Pseudonym for IP addresses

Hello humans of OpenWrt

I'm having a problem that I cannot solve, or maybe I'm too mentally convoluted.

Sometimes, I connect to my network with wifi (IP address Y).
Some other times, I connect to the same network via an ethernet cable (IP address X, but same computer).
When I connect via cable, firewall rules and mapped ports don't work anymore, obviously.
I could set up different firewall rules with different ports in each case, but I'd like to minimize time and not change ports in programs continuously every time I switch IP address.
Currently, OpenWrt also cannot set 2 individual destination IPs in the same dest_ip option for the same firewall rule, like this:

config rule
        option target 'ACCEPT'
        option src 'wan'
        option dest 'lan'
        option name 'random UDP rule'
        option proto 'udp'
        option dest_ip '192.168.1.14 192.168.1.121'
        option src_port '40799'
        option dest_port '40799'

It's suggested somewhere else on the web, but it doesn't work.
Also, if I change the wifi card or adapter often, I will have to update every rule.

My ideal solution would be to set a universal "IP address alias", a pseudonym, for a series of different IP addresses. Not an alias for hostnames or other misleading names.

Example:

  • these network devices can be (or not be) present on the local network (each IP is associated via MAC address with a network card, of course):
    X 192.168.1.14
    Y 192.168.1.121
    Z 192.168.1.53
  • let's choose a pseudonym IP address, A: e.g. 192.168.1.100

Ideally, on OpenWrt I'll do these:

  • to set A as pseudonym for X, Y and Z
  • to set firewall rules for A only

Therefore, this should happen:

  • if X is present, redirect traffic destined for A to X and translate X's traffic as if it were A's
  • if Y is present, redirect traffic destined for A to Y and translate Y's traffic as if it were A's
  • if Z is present, redirect traffic destined for A to Z and translate Z's traffic as if it were A's
  • in case multiple of these IPs are active, either associate A following a strict X or Y or Z order, or one at random, or the fastest, or all active ones at the same time (this is another problem)

I've read a lot about DNAT and SNAT, but I'm not sure if continuously rerouting traffic to maybe non-existent IPs in the LAN is the sane choice, and I couldn't get it to work anyway.
Changing the MAC address of the network card is an option, but not always available (some USB cards are too flaky, or having both the ethernet and wifi interfaces active can create real confusion).
Am I missing something?

DHCP reservation by hostname should have the endpoint host always get the same IP whether it connects by wifi or wired. Of course the host has to have a unique hostname on your network.

You will also need a short lease time if you're frequently changing from wired to wifi. To that point, the advice would be: don't frequently change between wired and wifi.

2 Likes

Create 2 static leases, e.g. 192.168.1.14 and 192.168.1.15 and specify dest_ip=192.168.1.14/31 in the firewall redirect.
Note that you should use redirect instead of rule when accessing a port on the host behind NAT.
In addition, in most cases you must avoid specifying src_port.

2 Likes

This is a possible workaround; it should work, yes, but only using contiguous IP addresses within a CIDR range (which I didn't know that well before). Thank you for the hint.

To mk24: the IP addresses are statically leased; probably a short lease will help in the implementation, yes.

This idea of mine of 'pseudonym IP' is some sort of 'virtual pointer' to multiple IPs. It's pretty much it, but I'm not good enough with networking theory to get a super flexible solution and also easy to set.

The only time I can see this not working is if the device is using some MAC privacy scheme (like most phones lately). This can be turned off.

But I agree with @mk24, I run my network this way and have done so for years. All individual devices, whether on LAN or wifi, get the same IP and all rules just work at that stage.

Why wouldn't you do this? You're trying to solve the wrong problem IMO.

1 Like

@lantis1008 short DHCP leases won't cover the case when multiple network cards on the same machine are connected. Also, what lease time are you using? 10 seconds?

No, I think the standard 24hrs (12hr renew).
I never connect both at the same time, always break and make. Seems to work fine.
This is using the standard UCI DHCP host stanzas with two MACs separated by a space.

This is by far the easiest solution. Why haven't I thought of that! The LuCI interface reports 'none' in the MAC address field on the static leases page, but otherwise the two-MAC-address field is there and it works fine.

1 Like
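A small helper, added here as an example (not code from any poster or from OpenWrt), that writes the UCI stanzas for both approaches in this thread: vgaetera's two adjacent static leases with a CIDR dest_ip on the redirect, and lantis1008's single lease with two MACs in one `option mac`. It computes the smallest CIDR covering the leased addresses and refuses to emit a redirect when that CIDR would also match addresses nobody on the list owns (for example .14 and .121 need a /25, which covers 126 other hosts). Hostnames, MACs and addresses are constructed sample values; `src_dport` is the standard redirect option for the WAN-side port.

```python
import ipaddress

def covering_cidr(ips):
    """Smallest IPv4 network containing every address in ips (the dest_ip candidate)."""
    addrs = sorted(ipaddress.IPv4Address(ip) for ip in ips)
    lo, hi = addrs[0], addrs[-1]
    for prefix in range(32, -1, -1):        # widen the mask until the highest address fits
        net = ipaddress.IPv4Network((int(lo), prefix), strict=False)
        if hi in net:
            return net

def extra_hosts(ips):
    """How many addresses the covering CIDR admits that are NOT one of the intended leases."""
    return covering_cidr(ips).num_addresses - len({ipaddress.IPv4Address(ip) for ip in ips})

def plan(leases, proto, port):
    """leases: list of (name, mac, ip); mac may hold several MACs separated by a space,
    which gives one lease for all NICs of the machine (one IP, no CIDR needed at all).
    Returns (dest_ip, extra, uci_text). No redirect is written when extra > 0, because
    it would DNAT traffic towards addresses that belong to other hosts (or to nobody)."""
    ips = [ip for _, _, ip in leases]
    net, extra = covering_cidr(ips), extra_hosts(ips)
    dest_ip = str(net.network_address) if net.prefixlen == 32 else str(net)
    out = []
    for name, mac, ip in leases:              # /etc/config/dhcp stanzas
        out += ["config host", f"\toption name '{name}'",
                f"\toption mac '{mac}'", f"\toption ip '{ip}'", ""]
    if extra == 0:                            # /etc/config/firewall stanza (no src_port)
        out += ["config redirect", "\toption target 'DNAT'",
                "\toption src 'wan'", "\toption dest 'lan'",
                f"\toption proto '{proto}'", f"\toption src_dport '{port}'",
                f"\toption dest_ip '{dest_ip}'", f"\toption dest_port '{port}'"]
    else:
        out.append(f"# no redirect written: {dest_ip} also covers {extra} other address(es)")
    return dest_ip, extra, "\n".join(out)

if __name__ == "__main__":
    # constructed sample: the same laptop with two NICs and two adjacent leases
    adjacent = [("laptop-eth", "00:11:22:33:44:55", "192.168.1.14"),
                ("laptop-wifi", "00:11:22:33:44:66", "192.168.1.15")]
    print(plan(adjacent, "udp", 40799)[2])
    # the two-MAC variant: one lease, one IP, redirect to a plain address
    one_lease = [("laptop", "00:11:22:33:44:55 00:11:22:33:44:66", "192.168.1.14")]
    print(plan(one_lease, "udp", 40799)[2])
```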

Yeah, not sure if that's a LuCI bug or not. @jow might have a comment there.
