:83
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:1710 errors:0 dropped:0 overruns:0 frame:0
    TX packets:2078 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:272428 (266.0 KiB) TX bytes:546641 (533.8 KiB)
    Interrupt:4 Base address:0x1000
    eth1 Link encap:Ethernet HWaddr 00:14:BF:zz:zz:yy
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:47 errors:0 dropped:0 overruns:0 frame:1440
    TX packets:567 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:4709 (4.5 KiB) TX bytes:46130 (45.0 KiB)
    Interrupt:2 Base address:0x5000
    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
    RX packets:1364 errors:0 dropped:0 overruns:0 frame:0
    TX packets:1364 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:76551 (74.7 KiB) TX bytes:76551 (74.7 KiB)
    vlan0 Link encap:Ethernet HWaddr 00:14:BF:zz:xx:yy
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:1342 errors:0 dropped:0 overruns:0 frame:0
    TX packets:1720 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:160112 (156.3 KiB) TX bytes:510769 (498.7 KiB)
    vlan1 Link encap:Ethernet HWaddr 00:14:BF:zz:xx:yy
    inet addr:72.25.101.43 Bcast:72.25.101.255 Mask:255.255.255.0
    UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
    RX packets:368 errors:0 dropped:0 overruns:0 frame:0
    TX packets:358 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:81536 (79.6 KiB) TX bytes:35872 (35.0 KiB)
    vlan1:0 Link encap:Ethernet HWaddr 00:14:BF:zz:xx:yy
    inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
    UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1



    Chain PREROUTING (policy ACCEPT 1 packets, 48 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DNAT icmp -- * * 0.0.0.0/0 72.25.xxx.yy to:192.168.1.1
    0 0 TRIGGER all -- * * 0.0.0.0/0 72.25.xxx.yy TRIGGER type:dnat match:0 relate:0
    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 MASQUERADE all -- * vlan1 0.0.0.0/0 0.0.0.0/0
    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
    0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    0 0 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 tcpmss match 1461:65535 TCPMSS set 1460
    307 40786 lan2wan all -- br0 * 0.0.0.0/0 0.0.0.0/0
    518 105K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP tcp -- * vlan1 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
    0 0 DROP udp -- * vlan1 0.0.0.0/0 0.0.0.0/0 udp dpt:1701
    0 0 DROP udp -- * vlan1 0.0.0.0/0 0.0.0.0/0 udp dpt:500
    0 0 ACCEPT udp -- vlan1 * 0.0.0.0/0 224.0.0.0/4 udp
    0 0 TRIGGER all -- vlan1 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
    99 5395 trigger_out all -- br0 * 0.0.0.0/0 0.0.0.0/0
    99 5395 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
    0 0 DROP all -- * * 0.0.0.0/0
     
  13. 4Access

    4Access Network Guru Member

    The iptables command isn't taking. I have a feeling you're still pasting it in wrong. Note that the Code box in step 2 has only two commands in it, the second one starting with "iptables" is probably too long and is wrapping onto a 3rd line.

    Try this: Repeat the steps again but this time when you get to step 2 click on the word "Select" in the header of the code box which will highlight all the text in the box. Next press the CTRL + C keys on your keyboard (Hold down CTRL and then press C) then go to the router and paste the text into the run box.

    After pressing the 'Save Firewall' button this time though, don't reboot immediately, instead type the following command into the Run box and press the Cmd button:

    nvram get rc_firewall

    You should see the exact same text that's in the code box in step 2 above. If not there's a problem with the way you're entering the commands and we'll have to try finding another way for you to enter the necessary commands. (Telnet maybe.) If the commands are the same reboot and everything should work.
     
  14. sded

    sded Network Guru Member

    Checked everything per your instructions, but still no success. Code lines looked fine. Tried entering the same commands with telnet followed by a reboot; no change. Could there be something missing/added in the code box? There have been a few random short term successes I can't explain. BTW I went ahead and upgraded to the mini 12/2 build with no change. Thanks for the effort; Ed.
     
  15. 4Access

    4Access Network Guru Member

    Hmm... I'm not sure where your trouble is. I just double checked the commands again and they work fine here. What version is your WRT? I'm running a slightly older build of DD-WRT on my test box at the moment so I'll try loading the 12/2 build in a few minutes and make sure there's no problems there. Did you make sure to reset your router to defaults after updating the firmware? (Hold reset button for 30 sec.)

    When you entered the commands from step 2 via telnet were they accepted without any errors? Also it's worth mentioning that when you entered the commands from telnet, unless you manually saved them to nvram the settings will only last until you reboot the router...

    The fact that you say it works for a short while is strange... you haven't made any other significant changes to the router's configuration have you?
     
  16. sded

    sded Network Guru Member

    Realized after I sent the message that I hadn't saved the telnet entries, but they did enter without errors. How to save? Did the 30 second reset often; normally reset to factory. This morning (and other times) did an erase nvram and reboot before entering the commands, using wrt defaults with the 12/2 mini-generic. I certainly can't explain it, especially the temporary successes, but the cable still works. :) Let me know what else to try. Thanks; Ed.
     
  17. sded

    sded Network Guru Member

    Eureka!

    Looks like I stumbled across the solution reading your other posts to amree. With the redirect, and my NICs on 192.168.1.x, I needed to change the NIC subnet mask back to 255.255.255.0. I had it set at 255.255.0.0 to directly access both the 0.x and the 1.x subnets (lazy). Now works just like it's supposed to. Not sure why it wouldn't work anyway; maybe you have a better feel for it? Should be in a FAQ somewhere-this is a very generic problem for DSL modems. Most don't see it because they are using PPPOE connections, but it is a nuisance for DHCP and static IP with DSL bridges. And the tens of thousands of bridges and PPPOE bridges that SBC (and others) give out all have this problem. BTW, this is a persistent change unless I do an NVRAM erase or a long reset, then I will need to do it again? Thanks again; Ed.
     
  18. 4Access

    4Access Network Guru Member

    Yeah I have at least 4 mini guides like this I really need to put in the DD-WRT Wiki... I've been meaning to work on that for a while. I just have to force myself to stop reading the forum in my spare time and update the Wiki instead... Maybe I'll try to get at least this one into the Common Configuration Guides section before the weekend is over.

    Yup :)
     
  19. sded

    sded Network Guru Member

    Works on Hyperwrt also

    Took a quick look and verified that adding the script commands to the firewall script in tofu11 also works fine. Ed.
     
  20. virgil

    virgil Network Guru Member

    I tried the firewall script 4Access provided on my WRT54G running HyperWRT2.1b1 (tofu10 and tofu11) :

    Code:
    ifconfig vlan1:0 192.168.0.2 netmask 255.255.255.0
    iptables -t nat -I POSTROUTING -o vlan1 -d 192.168.0.0/24 -j SNAT --to-source 192.168.0.2

    but couldn't connect to the modem (in bridge mode)

    so I erased the firewall script, rebooted and tried entering the lines individually under Administration > Management > Run Command but at the second line, I got

    any ideas on what is going wrong? :cry:
     
  21. 4Access

    4Access Network Guru Member

    I have a feeling the SNAT target is not included in the Tofu firmware...

    Do you see it listed when you enter the following command?

    cat /proc/net/ip_tables_targets

    If it's not then unfortunately you're out of luck. Either request that it be added to Tofu or consider trying DD-WRT.
     
  22. virgil

    virgil Network Guru Member

    OK - got this as a reply:

     
  23. 4Access

    4Access Network Guru Member

    Hmmm... "ERROR" is not actually a target to the best of my knowledge. I think there might be a problem with the SNAT target. You might want to have Tofu look into that.
     
  24. sded

    sded Network Guru Member

    Worked for me on tofu11 by entering it into the firewall script and rebooting. Check your NIC IP address and netmask per problems above. Is modem at 192.168.0.1?

    0707a
    I'm using tofu11 again now and the script is working fine-can access the modem on 192.168.0.1 through the WAN port with no problem. Procedure was
    Go to administration/scripts/edit firewall scripts
    copy and paste the two command lines to the firewall script box
    hit save
    hit close
    hit reboot


    Device List
    Refresh

    IF MAC Address IP Address Name RSSI Lease Expires
    vlan1 00:13:A3:30:C2:B8 192.168.0.1
    br0 00:0C:F1:1E:B7:FE 192.168.1.8 -32 dBm
    vlan1 00:02:3B:00:86:31 72.xx.yy.1
    :D :rockon:

    But site survey still doesn't work 8O
     
  25. 4Access

    4Access Network Guru Member

    Just to compare, what output do you get when you run the command:

    cat /proc/net/ip_tables_targets
     
  26. sded

    sded Network Guru Member

    Sorry; back to dd-wrt mini now. Worked all day on Tofu11 without a problem. Will check next time I use Tofu.
     
  27. sded

    sded Network Guru Member

    OK, finished chores, back to Tofu11

    Erased NVRAM, reflashed Tofu11 and restored saved configuration from yesterday. Still have access to modem on 192.168.0.1
    Response to
    # cat /proc/net/ip_tables_targets

    TRIGGER
    autofw
    TCPMSS
    TTL
    LOG
    REDIRECT
    MASQUERADE
    MARK
    DSCP
    TOS
    CLASSIFY
    REJECT
    DNAT
    SNAT

    ERROR


    Modem had been up quite a while, needed to reboot that too to get access. Has that been tried? BTW, spaces in target names are not there in original; artifact of site.
     
  28. virgil

    virgil Network Guru Member

    sded

    If it's not a bother, can you

    1. erase the firewall script, reboot and

    2. enter these commands (individually) under the Administration > Management > Run Command window.

    ifconfig vlan1:0 192.168.0.2 netmask 255.255.255.0

    iptables -t nat -I POSTROUTING -o vlan1 -d 192.168.0.0/24 -j SNAT --to-source 192.168.0.2

    What is the response you get from the second line?
     
  29. sded

    sded Network Guru Member

    Erased nvram; rebooted, entered the commands. First one was just echoed, second one got an error message, as Tofu indicated:

    iptables v1.2.11: Unknown arg `--to-source'
    Try `iptables -h' or 'iptables --help' for more information.

    Works fine with just the first command executed in Tofu11, since the second one was never valid.
     
  30. virgil

    virgil Network Guru Member

    So if only the first line in the script is valid on tofu11

    # ifconfig vlan1:0 192.168.0.2 netmask 255.255.255.0

    and the second line has an error

    # iptables -t nat -I POSTROUTING -o vlan1 -d 192.168.0.0/24 -j SNAT --to-source 192.168.0.2

    iptables v1.2.11: Unknown arg `--to-source'
    Try `iptables -h' or 'iptables --help' for more information.


    How do you access the modem from your LAN?

    Do you telnet to the WRT54G and then telnet again to the modem? :eek:
     
  31. sded

    sded Network Guru Member

  32. sded

    sded Network Guru Member

  33. virgil

    virgil Network Guru Member

    sded

    > Per Tofu in other thread ( http://www.linksysinfo.org/modules.php?name=Forums&file=viewtopic&t=10726&start=20 ) first command is all it takes to make it work.

    Actually, I am puzzled as in HyperWRT, the ifconfig command merely creates a vlan that maps to the WAN port, but does not have instructions on how to route the packets from LAN port to WAN port. That's why iptables is needed - at least in DD-WRT (and most docs on Linux firewalls)

    Am also puzzled by your Device List and methinks you have more in your config - particularly the last line's MAC ...

    Would you be able to post the results of just "ifconfig" when you telnet to WRT54G running HyperWRT after the first ifconfig command line?
     
  34. sded

    sded Network Guru Member

    I get
    # ifconfig

    br0 Link encap:Ethernet HWaddr 00:14:BF:17:49:83
    inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
    RX packets:46740 errors:0 dropped:0 overruns:0 frame:0
    TX packets:52354 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:6832662 (6.5 MiB) TX bytes:27545853 (26.2 MiB)

    eth0 Link encap:Ethernet HWaddr 00:14:BF:17:49:83
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:98739 errors:0 dropped:0 overruns:0 frame:0
    TX packets:117224 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:35620601 (33.9 MiB) TX bytes:36579742 (34.8 MiB)
    Interrupt:4 Base address:0x1000

    eth1 Link encap:Ethernet HWaddr 00:14:BF:17:49:85
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:146999
    TX packets:0 errors:133 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
    Interrupt:2 Base address:0x5000

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

    vlan0 Link encap:Ethernet HWaddr 00:14:BF:17:49:83
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:46740 errors:0 dropped:0 overruns:0 frame:0
    TX packets:69708 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:7019622 (6.6 MiB) TX bytes:28865925 (27.5 MiB)

    vlan1 Link encap:Ethernet HWaddr 00:14:BF:17:49:84
    inet addr:72.25.xxx.yy Bcast:72.25.xxx.255 Mask:255.255.255.0
    UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1
    RX packets:51999 errors:0 dropped:0 overruns:0 frame:0
    TX packets:47516 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:26823677 (25.5 MiB) TX bytes:7713817 (7.3 MiB)

    vlan1:0 Link encap:Ethernet HWaddr 00:14:BF:17:49:84
    inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
    UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST MTU:1500 Metric:1

    BTW, I tested it first from the basic Tofu11 configuration with default settings, and it worked fine. So it is something Tofu did.
     
  35. sded

    sded Network Guru Member

    Also got around to verifying today that dd-wrt also works with just the first command. v23/mini, did an erase nvram; reboot, then ran just the first command from cmd and could access the modem on 192.168.0.1 with no problems.
     
  36. 4Access

    4Access Network Guru Member

    And it actually makes sense that only the first command is needed now that I think about it. I was overthinking things again. Ah well. At least when I *finally* get around to adding this to the Wiki it'll be right. :D
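
The checks this thread worked through by hand (client netmask, whether the NAT rule took, whether the target is listed), as an added example that is not part of any post and not code from DD-WRT or HyperWRT. It runs offline over pasted output; the function names are hypothetical and the sample listings are constructed in the format of the output posted above.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical and the
# sample listings are constructed in the format of the output posted above.

# Convert dotted-quad A.B.C.D to an integer so a netmask can be applied.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1                       # split the address on the dots
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# next_hop CLIENT_IP CLIENT_MASK DEST
#   direct  : client treats DEST as on its own segment and ARPs for it, so
#             the packet never reaches the router (the 255.255.0.0 case)
#   gateway : client hands the packet to its default gateway (the WRT)
next_hop() {
    c=$(ip_to_int "$1"); m=$(ip_to_int "$2"); d=$(ip_to_int "$3")
    if [ $(( c & m )) -eq $(( d & m )) ]; then echo direct; else echo gateway; fi
}

# nat_target_for OUT_IF DEST_NET   (stdin: iptables -t nat -L POSTROUTING -v -n)
# Prints the target of the first rule on OUT_IF whose destination is DEST_NET
# or the catch-all 0.0.0.0/0, or "none". First match wins, as in iptables.
# Columns: pkts bytes target prot opt in out source destination
nat_target_for() {
    awk -v ifc="$1" -v net="$2" '
        $7 == ifc && ($9 == net || $9 == "0.0.0.0/0") { print $3; found = 1; exit }
        END { if (!found) print "none" }'
}

# kernel_has_target NAME   (stdin: contents of /proc/net/ip_tables_targets)
# In the thread SNAT was listed here while iptables v1.2.11 still rejected
# --to-source, so also read the error from the iptables command itself.
kernel_has_target() {
    grep -qx "$1"
}

# Constructed sample: POSTROUTING without the inserted rule ...
POSTROUTING_BEFORE='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * vlan1 0.0.0.0/0 0.0.0.0/0'
# ... and with it (SNAT line constructed, not copied from the thread).
POSTROUTING_AFTER='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * vlan1 0.0.0.0/0 192.168.0.0/24 to:192.168.0.2
0 0 MASQUERADE all -- * vlan1 0.0.0.0/0 0.0.0.0/0'

echo "client /16: $(next_hop 192.168.1.9 255.255.0.0 192.168.0.1)"
echo "client /24: $(next_hop 192.168.1.9 255.255.255.0 192.168.0.1)"
echo "before: $(printf '%s\n' "$POSTROUTING_BEFORE" | nat_target_for vlan1 192.168.0.0/24)"
echo "after:  $(printf '%s\n' "$POSTROUTING_AFTER" | nat_target_for vlan1 192.168.0.0/24)"
```

A "before" result of MASQUERADE means the catch-all rule on vlan1 still applies to traffic for the modem, which is consistent with the thread's finding that the ifconfig line alone was enough.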
     
