Disable NAT mode and creat route LAN to WAN

Hello friends
I want to completely disable the modem nat and have a dedicated route to communicate with them
This means that the client can communicate directly with the ip network with its own ip
wan ip: 172.x.x.x
lan ip: 94.x.x.153
user ip: 94.x.x.154
How do I enable these settings?

Your IPs look a little bit strange to me. It seems that you are using a private IP on the wan side and public IPs on the lan side?
Could you share what the 2nd block of the wan IP is?
If it's in the range of 172.16.0.0 to 172.31.255.255 it is a private IP.

Also why do you use public IPs for your lan?

1 Like

Yes, exactly
Because isp wants to give us an ip range service
And only I can access the internet with the ip range that isp gives me and I set it to Lan
That's why NAT needs to be disabled and router mode enabled so I can access the Internet on my client.

Are you sure you want to use public IPs for you LAN? This is highly uncommon as your clients are directly exposed without a firewall.
Usually you assign the public IP to the router and create a NAT. The clients can also access the internet behind a NAT. You don't need public IPs for your clients to reach the internet.

1 Like

Yes, I'm absolutely sure
This is a special service
And for these settings I do not know exactly what to do on openwrt

Can you provide me with the netmask of your public subnet and if it has dhcp from the isp or not?

1 Like

Yes, Sure
isp gives me ip as dhcp
And the subnet is 255.255.255.255
Also the subnet that I have to set to lan is 255.255.255.248

Which IP is he giving you as dhcp? The 172.x.x.x or the public ones?
Because it looks like your router would have to IPs on the WAN interface then.

1 Like

Gives me 172.x.x.x via dhcp
And this ip is on my wan

Have any idea to create route from lan to wan with no nat?

I see a problem here.
If you would like to use your public IPs you would move all physical ports into WAN interface and don't use the lan interface. So you would not be able to use the 172.x.x.x IP on the WAN interface as it already has a static IP from your public address pool. Also you can't use DHCP and Static on the same interface.

1 Like

I do not want to use dhcp and static on them at the same time on the wan

ip static is set to lan and I want send everything from lan to them without nat

Ok, can you post me the output of the /etc/config/network file with all public IPs and MAC addresses redacted

1 Like

Also it would be good to know how your ISP handles his Routing exchange. If he has an entry that your public subnet can be reached by sending it to 172.x.x.x (your WAN IP) you would just need to turn off Masquerading I believe.

2 Likes

yes sure

ifconfig :

br-lan    Link encap:Ethernet  HWaddr 0C:CF:89:21:8B:57  
          inet addr:94.x.x.153  Bcast:94.x.x.159  Mask:255.255.255.248
          inet6 addr: fe80::ecf:89ff:fe21:8b57/64 Scope:Link
          inet6 addr: fd8e:7e89:d344::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10595 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4405 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2069205 (1.9 MiB)  TX bytes:450682 (440.1 KiB)

eth0      Link encap:Ethernet  HWaddr 0C:CF:89:21:8B:57  
          inet6 addr: fe80::ecf:89ff:fe21:8b57/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11888 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5008 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2522316 (2.4 MiB)  TX bytes:629411 (614.6 KiB)
          Interrupt:5 

eth0.1    Link encap:Ethernet  HWaddr 0C:CF:89:21:8B:57  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10595 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4405 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2069205 (1.9 MiB)  TX bytes:450682 (440.1 KiB)

eth0.2    Link encap:Ethernet  HWaddr 0C:CF:89:21:8B:58  
          inet6 addr: fe80::ecf:89ff:fe21:8b58/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:376 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:123285 (120.3 KiB)

eth1      Link encap:Ethernet  HWaddr 00:16:08:36:55:B8  
          inet addr:172.x.x.2  Bcast:255.255.255.255  Mask:255.255.255.255
          inet6 addr: fe80::216:8ff:fe36:55b8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6232 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10612 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:431628 (421.5 KiB)  TX bytes:1134166 (1.0 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:5238 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5238 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:371974 (363.2 KiB)  TX bytes:371974 (363.2 KiB)

/etc/config/network


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd8e:7e89:d344::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ip6assign '60'
	option ipaddr '94.x.x.153'
	option netmask '255.255.255.248'
	option mtu '1500'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr 'xxxxxx'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr 'xxxxxxx'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'


config interface 'wan1'
	option proto 'dhcp'
	option ifname 'eth1'
	option mtu '1500'



/etc/config/firewall


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan1 wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option src '*'
	option dest 'lan'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'




Yes, I checked this as well, I turned off masq in zone wan, but the problem was not solved
I even completely removed wan1 from the zone to see if I could create a root manually, but I did not get the correct answer
I hope you can help me

You forgot to redact on the ifconfig. Please edit

1 Like

You have both the wan and lan interface on eth0, but you have an eth1 which hasn't any interface on it. Which device are you using?

1 Like

Wan1 is interface that feylt ip from isp
Eth1 is lte module device that I get dhcp ip from this
Wan interface is not important this is on wan port on modem ignore this

Can you send me a screenshot from the LuCI Firewall page?
Would be easier for me to get an overview

1 Like