Routing ISP public IP addresses on L3

I have 3 public IP addresses with a /28 mask from my ISP. The first IP is assigned to the router itself, the second and third to my PC and server, respectively. Now my setup works like this: the LAN1 and LAN2 ports of the router are combined with the WAN port into one bridge. Devices that require a public IP address connect to LAN1 or LAN2. This works great. However, due to the fact that routing works on L2, the firewall on the router will not work for these devices.

How can I properly configure it to route public IP addresses on L3?

More info: Routing ISP public IP addresses on L3 - #10 by rozhur

You can make an SNAT to use the respective SRC WAN IP when the source equals the SRC LAN IP range.

EDIT: You also need to add the respective port forward rules if you intend to open inbound ports/protocols.

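The SNAT variant suggested in this reply, written out as an added fw4/netifd example (not from the thread): the router holds all three public addresses on WAN, the PC and server stay on the private LAN, and a per-host SNAT rule maps each one to its own public IP; a DNAT redirect opens one inbound port. The public addresses are the ones the OP gives later in the thread (1.0.0.211/28 on the router, 1.0.0.218 for the PC, 1.0.0.217 for the server); the private addresses 192.168.74.10 / 192.168.74.20 and the forwarded port 443 are assumptions.

```text
# /etc/config/network (fragment, added example)
# The router owns all three public addresses on the bare WAN port.
config interface 'wan'
	option device 'wan'
	option proto 'static'
	list ipaddr '1.0.0.211/28'
	list ipaddr '1.0.0.218/28'
	list ipaddr '1.0.0.217/28'
	option gateway '1.0.0.209'

# /etc/config/firewall (fragment, added example)
# Generic masquerade is off so that only the explicit SNAT rules below
# decide which public IP a host leaves with. Re-enable masq (or add a
# masq_src list) if other LAN hosts also need Internet access.
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '0'

# 1:1 source NAT (assumed private addresses): the PC leaves as 1.0.0.218,
# the server leaves as 1.0.0.217.
config nat
	option name 'snat_pc'
	option src 'wan'
	option src_ip '192.168.74.10'
	option proto 'all'
	option target 'SNAT'
	option snat_ip '1.0.0.218'

config nat
	option name 'snat_server'
	option src 'wan'
	option src_ip '192.168.74.20'
	option proto 'all'
	option target 'SNAT'
	option snat_ip '1.0.0.217'

# Inbound: nothing reaches the hosts unless it is forwarded explicitly.
# Assumed example: TCP/443 arriving on the server's public IP.
config redirect
	option name 'dnat_server_https'
	option src 'wan'
	option src_dip '1.0.0.217'
	option src_dport '443'
	option proto 'tcp'
	option dest 'lan'
	option dest_ip '192.168.74.20'
	option dest_port '443'
	option target 'DNAT'
```

The firewall filters this traffic because it is routed through the router's forward chain; the price is that the hosts never see their public address themselves, which the OP later rules out.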

You could create a "DMZ" and use e.g. Proxy ARP: https://wiki.debian.org/BridgeNetworkConnectionsProxyArp

You create a new zone with a new subnet and don't do NAT? Easy, filter what you like.


Does the OP have the CIDR space to do so (i.e. they would lose IPs by subnetting, but can SNAT without doing so)?

Alternatively, the OP could configure the network so the hosts are on [bridge to] WAN, but then the OP loses the benefit of OpenWrt's firewall.

Dunno, never heard of L2 routing before.


Neither have I - I assumed the OP meant they didn't understand how to assign the correct Ethernet interface to the route?

That statement confused me as well; perhaps the OP will expound.


By L2 routing I meant L2 switching (sorry for the confusion), which in my case is achieved by bridging the LAN and WAN ports to assign public IP addresses to my devices. However, as has been said more than once, the benefits of a firewall on an OpenWRT router are lost.

I don't want to use NAT.

You have to replace your router with OpenWRT then. nftables L2 bridge filtering (or xtables ebtables) is very limited compared to inet/iptables and is not instrumented at all in fw4.

I'm not looking for a way to filter on L2. I'm looking for a way to properly configure L3 routing of public IP addresses within one router on OpenWRT. I just can't imagine how to do this correctly. My understanding of how the network works is not enough, but I really want to understand how it should work.

I’ll try to explain in more detail what I have now and what I want:

There is a router on OpenWRT. There are 3 public IP addresses /28 from the ISP.

Let's say 1.0.0.209 is the ISP gateway, 1.0.0.211 is the IP of the router, 1.0.0.218 is the IP of my PC, 1.0.0.217 is the IP of my server.

Current network config on OpenWRT
config device
 option name 'br-wan'
 option type 'bridge'
 list ports 'wan'
 list ports 'lan1'
 list ports 'lan2'

config interface 'wan'
 option device 'br-wan'
 option proto 'static'
 option ipaddr '1.0.0.211/28'
 option gateway '1.0.0.209'

config device
 option name 'br-lan'
 option type 'bridge'
 list ports 'lan1.74'
 list ports 'lan2.74'
 list ports 'lan3'
 list ports 'lan4'

config interface 'lan'
 option device 'br-lan'
 option proto 'static'
 option ipaddr '192.168.74.1/24'
Current firewall config (please ignore these ACCEPTs, I'm just testing for now. I understand that this causes security issues. I plan to configure the firewall completely soon)
config defaults
 option syn_flood '1'
 option input 'ACCEPT'
 option output 'ACCEPT'
 option forward 'REJECT'

config zone
 option name 'wan'
 list network 'wan'
 option input 'ACCEPT'
 option output 'ACCEPT'
 option forward 'ACCEPT'
 option mtu_fix '1'
 option masq '1'
 list masq_src '!wan'

config zone
 option name 'lan'
 list network 'lan'
 option input 'ACCEPT'
 option output 'ACCEPT'
 option forward 'ACCEPT'

config forwarding
 option src 'lan'
 option dest 'wan'

For example, I connect my PC to lan1 port, it gets IP address 1.0.0.218/28 from dhcp on OpenWRT and everything works fine. However, I want the OpenWRT firewall to work for these public IP addresses, for this I am looking for a way to properly configure L3 routing. That's all. It might be very simple, but I can't figure out exactly how.

See my post from above

You want a dedicated interface, a zone, host routes, and Proxy ARP.


As @brada4 and @_bernd noted, this is possible.

You can create another interface with xxx.xxx.xxx.y/28, where `y` == your first usable IP.

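The routed design sketched in the last two replies (dedicated interface, zone, host routes, Proxy ARP), written out as an added example against the OP's addresses; this is not configuration from the thread or from the OpenWrt project. WAN becomes the bare port with 1.0.0.211/28, lan1/lan2 form a separate bridge `br-pub` that carries the router's address as a /32, the two public hosts are reached by /32 host routes, and proxy ARP on both sides lets the ISP gateway find the hosts behind the router and lets the hosts keep a /28 mask. The interface name `pub`, the bridge name `br-pub`, the hotplug script path and the allowed port 443 are assumptions; the hosts are assumed to be configured statically (1.0.0.218/28 and 1.0.0.217/28 with gateway 1.0.0.211) rather than by DHCP.

```text
# /etc/config/network (added example)
config interface 'wan'
	option device 'wan'
	option proto 'static'
	option ipaddr '1.0.0.211/28'
	option gateway '1.0.0.209'

config device
	option name 'br-pub'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

# Same router address on the inside as a /32: it is the hosts' gateway,
# so no second /28 competes with the WAN route.
config interface 'pub'
	option device 'br-pub'
	option proto 'static'
	option ipaddr '1.0.0.211'
	option netmask '255.255.255.255'

# One host route per public machine; /32 beats the /28 on wan.
config route
	option interface 'pub'
	option target '1.0.0.218'
	option netmask '255.255.255.255'

config route
	option interface 'pub'
	option target '1.0.0.217'
	option netmask '255.255.255.255'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.74.1/24'

# /etc/hotplug.d/iface/50-proxyarp (added example, assumed path)
# Applied on ifup so the bridge already exists when the sysctl is set.
# wan:    answer the ISP gateway's ARP for .217/.218 (routed via br-pub)
# br-pub: answer the hosts' ARP for .209 and other /28 members on the
#         WAN side, so the hosts can keep their /28 mask
[ "$ACTION" = ifup ] || exit 0
case "$INTERFACE" in
	wan) sysctl -w net.ipv4.conf.wan.proxy_arp=1 ;;
	pub) sysctl -w net.ipv4.conf.br-pub.proxy_arp=1 ;;
esac

# /etc/config/firewall (added example): pub is a routed zone with no NAT
config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option masq '1'
	list masq_src '192.168.74.0/24'

config zone
	option name 'pub'
	list network 'pub'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Public hosts reach the Internet with their own addresses (no NAT) ...
config forwarding
	option src 'pub'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

# ... and only explicitly allowed inbound traffic is forwarded to them.
config rule
	option name 'Allow-HTTPS-to-server'
	option src 'wan'
	option dest 'pub'
	option dest_ip '1.0.0.217'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'
```

Two checks after `/etc/init.d/network restart` and `fw4 reload`: `ip route` should show `1.0.0.217 dev br-pub` and `1.0.0.218 dev br-pub` next to `1.0.0.208/28 dev wan`, and `nft list ruleset` should contain a `forward_pub` chain with only the rule above plus the zone defaults. Because `masq_src` is limited to the private LAN, nothing from `pub` is ever rewritten to 1.0.0.211; the kernel's proxy ARP only answers for targets it routes out a different interface, so the PC and server still answer each other's ARP directly on the bridge.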