Multiple IPs on WAN?

Discussion in 'Tomato Firmware' started by twinspop, Feb 11, 2007.

  1. twinspop

    twinspop LI Guru Member

    Is it possible to alias multiple IPs to the WAN port and use NAT rules to pass traffic through to private IPs on my LAN? If so, any tips on how? I'll make the bold assumption that the web interface doesn't have this potential. NVRAM settings somewhere?

  2. ifican

    ifican Network Guru Member

    I do not know of any SOHO devices that have this capability, though there are other vendors that do. If you get someone good with Linux they may be able to give you a command set to do just this, assuming all of your IPs are static.
  3. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    The RV042/RV082 can do this with the standard Linksys firmware. Maybe also the RV016? I'm using this on my own RV042, creating one-to-one NAT rules for specific inside servers.

  4. twinspop

    twinspop LI Guru Member

    Figgered it-- WRT54G multiple WAN IPs

    It can be done with Tomato and the WRT54G. Using the Administration -> Scripts area I put this info into the firewall area (sub in your public IPs for IP1-3):

    # IP1-3 = your public IPs, LAN1-3 = the private IPs they map to,
    # NETMASK = the netmask of your public block, LANNET = the private IP or subnet the servers are on
    /sbin/ifconfig vlan1:0 inet IP1 netmask NETMASK
    /sbin/ifconfig vlan1:1 inet IP2 netmask NETMASK
    /sbin/ifconfig vlan1:2 inet IP3 netmask NETMASK
    /usr/sbin/iptables -t nat --flush
    /usr/sbin/iptables -I PREROUTING -t nat -d IP1 -j DNAT --to-destination LAN1
    /usr/sbin/iptables -I PREROUTING -t nat -d IP2 -j DNAT --to-destination LAN2
    /usr/sbin/iptables -I POSTROUTING -t nat -o vlan1 -s LAN3 -j SNAT --to IP3
    /usr/sbin/iptables -I POSTROUTING -t nat -o vlan1 -s LAN1 -j SNAT --to IP1
    /usr/sbin/iptables -I POSTROUTING -t nat -o vlan1 -s LAN2 -j SNAT --to IP2
    /usr/sbin/iptables -I FORWARD -d LANNET -j ACCEPT

    Anyway, this isn't really meant as a how-to for your situation, but more of a starting point for anyone else trying to get multiple public IPs running with static mappings to internal IPs.
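A generalized version of the script above, added here as an example and not the poster's own code: it builds the WAN aliases plus the DNAT, SNAT and FORWARD rules for any number of public-to-private mappings from one list, so nothing has to be kept in sync by hand. The 203.0.113.x/192.168.1.x addresses, the /29 netmask and the "echo" dry-run prefix are assumptions; vlan1 is the WAN interface as in the post.

```shell
#!/bin/sh
# Builds the Tomato firewall-script commands for 1:1 static NAT from a
# "public private" mapping list. Constructed sample values below: the /29
# mask, 203.0.113.x (documentation range) public IPs, 192.168.1.x private IPs.
WAN_IF=vlan1
PUBLIC_MASK=255.255.255.248

# one "public private" pair per line (constructed sample data)
MAPPINGS='203.0.113.10 192.168.1.10
203.0.113.11 192.168.1.11
203.0.113.12 192.168.1.12'

# $1 = prefix put in front of every command: "echo" prints them (dry run),
# an empty string executes them on the router.
gen_nat_rules() {
    run=$1
    i=0
    $run /usr/sbin/iptables -t nat --flush
    echo "$MAPPINGS" | while read -r pub priv; do
        [ -n "$priv" ] || continue
        # alias the public address on the WAN interface (vlan1:0, vlan1:1, ...)
        $run /sbin/ifconfig "$WAN_IF:$i" inet "$pub" netmask "$PUBLIC_MASK"
        # inbound: rewrite the public destination to the private server
        $run /usr/sbin/iptables -t nat -I PREROUTING -d "$pub" -j DNAT --to-destination "$priv"
        # outbound: give that server's own traffic its public source address
        $run /usr/sbin/iptables -t nat -I POSTROUTING -o "$WAN_IF" -s "$priv" -j SNAT --to-source "$pub"
        # FORWARD must accept the translated packets; -d alone exposes every
        # port on the host, so narrow with -p/--dport where the service allows
        $run /usr/sbin/iptables -I FORWARD -d "$priv" -j ACCEPT
        i=$((i + 1))
    done
}

# dry run: print the rules that would be applied
gen_nat_rules echo
```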

  5. DeMiNe0

    DeMiNe0 Network Guru Member

    Could someone perhaps explain the above script? I'm trying the same thing as well here.
  6. hiccup

    hiccup Guest

    Hi, first post.

    Me too on this one.
  7. shutterbc

    shutterbc LI Guru Member

    There's a similar topic discussed on the dd-wrt forums at this link:

    I believe the basic idea is the same, though you use different commands to implement it.

    He's using /usr/sbin/ip and you're using /sbin/ifconfig. I'm wondering if there are any other differences I should be aware of, but I'm playing around with this right now.

    These commands set up the WLAN interface for multiple IP addresses. If you ran ifconfig, you'd see them listed out.

    Flushes the NAT table.

    These rules rewrite the destination IP address of a packet (DNAT) so that traffic hitting the router's static IP can be forwarded to an internal IP. For more info, read up on targets.

    These rules rewrite the source IP address of a packet (SNAT) so that traffic heading out of the router to the Internet has an Internet source IP.

    This rule forwards packets destined for servers inside the firewall.

    Hope I got all those details roughly correct. I'll be implementing something based on these rules for an organization that needs to dedicate two IP addresses for H.323 video phones. They bought a block of 5 static IPs so I'll be trying to get Tomato firmware to do the job.
  8. shutterbc

    shutterbc LI Guru Member

    Arrgh. I tested the above configuration successfully in a lab, and then had disappointing failure when trying to use the configuration with a Zoom X5 DSL modem. I thought I put the modem into bridge mode fine, because I was able to connect with a PC using the external IP address.

    But for some reason my Tomato firmware wasn't able to ping the gateway... has anyone had trouble like this? I feel like I'll need to do some packet sniffing to get further. In the meantime I had to fall back to a double-NAT config.
  9. mstombs

    mstombs Network Guru Member

    I think I have answered this question before for a Zoom modem - you have it running as a modem-only 'half bridge mode'. If your ISP allows PPPoE you should put the modem into PPPoE full bridge mode and run the PPPoE client on the router (can also do this on a PC). If, like mine, you have PPPoA only - you have to run in half bridge (to avoid double NAT) but Tomato (common to Hyperwrt, and I think dd-wrt and OpenWrt and similar vintage Linux systems) do not expect the ISP gateway to not be in the local network (XP and recent Linux have no problem with this).

    If this is your problem, there's a simple fix in the form of a firewall script; see here for more details:
  10. bradtem

    bradtem Network Guru Member

    What about passing through an external IP

    I have a block of 5 static external IPs. Right now I thus keep two LANs, one external, on which my linksys sits, as well as servers, and one internal, where all the natted machines sit behind the linksys.

    But I want to be able to have servers "behind" the Linksys but using the external IPs. I.e. they would not think they had a NATted address, they would use the external address, configured just as they are on the external LAN. (They could also have an address on the internal network if they wanted, on the same interface or perhaps -- see below -- a different one.)

    Why would I want this? I want to semi-bridge these external packets through the Linksys so it can do traffic shaping. I want my Asterisk server to be external, not behind NAT, but this means the traffic shaper in the Linksys has no idea of the traffic coming out of that server, and thus does not realize it should throttle large downloads going through it from NATted machines to make room for the higher priority VoIP.

    I tried the d-link dl-102 on the whole network but it does not suffice.

    The only downside to this is it creates a single point of failure, but I can live with that to get more reliable VoIP.

    Now for bonus points, I understand the Linksys knows which of the 4 Ethernet ports on it packets come from. This would allow you to designate one as the "external" LAN, so that the external machines could not, if compromised, send packets to the NATted machines directly, unless they had a different Ethernet card on the internal LAN. But for now, I would be interested in how to at least get traffic shaping of all my traffic.
  11. shutterbc

    shutterbc LI Guru Member

    Progress update

    Whee... I know more about ARP than I ever cared to before. I figured I'd share this experience with others just in case it's useful to anyone:


    Network scenario
    5 Static IP addresses are available for use, provided by Verizon Business DSL. The modem is a Zoom X5 5654 modem. The router is a Buffalo WHR-HP-G54 running Tomato firmware 1.07.

    Internet connection settings are listed below:
    encapsulation: 1483 bridged IP LLC
    VPI 0
    VCI 35

    Zoom X5 settings
    Enabling bridged mode:
    Advanced setup -> WAN configuration:
    - enable bridge
    - disable IGMP
    - disable DHCP
    - disable DNS

    click save, then write to flash (sometimes "save" button is missing, oddly)

    Advanced -> DHCP
    - DHCP mode set to "none"

    Advanced -> NAT
    - still shows as "enabled". Seems to make no difference if I keep it enabled or set to "disabled"

    The problem
    Connecting with PC works in full bridge. Linux router can only ping gateway.

    I decided to try sniffing a connection with Wireshark while I’m connected to the Internet directly via the modem in full bridge mode. Here’s what I get off the wire when connecting to an SSH server out in the Internet:

    Ethernet II, Src: Dell_53:98:b2 (00:15:c5:53:98:b2), Dst: Cisco_12:5b:18 (00:03:a0:12:5b:18)

    Here the destination address is a Cisco device, probably the gateway router at Verizon.

    When I check the ARP cache on the Linux router, I see the following:
    # cat /proc/net/arp
    IP address       HW type  Flags  HW address         Mask  Device
    151.204.[c].1    0x1      0x0    00:40:36:34:29:EA  *     vlan1
                     0x1      0x2    00:16:76:5F:70:8D  *     br0

    Now, the HW address for 151.204.[c].1 (gateway) is the MAC address of the Zoom modem, NOT the Cisco router I’m expecting to see. Question is, how do I flush the ARP cache and why did the modem advertise itself as the gateway??

    Oh. Wait. Another capture from the PC shows me:
    Dell_53:98:b2 -> Broadcast ARP Who has 151.204.[c].1? Tell 151.204.[c].[d]
    TribeCom_34:29:ea -> Dell_53:98:b2 ARP 151.204.[c].1 is at 00:40:36:34:29:ea
    Cisco_12:5b:18 -> Dell_53:98:b2 ARP 151.204.[c].1 is at 00:03:a0:12:5b:18

    There we go. There are two ARP responses... and the second one is the one I want. On Windows, we end up caching the second one, and in Linux, we end up caching the first one.

    Any ideas how to silence this modem? In a full bridge mode, technically that modem shouldn't be responding to an ARP request, especially for the gateway.

    So here's where I have learned a bit about ARP. In Tomato, I don't have an "arp" tool, but I can do most stuff I need with "ip neighbor". I found a good resource here:

    Basically, I can probably set a permanent ARP entry for the far end router by doing something like the following command:

    ip neighbor add 151.204.[c].1 lladdr 00:03:a0:12:5b:18 dev vlan1 nud permanent

    I tested it out in a lab, pretty cool stuff. But -- how about if Verizon changes the far end router on me? Then I'm screwed, since the permanent entry will make troubleshooting darn difficult, especially without a packet sniffer on the line.

    The ideal solution would be to change the ARP caching behavior such that the last update is the one that is stored in the ARP table.
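As an added example (not from the post), a small check for the duplicate-ARP-reply problem shown above: it reads capture lines in the post's format, reports any IP that was claimed by more than one MAC, and prints the ip neighbor command that pins the MAC you decide to trust. The sample capture and its 203.0.113.x addresses are constructed; the interface name vlan1 follows the post.

```shell
#!/bin/sh
# Constructed capture lines in the same layout as the post's Wireshark
# output (two different MACs answering for the gateway, one normal reply).
ARP_CAPTURE='Dell_53:98:b2 -> Broadcast ARP Who has 203.0.113.1? Tell 203.0.113.5
TribeCom_34:29:ea -> Dell_53:98:b2 ARP 203.0.113.1 is at 00:40:36:34:29:ea
Cisco_12:5b:18 -> Dell_53:98:b2 ARP 203.0.113.1 is at 00:03:a0:12:5b:18
Dell_53:98:b2 -> Broadcast ARP Who has 203.0.113.6? Tell 203.0.113.5
Cisco_12:5b:18 -> Dell_53:98:b2 ARP 203.0.113.6 is at 00:03:a0:12:5b:19'

# Reads capture lines on stdin; prints "IP MAC1 MAC2 ..." for every IP that
# was answered for by more than one distinct MAC (MACs in first-seen order).
find_arp_conflicts() {
    awk '/ is at / {
            ip = $(NF - 3); mac = tolower($NF)
            if (!(ip in macs)) { macs[ip] = mac; count[ip] = 1 }
            else if (index(macs[ip], mac) == 0) { macs[ip] = macs[ip] " " mac; count[ip]++ }
         }
         END { for (ip in count) if (count[ip] > 1) print ip, macs[ip] }'
}

# Builds the static neighbour entry for the MAC you trust ("replace" rather
# than the post's "add" so it also overwrites an existing dynamic entry).
# Caveat: a permanent entry never expires, so if the ISP swaps the gateway
# router this has to be updated by hand, as the post notes.
pin_gateway_mac() {
    gw=$1; mac=$2; dev=${3:-vlan1}
    echo "ip neighbor replace $gw lladdr $mac dev $dev nud permanent"
}

conflicts=$(echo "$ARP_CAPTURE" | find_arp_conflicts)
echo "conflicting ARP replies: $conflicts"
pin_gateway_mac 203.0.113.1 00:03:a0:12:5b:18
```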
  12. mstombs

    mstombs Network Guru Member

    Looks like the modem is doing proxy_arp, responding itself when it knows it is the route to the required device - but I don't understand why it would then also pass on the arp request? I can believe multiple arp responses would break things as this looks like a hacker attack!

    It seems as though you are trying to include the far end router in your local LAN, which I can't believe is correct - arp is only intended to be used for local network devices. Are you spoofing the netmask to include the gateway?

    I think you should give the modem one of the static addresses and then specify this as the gateway from the router, then arp from each device will be local. If you only use a local IP address for the modem you will have to add the custom route commands to Tomato as it won't understand the gateway not being in the same network - (not checked in latest version - must do that!)
  13. shutterbc

    shutterbc LI Guru Member

    Well here's the thing -- everything works when I send Internet-bound packets to the far end router. It's supposed to be static IP, bridged networking -- that is, I would expect the modem to be transparent and never respond to any ARP requests. I already verified with my laptop that the bridge is allowing me to communicate with the far end router just fine.

    And, Verizon seems to be telling me to do this. Even though my netblock contains only 5 addresses, Verizon specifies the netmask as a class C and instructs me to direct traffic to a x.x.x.1 gateway address -- the far end router.

    What I'm actually doing is assigning the first IP available to me to the modem. What I didn't include in my writeup is that the modem doesn't seem to respond to that when I ping it, though you're right that I haven't yet tried using it as the gateway.
  14. shutterbc

    shutterbc LI Guru Member

    Looks like you want the solution for creating multiple VLANs. Try this topic on for size, it might be what you are looking for:

    Even though it's for dd-wrt, I believe this may work on other firmwares.
  15. mstombs

    mstombs Network Guru Member

    Re modem setup. It seems Verizon want things set up similar to cable networks here - my cable modem had a /23 netmask even though I had only 1 IP address. With DSL setups I have seen they tend to give you 8 IP addresses and a tight mask, which means only 6 are usable (the first is reserved to define the network, the last is the broadcast). But your DSL modem is not as transparent as it should be!

    Re VLAN
    The VLAN variables do work with Tomato - I've got port 4 set up as VLAN2 - but have only used it as a WAN2 port, not on the LAN side. I noticed in the source code some routers get their non-Linksys standard VLAN config configured - possibly every start-up.
  16. shutterbc

    shutterbc LI Guru Member

    Well, I guess my post just documents the fact that the Zoom X5 has issues in that department. Anyone got a recommendation on a better modem, since Zoom has stopped talking to me?