Hello friends
I want to completely disable the modem nat and have a dedicated route to communicate with them
This means that the client can communicate directly with the ip network with its own ip
wan ip: 172.x.x.x
lan ip: 94.x.x.153
user ip: 94.x.x.154
How do I enable these settings?
Your IPs look a little bit strange to me. It seems that you are using a private IP on the wan side and public IPs on the lan side?
Could you share what the 2nd block of the wan IP is?
If it's in the range of 172.16.0.0 to 172.31.255.255 it is a private IP.
Also why do you use public IPs for your lan?
Yes, exactly
Because isp wants to give us an ip range service
And only I can access the internet with the ip range that isp gives me and I set it to Lan
That's why NAT needs to be disabled and router mode enabled so I can access the Internet on my client.
Are you sure you want to use public IPs for your LAN? This is highly uncommon as your clients are directly exposed without a firewall.
Usually you assign the public IP to the router and create a NAT. The clients can also access the internet behind a NAT. You don't need public IPs for your clients to reach the internet.
Yes, I'm absolutely sure
This is a special service
And for these settings I do not know exactly what to do on openwrt
Can you provide me with the netmask of your public subnet and if it has dhcp from the isp or not?
Yes, Sure
isp gives me ip as dhcp
And the subnet is 255.255.255.255
Also the subnet that I have to set to lan is 255.255.255.248
Which IP is he giving you as dhcp? The 172.x.x.x or the public ones?
Because it looks like your router would have two IPs on the WAN interface then.
Gives me 172.x.x.x via dhcp
And this ip is on my wan
Do you have any idea how to create a route from lan to wan with no NAT?
I see a problem here.
If you would like to use your public IPs you would move all physical ports into WAN interface and don't use the lan interface. So you would not be able to use the 172.x.x.x IP on the WAN interface as it already has a static IP from your public address pool. Also you can't use DHCP and Static on the same interface.
I do not want to use DHCP and static at the same time on the wan.
The static IP is set on lan and I want to send everything from lan to them without NAT.
Ok, can you post me the output of the /etc/config/network file with all public IPs and MAC addresses redacted?
Also it would be good to know how your ISP handles his Routing exchange. If he has an entry that your public subnet can be reached by sending it to 172.x.x.x (your WAN IP) you would just need to turn off Masquerading I believe.
yes sure
ifconfig :

br-lan    Link encap:Ethernet HWaddr 0C:CF:89:21:8B:57
          inet addr:94.x.x.153 Bcast:94.x.x.159 Mask:255.255.255.248
          inet6 addr: fe80::ecf:89ff:fe21:8b57/64 Scope:Link
          inet6 addr: fd8e:7e89:d344::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:10595 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4405 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2069205 (1.9 MiB) TX bytes:450682 (440.1 KiB)

eth0      Link encap:Ethernet HWaddr 0C:CF:89:21:8B:57
          inet6 addr: fe80::ecf:89ff:fe21:8b57/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:11888 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5008 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2522316 (2.4 MiB) TX bytes:629411 (614.6 KiB)
          Interrupt:5

eth0.1    Link encap:Ethernet HWaddr 0C:CF:89:21:8B:57
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:10595 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4405 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2069205 (1.9 MiB) TX bytes:450682 (440.1 KiB)

eth0.2    Link encap:Ethernet HWaddr 0C:CF:89:21:8B:58
          inet6 addr: fe80::ecf:89ff:fe21:8b58/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:376 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B) TX bytes:123285 (120.3 KiB)

eth1      Link encap:Ethernet HWaddr 00:16:08:36:55:B8
          inet addr:172.x.x.2 Bcast:255.255.255.255 Mask:255.255.255.255
          inet6 addr: fe80::216:8ff:fe36:55b8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:6232 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10612 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:431628 (421.5 KiB) TX bytes:1134166 (1.0 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:65536 Metric:1
          RX packets:5238 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5238 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:371974 (363.2 KiB) TX bytes:371974 (363.2 KiB)
/etc/config/network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'fd8e:7e89:d344::/48'

config interface 'lan'
    option type 'bridge'
    option ifname 'eth0.1'
    option proto 'static'
    option ip6assign '60'
    option ipaddr '94.x.x.153'
    option netmask '255.255.255.248'
    option mtu '1500'

config device 'lan_dev'
    option name 'eth0.1'
    option macaddr 'xxxxxx'

config interface 'wan'
    option ifname 'eth0.2'
    option proto 'dhcp'

config device 'wan_dev'
    option name 'eth0.2'
    option macaddr 'xxxxxxx'

config interface 'wan6'
    option ifname 'eth0.2'
    option proto 'dhcpv6'

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '1 2 3 4 0 6t'

config switch_vlan
    option device 'switch0'
    option vlan '2'

config interface 'wan1'
    option proto 'dhcp'
    option ifname 'eth1'
    option mtu '1500'
/etc/config/firewall

config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    option network 'wan1 wan'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-Ping'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'ACCEPT'
    option src '*'
    option dest 'lan'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option src_ip 'fc00::/6'
    option dest_ip 'fc00::/6'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config include
    option path '/etc/firewall.user'

config include 'miniupnpd'
    option type 'script'
    option path '/usr/share/miniupnpd/firewall.include'
    option family 'any'
    option reload '1'
Yes, I checked this as well. I turned off masq in zone wan, but the problem was not solved.
I even completely removed wan1 from the zone to see if I could create a route manually, but I did not get the correct answer.
I hope you can help me
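Added example, not part of the original posts and not OpenWrt's own tooling: a small Python check that reads a UCI firewall config like the one posted above and lists the settings that decide whether LAN hosts with routed public addresses are still NATed or are reachable from the wan side. The names `parse_uci` and `audit_routed` and the abridged sample are assumptions made for this illustration.

```python
import shlex
# Abridged copy of the /etc/config/firewall posted above (constructed sample).
POSTED = """
config defaults
    option forward 'ACCEPT'
config zone
    option name 'lan'
    option forward 'ACCEPT'
config zone
    option name 'wan'
    option forward 'REJECT'
    option masq '1'
    option network 'wan1 wan'
config forwarding
    option src 'lan'
    option dest 'wan'
config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {option: [values]})."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], {}))
        elif len(tok) >= 3 and tok[0] in ("option", "list") and sections:
            sections[-1][1].setdefault(tok[1], []).append(tok[2])
    return sections

def audit_routed(text, wan="wan", lan="lan"):
    """List settings that matter once LAN hosts hold routed public addresses."""
    findings = []
    for kind, opts in parse_uci(text):
        get = lambda key: opts.get(key, [""])[0]
        if kind == "defaults" and get("forward") == "ACCEPT":
            # Applies to traffic on interfaces that belong to no zone.
            findings.append("default forward policy is ACCEPT")
        if kind == "zone" and get("name") == wan and get("masq") == "1":
            findings.append("masq still enabled on zone " + wan)
        if (kind == "rule" and get("src") == wan and get("dest") == lan
                and get("target") == "ACCEPT"):
            findings.append("wan->lan allowed by rule " + get("name"))
    return findings
```

Running `audit_routed` on the full posted file would also report the `Allow-IPSec-ESP` rule, which the abridged sample leaves out.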
You forgot to redact on the ifconfig. Please edit
You have both the wan and lan interface on eth0, but you have an eth1 which hasn't any interface on it. Which device are you using?
Wan1 is interface that feylt ip from isp
Eth1 is the LTE module device that I get the DHCP IP from.
The wan interface is not important; it is on the wan port of the modem, ignore it.
Can you send me a screenshot from the LuCI Firewall page?
Would be easier for me to get an overview