[SOLVED] How to configure static block / multiple static IPs on WAN?

We currently are using Endian Firewall (not the appliance but the Linux based "DIY" method with x86 hardware and a bunch of NICs) and I'm looking at switching to something that gets updated more often and with more modern features. We're using LEDE on a couple of cheap APs and thus thought I'd try testing LEDE / OpenWRT out in a VM as a replacement for our Endian router setup. I am having difficulty figuring out how to assign a block of IPs to the WAN interface - a /27 in our case.

I have tried entering the static IP with /27 on the end of the IP address in LuCI but that doesn't seem to change anything, when looking in the console I still only see one IP bound on the WAN interface.

Is there a way to do this in LuCI UI? Or do I need to edit the network configuration manually (and if so - how? Multiple option ipaddr for each IP?)

You wouldn't assign a block of IPs to your router, you'd assign one public IP to your WAN, and then one IP per device on a special VLAN that uses Public IP addresses.

How does that work? Is this VLAN essentially a DMZ then?

To make this a plug and play change without many hours of server changes I'd need to Static NAT most of the /27 (we currently map Public IP 12.x.x.N/27 to private IP 10.x.x.N/27) and then port forward from the public to private IPs. The non-server devices all DHCP and just get regular NAT'd via the main router IP.

Otherwise to change to using a DMZ with public IPs on the devices/servers themselves I have dozens of servers with many sites and applications I have to change IP addresses on from internal to public IP ...

If I can't do this in LEDE, I'll just have to look elsewhere, which isn't the end of the world or anything. But if I can do it in LEDE the way we're currently set up (so that it's a drop in replacement from the standpoint of everything connected to it) that would be nice.

Why couldn't you just give static DHCP leases to all your server devices, giving them 12.x.x.N directly instead of 10.x.x.N? Then there is no NAT required. Just place a mapping between MAC and IP in the dnsmasq config.

For non server devices put them on a second VLAN and they'll just regular NAT via the main router.

So you'd have two VLANs, let's say VLAN 5 for the public IP devices and VLAN 6 for a big pool of non-servers all getting say 192.168.1.x or 10.x.x.x if you prefer.

You'll want a managed switch to handle the VLAN to port mappings. I can suggest a Zyxel 24-port GS1900; it's a great device. Update the firmware as soon as you get it though.

What subnet mask did you enter? 255.255.255.224 ?

I think this can work with aliases?

Take a look here:
https://wiki.openwrt.org/doc/uci/network
Almost at the bottom:

Aliases: the new way

The reason for a device to "have" an IP address is so that that device responds to packets destined for that IP address. But you don't want the router to respond to packets destined to your static IPs; you want your servers to respond to those packets. So your servers should own the IPs they need to respond to, and the router should route the packets to the servers.

Assign a single public IP to the WAN, and then assign your 12.x.x.N or whatever IPs to your servers using DHCP static reservations based on the MACs of your servers. That's how it's supposed to work.

Yeah but OP wants those public IPs natted to internal IPs.

There is no reason the servers can't have both the public and the private IPs on them. So if you have a bunch of code that reaches your servers by hard coded IP address... (a terrible practice, but obviously not under the OP's control) just keep the internal addresses on there as well.

EDIT: the point is that NAT is both totally unnecessary and a resource and performance bottleneck. It offers literally NOTHING of value here. You don't even have to renumber your servers as they can simply have a public IP address added to their existing ethernet interface and immediately begin responding to public IPs as well as the previous private ones.

It's as easy as running this line on the servers during startup

ip addr add 12.x.x.N/27 dev eth0

or whatever

@dlakelan
With many dozens of virtual hosts and Java applications listening to specific IP:port combinations (and not on "*:port" or such), switching to a DMZ setup even with the internal addresses still available is a hassle - in fact potentially more work to keep the internal plus add DMZ than switching to DMZ only. We have externally accessible sites running on the private IPs via the existing static NAT arrangement, but also internal only sites / services that run on the internal addresses, and some of these overlap... years of things accumulating, as they do.

@shm0
I will try adding aliases when I'm back in the office tomorrow where I can get to the VM running LEDE. This sounds like it's what I want (at least the first step of it).

I think what you want then is a bunch of dnat rules in your router firewall.

https://openwrt.org/docs/guide-user/firewall/port.forwarding

It still isn't the case that the router itself will own the IP addresses. It will just see the packets, rewrite the dest addresses and then send them along.

This is an insecure and poorly performing hack, but it's what you do to reproduce your existing hack :wink:


While I understand the desire to go with commodity-grade wireless routers, how much bandwidth are you pushing?

Most of the MIPS-based devices can't NAT much more than a few hundred Mbps, even without bandwidth shaping.

Instead of option ipaddr, use multiple list ipaddr or list ip6addr as documented in the wiki.
I don't know a way to do this in LuCI, or if you can use CIDR notation (/27) to assign multiple addresses.


@jeff In our case, actually using cheap-but-plenty-fast-for-packets x86 hardware for the router. Current solution is using Endian Firewall which is a Linux-based router distribution... the current hardware handles our 100Mbit connection just fine. It's just our APs that are on cheap hardware, and they do fine at the achievable wireless rates (lots of channel overlap due to many competing APs in the building from other offices).

@dlakelan

I tried the following (without binding the .70 IP, just the first usable IP), does not appear to work though. I may have rather goofed it though since I couldn't find an example trying to do what I was doing. Comparing it to what I ended up with below, perhaps I just didn't know what I was doing. It's possible that I didn't need to add the extra WAN interfaces as I did below, but at least that way I could pick those IPs when setting the DNAT/SNAT rules.

config redirect
        option src wan
        option name test
        option src_dip 12.x.y.67
        option src_dport 22
        option proto tcp
        option dest lan
        option dest_ip 192.168.1.106

@shm0 @jeff @mpa Thanks everyone for helping to look into this

I have figured out how to get the desired behavior, and I was able to even do it from LuCI

In Network > Interfaces, add a new interface for each additional external IP, and check the corresponding box to 'cover' the same ethernet adapter as the original WAN interface. Then, in Network > Firewall > Port Forwards, add a port forward to the internal IP. During the initial setup of the forward, you won't be able to pick the intended external IP, but after creating it, edit it, and then set the external IP in 'External IP Address'.

That at least covers inbound traffic. Adding the SNAT is easy enough in Network > Firewall > Traffic Rules > Source NAT, but again you can't actually pick the Source IP address until after hitting 'add and edit'.

For reference, the config added by LuCI to /etc/config/network for the additional WAN interfaces will look like:

# one extra static interface per additional public address, on the same
# physical WAN device (eth1 here) as the primary 'wan' interface
config interface 'wan_67'
        option proto 'static'
        option ifname 'eth1'
        option ipaddr '12.x.x.67'
        option netmask '255.255.255.224'
        option gateway '12.x.x.65'
        option broadcast '12.x.x.95'

And the /etc/config/firewall entries:

# inbound: anything arriving on the wan zone for the extra public address
# is rewritten to the internal server (all tcp/udp ports, no port restriction)
config redirect
        option enabled '1'
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option dest_ip '192.168.1.106'
        option src_dip '12.x.x.67'
        option proto 'tcp udp'

# outbound: traffic from that server leaving via the wan zone is sourced
# from the same public address instead of the primary WAN IP.
# The zone option is 'dest' ('dst' is not a recognised firewall option).
config redirect
        option enabled '1'
        option target 'SNAT'
        option src 'lan'
        option dest 'wan'
        option proto 'all'
        option src_dip '12.x.x.67'
        option src_ip '192.168.1.106'
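The procedure in the last post (one extra static interface on the WAN device per public address, plus a DNAT/SNAT redirect pair per internal host) is easy to get wrong by hand once there are more than a couple of mappings, and the hand-edit route mentioned earlier in the thread has the same problem. The POSIX sh script below is an added example, not code from the thread or from OpenWrt, that generates those /etc/config/network and /etc/config/firewall stanzas from a list of public=private mappings, validating each address and deriving the netmask from the prefix length. All values in it are constructed: the WAN device name eth1, the zone names wan/lan, the 203.0.113.64/27 block (RFC 5737 documentation space standing in for the thread's 12.x.x.N/27) and the internal 192.168.1.x hosts. The broadcast option LuCI writes is omitted, since it is derived from the address and netmask.

```shell
#!/bin/sh
# Added example (not the poster's or OpenWrt's own code): emit the UCI
# stanzas for 1:1 NAT of extra public addresses to internal hosts.
# Constructed assumptions: WAN device eth1, zones 'wan' and 'lan',
# public block 203.0.113.64/27 with gateway 203.0.113.65.

# prefix_to_netmask LEN -> dotted netmask, e.g. 27 -> 255.255.255.224
prefix_to_netmask() {
    len=$1
    [ "$len" -ge 0 ] && [ "$len" -le 32 ] || return 1
    mask=""
    i=0
    while [ $i -lt 4 ]; do
        if [ "$len" -ge 8 ]; then
            octet=255
        elif [ "$len" -le 0 ]; then
            octet=0
        else
            # partial octet: 256 - 2^(8-len), e.g. len=3 -> 224
            octet=$(( 256 - (1 << (8 - len)) ))
        fi
        len=$(( len - 8 ))
        mask="${mask}${mask:+.}${octet}"
        i=$(( i + 1 ))
    done
    printf '%s\n' "$mask"
}

# is_ipv4 ADDR -> succeeds only for a dotted quad with octets 0..255
is_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# alias_section NAME DEV PUBIP PREFIXLEN GATEWAY -> /etc/config/network stanza
alias_section() {
    printf "config interface '%s'\n" "$1"
    printf "\toption proto 'static'\n"
    printf "\toption ifname '%s'\n" "$2"       # same device as the primary wan
    printf "\toption ipaddr '%s'\n" "$3"
    printf "\toption netmask '%s'\n" "$(prefix_to_netmask "$4")"
    printf "\toption gateway '%s'\n\n" "$5"
}

# nat_pair WANZONE LANZONE PUBIP PRIVIP -> DNAT + SNAT redirect stanzas
nat_pair() {
    printf "config redirect\n"
    printf "\toption name 'dnat_%s'\n" "$3"
    printf "\toption target 'DNAT'\n"
    printf "\toption src '%s'\n" "$1"
    printf "\toption dest '%s'\n" "$2"
    printf "\toption src_dip '%s'\n" "$3"    # packets addressed to the public IP
    printf "\toption dest_ip '%s'\n" "$4"    # ... go to this internal host
    printf "\toption proto 'tcp udp'\n\n"
    printf "config redirect\n"
    printf "\toption name 'snat_%s'\n" "$3"
    printf "\toption target 'SNAT'\n"
    printf "\toption src '%s'\n" "$2"
    printf "\toption dest '%s'\n" "$1"       # 'dest', not 'dst'
    printf "\toption src_ip '%s'\n" "$4"     # outbound from the internal host
    printf "\toption src_dip '%s'\n" "$3"    # ... leaves with its public IP
    printf "\toption proto 'all'\n\n"
}

# gen_config DEV PREFIXLEN GATEWAY PUB=PRIV [PUB=PRIV ...] -> both files' text
gen_config() {
    dev=$1; plen=$2; gw=$3
    shift 3
    for pair in "$@"; do
        is_ipv4 "${pair%%=*}" && is_ipv4 "${pair#*=}" ||
            { echo "bad mapping: $pair" >&2; return 1; }
    done
    printf "# ---- append to /etc/config/network ----\n"
    for pair in "$@"; do
        pub=${pair%%=*}
        alias_section "wan_${pub##*.}" "$dev" "$pub" "$plen" "$gw"
    done
    printf "# ---- append to /etc/config/firewall ----\n"
    for pair in "$@"; do
        nat_pair wan lan "${pair%%=*}" "${pair#*=}"
    done
}

# Constructed sample run: two public hosts mapped to two internal servers.
gen_config eth1 27 203.0.113.65 \
    203.0.113.67=192.168.1.106 \
    203.0.113.68=192.168.1.107
```

The mappings are validated before anything is printed, so a typo in one address produces no partial output. Because the DNAT stanza has no port restriction, every tcp/udp port on the public address reaches the internal host; anyone who only needs a few services exposed should add src_dport/dest_port to the DNAT stanza rather than forwarding everything.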
