Spectrum Static IP

Hi OpenWrt!

I've been rocking a Netgear with OpenWrt for a while now with a dynamic IPv4 address, and since I've been hosting a Mailcow server, I've decided to purchase a static IP from Spectrum. The static IP is working via DNAT on their own router, and from what I've found across the web, people were having issues enabling port forwarding on their provided routing device, so I decided to immediately switch it to my router when they came in to install the new modem for business with the static IP.

I've tried replicating this on my OpenWrt router (Nighthawk X4S R7800), but I cannot get it working when setting up the static IP on the wan interface. Dynamic works fine for this new installation.

Should I then get this working in the same fashion as it was working on the provided router via dnat?

I've tried dissecting the dnat wiki, but I'll definitely need guidance on how to replicate this on OpenWrt if possible.

I've contacted Spectrum twice to re-confirm that I have the correct static IPv4, CIDR/mask, gateway, etc. I can confirm that they have configured the static IP to my requested reverse DNS domain when doing an nslookup, which is required for mail hosting when sending emails to avoid spam chaos.

I noted all configurations and screenshotted all routing, data, etc.
Additional Screenshots

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Hi, Psherman. Thank you for the quick reply. I very much appreciate it!

Here is the sanitized information. Let me know if you need any additional information.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx:xxxx'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option delegate '0'

config interface 'wan'
        option device 'eth0.2'
        option proto 'static'
        option ipaddr '142.XXX.XXX.110'
        option netmask '255.255.225.252'
        option gateway '142.XXX.XXX.109'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'Forest & Storm'
        option encryption 'psk2'
        option key 'xxxxxxxxxxxxxxxxxx'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'Forest & Storm Smart Devices'
        option encryption 'psk2'
        option key 'xxxxxxxxxxxxxxxxx'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'box-redhat01'
        option dns '1'
        option ip '192.168.1.24'
        option mac 'xx:xx:xx:xx:xx:xx'


root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'mailcow 25'
        option src 'wan'
        option src_dport '25'
        option dest_ip '192.168.1.24'
        option dest_port '25'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'mailcow 80'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.1.24'
        option dest_port '80'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'mailcow 110'
        option src 'wan'
        option src_dport '110'
        option dest_ip '192.168.1.24'
        option dest_port '110'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'mailcow 143'
        option src 'wan'
        option src_dport '143'
        option dest_ip '192.168.1.24'
        option dest_port '143'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'mailcow 443'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.1.24'
        option dest_port '443'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'mailcow 465'
        option src 'wan'
        option src_dport '465'
        option dest_ip '192.168.1.24'
        option dest_port '465'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'mailcow 587'
        option src 'wan'
        option src_dport '587'
        option dest_ip '192.168.1.24'
        option dest_port '587'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'mailcow 993'
        option src 'wan'
        option src_dport '993'
        option dest_ip '192.168.1.24'
        option dest_port '993'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'mailcow 995'
        option src 'wan'
        option src_dport '995'
        option dest_ip '192.168.1.24'
        option dest_port '995'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'mailcow 4190'
        option src 'wan'
        option src_dport '4190'
        option dest_ip '192.168.1.24'
        option dest_port '4190'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Sunshine 47984-47990'
        option src 'wan'
        option src_dport '47984-47990'
        option dest_ip '192.168.1.24'
        option dest_port '47984-47990'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Sunshine 47998-48000'
        option src 'wan'
        option src_dport '47998-48000'
        option dest_ip '192.168.1.24'
        option dest_port '47998-48000'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Sunshine 48010'
        option src 'wan'
        option src_dport '48010'
        option dest_ip '192.168.1.24'
        option dest_port '48010'

root@OpenWrt:~#
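
An added example, not part of any post in this thread: a pre-flight check for a static `wan` stanza like the one posted above, confirming that the netmask is a contiguous prefix mask and that the gateway sits in the same subnet as the address. The addresses are constructed documentation-range values (the thread's are redacted), the first netmask is the one shown in the posted config, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check static WAN values before writing /etc/config/network.
# Addresses below are constructed (RFC 5737 documentation range).

# Dotted quad -> 32-bit integer on stdout; non-zero status on malformed input.
# The body runs in a subshell so the IFS and globbing changes do not leak.
ip2int() (
    set -f; IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # Reject empty, non-numeric, zero-padded and over-long octets.
        case $o in ''|*[!0-9]*|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# check_wan IPADDR NETMASK GATEWAY
# Returns 0 = consistent, 2 = malformed value, 3 = bad netmask, 4 = gateway off-subnet.
check_wan() {
    ip=$(ip2int "$1")   || { echo "malformed ipaddr: $1";  return 2; }
    mask=$(ip2int "$2") || { echo "malformed netmask: $2"; return 2; }
    gw=$(ip2int "$3")   || { echo "malformed gateway: $3"; return 2; }

    # A valid mask is ones followed by zeros, so its inverse is 2^n - 1
    # and (inverse & (inverse + 1)) must be zero.
    host_bits=$(( ~mask & 4294967295 ))
    if [ $(( host_bits & (host_bits + 1) )) -ne 0 ]; then
        echo "netmask $2 is not a contiguous prefix mask"
        return 3
    fi

    # The gateway must be reachable on-link: same network bits as the address.
    if [ $(( ip & mask )) -ne $(( gw & mask )) ]; then
        echo "gateway $3 is outside the subnet of $1 with mask $2"
        return 4
    fi
    echo "ok: $1 mask $2 via $3"
}

# Netmask as it appears in the posted config, then a /30 for comparison.
check_wan 203.0.113.110 255.255.225.252 203.0.113.109 || true
check_wan 203.0.113.110 255.255.255.252 203.0.113.109 || true
```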

I'm not seeing anything that jumps out as problematic. Two thoughts:

  1. Just out of curiosity, have you tried setting your router to DHCP? In many cases these days, the static IPs offered by ISPs are actually achieved using DHCP reservations on the ISP's side. This simplifies the customer configuration -- just use DHCP and your static IP (along with the subnet mask, gateway, and DNS) will be automatically configured on your equipment.
  2. Have you tried restarting your modem -- possibly a few times and/or with a long off-period? When you change the equipment behind your cable modem, you need to flush the learned MAC address from the cable modem and allow it to learn the new device -- a cable modem will only provide an IP/service to the MAC address that it has learned. This re-learning is typically achieved by power cycling the modem. Some people say you need to keep the modem off for 30 minutes, but my experience (with Comcast) was that a reboot would do the trick, although sometimes I had to do it more than once. Power down both the modem and the router, then power up the modem and wait for it to fully boot and lock. Then power up the router. And test again when the router is fully booted.

  1. Yes, DHCP provides the dynamic IP since I have service for both dynamic and static. That's the reason why I'm bringing up the Dynamic NAT topic since that's what's configured on the Spectrum router (screenshots on the link above).

  2. I will try this tonight and get back to you with more information. I'm waiting on everyone to go to sleep to give it a shot ASAP.

Thank you so much for taking some of your time to help @psherman , truly appreciate it!


I haven't slept at all. I've discovered that Spectrum uses RIP to distribute static routes from the CPE to the CMTS.

That leaves me with two options:

  1. Disable DHCP and route it to my OpenWrt, which I'll have to test via the wan/lan interfaces to avoid double NATing.

  2. Spend some time trying to reverse engineer and get the RIP password, which I found out bird supports with RIPv2 if I can figure that out.

If anyone has experience using the bird package, let me know. I've dealt with RIP in the past differently.

Equipment and service lockdown at its finest! Gotta love the struggle, ugh... I'll update this discussion with further investigation.

An additional static IP routed to your line would typically be forwarded by your router to the interface that the mail server is connected to. The mail server would hold the public IP on its Ethernet port so there is no NAT involved.

There is a lot of mangling and routing possible inside a cable modem. The process is supposed to be invisible to the customer, if the modem is properly supported and configured by the company.


There is another problem I forgot to mention. No matter what you do to open the ports on the firewall (for example SMTP, IMAPS, etc.), it never opens. I even placed the entire mailcow cluster on the DMZ for both IPv4 and IPv6, restarted the router since it's the only way to restart the network daemons after making the changes, and still, the ports were not opened after doing an nmap/telnet/portqry test externally. I switched the router back to my OpenWrt and boom! It works.

I've looked through Reddit and it seems I'm not the only one with the issue.

https://www.reddit.com/r/networking/s/8Y3O9tZ9c8

I'm going to take some rest now and try again during the weekend.