1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

IP Passthrough Possible ?

Discussion in 'Tomato Firmware' started by venk25, Jan 4, 2008.

  1. venk25

    venk25 Network Guru Member

    Is it possible to assign WAN IP address to one system on the LAN ? Can be via DHCP or non-DHCP LAN IPs.

    I know the answer is No, at least from the GUI - but can anybody think of other ways - like routing table tweaks ?

    Currently I get WAN IP via DHCP but it rarely changes - so, even if I have to manually set that IP on the LAN system, it can work.
     
  2. mstombs

    mstombs Network Guru Member

    I'd be interested in knowing how to do this as well. The speedtouch dsl modem routers (closed source) have this feature.

    I could make the router pass on the single WAN IP it from a command line script if I could disable the current firewall and nat function - which means it the router would become single user.

    I have done this before for my adsl router to turn it into a half-bridge modem (fine single user, if that single user is a nat router!).

    But I hit a problem with "arp" and "route" functions when experimenting with this hybrid mode - the issue is that the router obtains the WAN IP on its WAN interface (usually vlan1) - so you cannot tell it that the WANIP is also reachable via the lan ports (usually br0).
     
  3. mikester

    mikester Network Guru Member

    If you plug the WAN cable into a LAN port and your PC into the LAN port the router will act as a hub and simply pass the traffic through...however you will lose the firewall.
     
  4. paped

    paped LI Guru Member

    Not sure why you want to do this but if you just need to access all ports on a PC from the internet I would have thought that the DMZ IP address could be used as this bypasses the firewall.
    Other than that if you wanted to access just certain services on the PC such as a web server on you PC from the internet just forward port 80 to the PC's "static" or "reserved dhcp" LAN IP address. For other services just forward the relevent ports in the same way i.e. smtp would be port 25, pop3 port 110 etc. You can even forward to a different port i.e. connect over the internet to say port 8080 and have to router forward it to port 80 at your PC's LAN IP address.
    You also mentioned (or somebody did) that your internet IP on the router changes "occasionally" to bypass this set-up a free DYNDNS domain name and configure tomato to automatically update your DYNDNS account with the new IP address when it changes....

    Hope this helps....
     
  5. mstombs

    mstombs Network Guru Member

    There are some devices (VPN, VOIP etc) that need to be given the real WANIP.
    Most are now NAT aware and can operate behind a NAT firewall - but if the device encrypts its IP address inside message packets they may get rejected by the device at the other end of the link that expects the packet to have come from the same IP as encoded.
     
  6. venk25

    venk25 Network Guru Member

    Thanks for the replies.

    mikester, apart from loosing the firewall, the issue I have is I get only one IP from my ISP and I have more than 1 systems at home !

    paped - I should have been clearer - yes I have static IP, static DHCPs, port forwards that does what I need for most cases. The reason I'm looking for IP passthrough - mstombs nailed it. I have a locked VoIP box that is configured by my provider to use outbound proxy (no STUN). My provider doesn't allow incoming SIP URI calls but I want to have it via direct IP calls. I found the username, setup port forwarding etc. and managed to get incoming calls to ring but nothing beyond. This is because the box encodes its the private LAN IP in SIP messages. If I can assign my WAN IP to the box, it will put the WAN IP in SIP messages and everything should work.
     
  7. paped

    paped LI Guru Member

    Light bulb moment - I understand now, apologies for that as my suggestions will not really work in your situation then....
     
  8. mstombs

    mstombs Network Guru Member

    Assign WAN IP to a LAN device

    Apologies for digging up this old thread, but I finally found out how to do this in my adsl router code so here is the equivalent in Tomato.

    This works fine with my adsl connection but doesn't with cable - I do know why but do not know how to fix...

    This little script basically takes the ISP provided WAN IP away from the router and allows it to be assigned to a LAN device (manual static). The router still uses the WAN IP to nat other connections using SNAT instead of MASQUERADE. The info for this is in

    http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html#ss6.1

    Code:
    #!/bin/sh -x
    WIF=$(nvram get wan_iface)
    WIP=$(nvram get wan_ipaddr)
    WNM=$(nvram get wan_netmask)
    WGW=$(nvram get wan_gateway)
    LIF=$(nvram get lan_ifname)
    LIP=$(nvram get lan_ipaddr)
    LNM=$(nvram get lan_netmask)
    IFCONFIG=/sbin/ifconfig
    ROUTE=/sbin/route
    IPTABLES=/usr/sbin/iptables
    #	remove WAN IF IP
    $IFCONFIG $WIF 0.0.0.0 up
    #	replace default route to Gateway through WIF
    $ROUTE add -host $WGW dev $WIF
    $ROUTE add default gw $WGW
    #	add route to WAN IP through LAN iface
    $ROUTE add -host $WIP dev $LIF
    # enable proxy_arp so can use WGW s gateway on LAN device
    echo "1" >/proc/sys/net/ipv4/conf/$WIF/proxy_arp
    echo "1" >/proc/sys/net/ipv4/conf/$LIF/proxy_arp
    #	replace MASQ on WIF with SNAT
    $IPTABLES -t nat -D POSTROUTING -o $WIF -j MASQUERADE
    $IPTABLES -t nat -I POSTROUTING -s $LIP/$LNM -o $WIF -j SNAT --to-source $WIP
    #	add a bit of extra firewall
    $IPTABLES -t nat -I PREROUTING -i $WIF -d ! $WIP -j DROP
    This doesn't work with my cable modem because arp "who-has" commands are sent out on the WAN port with the router local IP address, and the cable modem refuses to reply to them (it will only talk to a device using the WAN IP it has given). My adsl modem running a similar version of Linux to Tomato doesn't seem to mind and happily replies. I didn't see this problem in my modem as the ppp connection doesn't use arp, so it 'may work' for pppoe connections...

    I haven't tested but existing static and upnp port forwards should still be working, to get DMZ and external connections to the LAN device with the WAN IP will need some more commands... I only tested outgoing initiated.
     
  9. mikester

    mikester Network Guru Member

    Wouldn't a simple port forward do? From the WAN side it'll look like it's attaching to the WAN IP...all you need to do is forward the appropriate ports to the LAN IP.
     

Share This Page