Add public subnet

Installing and Using OpenWrt Network and Wireless Configuration
1

Hello to all, I'm new to this community and OpenWRT. Beautiful project!
I just need a little help.
I successfully installed OpenWRT on a TP-Link Archer C6 v2. And works fine.
Now I need to add a public ip subnet assigned to me by my provider. What I need is to assign some public ip to some of my hosts. But I don't find how to. This is the (fake) subnet:

10.0.0.208/29
10.0.0.209 Gateway
10.0.0.215 Broadcast
10.0.0.210~214 Public ip availables for my hosts

And this is my initial network configuration (all others settings are default).

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd9d:c7e1:b5bb::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'pppoe'
        option username 'myusername'
        option password 'mypassword'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option auto '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2 3 4 5'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
        option vid '2'

I search over this forum and all over the whole Internet, but find nothing. Thank you in advance.

2
2 Likes
3

The solution proposed by vgaetera works, but... is not the canonical way to configure a subnet. The advantages in this way are that it is possible to use all the ip of subnet range, also gateway, broadcast and network, but there are some disadvantages too. In first I think you can't use a vm that need real fqdn (witch value do you put in /etc/hosts the public ip, the local natted ip? And with what consequences?). I don't think this can be a reliable solution for a mail server, for example, but for cloud or a voip server too.

I searched for a more classical "routed" solution, but I don't find nothing. This is my way to solve the problem. My way, means not necessarily the right solution. So if anyone think it can be done better, is invited to correct me or implement any missing parts.

Reading the OpenWRT manual it become clear what to do to reach the "routed" way.

In first, we need to create a new interface, our public gateway. But we don't wont to loose the natted configuration of our local lan. We need to create a new VLAN «as there is no other way for it to tell what is what». And please note that «Each port can only be assigned as “untagged” to exactly one VLAN ID» And we have our local network signed as "untagged", exactly like in default OpenWRT configuration.

So our switch configuration will be:

switch
switch.jpg968×327 60.3 KB

Now we can create a new interface, which we will call with a fantasy effort "pool" and bridge it to eth0.3. The values of this new interface will be our public subnet gateway and the relative netmask. No other params are needed.

Now we need to config our firewall.

First create a dmz zone for our pool interface:

config zone
        option name 'dmz'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'pool'

Open all (if you want) dmz to and from wan:

config forwarding
        option dest 'wan'
        option src 'dmz'

config forwarding
        option dest 'dmz'
        option src 'wan'

Well, all works now, right? Wrong. If you check now, from internet you can ping one of your public ip (if you have an host alive with a public ip, in our example 10.0.0.210~214, and configured correctly with the right vlan id 3). But if your host is a Debian and you run the command wget -qO- http://ipecho.net/plain ; echo, you'll note that your host exit still natted.

Uncheck "masquerade" from your firewall and edit /etc/config/firewall adding:

config redirect
        option target 'SNAT'
        option proto 'all'
        option src 'lan'
        option src_ip '192.168.0.0/24'
        option src_dip 'your public natted ip'
        option dest 'wan'
        option name 'SNAT: DMZ ICMP 192.168.0.0 -> your public natted ip'

The masquerade will be applied only for your local lan, and your subnet will be routed.

For the last configuration, you may need to reach your public subnet also from your local lan, not only from internet. Add this in your /etc/config/firewall:

config forwarding
        option dest 'dmz'
        option src 'lan'

I think it is all.

2 Likes
4
  • Locally (in route), you put the IP of the device
  • On WAN (Public DNS), you use the IP you NATed to the server

Why not?

BTW, I route IPs downstream all the time. Just make another VLAN with the other IPs on it. Static route to that new VLAN interface, and that should be all you need!

5

Did you tried? Do you really have in production a mail server configured with sources and destination nat? If your hostname point to local ip, I don't think postfix will be happy with "myhostname" parameter, for example.
There is a big difference between "it should work" and "it works".

6

I just said no. I actually noted:

I don't use NAT. Is it a requirement of yours?

Are you sure your IP is not listed Globally as a "residential DHCP-issued" IP for example?

I have no issues with my DNS names on a Postfix server. This is unrelated to OpenWrt if that's the problem. You inquiry was about Public IP assignment, not issues with DNS names on a SMTP server.

Can you better describe your issue?

EDIT: You can firewall without using NAT.

7

Did you try to use split DNS?

8

No, is not my requirement. But was you before to tell

about a natted solution for a production server.

Yes I know it. But I always try to use the most simple and tested solutions, when was possible. There are many way to reach the same goal and ip alias (if I can call it the source and destination nat from a public ip to a local ip and reversal) can be one of these. For a production use I still prefer the classical "routed" way,

1 Like
9

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.