Public and private IP's from same router.

Discussion in 'Tomato Firmware' started by kameleon, Oct 17, 2008.

  1. kameleon

    kameleon LI Guru Member

    I am about to be getting a commercial connection that will give me 5 static IP's. The problem is I have more than 5 machines and of course don't want all my machines to be accessible from the internet. I was wondering how I would set up Tomato to allow, say, all my wireless clients to be on a 192.168.x.x but allow my web/email server and a few others to be public IP's. I still want the router to log all the connections and such, since I log all that to a remote machine for archiving purposes. I know this is doable but could anyone give insight as to how?
  2. kameleon

    kameleon LI Guru Member

    I was about to re-ask this question when I found where I had posted this before! Search feature FTW!

    Anyways, I have 5 static IP addresses that I need to use for some servers I have. But I only have one router running Tomato 1.23 w/ Victek mod. One of the IP's is on the router as the WAN interface. Everything behind it now is using NAT with private IP's. I want to be able to use my static public IP's alongside the NAT I currently am using, if possible.

    Shouldn't this be as simple as a routing table change? Thanks in advance.
  3. szfong

    szfong Network Guru Member

    Since you've been waiting for an answer for almost half a year and no one's willing or wishes to help you, I'll give it a shot.

    Your commercial provider should provide you w/ a DSL/modem combo unit which supports multiple static IPs. In the US the Netopia 3347xxx are quite popular and the Enterprise variety is quite good. Tomato can connect to it as a switch, IP pass-thru, double NAT, etc... whatever you like, but static public IP handling MUST be done on the DSL/modem combo unit.

    Or if you're too cheap or not willing to spend the extra $50 (in the US), you use the cheap/free (after rebate) modem and couple it with a router that supports such features as one-to-one NAT, multiple static IPs, etc... Anyhow, most mid-range firewall routers will have this feature, & it gets complicated to set up. I've used & tested it out on a ClarkConnect & pfSense box, worked beautifully, BUT is noisy, and electrically & hardware-wise wasteful. Tomato, to my knowledge, does not have this ability; OpenWRT however does...

    In short, USE THE BUSINESS CLASS HARDWARE THAT THE ISP PROVIDES OR SELLS YOU!!! Then connect stuff off of it. It will save you A LOT of GRIEF!!
  4. kameleon

    kameleon LI Guru Member

    Thank you for your reply. The provider did give me a 4 port cable modem and all. I just prefer to use my own Tomato box to do the majority of the routing. I want to keep my setup the way it is but allow the static IP's to be able to route through the Tomato box. I know I have to be missing something simple. Here's my layout in case it helps:

    cable from provider to their cable modem -
    WRT54GS running Tomato -
    from here I have a long haul line back to my office which then connects to -
    netgear gigabit switch -
    all my machines

    Pretty basic really. I want to be able to use the Tomato box for the QoS and bandwidth graphing mostly. I will have a VoIP box here so the QoS will be nice. Plus with me hosting some of my sites locally I want to have a good bandwidth management device so I can allow the web server plenty of throughput.

    None of this is doable with the crap "router" the provider gave me. It has no special settings. Does that help clarify some? Thanks
  5. szfong

    szfong Network Guru Member

    You WILL need a router which supports this feature. Cisco, SonicWall, Vyatta, ClarkConnect, pfSense will support these capabilities you mentioned. Since it's a business-class cable connection, you need a much better router. Some firewall/routers such as the SonicWall use a subscription model, I believe, but offer A LOT of advanced capabilities that would normally require a separate PC to perform. As an enthusiast, I'd recommend an embedded board, the do-it-yourself approach, but simply put, you need a more capable router; most routers with multi-WAN support will usually have multi-static IP address support.

    Those five I've mentioned ARE QUITE good, with only pfSense being "uncrippled & free" ALL AROUND. As you mentioned, QoS is important & is much more advanced in the 5 routers/firewalls I mentioned.

    In the meantime, grab yourself an old PC and use a router such as pfSense for a while to get to know it; if you like it, build yourself a more efficient model. With a smart switch you can do even more sorts of amazing things. I know you want the simplicity of Tomato, as I love Tomato running smoothly and w/o crashing for months, but until someone adds those capabilities you need, you'll need to look elsewhere.

    Because you're on a static IP and more and more bad people also have higher speeds, Tomato doesn't handle massive packet flooding as well as the others, though any small pipe can get flooded... For dynamic IP, resetting the modem gets you a new IP.
  6. kameleon

    kameleon LI Guru Member

    Thanks for the explanation. I have been looking at the pfSense solution you spoke of and how it could be implemented. I think it will be the easiest to deal with. The only other option I could think of is to set up a separate WRT54G running Tomato in router mode for the public statics and have my gigabit switch do the VLAN routing for that, but that may be a little more complicated than I think initially.

    Here's what I am planning to attempt. I want to have my wife's and my laptops and the media PC on a 192.168.x.x IP range, with the two laptops being wireless for the most part (I have a dedicated WRT54G for wireless access). The only other physical machine I plan to have is my Xen server. I can run the pfSense "machine" in a VM with a dedicated NIC and let it do all the routing. Then for the remaining "machines" that are actually VMs I can choose if I want public IP's or just do private IP's w/ NAT. That does sound doable, correct? Thanks for the help.
  7. szfong

    szfong Network Guru Member

    Yes, it's doable; a pfSense router plus a smart/managed switch is all you'll need. Doing a 1:1 NAT may be another option to consider for those VM servers. A good embedded board will have 3 interfaces, usually. Some have less, requiring more VLAN/tagging etc. on the switch & more configuring in pfSense. I'd configure them as WAN, LAN, & DMZ and let pfSense do its magic and have Tomato do the wireless or slower wired stuff. Certain more expensive switches in the layer 2/3 category have more capabilities, but I'd keep it simple.
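    For readers wondering what the 1:1 NAT szfong mentions actually consists of on a Linux/iptables router, here is an added example (not from this thread, and not Tomato's or pfSense's own code): a POSIX shell function that prints, without applying, the rules for one public-to-private mapping. It assumes the WAN interface is named vlan1 and uses constructed addresses (203.0.113.10 is a documentation-range public IP).

```shell
#!/bin/sh
# Added example: emit the iptables rules for a single 1:1 NAT mapping.
# Assumptions (not from the thread): WAN interface is vlan1, the extra public
# IP is routed to this router by the modem, and "ip" from iproute2 is available.
WAN_IF="${WAN_IF:-vlan1}"

# one_to_one PUBLIC PRIVATE PORTS  -> prints the rules (comma-separated TCP ports)
one_to_one() {
    pub="$1"; priv="$2"; ports="$3"
    # The router must own the extra public IP so it answers ARP for it on the WAN side.
    echo "ip addr add $pub/32 dev $WAN_IF"
    # Inbound: anything arriving for the public IP is rewritten to the server's private IP.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $priv"
    # Outbound: that server's traffic leaves with its own public IP, not the shared WAN IP.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $priv -j SNAT --to-source $pub"
    # Forwarding: only the listed TCP ports may open new connections; everything else
    # toward the server is dropped, so "public" still means only the intended services.
    for p in $(echo "$ports" | tr ',' ' '); do
        echo "iptables -A FORWARD -i $WAN_IF -d $priv -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $WAN_IF -d $priv -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -d $priv -j DROP"
}

# rule_count PUBLIC PRIVATE PORTS -> how many lines one_to_one emits (used for self-checks)
rule_count() { one_to_one "$@" | wc -l | tr -d ' '; }

# Constructed sample mapping: web server, public 203.0.113.10 -> private 192.168.1.10
one_to_one 203.0.113.10 192.168.1.10 80,443
```

    The same function run once per public address gives one mapping per server; the remaining hosts keep using the router's ordinary masquerading on the shared WAN IP.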
  8. kameleon

    kameleon LI Guru Member

    Ok, I have to do something this week as I have to get my hosting server accessible since my hosting account is up for renewal next week. I have drawn a (very) rough diagram of the network as it sits now. I am more of a visual person so this helps me understand it.

    Pic here...

    Basically I need everything to stay the same (if possible) but get one or two... maybe three public IP's to the Xen server for a few of the virtual servers. The Netgear (GS108-T) switch is fully managed and does VLANs and such. I have 3 NICs in the Xen server. I could run pfSense as a virtual machine and give it exclusive access to the 2 extra NICs, WAN and LAN (have read up on this and it is doable in Xen). I just need to make 100% sure that what I need done is not possible on the Tomato router. Like possibly in the routing table? I hate to complicate things but if I must then I will. I really do appreciate the assistance. Just hope I can wrap my head around this. If I could do a 1:1 NAT that would probably be easiest, wouldn't it? I know the Tomato router can't do that but pfSense can.

    Also, what about changing the main Tomato router from Gateway mode to Router mode? Isn't that just basically NAT on/off? I wish there was a comprehensive guide somewhere for these kinds of things. lol
  9. szfong

    szfong Network Guru Member

    Your setup looks ok & you may need specific features that are part of something like pfSense.

    You're running multiple servers requiring 1:1 NAT and possibly a few other services and hosting, etc... I think a Tomato router may no longer be sufficient. If you're gonna be simplifying everything, I do not recommend running pfSense as a VM. Put it on a separate box, preferably an embedded box for low power usage, but test everything first on a regular PC. In the past I found if I did not turn on hardware in a specific order, problems arose... the pfSense forums can be a great help... as this is mostly a Tomato and single IP/line usage forum. For your setup, using VLANs you can easily isolate portions of your network, load balance, failover, etc...

    good luck..