I have 3 public IP addresses with a /28 mask from my ISP. The first IP is assigned to the router itself, the second and third to my PC and server, respectively. Now my setup works like this: the LAN1 and LAN2 ports of the router are combined with the WAN port into one bridge. Devices that require a public IP address connect to LAN1 or LAN2. This works great. However, due to the fact that routing works on L2, the firewall on the router will not work for these devices.
How can I properly configure it to route public IP addresses on L3?
By L2 routing I meant L2 switching (sorry for the confusion), which in my case is achieved by bridging the LAN and WAN ports to assign public IP addresses to my devices. However, as has been said more than once, the benefits of a firewall on an OpenWRT router are lost.
You have to replace your router with OpenWRT then. nftables L2 bridge filtering (or xtables ebtables) is very limited compared to inet/iptables and not instrumented at all in fw4.
I'm not looking for a way to filter on L2. I'm looking for a way to properly configure L3 routing of public IP addresses within one router on OpenWRT. I just can't imagine how to do this correctly. My understanding of how the network works is not enough, but I really want to understand how it should work.
I’ll try to explain in more detail what I have now and what I want:
There is a router on OpenWRT. There are 3 public IP addresses /28 from the ISP.
Let's say 1.0.0.209 is the ISP gateway, 1.0.0.211 is the IP of the router, 1.0.0.218 is the IP of my PC, 1.0.0.217 is the IP of my server.
Current network config on OpenWRT:

config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'wan'
	list ports 'lan1'
	list ports 'lan2'

config interface 'wan'
	option device 'br-wan'
	option proto 'static'
	option ipaddr '1.0.0.211/28'
	option gateway '1.0.0.209'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1.74'
	list ports 'lan2.74'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.74.1/24'
Current firewall config (please ignore these ACCEPTs, I'm just testing for now. I understand that this causes security issues. I plan to configure the firewall completely soon):

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	option masq '1'
	list masq_src '!wan'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'
For example, I connect my PC to the lan1 port, it gets IP address 1.0.0.218/28 from DHCP on OpenWRT and everything works fine. However, I want the OpenWRT firewall to work for these public IP addresses, and for this I am looking for a way to properly configure L3 routing. That's all. It might be very simple, but I can't figure out exactly how.
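The following is an added worked example of the routed (L3) alternative to the bridged setup quoted above; it is not configuration from this thread or from the OpenWrt project, and it uses one common technique, proxy ARP with /32 host routes. It keeps the ISP-side facts from the post (1.0.0.209 gateway, 1.0.0.211 router, 1.0.0.217 server, 1.0.0.218 PC, ports wan/lan1/lan2, LAN 192.168.74.0/24) and assumes the rest: the interface and zone name 'dmz' and the bridge name 'br-dmz' are made up here, the two public hosts are configured statically with mask /28 and the router's 1.0.0.211 as their gateway (dnsmasq cannot serve DHCP on a /32 interface), and the 'Allow-HTTPS-to-server' rule is only a placeholder for whatever the server actually exposes. The wan port is no longer bridged with lan1/lan2, so every packet between the public hosts and the ISP is forwarded by the kernel and therefore passes the fw4 forward chain.

```uci
# --- /etc/config/network (replaces the bridged br-wan / wan stanzas) ---

# Upstream: only the physical wan port, with the router's own public address.
config interface 'wan'
	option device 'wan'
	option proto 'static'
	option ipaddr '1.0.0.211/28'
	option gateway '1.0.0.209'

# Public-host segment: lan1 and lan2 still bridged together, but not with wan.
# (name 'br-dmz' is an assumption of this example)
config device
	option name 'br-dmz'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

# Router address on the DMZ side. Reusing 1.0.0.211 as a /32 keeps the only
# 1.0.0.208/28 connected route on wan, so there are no overlapping subnets.
# The hosts use 1.0.0.211 as their default gateway (assumption of this example).
config interface 'dmz'
	option device 'br-dmz'
	option proto 'static'
	option ipaddr '1.0.0.211/32'

# Host routes: these two public addresses live behind br-dmz, not on the WAN
# segment. They are more specific than the /28 on wan, so they win the lookup,
# and strict rp_filter still accepts the hosts' packets arriving on br-dmz.
config route
	option interface 'dmz'
	option target '1.0.0.218/32'

config route
	option interface 'dmz'
	option target '1.0.0.217/32'

# --- /etc/hotplug.d/iface/30-proxyarp (new file) ---
# Proxy ARP on wan lets the router answer the ISP gateway's ARP requests for
# 1.0.0.217/218 with its own MAC; on br-dmz it also answers host ARP requests for
# 1.0.0.209 should a host ever address the ISP gateway directly. A hotplug script is
# used because br-dmz does not exist yet when /etc/sysctl.conf is applied at boot.
[ "$ACTION" = "ifup" ] || exit 0
case "$INTERFACE" in
	wan|dmz) sysctl -q -w "net.ipv4.conf.$DEVICE.proxy_arp=1" ;;
esac

# --- /etc/config/firewall (replaces the wan zone; adds the dmz zone) ---

# masq_src narrowed to the private LAN: the public hosts must NOT be NATed,
# otherwise their traffic would leave as 1.0.0.211.
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'
	list masq_src '192.168.74.0/24'

config zone
	option name 'dmz'
	list network 'dmz'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Public hosts may initiate outbound; replies come back through conntrack.
config forwarding
	option src 'dmz'
	option dest 'wan'

# Inbound to the server is now an explicit, stateful allow rule per service
# (placeholder service: HTTPS) instead of an open bridge.
config rule
	option name 'Allow-HTTPS-to-server'
	option src 'wan'
	option dest 'dmz'
	option dest_ip '1.0.0.217'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'
```

Two caveats a practitioner would check before relying on this. First, the ISP gateway must accept proxied ARP replies from the router's MAC for the other addresses in the /28; with a plain /28 on the link, as described in the post, that is the normal case. Second, 1.0.0.217 and 1.0.0.218 still share br-dmz, so PC-to-server traffic stays at L2 and never reaches fw4; if the firewall must also sit between those two hosts, give lan1 and lan2 separate (unbridged) interfaces with their own zones, each with its own /32 host route.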