Claim more than one address from WAN

Hi

Our ISP has provided us with a couple of IP addresses; however, the traffic is not automatically routed to us. We need to claim the addresses with a separate MAC address for each one.

Here is what I tried in order to claim the second IP address. I create an alias and try to set another MAC address for the alias.

It does not work, however. I have run tcpdump on eth3 and I don't receive anything at all if I ping x.x.16.7 from a remote host. Also, the alias interface is not showing up if I run ifconfig -a, but maybe that is expected?

I use a small mini pc as router. It has 4 NICs. Only one of them is connected to the WAN side and I would like it to stay that way.

Here is my config

config interface 'wan'
        option ifname 'eth3'
        option proto 'static'
        option broadcast 'x.x.16.255'
        option ipaddr 'x.x.16.6'
        option gateway 'x.x.16.1'
        list dns 'x.x.239.10'
        list dns '8.8.8.8'
        option netmask '255.255.255.0'

config interface 'wantest'
        option ifname 'eth3'
        option proto 'static'
        option ipaddr 'x.x.16.7'
        option netmask '255.255.255.0'
        option gateway 'x.x.16.1'
        option broadcast 'x.x.16.255'
        option dns 'x.x.239.10'
        option hwaddr "01:0E:C4:D5:7B:26"

If I run ip address list, I get this, which actually looks quite good except that I don't have a separate MAC address on the .16.7 interface:

6: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0e:c4:d5:7b:26 brd ff:ff:ff:ff:ff:ff
    inet x.x.16.6/24 brd x.x.16.255 scope global eth3
       valid_lft forever preferred_lft forever
    inet x.x.16.7/24 brd x.x.16.255 scope global secondary eth3
       valid_lft forever preferred_lft forever

You got it almost. You just missed the firewall rules which are needed for this setup.

@pwned thank you very much for the reply.

But my ISP requires a separate MAC-address for each IP. It seems that the second IP is added but both .6 and .7 share the same 00:0e:c4:d5:7b:26 MAC address. And wouldn't I be able to catch packets on tcpdump -i eth3 even though it is firewalled?

According to my ISP I need a separate MAC address since they do not route these IPs to me if they don't have a MAC-address. Just how they set up things.

I just installed kmod-macvlan and tried to set up a virtual device using

config device 'veth0'
	option name 'veth0'
	option type 'macvlan'
	option ifname 'eth3'

But it had no effect at all. I would expect to have a new veth0 interface I could set up in LuCI, but neither LuCI nor ifconfig -a nor ip address list would show me anything related to veth0.

That's odd. Messing around with MAC addresses is ugly. I would avoid that and go for another router. What about:

config device 'veth1' #<- I think this has to match and differs with releases? you could try 'veth1_dev' also.
	option name 'veth1'
	option type 'macvlan'
	option ifname 'eth3'
	# unicast, locally administered address (first octet 02)
	option macaddr '02:11:11:22:22:22'

config interface 'wan1'
	option ifname 'veth1'
	option proto 'static'
	option netmask '255.255.255.0'
	option gateway '192.168.10.1'
	option ipaddr '192.168.10.100'
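
Added example, not part of the thread: an address made up for a macvlan device must be unicast (lowest bit of the first octet clear), so this script classifies the macaddr values in a UCI snippet and derives a locally administered unicast address from one that fails. The function names and the sample snippet are constructed for illustration; the sample reuses the 01:0E:C4:D5:7B:26 value from the first post.

```shell
#!/bin/sh
# Bit 0 of the first octet marks a multicast address (not assignable to an
# interface); bit 1 marks a locally administered one.

# Print the class of a MAC: invalid | zero | multicast | local | universal
mac_class() {
    mc_mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    if ! printf '%s\n' "$mc_mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
        echo invalid
    elif [ "$mc_mac" = "00:00:00:00:00:00" ]; then
        echo zero
    elif [ $((0x${mc_mac%%:*} & 1)) -ne 0 ]; then
        echo multicast
    elif [ $((0x${mc_mac%%:*} & 2)) -ne 0 ]; then
        echo local
    else
        echo universal
    fi
}

# Derive a usable address: clear the multicast bit, set the local bit.
mac_make_local() {
    [ "$(mac_class "$1")" != invalid ] || return 1
    ml_mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    ml_first=$(( (0x${ml_mac%%:*} | 2) & 0xfe ))
    printf '%02x:%s\n' "$ml_first" "${ml_mac#*:}"
}

# Read UCI text on stdin and print "<value> <class>" for every macaddr option.
# Returns 1 if any address cannot be assigned to an interface.
check_uci_macs() {
    cu_rc=0
    while read -r cu_kw cu_name cu_value; do
        [ "$cu_kw" = option ] && [ "$cu_name" = macaddr ] || continue
        cu_value=$(printf '%s' "$cu_value" | tr -d "\"'")
        cu_class=$(mac_class "$cu_value")
        echo "$cu_value $cu_class"
        case $cu_class in local|universal) ;; *) cu_rc=1 ;; esac
    done
    return $cu_rc
}

# Constructed sample input (veth names are placeholders).
check_uci_macs <<'EOF' || echo "suggested: $(mac_make_local 01:0E:C4:D5:7B:26)"
config device
	option name 'veth1'
	option macaddr '01:0E:C4:D5:7B:26'
config device
	option name 'veth2'
	option macaddr '02:0e:c4:d5:7b:26'
EOF
```
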

Hi @pwned thank you very much for your reply and sorry for my late follow-up. I now finally managed to get data flowing from one more IP towards my router. I had to remove the gateway line in order for it to start working as my primary wan broke otherwise. Don't know if this will be an issue later on and that the ISP will forget about me if I am not using the gateway... time will tell.

But I still have a problem. The idea of multiple IPs is to, for example, use port 443 and 22 for some servers I have behind OpenWRT.

I named the interface wan2 and gave it a zone also named wan2 and I set up the firewall zone for lan to accept forward to and from wan2.
I also added a port forward from wan2 port 22 to an internal server on lan.

I try to ssh from a remote computer.
It did not work. Using tcpdump I can see incoming traffic on port 22 on wan2.
I can also see incoming and outgoing SYN packets with tcpdump on the actual server.
Traffic does seem to go out on the primary wan interface and not wan2. This should be OK in most cases I guess, but since I cannot see this return traffic on the remote computer I assume my ISP is blocking the traffic since it is the wrong source IP on the wrong MAC.

Does this make sense? Any way I can force the return traffic on the same wan interface it arrived?

Kind regards
Jens

You need to set up PBR to utilize both default routes:
https://openwrt.org/docs/guide-user/network/routing/pbr