
Is this possible?

Discussion in 'Tomato Firmware' started by petah, Jul 4, 2008.

  1. petah

    petah Addicted to LI Member

    Is this possible? EDIT: yes, it is possible!

    EDIT... What I wanted to do is possible. It works pretty well so far, so keep reading!

    Basically what I wanted to do is have my Asus running Tomato do NAT and also do regular/real IP routing for one server.

    Newbie here.

    Currently running Asus WL500P with Tomato and using PPPoE connection with 1 static ip assigned.

    I have another /30 block with 1 useable IP which I would like it assigned to a server that is hooked up to the router.

    Is this possible? How would I do it? (I've bridged port #4 to WAN via this link: http://www.dd-wrt.com/wiki/index.php/VLAN_Bridging_WAN_and_a_LAN_port)
     
  2. ooglek

    ooglek LI Guru Member

    Tomato does not do VLANs. But...

    From what I've read and what I can find, Tomato does NOT support VLANs.

    However, that doesn't mean you couldn't do something fancy with the iptables config to allow traffic to pass unfettered from WAN to LAN port 4. I am NOT an iptables god, and though I understand what it does, I'm not sure how to do it. BUT I do suspect it is possible. See if you can search Google (or your favorite search engine) for "iptables bridge" or bridging or something like that. This is your basic Linux install, just different hardware, and if you had 5 ethernet ports on a PC running Linux, even without VLANs you could probably get this done.
     
  3. LLigetfa

    LLigetfa LI Guru Member

    VLANs are supported, just not in GUI. I have a VLAN setup to access the WebGUI of my modem using iptables rules. I don't know iptables well enough though to confidently allow a second public IP in.
     
  4. HennieM

    HennieM Network Guru Member

  5. petah

    petah Addicted to LI Member

    thanks for the links... still not getting it right.

    Maybe I am missing some firewall rules, or my ifconfig/ip/route configuration is not done correctly. I'll try to draw a better picture with more info tomorrow.
     
  6. petah

    petah Addicted to LI Member

    Here is the info.

    I recently switched ISP and am now using an Asus WL500P router with DD-WRT/Tomato, which is a Linux 2.4.22 kernel and iptables.

    The ISP I am with uses PPPoE and assigns me a static IP address, 206.248.138.248.

    I bought an extra 206.248.141.240/30 block. The ISP assigns 206.248.141.241 on their side and told me I can use 206.248.141.242 on my side.

    The router I have supports vlan1 (I suppose I assign the extra static IP to this interface?), ppp0 (my main static IP), and eth0 (I think that is for wireless). Any idea how to route the 206.248.141.242 IP? Am I missing something with firewall rules as well?

    thanks.
     
  7. PeterT

    PeterT Network Guru Member


    Isn't the real issue that, regardless of whether Tomato (or any other router) supports it, you would have to get your ISP to set up routing on HIS side to ensure that the address for your /30 block is routed to YOUR router?
     
  8. HennieM

    HennieM Network Guru Member

    OK, there are no physical ports that have to be bridged (in this setup). Getting requests to and from the right external IP to the right internal IP and vice versa is done with iptables. It's routing, or more correctly, NATting, not bridging.

    We assume your vlan1 interface is your WAN port connected to the internet (via whatever protocol - PPPoE, PPPoA, DHCP, etc. does not matter).

    If you do "ifconfig", you should see some details showing vlan1 having your first IP address 206.248.138.248.

    As a first step, you want to assign a second IP (206.248.141.242) to the vlan1 interface.

    You can use

    /usr/sbin/ip addr add 206.248.141.242/30 dev vlan1

    OR (and I prefer the below one as you can see what's cooking in ifconfig)

    ifconfig vlan1:0 206.248.141.242 netmask 255.255.255.252

    Do "ifconfig" again and you'll see interface vlan1:0 having that IP.

    Now, if somebody were to ping 206.248.141.242 from the internet, your router's WAN interface will respond to that ping.

    Next step is to sort out the firewall and port forwarding. The most prominent rule would be to pass incoming requests on IP 206.248.141.242 on to your internal server. Let's assume this server is at 192.168.1.5

    iptables -t nat -I PREROUTING -d 206.248.141.242 -j DNAT --to-destination 192.168.1.5

    and

    iptables -t nat -I POSTROUTING 1 -p all -s 192.168.1.5 -j SNAT --to 206.248.141.242

    Now all requests and all protocols (http, smtp, telnet, ssh, etc.) coming in on 206.248.141.242 will be passed on to 192.168.1.5, and 192.168.1.5 will answer back via 206.248.141.242. You also might want to add some filtering rules, etc. to just let through the protocols you want to.

    I have copied these iptables rules from http://www.dd-wrt.com/phpBB2/viewtopic.php?t=7062 and not verified them, so check it carefully.
     
  9. petah

    petah Addicted to LI Member

    HennieM,

    Thanks for the reply! That is what I have been doing, assigning 206.248.141.242 to vlan1. I am pretty sure I am supposed to assign it to vlan1, not br1, right?

    However, my main ip 216.248.138.248 is assigned to ppp0. This is what my ifconfig looks like:

    br0 Link encap:Ethernet HWaddr 00:18:F3:59:D3:9C
    inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:211875 errors:0 dropped:0 overruns:0 frame:0
    TX packets:198928 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:70466136 (67.2 MiB) TX bytes:69500525 (66.2 MiB)

    br1 Link encap:Ethernet HWaddr 00:18:F3:59:D3:9D
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:18750 errors:0 dropped:0 overruns:0 frame:0
    TX packets:19409 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:6282316 (5.9 MiB) TX bytes:2240273 (2.1 MiB)

    eth0 Link encap:Ethernet HWaddr 00:18:F3:59:D3:9C
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:230626 errors:0 dropped:0 overruns:0 frame:0
    TX packets:218339 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:81822289 (78.0 MiB) TX bytes:72614278 (69.2 MiB)
    Interrupt:4 Base address:0x1000

    eth1 Link encap:Ethernet HWaddr 00:18:F3:59:D3:9C
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:28
    TX packets:103 errors:188 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:0 (0.0 B) TX bytes:33067 (32.2 KiB)
    Interrupt:2 Base address:0x2000

    ppp0 Link encap:point-to-Point Protocol
    inet addr:206.248.138.248 P-t-P:206.248.154.102 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1442 Metric:1
    RX packets:13389 errors:0 dropped:0 overruns:0 frame:0
    TX packets:15291 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:3
    RX bytes:3674250 (3.5 MiB) TX bytes:1217028 (1.1 MiB)

    vlan0 Link encap:Ethernet HWaddr 00:18:F3:59:D3:9C
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:205814 errors:0 dropped:0 overruns:0 frame:0
    TX packets:192221 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:69752957 (66.5 MiB) TX bytes:66777139 (63.6 MiB)

    vlan1 Link encap:Ethernet HWaddr 00:18:F3:59:D3:9D
    inet addr:206.248.141.242 Bcast:0.0.0.0 Mask:255.255.255.252
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:14842 errors:0 dropped:0 overruns:0 frame:0
    TX packets:16744 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:3987914 (3.8 MiB) TX bytes:1740610 (1.6 MiB)

    Now.. I came across something strange. ISP assigns 206.248.141.241 and told me to route my 206.248.141.242 IP to it.

    I have noticed my PPPoE can connect to a few gateways. I have tried to set up 206.248.141.242 on my side but couldn't even get a routing going.

    I have connected/disconnected a few times to get different gateways, and I have tried to ping the 206.248.141.241 IP which is supposed to be assigned on your side. I have noticed that when I am on some gateways I cannot ping 206.248.141.241.

    Gateways where I CANNOT ping 206.248.141.241 IP on your side:
    206.248.154.101
    206.248.154.102

    Gateways where I CAN ping 206.248.141.241 IP on their side: 206.248.154.120

    I take it the ISP didn't set up the routing right on their side?
     
  10. LLigetfa

    LLigetfa LI Guru Member

    OK, this is getting in a little over my head hence my confusion. I understand the first IP comes via a PPPoE tunnel but how does the second IP work? Does it not also need a PPPoE tunnel or does it come as raw ethernet on the WAN interface?
     
  11. petah

    petah Addicted to LI Member

    Correct, the first IP comes from the PPPoE tunnel... the second IP, from what I understand (from my old provider where I had a /29 set up), is supposed to be routed through the PPPoE tunnel. I don't think it can come as raw ethernet on the WAN side since everything goes through the PPPoE tunnel.

    I assume vlan1 is on the WAN side but goes through PPPoE anyway since the default gateway is through the PPPoE tunnel.

    # netstat -r
    Kernel IP routing table
    Destination Gateway Genmask Flags MSS Window irtt Iface
    206.248.154.102 * 255.255.255.255 UH 40 0 0 ppp0
    192.168.0.0 * 255.255.255.0 U 40 0 0 br0
    127.0.0.0 * 255.0.0.0 U 40 0 0 lo
    default erx01.tor.pppoe 0.0.0.0 UG 40 0 0 ppp0
    # ping 206.248.141.241
    PING 206.248.141.241 (206.248.141.241): 56 data bytes

    --- 206.248.141.241 ping statistics ---
    5 packets transmitted, 0 packets received, 100% packet loss

    #

    As you can see I am on a bad gateway (206.248.154.102) so I can't even ping 206.248.141.241 ip right now.
     
  12. HennieM

    HennieM Network Guru Member

    The second IP, if used as we intend in this setup, is not a new _connection_, it's just a new handle or pseudo-interface to an existing interface or connection. It's like we call you petah, and other times we call you pet - it's still you, but you just answer to different names.

    Traffic to/from your second IP travels over the same physical and logical interface as traffic to/from your primary IP.

    I'm no VLAN expert, so I may be totally wrong about this: a VLAN is a virtual interface that works on one or more physical or logical interfaces. Usually you can check which physical/logical interfaces a vlan encompasses by looking at /proc/net/vlan and files in there. See if you can find out which vlan (vlan0 or vlan1) uses ppp0, and then use that vlan.

    Note though, that you should configure "vlanx:0", like "vlan1:0", not just "vlan1".

    You can also try it on "ppp0:0" instead of "vlan1:0", but I don't know if such a non-vlan config would work for a PPPoE tunnel.

    As an example, I did:
    Code:
    ifconfig ppp0:0 10.1.2.201 netmask 255.255.255.252
    and my ifconfig now shows this (funny address intentional...):
    Code:
    ppp0      Link encap:Point-Point Protocol
              inet addr:301.307.14.31  P-t-P:301.307.14.1  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
              RX packets:292820 errors:0 dropped:0 overruns:0 frame:0
              TX packets:174191 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:3
              RX bytes:198915164 (189.7 MiB)  TX bytes:13698608 (13.0 MiB)
    
    ppp0:0    Link encap:Point-Point Protocol
              inet addr:10.1.2.201  P-t-P:10.1.2.201  Mask:255.255.255.252
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
    My ppp0:0 took all the characteristics from its primary interface ppp0, it's just got a different IP/mask.
     
  13. petah

    petah Addicted to LI Member

    This is what I got from a support person from my ISP... does that make sense?




    Hey there,

    This is how we've advised clients to do this in the past:

    Router logs in with PPPoE login information and attains: 206.248.138.248. You would then program the /30 so that the router acts as a gateway with IP: 206.248.141.241 and subnet mask: 255.255.255.252.

    The machine that gets the external IP would then become:

    IP: 206.248.141.242
    Subnet Mask: 255.255.255.252
    Default Gateway (your asus): 206.248.141.241
    DNS Server 1: 206.248.154.22
    DNS Server 2: 206.248.154.170

    Give that setup a try and let us know.
     
  14. petah

    petah Addicted to LI Member

    This is what my vlan config is... does it look right?

    # more config
    VLAN Dev name | VLAN ID
    Name-Type: VLAN_NAME_TYPE_PLUS_VID_NO_PAD
    vlan0 | 0 | eth0
    vlan1 | 1 | eth0
    #
     
  15. HennieM

    HennieM Network Guru Member

    I can't say if your vlan setup is OK. It looks just like mine, so I would think it is.

    The setup advised by your ISP looks like it will work if you don't have NAT. It further seems that you can use both IPs 206.248.141.241 and 206.248.141.242 on "your" side. They seem to intend that you use .241 for your router, and .242 for your "server".

    It also seems that they will route traffic for subnet 206.248.141.240/30 to 206.248.141.241 (note, not to 206.248.141.242!!).

    For this setup, you need to go back to http://www.dd-wrt.com/wiki/index.php/VLAN_Bridging_WAN_and_a_LAN_port and forget everything else we've mentioned in this thread. This setup puts your "server" directly onto the WAN, as if your server were directly connected to the internet, so no NAT, etc. Note that the dd-wrt link is for a WRT54GS v2. The physical port assignments on your Asus may be different from those in the link, so you'll have to figure out if you really have LAN#4 bridged to the WAN.

    Assuming that you could get your Asus's LAN#4 onto the WAN as explained in the dd-wrt link, I'll suggest a setup here, but I have no idea if it will work. The problem is that your .141.241 and .141.242 addresses are on a different subnet from your originally assigned IP 206.248.138.248, so IMO you still need to create another pseudo-interface like ppp0:0 or vlan1:0. Anyway, here goes:

    1) Run an ethernet cable from your server and connect it to LAN#4 port on the Asus.
    2) Now assign the static IP 206.248.141.242 netmask 255.255.255.252 default gateway 206.248.141.241 to your server.
    3) Now do, on the Asus
    Code:
    ifconfig ppp0:0 206.248.141.241 netmask 255.255.255.252
    OR, if that does not work, try
    Code:
    ifconfig vlan1:0 206.248.141.241 netmask 255.255.255.252
    That's it. If this works, your server should now be directly connected to the internet. Remember that you should do firewalling etc. on the server, as the Asus's firewall rules are not applied for traffic to/from the server.
    Also, as your server is now directly on the internet, the server would not be able to talk to any other machines on your home net.
     
  16. petah

    petah Addicted to LI Member

    thanks for the reply yet again!

    I've spoken with a support guy at my provider and he thinks the /30 block may have been double-assigned. I'll check with them tomorrow since they are closed today. Once it has been verified that the block is in working condition, I will then try the routing again.

    On a good note.... I found out one of their senior network techs is an old friend of mine, so I'll be able to figure this issue out soon!

    I'll post results as soon as I get it up and working. At this time it seems to be my provider's issue (as usual... I didn't think I am that stupid... yet... even though I have not played with Linux in a long time. I've been using a FreeBSD router for the past 5 years and recently wanted to ditch my old AMD 650 MHz box and go with a lower power consumption router).
     
  17. petah

    petah Addicted to LI Member

    Hey Hennie,

    I have received a new /30 block from my ISP. Here is the info:

    /30 206.248.140.168 / 255.255.255.252

    Gateway: 206.248.140.169
    Subnet: 255.255.255.252
    IP: 206.248.140.170

    I have managed to get 206.248.140.169 onto the router's vlan1. But I am not having any luck bridging port #4 of the LAN (vlan0) to the WAN (vlan1) using the guide from DD-WRT... I guess Tomato does not support bridging LAN to WAN like DD-WRT does?

    I have briefly tried 1-to-1 NAT and it works.... however, does that mean I'll have to forward all the ports... port by port?

    Any other suggestions? I like the bridge-LAN-to-WAN idea, but I couldn't get it to work using vlan1 and bridging port #4 to the WAN.


     
  18. HennieM

    HennieM Network Guru Member

    I'm sure Tomato supports the port vlan/bridging - it's just about which switch port (0,1,2,3,4,5) is assigned to which vlan. I know nothing about that, so I can unfortunately not help with that.
    I don't know what 1-to-1 NAT means exactly, but, with a NAT setup:

    Assuming vlan1 is your WAN interface, you have probably done
    Code:
    ifconfig vlan1:0 206.248.140.169 netmask 255.255.255.252
    and followed that with
    Code:
    iptables -t nat -I PREROUTING -d 206.248.140.169 -j DNAT --to-destination 192.168.1.5
    assuming your "server" has internal FIXED address 192.168.1.5. This iptables rule forwards everything, i.e. ALL IP traffic on ALL ports, that comes in for IP 206.248.140.169 to your server at 192.168.1.5 - no additional rules needed.

    Your "server's" publicly known IP must, in this case, then be 206.248.140.169. Further, your "server" MUST have the static DHCP or otherwise fixed IP of 192.168.1.5, with the normal gateway/DNS such as any other PC/device on your internal net (most likely default gateway 192.168.1.1, DNS server 192.168.1.1). Your server is still on your private/home net!

    If you want to rather use either .169 or .170 IP for your server, replace the above 2 lines with the 3 lines below:
    Code:
    ifconfig vlan1:0 206.248.140.169 netmask 255.255.255.252
    ifconfig vlan1:1 206.248.140.170 netmask 255.255.255.252
    This assigns both IPs .169 and .170 to the router on pseudo-interfaces vlan1:0 and vlan1:1.

    Now make the prerouting rule
    Code:
    iptables -t nat -I PREROUTING -d 206.248.140.168/30 -j DNAT --to-destination 192.168.1.5
    which will forward all ports and all IP traffic with destination .169 OR destination .170, via NAT, to your server at 192.168.1.5.

    Put these 3 lines in Tomato's Administration > Scripts > Init, and you don't have to do them every time the router starts up.
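The rules in posts 8 and 18 forward every port of the public IP to the server. The script below is an added example, not code from this thread or from Tomato: it takes the same ifconfig alias plus DNAT/SNAT approach, but only exposes a chosen list of TCP ports and adds the matching FORWARD rules so the forwarded flows pass Tomato's default-drop firewall. The interface name (vlan1; on a PPPoE link the traffic may actually travel on ppp0, as discussed earlier in the thread), the server address 192.168.1.5 and the port list are assumptions; the public IP is the thread's second /30. With DRY_RUN set, the script prints the commands instead of executing them, so the rule set can be checked before it touches the router.

```shell
#!/bin/sh
# Added example (not from the thread or from Tomato): one public IP of a /30
# forwarded via NAT to one internal server, limited to chosen TCP ports.
WAN_IF="${WAN_IF:-vlan1}"                 # interface carrying WAN traffic (assumed; ppp0 on PPPoE)
PUBLIC_IP="${PUBLIC_IP:-206.248.140.169}" # router-side IP of the /30 (from the thread)
PUBLIC_MASK="255.255.255.252"
SERVER_IP="${SERVER_IP:-192.168.1.5}"     # server's fixed LAN address (assumed)
ALLOWED_TCP="${ALLOWED_TCP:-22 80 443}"   # ports reachable on the public IP (assumed)

# With DRY_RUN set, print each command instead of running it, so the rule
# set can be reviewed (or checked by a script) before it is applied.
run() {
  if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_one_to_one_nat() {
  # Second public IP as a pseudo-interface, as in the thread
  run ifconfig "${WAN_IF}:0" "$PUBLIC_IP" netmask "$PUBLIC_MASK"

  # Replies, and the server's own outbound connections, always pass FORWARD
  run iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Inbound: DNAT only the allowed ports, and let FORWARD accept only those new flows
  for port in $ALLOWED_TCP; do
    run iptables -t nat -I PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" \
      -p tcp --dport "$port" -j DNAT --to-destination "$SERVER_IP"
    run iptables -I FORWARD -i "$WAN_IF" -d "$SERVER_IP" \
      -p tcp --dport "$port" -m state --state NEW -j ACCEPT
  done

  # Outbound: the server's traffic leaves with the public IP, not the router's
  # main address. Position 1 so it matches before Tomato's own MASQUERADE rule.
  run iptables -t nat -I POSTROUTING 1 -s "$SERVER_IP" -o "$WAN_IF" \
    -j SNAT --to-source "$PUBLIC_IP"
}

# "sh script.sh apply" installs the rules; "sh script.sh show" only prints them.
case "${1:-}" in
  apply) setup_one_to_one_nat ;;
  show)  DRY_RUN=1 setup_one_to_one_nat ;;
esac
```

Because Tomato rebuilds its iptables rules whenever the WAN comes up, the iptables part belongs in the Administration > Scripts > Firewall slot rather than Init, or it is silently lost on the next reconnect; the ifconfig alias can stay in Init. Anything not in ALLOWED_TCP is simply not forwarded, so the server is no more exposed than the ports you chose.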
     
  19. petah

    petah Addicted to LI Member

    Thanks! I might stick with NAT and see how it goes... I am having some issues with SSH into the server through NAT so I'll have to read up on it.

    I'll try the LAN/WAN bridging again... probably have to play around with it to see what i get.
     
  20. petah

    petah Addicted to LI Member

    Reporting back...... I am one step closer... just one more thing I have to do.

    I have set up the router to have 206.248.140.169/255.255.255.252 on br1 interface.

    I have then set up my laptop to have 206.248.140.170/255.255.255.252 and default gateway of 206.248.140.169.

    I am able to ping 206.248.140.169 from the internet.

    I am able to ping 206.248.140.169 from my laptop.

    I am able to ping 206.248.140.170 from my router.

    I am not able to ping 206.248.140.170 from the internet.

    I am not able to get onto the internet from my laptop 206.248.140.170

    Machines behind NAT work perfectly here.

    Now... what am I missing here? Iptables firewall rules to divert traffic for 206.248.140.168/30 to br1 instead of dropping it?

    Any comments/suggestions are appreciated. Thanks!
     
  21. petah

    petah Addicted to LI Member

    Update. After assigning IPs to br1 as my wan interface I am able to route the ip. What I was missing: iptables FORWARD lines.

    iptables -I FORWARD -d xxx.xxx.xxx.xxx/30 -j ACCEPT
    iptables -I FORWARD -s xxx.xxx.xxx.xxx/30 -j ACCEPT

    I am going to tighten it down so it only applies on the br1 interface instead of on all interfaces, lol.

    Thanks for the help HennieM! I am glad I bought this Asus router and stuck Tomato with MLPPP on, Bell Canada cannot throttle my connection!
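The last post's fix accepts the whole /30 in FORWARD on every interface, which the poster himself says he intends to tighten. The script below is an added example, not code from this thread or from Tomato: it sets up the same routed (no NAT) arrangement, with the /30's router side on br1 and the server using .170 with .169 as its gateway, but limits the FORWARD rules to the br1/WAN pair, admits new inbound connections only on chosen ports, keeps the routed block out of Tomato's masquerading so it leaves with its real source address, and keeps the publicly addressed machine from reaching the private LAN. The interface names (ppp0, br1, br0) and the port list are assumptions; the addresses are the thread's second /30. With DRY_RUN set, the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example (not from the thread or from Tomato): a routed /30 on its own
# bridge, with FORWARD rules scoped to that bridge and to chosen ports.
WAN_IF="${WAN_IF:-ppp0}"             # interface the default route uses (assumed)
DMZ_IF="${DMZ_IF:-br1}"              # bridge holding the WAN-side LAN port (assumed)
LAN_IF="${LAN_IF:-br0}"              # private LAN bridge (assumed)
BLOCK="206.248.140.168/30"           # the routed block (from the thread)
GW_IP="206.248.140.169"              # router side of the /30
GW_MASK="255.255.255.252"
SERVER_IP="206.248.140.170"          # the machine with the public address
ALLOWED_TCP="${ALLOWED_TCP:-22 443}" # inbound ports reachable on the server (assumed)

# With DRY_RUN set, print each command instead of running it.
run() {
  if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_routed_block() {
  # Router side of the /30 on br1; this also installs the connected route.
  run ifconfig "$DMZ_IF" "$GW_IP" netmask "$GW_MASK"

  # Do not masquerade the routed block: its hosts must leave with their real
  # addresses. Position 1 so it is matched before Tomato's MASQUERADE rule.
  run iptables -t nat -I POSTROUTING 1 -s "$BLOCK" -o "$WAN_IF" -j ACCEPT

  # Outbound from the block, and replies coming back into it
  run iptables -I FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$BLOCK" -j ACCEPT
  run iptables -I FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$BLOCK" \
    -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Inbound new connections only to the chosen ports on the server
  for port in $ALLOWED_TCP; do
    run iptables -I FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$SERVER_IP" \
      -p tcp --dport "$port" -m state --state NEW -j ACCEPT
  done

  # The publicly addressed machine is not part of the private LAN.
  # Inserted last, so it ends up at the top of the chain.
  run iptables -I FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP
}

# "sh script.sh apply" installs the rules; "sh script.sh show" only prints them.
case "${1:-}" in
  apply) setup_routed_block ;;
  show)  DRY_RUN=1 setup_routed_block ;;
esac
```

The server itself still needs its own host firewall, as noted earlier in the thread: these rules only decide what the router will forward, and UDP or ICMP to the server is not admitted here unless you add rules for it. As with any iptables rules on Tomato, put them in the Firewall script slot so they survive a WAN reconnect.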
     
  22. HennieM

    HennieM Network Guru Member
