Dd-wrt-AdvNAT
From BE Usergroup Technotes
NAT with DD-WRT and Multiple Static IPs
I decided to do this for two reasons: 1) some of the computers I want to assign an external IP to are connected via a wireless bridge, so plugging them directly into the modem is not an option;
2) it lets me use the WRT as a firewall, allowing only the inbound ports I specify.
Most of the guides written for DD-WRT seem to suggest adding your other external IPs to vlan1, but I could never get this to work properly on my WRT160N (v24 SVN 10902), so here is how I went about it.
The WAN port comes up as eth1 on mine; I am not sure whether it will on all DD-WRT routers. If yours is different, change every occurrence of eth1 below to the actual WAN interface of your router.
This may not be the best way to do it, but it works for me. Some of the information on this page was taken from various sources and from trying things. Take a backup of your working DD-WRT configuration before trying this (Administration > Backup).
If you plan to forward ports or do any of the internal > external mapping, it is HIGHLY recommended that you assign your internal IPs statically. Either configure the machines themselves with static addresses, or use "Services" > "Lan" to tell the DHCP server to always give a specific MAC address a specific IP (the active client list is under "Status" > "Lan"). The NAT rules below match on fixed internal addresses, so a host that picks up a different lease silently stops being mapped.
Setting up the multiple IPs
Set up ONE of your IPs in the web interface.
Telnet into the DD-WRT router as user root with your admin password (the same one as the web interface) and enter the following command. Telnet sends that password in the clear, so if you have enabled SSH under Services, use that instead.
Wherever XXX.XXX.XXX.A etc. appears below, substitute your own IP address.
ifconfig
You should see an interface in the output with your external IP. It will probably look something like this:
eth1 Link encap:Ethernet HWaddr 00:XX:XX:5A:XX:XX
inet addr:78.XX.XX.XXX Bcast:ZZ.ZZZ.ZZZ.ZZZ Mask:YYY.YYY.YYY.Y
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:223758 errors:0 dropped:0 overruns:0 frame:0
TX packets:158467 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:126665633 (120.7 MiB) TX bytes:21530051 (20.5 MiB)
Interrupt:5
This assumes the extra IPs share the primary address's netmask, broadcast and gateway, i.e. they are all in one subnet; if they are not, this method may not work.
Log in to the web interface, select "Administration" > "Commands" and click "Edit Startup". Insert the following into the text box, one line per additional IP:
ifconfig eth1:1 XXX.XXX.XXX.A netmask YYY.YYY.YYY.Y broadcast ZZ.ZZZ.ZZZ.ZZZ
ifconfig eth1:2 XXX.XXX.XXX.B netmask YYY.YYY.YYY.Y broadcast ZZ.ZZZ.ZZZ.ZZZ
Use the same netmask and broadcast you got from the ifconfig output in telnet. Continue adding a line for each of the rest of your IPs, so you end up with eth1:1 to eth1:7 (if you have 8 IPs you set up 7 of them this way, because one is already bound to the interface from the web UI setup).
Hit Save; the router will restart. Telnet in again and re-run ifconfig: you should now see more interfaces, one for each of your IPs.
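The startup script below is an added example, not code from the original page: it binds the extra addresses as eth1:1, eth1:2, ... the way the lines above do, but first checks that every extra IP is in the same subnet as the primary WAN address (the assumption this method relies on) and refuses the whole batch on a mismatch rather than leaving some aliases half-configured. The interface name eth1 and the 203.0.113.8/29 block are placeholders; substitute your own. On the router, `nvram get wan_ifname` prints the real WAN interface name, and setting IFCONFIG=echo lets you dry-run the script on a PC.

```shell
#!/bin/sh
# Added example (not from the original page): DD-WRT "Startup" script that
# binds the extra static IPs as eth1:1, eth1:2, ... after checking that each
# one sits in the same subnet as the primary WAN address. eth1 and the
# 203.0.113.8/29 block are placeholders; on the router `nvram get wan_ifname`
# reports the real WAN interface name.
IFCONFIG=${IFCONFIG:-ifconfig}   # IFCONFIG=echo dry-runs on a PC

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP1 IP2 MASK: true if both addresses share the network part
same_subnet() {
  m=$(ip2int "$3")
  [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# add_aliases IFACE MASK BCAST PRIMARY EXTRA...: bind each EXTRA address as
# IFACE:1, IFACE:2, ... Everything is validated first, so a typo in one
# address leaves no half-applied set of aliases behind.
add_aliases() {
  iface=$1; mask=$2; bcast=$3; primary=$4; shift 4
  for ip in "$@"; do
    if ! same_subnet "$primary" "$ip" "$mask"; then
      echo "add_aliases: $ip is not in the subnet of $primary/$mask" >&2
      return 1
    fi
    if [ "$ip" = "$primary" ] || [ "$ip" = "$bcast" ]; then
      echo "add_aliases: $ip is the primary or broadcast address" >&2
      return 1
    fi
  done
  n=0
  for ip in "$@"; do
    n=$((n + 1))
    $IFCONFIG "$iface:$n" "$ip" netmask "$mask" broadcast "$bcast"
  done
}

# Run as "sh startup.sh apply" (or paste the call into the Startup box).
# 203.0.113.9 is the primary address already set in the web UI; .10-.14 are
# the remaining five usable addresses of the /29 (constructed sample values).
if [ "${1:-}" = apply ]; then
  add_aliases eth1 255.255.255.248 203.0.113.15 203.0.113.9 \
    203.0.113.10 203.0.113.11 203.0.113.12 203.0.113.13 203.0.113.14
fi
```

The subnet check is the one that matters: if the provider gave you addresses from two different blocks, an alias from the second block will be bound but replies will never route correctly, which is the failure the page warns about.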
Outbound NAT Mapping
This makes traffic originating from one of the machines on the LAN side of the router appear to come from one of your other external addresses.
Go to "Administration" > "Commands", select the option to edit the "Firewall" commands and enter the following:
iptables -t nat -I POSTROUTING 1 -p all -s 192.168.1.4 -j SNAT --to-source XX.XX.XXX.B
Replace 192.168.1.4 with the IP of the computer you want mapped to the external IP.
You can also use a CIDR range to map more than one internal IP to a single external IP (IP range to CIDR calculator: http://relays.osirusoft.com/cgi-bin/cidr.cgi). For example:
iptables -t nat -I POSTROUTING 1 -p all -s 192.168.1.2/31 -j SNAT --to-source XX.XX.XXX.B
makes traffic from 192.168.1.2 and 192.168.1.3 appear to have come from my third IP.
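As an added example (not from the original page), here is the same SNAT mapping wrapped in a small helper for the DD-WRT "Firewall" command box. It differs from the one-liners above in three ways a practitioner wants: it validates the addresses before touching the NAT table, it deletes any existing copy of the rule before inserting (DD-WRT can run the firewall script more than once per boot, e.g. on WAN reconnect, and repeated `-I` calls would stack duplicates), and it adds `-o eth1` so only packets actually leaving the WAN port are rewritten. eth1, 203.0.113.x and 192.168.1.x are placeholders; IPT=echo dry-runs it on a PC without iptables.

```shell
#!/bin/sh
# Added example (not from the original page): outbound SNAT helper for the
# DD-WRT "Firewall" command box. eth1 and all addresses are placeholders.
IPT=${IPT:-iptables}   # IPT=echo dry-runs the rules on a PC without iptables
WAN=${WAN:-eth1}

# valid_cidr a.b.c.d[/N]: octets 0-255 and prefix 0-32
valid_cidr() {
  case $1 in
    */*) ip=${1%/*}; pfx=${1#*/} ;;
    *)   ip=$1;      pfx=32 ;;
  esac
  case $pfx in *[!0-9]*|'') return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in *[!0-9]*|'') return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# snat_map SRC EXT: traffic from SRC (an IP or a CIDR block) leaves the WAN
# port with source address EXT. -D first so re-running the script does not
# stack duplicate rules; "-I ... 1" puts the rule ahead of DD-WRT's own
# MASQUERADE rule; -o $WAN leaves traffic routed elsewhere untouched.
snat_map() {
  src=$1; ext=$2
  if ! valid_cidr "$src" || ! valid_cidr "$ext" || [ "${ext#*/}" != "$ext" ]; then
    echo "snat_map: bad address '$src' -> '$ext' (EXT must be a single IP)" >&2
    return 1
  fi
  $IPT -t nat -D POSTROUTING -o "$WAN" -s "$src" -j SNAT --to-source "$ext" 2>/dev/null || true
  $IPT -t nat -I POSTROUTING 1 -o "$WAN" -s "$src" -j SNAT --to-source "$ext"
}

# Run as "sh firewall.sh apply" (or paste the calls into the Firewall box).
# Sample mappings, constructed for illustration:
if [ "${1:-}" = apply ]; then
  snat_map 192.168.1.4    203.0.113.11   # one host -> third external IP
  snat_map 192.168.1.2/31 203.0.113.10   # .2 and .3 -> second external IP
fi
```

EXT must be an address already bound to the WAN interface (the primary or one of the eth1:N aliases from the startup script); SNAT to an address the router does not own sends packets whose replies the router never receives.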
Inbound NAT Mapping
Go to "Administration" > "Commands", select the option to edit the "Firewall" commands and enter something similar to the following example:
iptables -I PREROUTING -t nat -p all -d XXX.XXX.XXX.B -j DNAT --to-destination 192.168.1.200
Note: does not work in v24.
This tells the router that traffic arriving for XXX.XXX.XXX.B should be mapped to the computer 192.168.1.200. Nothing will actually be forwarded at this point, though, because the firewall has not been told which ports to let through; that is done with the FORWARD rule further down.
For v24, use a per-port DNAT rule such as the following instead (this one is for TCP port 80; change the port and protocol to suit):
iptables -I PREROUTING -t nat -p tcp -m tcp -d XXX.XXX.XXX.B --dport 80 -j DNAT --to-destination 192.168.1.200
iptables -I FORWARD -d 192.168.1.200 -p tcp -m multiport --dports 80 -j ACCEPT
This accepts the forwarded traffic in the FORWARD chain (with the SPI firewall enabled, DD-WRT drops unsolicited traffic from the WAN by default, so the DNAT rule on its own is not enough). You can open several ports in this one command by separating them with commas, e.g. 21,22,80,443. A port listed here but not covered by a DNAT rule still reaches nothing, and a port covered by DNAT but not listed here is dropped, so keep the two lists matching.
To map UDP ports I think the command would be (I have not actually tried forwarding UDP ports yet):
iptables -I FORWARD -d 192.168.1.200 -p udp -m multiport --dports 53,119,1234 -j ACCEPT
I shall probably try UDP and port ranges and update the wiki; as yet I have not decided which ports I want to open ;)
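The helper below is an added example, not code from the original page. It emits the DNAT and FORWARD pair from the inbound section as one unit, so the two port lists can never drift apart, and it works identically for TCP and UDP; port ranges use the `low:high` form that `-m multiport` accepts (up to 15 ports per rule, a range counting as two, which the helper also enforces). As in the outbound example, each rule is deleted before it is inserted so the firewall script is safe to re-run. eth1, 203.0.113.11 and 192.168.1.200 are placeholders; IPT=echo dry-runs it on a PC.

```shell
#!/bin/sh
# Added example (not from the original page): inbound port-mapping helper
# for the DD-WRT "Firewall" command box. eth1 and all addresses are
# placeholders; replace them with your own WAN interface and addresses.
IPT=${IPT:-iptables}   # IPT=echo dry-runs the rules on a PC without iptables
WAN=${WAN:-eth1}

# valid_port N: 1..65535
valid_port() {
  case $1 in *[!0-9]*|'') return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_port_spec PORT or LOW:HIGH (multiport range syntax)
valid_port_spec() {
  case $1 in
    *:*) lo=${1%%:*}; hi=${1#*:}
         valid_port "$lo" && valid_port "$hi" && [ "$lo" -lt "$hi" ] ;;
    *)   valid_port "$1" ;;
  esac
}

# valid_port_list P1,P2,LOW:HIGH,...: every entry valid and at most 15
# multiport slots in total (a range counts as two).
valid_port_list() {
  case $1 in ''|,*|*,|*,,*) return 1 ;; esac
  slots=0
  oldifs=$IFS; IFS=,; set -- $1; IFS=$oldifs
  for spec in "$@"; do
    valid_port_spec "$spec" || return 1
    case $spec in *:*) slots=$((slots + 2)) ;; *) slots=$((slots + 1)) ;; esac
  done
  [ "$slots" -le 15 ]
}

# dnat_ports EXT INT PROTO PORTS: send PROTO traffic arriving on the WAN port
# for EXT on the listed ports to INT, and open exactly those ports in FORWARD
# (DD-WRT's SPI firewall drops unsolicited WAN traffic, so DNAT alone passes
# nothing). -D before -I keeps the script idempotent across re-runs.
dnat_ports() {
  ext=$1; int=$2; proto=$3; ports=$4
  case $proto in tcp|udp) ;; *) echo "dnat_ports: proto must be tcp or udp" >&2; return 1 ;; esac
  valid_port_list "$ports" || { echo "dnat_ports: bad port list '$ports'" >&2; return 1; }
  $IPT -t nat -D PREROUTING -i "$WAN" -d "$ext" -p "$proto" -m multiport --dports "$ports" -j DNAT --to-destination "$int" 2>/dev/null || true
  $IPT -t nat -I PREROUTING -i "$WAN" -d "$ext" -p "$proto" -m multiport --dports "$ports" -j DNAT --to-destination "$int"
  $IPT -D FORWARD -i "$WAN" -d "$int" -p "$proto" -m multiport --dports "$ports" -j ACCEPT 2>/dev/null || true
  $IPT -I FORWARD -i "$WAN" -d "$int" -p "$proto" -m multiport --dports "$ports" -j ACCEPT
}

# Run as "sh firewall.sh apply" (or paste the calls into the Firewall box).
# Sample mappings, constructed for illustration:
if [ "${1:-}" = apply ]; then
  dnat_ports 203.0.113.11 192.168.1.200 tcp 21,22,80,443
  dnat_ports 203.0.113.11 192.168.1.200 udp 53,1234
  dnat_ports 203.0.113.11 192.168.1.200 udp 5000:5010   # a range
fi
```

The `-i eth1` match on both rules limits the mapping to traffic that really arrived on the WAN port; the trade-off is that LAN clients cannot reach the service via the external address (no NAT loopback). Drop `-i "$WAN"` from the PREROUTING rule if you need that.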
