My provider is giving internet connection with 8 public ip over PPPOE
the info he told me are something like:
public ip: 77.88.99.32/29 (netmask 255.255.255.248)
gateway: 77.88.99.33
(broadcast: 77.88.99.39 available public ip: 77.88.99.33 to 77.88.99.38
dns:8.8.8.8 (and/or others like 8.8.4.4 1.1.1.1 )
pppoe user: user@provider.it
password: password
vlan: 835
At present I am cascading 2 routers:
-the first router makes the pppoe connection
(and dynamically gets settings like that on wan:
pppoe wan ip 100.93.120.40
gateway: 100.92.0.1
dns: 77.88.128.153 , 77.88.128.154
checking with a browser my public ip gets something like: 200.201.202.5
)
its lan is configured as a network 77.88.99.32/29
and goes to the second router wan.
-the second router has multiple static ip on the wan:
77.88.99.33, 77.88.99.34, 77.88.99.35, 77.88.99.35, 77.88.99.37, 77.88.99.38
gateway: 77.88.99.33
dns:8.8.8.8 1.1.1.1 8.8.4.4
and routes to my lan (192.168.1.1)
with such configuration everything works fine,
I can set selective firewall rules that allow my servers in the lan to exit and
accept connection from the public ip of my choice
Now the question: How can I get rid of the first router?
I tried to mix the pppoe config and multi static ip in /etc/config/network
in this way unsuccessfully:
config interface 'wan'
option force_link '0'
option ipv6 '0'
option delegate '0'
option device 'eth0.835'
option proto 'pppoe'
option username 'user@provider.it'
option password 'password'
option vlanid '835'
option disabled '0'
option peerdns '0'
list dns '8.8.8.8'
list dns '1.1.1.1'
list dns '8.8.4.4'
option gateway '77.88.99.33'
list ipaddr '77.88.99.34/29'
list ipaddr '77.88.99.35/29'
list ipaddr '77.88.99.36/29'
list ipaddr '77.88.99.37/29'
list ipaddr '77.88.99.38/29'
configure wan PPPoE connection (username, password, vlan) as usual and verify it connects.
You will get a wan ip and be able to browse internet using it.
If your provider gives you multiple public addresses then from luci go to
network->interfaces add new interface
name: wan_multi_ip
static address
device: eth0 (or the device of your wan)
add the provided public IPs for ex. if you have 8 IP starting from 12.34.56.33 then add:
12.34.56.34/29
12.34.56.35/29
12.34.56.36/29
12.34.56.37/29
12.34.56.38/29
gateway: 12.34.56.33
broadcast: 12.34.56.39
firewall tab: assign the created interface to wan zone
when you configure Port forwards in firewall you can specify where the external wan ip should be directed in the lan.
Then in NAT rules set the outbound zone: wan. Action: SNAT rewrite
and which public ip to use to exit to internet (for specific lan ip or any)
otherwise you will exit using the PPPoE tunneling IP
While this seem to work, I can't get the port-forwards to work properly. Now the port forwards from my 'primary' connection are applied to the new ip ranges as well, landing the new ip's to the wrong internal host.
I tried to create a new firewall zone for the wan_multi_ip interface but still all requests to 443/80 are forwarded to the primary interface forwards.
How to differentiate port-forwards/firewall rules on destination address?
If you're using the additional public IPs on a 1:1 basis for web servers etc, they should only be forwarded in the router. The router would not hold the public IP on any interface. Ultimately the server holds the public IP. A packet from the Internet is forwarded all the way to it with the original source and destination addresses intact.
You will also need to make NAT conditional so that the server replies are forwarded directly to the Internet without NAT.