Have 3 WAN addresses, need help doing 1:1 NAT and regular NAT

Hello,

I have 3 dynamic public IPs. To obtain them I need to send 3 DHCP requests: one from my router's MAC address (*:E9:7C; the router runs OpenWrt 23.05.4) and two from additional MAC addresses, so my plan is:

  • *:E9:7C (the IP will be used for a single home server, IF_LAN1)
  • *:E9:7D (the IP will be used for the trusted home multi-device network, IF_LAN2, which will also be merged with WiFi)
  • *:E9:7E (the IP will be used for the guest-only multi-device network, IF_LAN3)

Questions are marked with a > block to make them easier to find in this long thread.


Basic Configuration to obtain the 3 IPs

So far I've followed this. To be able to send DHCP requests from those MACs, I installed kmod-macvlan and configured them like so in /etc/config/network:

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '6t 3'
        option description 'WAN_VLAN'

config switch_vlan
        option device 'switch0'
        option vlan '10'
        option ports '6t 0'
        option description 'LAN1_VLAN'

config switch_vlan
        option device 'switch0'
        option ports '6t 1'
        option vlan '20'
        option description 'LAN2_VLAN'

config switch_vlan
        option device 'switch0'
        option ports '6t 2'
        option vlan '30'
        option description 'LAN3_VLAN'

config device
        option name 'eth0.1'
        option type '8021q'
        option ifname 'eth0'
        option vid '1'
        option ipv6 '0'

config device 'vwan1'
        option name 'vwan1'
        option type 'macvlan'
        option ifname 'eth0.1'
        option mode 'vepa'
        option macaddr '*:E9:7D'
        option mtu '1500'
        option ipv6 '0'

config device 'vwan2'
        option name 'vwan2'
        option type 'macvlan'
        option ifname 'eth0.1'
        option mode 'vepa'
        option macaddr '*:E9:7E'
        option mtu '1500'
        option ipv6 '0'

config interface 'wan'
        option device 'eth0.1'
        option proto 'dhcp'

config interface 'wan1'
        option proto 'dhcp'
        option device 'vwan1'
        option delegate '0'
        option metric '10'

config interface 'wan2'
        option proto 'dhcp'
        option device 'vwan2'
        option delegate '0'
        option metric '20'

config interface 'IF_LAN1'
        option proto 'static'
        option device 'eth0.10'
        option ipaddr '192.168.255.1'
        option netmask '255.255.255.252'
        option defaultroute '0'

config interface 'IF_LAN2'
        option proto 'static'
        option device 'eth0.20'
        option ipaddr '192.168.255.9'
        option netmask '255.255.255.248'
        option defaultroute '0'

config interface 'IF_LAN3'
        option proto 'static'
        option device 'eth0.30'
        option ipaddr '192.168.255.17'
        option netmask '255.255.255.248'
        option defaultroute '0'

The firewall is on defaults, /etc/config/firewall:

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'DROP'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'IF_LAN1'
        list network 'IF_LAN2'
        list network 'IF_LAN3'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan2'
        list network 'wan1'

config forwarding
        option src 'lan'
        option dest 'wan'

... other stuff here, unchanged since OpenWRT Defaults ...

And everything seemed to work just fine. ip route:

default via *.12.1 dev eth0.1  src *.12.23 
default via *.12.1 dev vwan1  src *.12.26  metric 10 
default via *.12.1 dev vwan2  src *.12.29  metric 20 
*.12.0/26 dev eth0.1 scope link  src *.12.23 
*.12.0/26 dev vwan1 scope link  metric 10 
*.12.0/26 dev vwan2 scope link  metric 20 
192.168.255.0/30 dev eth0.10 scope link  src 192.168.255.1 
192.168.255.8/29 dev eth0.20 scope link  src 192.168.255.9 
192.168.255.16/29 dev eth0.30 scope link  src 192.168.255.17

Now all devices connected on any of the LAN ports (1/2/3) are able to connect to the Internet via eth0.1, which I confirmed by running a speedtest on all of the devices and seeing that the bandwidth graph on the upstream router rises only for the first assigned IP.

Assigning IP on eth0.1 to home server (eth0.10)

From what I know, I need to do 1:1 SNAT, but I have no idea where to start, other than that it's probably something under LuCI Network -> Firewall -> NAT Rules.

Are there any example configurations that I could look at, or pointers to tutorials/documentation?


Assigning IP on vwan1 to home network (eth0.20)

To avoid being unable to reach the router at all if I mess up, I'm connected to my OpenWrt router on eth0.10 (the one that will be used for the home server).

So after following the guide here, I tried running this over SSH:

ip rule add from 192.168.255.8/29 table 100 prio 1

# Move default gateway to vwan1
ip route add default dev vwan1 table 100

Devices on eth0.20 lost Internet and were unable to reach the router at all, so I deleted the added rule and tried specifying the upstream gateway's IP as the next hop:

ip rule add from 192.168.255.8/29 table 100 prio 1

# Move default gateway to vwan1
ip route add default via *.12.1 dev vwan1 table 100

Devices on eth0.20 could reach the Internet but couldn't reach the router. I confirmed that Internet traffic is using the second IP correctly after seeing the upstream graph for the second IP rise when doing a speedtest.

To fix not being able to reach the router, I added this (which worked):

ip route add 192.168.255.8/29 dev eth0.20 table 100

The problem is that I need to add the upstream gateway's IP as the next hop for things to work; if I don't specify a next hop at all, devices on eth0.20 cannot reach the Internet, so it looks like my routing will break if the gateway IP ever changes.

Now the question is: how can I persist that IP in the OpenWrt configuration? And perhaps, is there a way so that I don't need to specify any next-hop IP at all (to keep things really dynamic)?


Assigning IP on vwan2 to guest network (eth0.30)

As this network will basically be the same as the home network, I think that if I can manage to get vwan1 <-> eth0.20 to work, I can probably adjust the config for this guest network too, so no question in this area.


Thank you for reading my thread :slight_smile:

config interface 'IF_LAN2'
        option proto 'static'
        option device 'eth0.20'
        option ipaddr '192.168.255.9'
        option netmask '255.255.255.248'
        option ip4table '50'

config interface 'wan1'
        option proto 'dhcp'
        option device 'vwan1'
        option delegate '0'
        option metric '10'
        option ip4table '100'

config rule
        option in 'IF_LAN2'
        option lookup '100'

https://openwrt.org/docs/guide-user/network/routing/pbr_netifd

That worked, thank you @pavelgl :slight_smile:

Just for anyone wondering, here is my final /etc/config/network to apply the second and third targets:

config interface 'IF_LAN2'
        option proto 'static'
        option device 'eth0.20'
        option ipaddr '192.168.255.9'
        option netmask '255.255.255.248'
        option defaultroute '0'
        option ip4table '100'

config interface 'IF_LAN3'
        option proto 'static'
        option device 'eth0.30'
        option ipaddr '192.168.255.17'
        option netmask '255.255.255.248'
        option defaultroute '0'
        option ip4table '110'

config interface 'wan1'
        option proto 'dhcp'
        option device 'vwan1'
        option delegate '0'
        option metric '10'
        option ip4table '100'

config interface 'wan2'
        option proto 'dhcp'
        option device 'vwan2'
        option delegate '0'
        option metric '20'
        option ip4table '110'

config rule
        option in 'IF_LAN2'
        option lookup '100'


config rule
        option in 'IF_LAN3'
        option lookup '110'

Just need to figure out the first target (1:1 NAT) and then my network is set!

I'm not quite sure what you mean by that.

By separating the subnets into different routing tables, each subnet will use its own wan interface and requests will be masqueraded to the corresponding public IP. Thus, your home server (at 192.168.255.2) will always use the main wan and be represented on the internet by its current public IP. Isn't that your goal?

Unlike masquerade, SNAT requires static IP addresses, which is not the case here.

> your home server (at 192.168.255.2) will always use the main wan and be represented on the internet by its current public IP. Isn't that your goal?

Yes, that's part of my goal, so the home server will access the Internet via that IP, but I want the server to be DMZ-ed (as in, port forward every port from wan to that server).

I believe I need to have Static NAT / Regular port forwarding in that case?

You only need a port forwarding rule, but that would be a poor solution due to the current firewall configuration.

The reason is that all wan interfaces are assigned to the same firewall zone, which means that requests sent to all wan ports (eth0.1, vwan1 and vwan2) will be redirected to the home server. Only requests sent to the main wan will get correct replies, but I wouldn't leave it at that.

Either create a new zone or use a custom firewall rule to only redirect requests sent to eth0.1.
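One way to do what the reply above suggests, written as an added example rather than a configuration from the thread: the single 'wan' zone is split so that eth0.1 gets its own zone carrying the DMZ redirect, while the two macvlan WANs used by the policy-routed LANs share a second zone. The zone names (wan_main, wan_pbr, guest) and rule names are assumptions chosen for this example; the home server address 192.168.255.2 is the one mentioned earlier in the thread. The guest LAN is also moved out of the 'lan' zone, which goes beyond what was asked: in the original config all three LANs sit in one zone with forward 'ACCEPT', so the guest network can reach the home server and the home LAN freely.

```uci
# /etc/config/firewall fragment. Replaces the 'lan' zone, the 'wan' zone
# and the 'lan' -> 'wan' forwarding from the original post; 'config
# defaults' stays as it is.

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'IF_LAN1'
        list network 'IF_LAN2'

# Guest LAN in its own zone: no forwarding to the home LANs, and no
# access to the router itself except DHCP and DNS (two rules below).
config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IF_LAN3'

config rule
        option name 'Allow-Guest-DHCP'
        option src 'guest'
        option proto 'udp'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Allow-Guest-DNS'
        option src 'guest'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'

# Main WAN (eth0.1) alone. Only this zone carries the DMZ redirect, so
# packets arriving on vwan1/vwan2 keep hitting the REJECT input policy.
config zone
        option name 'wan_main'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

# The two macvlan WANs reached through routing tables 100 and 110.
config zone
        option name 'wan_pbr'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan1'
        list network 'wan2'

# IF_LAN1 routes via eth0.1 (main table), IF_LAN2 via vwan1 (table 100),
# so the 'lan' zone needs both forwardings; guest only needs vwan2.
config forwarding
        option src 'lan'
        option dest 'wan_main'

config forwarding
        option src 'lan'
        option dest 'wan_pbr'

config forwarding
        option src 'guest'
        option dest 'wan_pbr'

# DMZ: every TCP/UDP port arriving on eth0.1 is DNATed to the home
# server. No src_dport/dest_port means all ports; no src_dip is given
# because the public address is dynamic, so it is the zone binding that
# limits the match to eth0.1. (Assumed server address: 192.168.255.2.)
config redirect
        option name 'DMZ-home-server'
        option src 'wan_main'
        option dest 'lan'
        option proto 'tcp udp'
        option dest_ip '192.168.255.2'
        option target 'DNAT'
```

Two things worth checking after `/etc/init.d/firewall restart`: `nft list table inet fw4` should show the DNAT rule only in the chain generated for the wan_main zone, and the server's replies must leave via eth0.1, which they do here because IF_LAN1 has no ip4table and the main table's default route is eth0.1. Note also that DNAT happens before the router's own input policy is evaluated, so with this redirect in place every TCP/UDP packet to the eth0.1 address lands on the server, including anything a scanner sends; the server needs its own host firewall, since the router no longer filters for it. The redirect does not cover ICMP, which matches the "port forward every port" request in the thread but means the public IP will not answer pings on the server's behalf.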

Thank you, I have created a new zone and a firewall rule to forward the requests and it's now working fine, although it turns out my cheap router's CPU (MediaTek MT7628AN) is not really capable enough for the job; it struggles even at 70Mbps.
