Is this possible? - Multiple Static WAN IPs w/ Toastman

Discussion in 'Tomato Firmware' started by cr00kedview, Feb 22, 2012.

  1. cr00kedview

    cr00kedview Network Guru Member

    Here's my scenario - I am using an RT-N16 with Toastman's K26 USB VPN build.

    I currently have a webserver (IIS7.5) running a site with SSL, we'll say it's 192.168.0.100 for this example. I have ports 80 and 443 forwarded to this internal IP. I need to add a second site with a different SSL certificate (different domain name than the first site), and from my understanding, I will need a second IP since the SSL port is bound to a single IP on IIS.

    I need to be able to have a second static IP from my ISP route to a different internal IP, say 192.168.0.200, but ONLY on ports 80 and 443. I need to retain all other forwarding on the first static IP.

    I've tried accomplishing this by adding the separate domain names to the SRC address field in port forwarding, but this didn't work at all.

    So, is this possible, and if so, how?

    Thanks!
     
  2. ntest7

    ntest7 Network Guru Member

    Yes, it's possible, but not via the web interface. You'll need to use the standard Linux networking commands ifconfig and iptables; google for further help.

    I'll take a stab at the commands needed to give you a starting point. The general procedure below is correct, but the example commands might need tweaking.

    Test from a telnet or ssh window. When you get it working, add the proper commands to the Administration/Scripts/Firewall page.

    - add the secondary IP as an alias to the wan port
    ifconfig vlan1:0 1.2.3.5 broadcast 1.2.3.255 netmask 255.255.255.0
    (use the IP, broadcast, and netmask your ISP supplies) (well, duh!)

    - add iptables NAT rules
    iptables -t nat -A PREROUTING -p tcp -d 1.2.3.5 --dport 443 -j DNAT --to 192.168.0.200
    iptables -t nat -A PREROUTING -p tcp -d 1.2.3.5 --dport 80 -j DNAT --to 192.168.0.200
    iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.200 --dport 443 -j SNAT --to 1.2.3.5
    iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.200 --dport 80 -j SNAT --to 1.2.3.5

    - open the port
    iptables -A wanin -p TCP -d 192.168.0.200 --dport 443 -j ACCEPT
    iptables -A wanin -p TCP -d 192.168.0.200 --dport 80 -j ACCEPT


    Let us know how it goes!
     
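    As an added example that is not from this thread or from Tomato's own scripts: a POSIX shell function that prints the complete rule set for one extra public IP so it can be reviewed before being pasted into Administration/Scripts/Firewall. The interface, addresses and ports are placeholders, and the SNAT is narrowed to LAN-originated (hairpin) connections so the web server's logs keep WAN clients' real source addresses.

```shell
#!/bin/sh
# rule_cmds WAN_IF PUB_IP BCAST MASK LAN_NET LAN_IP "PORT ..."
# Prints (does not run) the commands for one secondary public IP.
rule_cmds() {
    wan_if=$1; pub_ip=$2; bcast=$3; mask=$4; lan_net=$5; lan_ip=$6; ports=$7
    # Secondary address as an alias on the WAN interface (vlan1 or vlan2
    # depending on the router model; RT-N16 builds use vlan2).
    echo "ifconfig ${wan_if}:0 $pub_ip broadcast $bcast netmask $mask"
    for p in $ports; do
        # Redirect the alias's port to the internal host. Connection tracking
        # reverses this for replies, so no SNAT is needed for WAN clients.
        echo "iptables -t nat -A PREROUTING -p tcp -d $pub_ip --dport $p -j DNAT --to-destination $lan_ip"
        # Hairpin only: LAN hosts reaching the public IP get their source
        # rewritten so the server answers via the router instead of directly.
        echo "iptables -t nat -A POSTROUTING -s $lan_net -d $lan_ip -p tcp --dport $p -j SNAT --to-source $pub_ip"
        # Tomato's wanin chain filters forwarded WAN->LAN traffic; open only this port.
        echo "iptables -A wanin -p tcp -d $lan_ip --dport $p -j ACCEPT"
    done
}

# Placeholder values (constructed, not a real deployment). Set APPLY=1 on the
# router to execute the printed commands; otherwise they are only listed.
if [ "${APPLY:-0}" = 1 ]; then
    rule_cmds vlan2 1.2.3.5 1.2.3.255 255.255.255.0 192.168.0.0/24 192.168.0.200 "80 443" | sh -e
else
    rule_cmds vlan2 1.2.3.5 1.2.3.255 255.255.255.0 192.168.0.0/24 192.168.0.200 "80 443"
fi
```

    Because the script is re-run from scratch on every firewall restart, there is no need to guard against duplicate rules; verify the result with `iptables -t nat -L PREROUTING -n` and `iptables -L wanin -n`.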
  3. lancethepants

    lancethepants Network Guru Member

    http://tomatousb.org/tut:setup-multiple-static-public-ips

    TLS 1.1 is supposed to take care of multiple SSL domains on a single IP, whenever it goes standard. Nginx supports it right now, but I think Chrome is the only supported browser. The link is from the TomatoUSB.org tutorials section.
     
  4. ntest7

    ntest7 Network Guru Member

    Well, looks as if I've reinvented the wheel. Thanks for the link!
     
  5. cr00kedview

    cr00kedview Network Guru Member

    Thanks for the info, guys. I just want to confirm that if I follow the steps in ntest7's post, I won't fudge with any of the current port forwards?
     
  6. ntest7

    ntest7 Network Guru Member

    Correct. Neither my example commands nor the how-to link commands should affect existing forwards.
     
  7. cr00kedview

    cr00kedview Network Guru Member

    Would this work if the separate addresses are in a different gateway?
     
  8. ntest7

    ntest7 Network Guru Member

    This is specifically for using multiple static IPs assigned by your ISP, not for multiple connections. The IPs must be part of the same subnet. For multiple connections see the DualWAN mod.
     
  9. cr00kedview

    cr00kedview Network Guru Member

    ntest7,

    Using your example above, I'm able to access the website on the second IP from behind the LAN, but not from a computer outside the LAN. Is there something I'm missing? Right now, my config is:

    ifconfig vlan1:0 24.220.193.227 broadcast 24.220.193.231 netmask 255.255.255.248

    iptables -t nat -A PREROUTING -p tcp -d 24.220.193.227 --dport 443 -j DNAT --to 192.168.0.251
    iptables -t nat -A PREROUTING -p tcp -d 24.220.193.227 --dport 80 -j DNAT --to 192.168.0.251
    iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.251 --dport 443 -j SNAT --to 24.220.193.227
    iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.251 --dport 80 -j SNAT --to 24.220.193.227

    iptables -A wanin -p TCP -d 192.168.0.251 --dport 443 -j ACCEPT
    iptables -A wanin -p TCP -d 192.168.0.251 --dport 80 -j ACCEPT
     
  10. shadowken

    shadowken Networkin' Nut Member

    Modify the last two lines and specify a source port, e.g.:
    iptables -A wanin -p tcp --sport 3128 -d 192.168.0.251 --dport 443 -j ACCEPT
    iptables -A wanin -p tcp --sport 3120 -d 192.168.0.251 --dport 80 -j ACCEPT
     
  11. cr00kedview

    cr00kedview Network Guru Member

    Still no dice from the WAN side - I also changed to vlan2 for the RT-N16. In the two lines that you had me modify, do I need to specify the second static IP somehow?
     
  12. shadowken

    shadowken Networkin' Nut Member

    Did you restart the firewall service?
    If so, remove the wanin rules.
    Go to PORT FORWARDING > Add rules > with the source port, destination IP & port.
     
  13. cr00kedview

    cr00kedview Network Guru Member

    Okay, I'll refresh what's going on:

    I currently have 2 static IPs, 24.220.193.226 and 24.220.193.227. The .226 is the IP I have configured in the router GUI settings, and I also have ports 80 and 443 forwarded through the router GUI to go to internal IP 192.168.0.250. The webserver behind this IP works fine; everyone outside the LAN can access the local machine.

    Now, for the second IP, .227, this is what I currently have in my firewall config (and I've restarted the router):

    ifconfig vlan2:0 24.220.193.227 broadcast 24.220.193.231 netmask 255.255.255.248

    iptables -t nat -A PREROUTING -p tcp -d 24.220.193.227 --dport 443 -j DNAT --to 192.168.0.251
    iptables -t nat -A PREROUTING -p tcp -d 24.220.193.227 --dport 80 -j DNAT --to 192.168.0.251
    iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.251 --dport 443 -j SNAT --to 24.220.193.227
    iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.251 --dport 80 -j SNAT --to 24.220.193.227

    iptables -A wanin -p tcp --sport 443 -d 192.168.0.251 --dport 443 -j ACCEPT
    iptables -A wanin -p tcp --sport 80 -d 192.168.0.251 --dport 80 -j ACCEPT

    This allows LAN traffic to access the webserver at 192.168.0.251, but people outside the LAN cannot, so it seems like there's something preventing the forwarding from happening.

    Hope this helps and thanks everyone for the tips!
     
  14. cr00kedview

    cr00kedview Network Guru Member

    Should also note that I followed the instructions linked by lancethepants without success. Is there a way to clear all the iptables stuff that I've entered without effing up my port forwards done through the GUI?
     
  15. ntest7

    ntest7 Network Guru Member

    Easy undo: delete everything on the Scripts/Firewall page and reboot the router.

    Manual undo (no reboot): from the telnet/ssh prompt, type these two lines:
    rm /tmp/script_fire.sh
    service firewall restart
     