Get an extra public IP address on a 2-port x86 OpenWrt box + switch

In short, is there a way to give a public IP to a specific device connected to the switch behind OpenWrt?

My IPTV STB needs a public IP.
Currently it is connected to the ISP's 4-port hub, but this does not make the home network a single network.

The ISP hub assigns a public IP to each of the 4 ports. I would like to replace this with my OpenWrt box and connect the switch below it to make the home network one network.

Now:
WAN -> ISP hub -> OpenWrt box (public IP1) -> AP (192.168.x.x)
               -> other room1 (public IP2)
               -> other room2 (public IP3)
               -> IPTV (public IP4)

I want:
WAN -> OpenWrt box (public IP1) -> switch -> AP (192.168.x.x)
                                          -> other room1 (192.168.x.x)
                                          -> other room2 (192.168.x.x)
                                          -> IPTV (public IP2)

There is only one LAN port, so it doesn't seem simple.
Is it possible to achieve this with VLANs?

With VLANs and a managed switch it would be possible.
One VLAN will be for the private IPs and the other will be bridged with the WAN interface to relay the public IP to the STB.

I set up vlan100 and vlan200 on the switch (to be precise, an Asus router in AP mode).
Ports 1~3 / Wi-Fi are set to vlan100 and port 4 is set to vlan200, and I am trying to get the public IP through port 4.

But I am not sure what the next setting should be in OpenWrt.
eth1 is WAN and eth0 is LAN.
eth0.100 was added for LAN and works fine with a private IP.

What is next?
I tried to bridge eth1 with eth0.200 but it didn't work.

Does eth1 also need a VLAN?
Do I need a tool like dhcp-forwarder?

I'm not sure how I can pass the client's DHCP request through the OpenWrt box to reach the ISP's DHCP server.

On the OpenWrt side you need both eth0.100 (as lan) and eth0.200 (bridged to wan).
On the other side you need the interface which connects to OpenWrt to be a trunk carrying VLANs 100 and 200. Then the other ports can be access/untagged for each VLAN you want.

I am still not able to make it work.
Devices connected to port 4 seem to receive ARP broadcast packets from the ISP, but no DHCP lease.

It may be achievable without creating a VLAN or using a managed switch.

config interface 'lan_wan'
        option proto 'static'
        option ifname '@lan'
        list ipaddr 'public_IP1/29'
        list ipaddr 'public_IP2/29'

Assign private IPs to all the machines in the LAN, including the IPTV etc.

Create a DNAT rule in the firewall for 1:1 NAT to the IPTV:

config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option dest_ip '192.168.x.y'
        option src_dport '1-65535'
        option dest_port '1-65535'
        option name 'DNAT for IPTV'
        option src_dip 'public_IPx'

Disable MASQUERADING for your public IP pool on the LAN side:

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        list masq_src '!public_IP1/29'
        list masq_dest '!public_IP2/29'
        option forward 'DROP'
        option input 'DROP'
        option network 'wan wan6 wan2'

Do let us know if it works for you.


I didn't see that the ISP provisions the IP address to the IPTV over DHCP while writing the above response.

I think you would require a dns-forwarder to simplify things.

This method can be used to get open NAT (NAT type 1) on an Xbox or PS4.
Various SOHO routers (Asus, Netgear, TP-Link, etc.) provide a function for obtaining a public IP by excluding a specific port from the LAN.

Most of the data about OpenWrt was written about devices with built-in switches, and I couldn't find any useful articles available for x86.

So I give up.

It was a firewall issue.
I changed all the input/output/forward options in the wan zone to ACCEPT and unchecked masquerading.

After that, I was able to get a public IP on port 4 and access the internet.

Now br-wan has the eth1 and eth0.200 interfaces.

I need to apply the firewall only to eth1 in this bridge and exclude eth0.200 from the firewall (to communicate via the public IP as above).

I am looking for it, but I would appreciate it if you could let me know.

kern.warn kernel: [73267.671331] REJECT wan out: IN=br-wan OUT=br-wan PHYSIN=eth0.200 PHYSOUT=eth1 MAC=ff:ff:ff:ff:ff:ff:AA:AA:AA:AA:AA:AA:08:00 SRC= DST= LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=23970 PROTO=UDP SPT=68 DPT=67 LEN=308
kern.warn kernel: [73267.693375] REJECT wan in: IN=br-wan OUT= PHYSIN=eth0.200 MAC=ff:ff:ff:ff:ff:ff:AA:AA:AA:AA:AA:AA:08:00 SRC= DST= LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=23970 PROTO=UDP SPT=68 DPT=67 LEN=308

iptables -I FORWARD -i br-wan -o br-wan -j ACCEPT

This rule allowed me to get a public IP from the DHCP server.
Communication was enabled by adding the following to the wan zone:

list masq_src (My lan)

config zone
        option name 'wan'
        option output 'ACCEPT'
        option mtu_fix '1'
        option network 'wan6 wan'
        option input 'REJECT'
        option forward 'REJECT'
        option masq '1'
        list masq_src

But I am not sure if it is safe to add this rule:
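The two REJECT lines quoted above say exactly which drop matters, once the netfilter key=value fields are read carefully. As an added worked example (not code from the original posts), the script below parses those lines and classifies each one: the "wan out" line has IN and OUT both set to br-wan with PHYSIN=eth0.200 and PHYSOUT=eth1, i.e. a packet being bridged port to port that br_netfilter still pushed through the iptables FORWARD chain, where the wan zone's intra-zone forward policy rejected it; the "wan in" line is the copy of the same broadcast that the bridge delivered to the router itself, hitting the input policy, which does not affect the STB. The only sample input is the poster's two lines (SRC= and DST= were already blanked in the post).

```python
"""Added example for this thread, not code from the original posts: parse the
netfilter REJECT lines quoted above and say why the STB's DHCP request was
dropped.  The sample log is the poster's two lines; SRC=/DST= are blank
because the poster redacted them."""

# Constructed sample input: the two kernel log lines quoted in the thread.
SAMPLE_LOG = """\
kern.warn kernel: [73267.671331] REJECT wan out: IN=br-wan OUT=br-wan PHYSIN=eth0.200 PHYSOUT=eth1 MAC=ff:ff:ff:ff:ff:ff:AA:AA:AA:AA:AA:AA:08:00 SRC= DST= LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=23970 PROTO=UDP SPT=68 DPT=67 LEN=308
kern.warn kernel: [73267.693375] REJECT wan in: IN=br-wan OUT= PHYSIN=eth0.200 MAC=ff:ff:ff:ff:ff:ff:AA:AA:AA:AA:AA:AA:08:00 SRC= DST= LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=23970 PROTO=UDP SPT=68 DPT=67 LEN=308
"""

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def parse_nf_log(line):
    """Return (log_prefix, fields) for one netfilter LOG line.

    log_prefix is what fw3 passed to --log-prefix, e.g. "REJECT wan out".
    fields holds the KEY=VALUE tokens; an empty VALUE (OUT=, SRC=) stays "".
    LEN= appears twice (IP total length, then UDP length), so a repeated key
    gets a numeric suffix (LEN2) instead of silently overwriting the first.
    """
    head, sep, rest = line.rstrip("\n").partition(": IN=")
    if not sep:
        raise ValueError("not a netfilter log line: %r" % line)
    log_prefix = head.split("] ", 1)[-1]        # drop "kern.warn kernel: [ts]"
    fields = {}
    for token in ("IN=" + rest).split():
        key, _, value = token.partition("=")
        n, base = 1, key
        while key in fields:
            n += 1
            key = "%s%d" % (base, n)
        fields[key] = value
    return log_prefix, fields


def diagnose(log_prefix, f):
    """Classify one rejected packet for the br-wan (eth1 + eth0.200) setup."""
    d = {
        "prefix": log_prefix,
        "physin": f.get("PHYSIN", ""),
        "physout": f.get("PHYSOUT", ""),
        # DHCP client -> server: UDP from port 68 to port 67.
        "dhcp_request": f.get("PROTO") == "UDP" and f.get("SPT") == "68" and f.get("DPT") == "67",
        # MAC= is "dst:src:ethertype"; DHCPDISCOVER goes to the broadcast MAC.
        "broadcast": f.get("MAC", "").startswith(BROADCAST_MAC + ":"),
        # IN and OUT both the bridge: the packet is being bridged port to port,
        # and br_netfilter still runs it through iptables FORWARD (wan -> wan).
        "intra_bridge": bool(f.get("IN")) and f.get("IN") == f.get("OUT"),
        # OUT empty: the bridge also delivered a copy to the router itself (INPUT).
        "to_router": bool(f.get("IN")) and f.get("OUT") == "",
    }
    if d["intra_bridge"]:
        d["verdict"] = ("forward %s -> %s rejected by the wan zone's intra-zone forward "
                        "policy; this is the drop that starves the STB" % (d["physin"], d["physout"]))
    elif d["to_router"]:
        d["verdict"] = ("broadcast copy delivered to the router itself, rejected by the wan "
                        "zone's input policy; harmless, the router is not the STB's DHCP server")
    else:
        d["verdict"] = "unrelated to the bridge"
    return d


def analyse(log_text):
    """Parse every REJECT line in log_text and return one diagnosis per line."""
    return [diagnose(*parse_nf_log(line)) for line in log_text.splitlines() if "REJECT" in line]


if __name__ == "__main__":
    for r in analyse(SAMPLE_LOG):
        print("%-15s physin=%-8s physout=%-4s dhcp=%s  %s"
              % (r["prefix"], r["physin"], r["physout"] or "-", r["dhcp_request"], r["verdict"]))
```

Run it as a script and the first line is reported as the intra-bridge forward reject (eth0.200 -> eth1), the second as the input-chain copy. That is why `iptables -I FORWARD -i br-wan -o br-wan -j ACCEPT` was enough to get the lease: it only touches packets whose in and out device are the same bridge, which is the bridged STB traffic, not ordinary WAN -> LAN forwarding.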

iptables -I FORWARD -i br-wan -o br-wan -j ACCEPT

You may want to restrict that rule to ports 67 and 68 for DHCP requests and replies so that WAN -> LAN is still restricted at large.

Not sure about IPv6 though.

I tested forwarding only UDP ports 67 and 68. I got a public IP, but communication was impossible.

The communication path looks like this:
AP port 4 (vlan200) -> openwrt lan port (eth0.200, vlan200) -> br-wan bridge (eth0.200 -> eth1) -> wan

AP port 4 needs to be completely exposed to the internet, so the above rule seems to be correct.

However, I am not sure if the above rule affects other networks.

Once an interface is part of a bridge, you can't create interface-specific rules, as they may not apply.

Have you considered adding rules on the bridge based on the MAC address of the IPTV using LuCI?

Allow inbound and outbound fully to that MAC as src and dest in 2 separate rules, while keeping the FORWARD and INPUT policy of WAN at DROP.

You have set the MASQUERADE condition correctly on the WAN zone, which only applies to the traffic from your LAN.

I hope to see your IPTV working now.

You can change this to ACCEPT in the wan zone. I believe it will solve the intra-zone traffic traversal.

That option looks the same as the iptables rule.

iptables -I FORWARD -i br-wan -o br-wan -j ACCEPT

I deleted the rule from the custom rules and checked that option.
It works well.
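Setting the wan zone's forward policy to ACCEPT is what finally worked, and it is worth seeing what that setting, and the "everything ACCEPT, masquerading unchecked" state used earlier while debugging, actually open up. As an added example (not code from the original posts), the script below parses UCI firewall text and reports on the wan zone. Both embedded zones are constructed from the thread: the debug state with input/output/forward ACCEPT and masq 0, and the final zone from the thread with forward changed to ACCEPT. The masq_src subnet 192.168.1.0/24 is an assumption standing in for the poster's LAN, which the post does not give.

```python
"""Added example for this thread, not code from the original posts: a checker
for the wan-zone settings toggled while debugging the bridged STB port.  It
parses UCI firewall text (config/option/list lines) and reports what each
setting exposes.  Both zones are constructed from the thread; the masq_src
subnet is an assumption, the post does not give the LAN subnet."""
import shlex

# Constructed: the debug state described in the thread (all policies ACCEPT, masq off).
DEBUG_ZONE = """\
config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '0'
        option network 'wan wan6'
"""

# Constructed: the final zone from the thread with forward changed to ACCEPT.
# 192.168.1.0/24 stands in for the poster's LAN subnet (assumed, not given).
FINAL_ZONE = """\
config zone
        option name 'wan'
        option output 'ACCEPT'
        option mtu_fix '1'
        option network 'wan6 wan'
        option input 'REJECT'
        option forward 'ACCEPT'
        option masq '1'
        list masq_src '192.168.1.0/24'
"""


def parse_uci(text):
    """Parse UCI config text into a list of sections.

    Each section is {"type", "name", "options": {k: v}, "lists": {k: [v, ...]}}.
    shlex handles the single-quoted values; blank and '#' lines are skipped.
    """
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        kind = parts[0]
        if kind == "config":
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None,
                   "options": {}, "lists": {}}
            sections.append(cur)
        elif cur is None:
            raise ValueError("option/list before any config section: %r" % raw)
        elif kind == "option":
            cur["options"][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif kind == "list":
            cur["lists"].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections


def audit_zone(zone):
    """Return (severity, message) findings for one fw3 zone section.

    Policies default to REJECT when unset, matching fw3's 'defaults' section.
    """
    o, lists = zone["options"], zone["lists"]
    nets = o.get("network", "").split()
    findings = []
    if o.get("input", "REJECT") == "ACCEPT":
        findings.append(("high", "input ACCEPT: every service on the router itself "
                                 "(ssh, LuCI, dnsmasq) is reachable from the WAN side"))
    if o.get("forward", "REJECT") == "ACCEPT":
        # Intra-zone forwarding: needed for eth0.200 <-> eth1 inside br-wan, but the
        # zone policy is not bridge-specific and has no family restriction here.
        findings.append(("medium", "forward ACCEPT: intra-zone forwarding is open, so bridged "
                                   "eth0.200 <-> eth1 traffic passes, but so does any traffic "
                                   "between %s, IPv4 and IPv6 alike" % ", ".join(nets)))
    if o.get("masq", "0") != "1":
        findings.append(("high", "masq off: private LAN sources leave unrewritten; LAN hosts "
                                 "lose internet and leak RFC1918 addresses to the ISP"))
    elif "masq_src" in lists:
        findings.append(("info", "masq_src %s: masquerading is limited to these sources, so the "
                                 "STB's public IP is not rewritten" % ", ".join(lists["masq_src"])))
    return findings


def audit_config(text, zone_name="wan"):
    """Audit every zone named zone_name in the UCI text."""
    return [f for s in parse_uci(text)
            if s["type"] == "zone" and s["options"].get("name") == zone_name
            for f in audit_zone(s)]


if __name__ == "__main__":
    for label, cfg in (("debug state", DEBUG_ZONE), ("final zone", FINAL_ZONE)):
        print(label)
        for sev, msg in audit_config(cfg):
            print("  [%s] %s" % (sev, msg))
```

The debug state gets two high findings (input open to the internet, no masquerading for the LAN) on top of the open intra-zone forward; the final zone keeps input at REJECT and masquerading on, leaving only the forward ACCEPT, which is the price of carrying the STB's public IP through the same bridge as eth1. Because wan6 sits in the same zone, that policy also covers IPv6 forwarding between those interfaces, which answers the "not sure about IPv6" remark earlier in the thread.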

