Use WAN Port for different traffic

Hello all,

I'm puzzled with the following: sketch

What I'm trying to do is let the digicorder use the WAN port for direct communication (no natting - basically as a switch) with the modem in order to receive the correct WAN IP address, but also let the digicorder receive a LAN IP from the DHCP of the router.

How can I achieve this?

Currently running Lede but thinking of switching to Libremesh so the devices can roam seamlessly between the 2 routers.

Kind regards.

What do you mean by "in order to receive the correct WAN IP address"?

  • I have an idea, but want to verify the above before I reply to the rest

My ISP works like this.

If they receive the WAN MAC address of the digicorder > you get a 10.x.x.x range IP address (this is needed for their subscription service (CAS-Latens Encryption, VOD, etc.)).

If they receive any other kind of MAC address > you'll get either a DHCP address from the modem or, in my case, a direct WAN IP address since I don't have a router+modem combo.

The digicorder also has a different LAN MAC address so it's reachable for the LAN network (DLNA client).

It now "works" by adding a 5-port Belkin switch between the router & the modem and plugging the digicorder into that switch (minus the LAN DLNA client function).

I just want to "mimic" this with the WAN port of my router so that:

  1. I do not need the Belkin 5P switch
  2. I only use 1 port on my router to connect to the modem.
  3. I can use the other device that is also on my "powerline network" so I can reach it via LAN.

Thanks for the response.

Xtremegamer

Does the ISP recommend connecting the Digicorder directly to WAN?

  • This is massively insecure, as this will bypass the firewall of a router, making your Digicorder fully accessible to anyone on the internet.

The 10.0.0.0/8 subnet is not a WAN subnet... it's a Private Address Space set aside by RFC1918, same as 192.168.0.0/16 and 172.16.0.0/12.

  • Wouldn't it be easier to simply change your DHCP server to use a subnet from the IP block 10.0.0.0/8, or create a vlan for the LAN port the Digicorder is connected to?

    • /etc/config/network:

      • This will make LAN port 4 (sw.port 3) a part of a separate vlan
      #
      
        ##::[[---  LEDE LAN Network Config  ---]]::##
      
      ####################################################
                 ##----- Active Networks-----##
      ####################################################
      
          # LAN #
      #---------------------------------------------------
      config interface 'isp'
          option  ifname          'eth0.3'
          option  proto           'static'
          option  ipaddr          10.0.0.254
          option  netmask         255.255.255.0
      
      ####################################################
                ##----- Virtual Switches -----##
      ####################################################
      
          # vLANs #
      #---------------------------------------------------
      
        # 3: ISP:
      config switch_vlan
         option  device          'switch0'
         option  vlan            3
         option  ports           '3 5t'
      


    • /etc/config/firewall:

      #
      
           ##::[[---  LEDE Firewall Config  ---]]::##
      
      ####################################################
                     ##----- Zones -----##     
      ####################################################
      
          # ISP #
      #---------------------------------------------------
      config zone
          option  name            'isp'
          option  network         'isp'
          option  input           'ACCEPT'
          option  output          'ACCEPT'
          option  forward         'REJECT'
      
      ####################################################
              ##----- Interzone Forwarding  -----##
      ####################################################
      
          # ISP #
      #---------------------------------------------------
      config forwarding
          option  dest            'wan'
          option  src             'isp'
      

You can bridge the WAN port and the Digicorder LAN port, which should allow the Digicorder to receive a second WAN IP.

  • PLEASE NOTE: This will bypass the firewall of the router, making your Digicorder fully accessible to anyone on the internet.

    • /etc/config/network:

      • This will make LAN port 4 (sw.port 3) a part of the WAN vlan
      #
      
        ##::[[---  LEDE LAN Network Config  ---]]::##
      
      ####################################################
                 ##----- Active Networks-----##
      ####################################################
      
          # WAN #
      #---------------------------------------------------
      config interface 'wan'
         option  ifname          'eth1.2'
         option  proto           'dhcp'
      
      config interface 'wan6'
         option  ifname          'eth1.2'
         option  proto           'dhcpv6'
      
      ####################################################
                ##----- Virtual Switches -----##
      ####################################################
      
          # vLANs #
      #---------------------------------------------------
      
        # 2: WAN:
      config switch_vlan
         option  device          'switch0'
         option  vlan            2
         option  ports           '3 4 6t'
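
Added example, not part of the original thread or of LEDE itself: a shell audit that reads a swconfig-style `/etc/config/network` and reports when the VLAN carrying `wan` has more than one untagged switch port, the condition the note above warns about (a LAN port sharing the WAN VLAN sits outside the router's firewall). The function names and the sample config are constructed for illustration; it assumes `wan` uses a VLAN-suffixed ifname such as `eth1.2`, as in the post.

```shell
#!/bin/sh
# Added example: flag extra switch ports that share the WAN VLAN.

# UCI network config on stdin -> VLAN ID of interface wan (eth1.2 -> 2).
wan_vlan_id() {
    awk '{ gsub("[\047\"]", "") }   # drop UCI quoting; fields are re-split
         $1 == "config" { in_wan = ($2 == "interface" && $3 == "wan") }
         in_wan && !seen && $1 == "option" && $2 == "ifname" {
             if (split($3, part, ".") == 2) print part[2]
             seen = 1
         }'
}

# UCI on stdin -> untagged ports of VLAN $1, one per line (tagged "6t" CPU port skipped).
untagged_ports() {
    awk -v want="$1" '
        function emit(   i) {
            if (is_vlan && vid == want)
                for (i = 1; i <= np; i++) if (p[i] !~ /t$/) print p[i]
        }
        { gsub("[\047\"]", "") }
        $1 == "config" { emit(); is_vlan = ($2 == "switch_vlan"); vid = ""; np = 0; next }
        is_vlan && $1 == "option" && $2 == "vlan"  { vid = $3 }
        is_vlan && $1 == "option" && $2 == "ports" { np = NF - 2; for (i = 3; i <= NF; i++) p[i - 2] = $i }
        END { emit() }'
}

# Return 1 and list the ports when the WAN VLAN has more than one untagged
# port: anything beyond the modem uplink sits outside the router firewall.
audit_wan_vlan() {
    cfg=$(cat)
    vid=$(printf '%s\n' "$cfg" | wan_vlan_id)
    [ -n "$vid" ] || { echo "no VLAN-suffixed wan ifname found" >&2; return 2; }
    ports=$(printf '%s\n' "$cfg" | untagged_ports "$vid" | tr '\n' ' ')
    set -- $ports
    [ "$#" -le 1 ] && return 0
    echo "VLAN $vid (wan) untagged ports: $*"
    return 1
}

# Constructed sample mirroring the bridged-WAN config in the post above.
sample_bridged() {
    printf '%s\n' "config interface 'wan'" "    option ifname 'eth1.2'" \
        "    option proto 'dhcp'" "" "config switch_vlan" \
        "    option device 'switch0'" "    option vlan 2" \
        "    option ports '3 4 6t'"
}

sample_bridged | audit_wan_vlan || echo "a LAN-side port is bridged to the ISP side"
```

On the router itself the same check runs as `audit_wan_vlan < /etc/config/network`.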
      

Hi,

Thanks for the response.

Firstly, yes it could be insecure to connect it directly, but the digicorder gets terminated on their internal LAN network, the router/modem combo does the same, so it's always "insecure".

I do follow you on setting 2 ports to the same VLAN or creating a separate VLAN and adding it to the WAN zone, BUT

I would like to keep my 4 ports for clients, and also want to be able to reach my LAN from this port since:

  1. the digicorder acts as a DLNA client on the LAN MAC address.
  2. another device is on the same "powerline network" that needs to be able to reach the LAN.

I've found someone who managed to do it like this:

They set up a managed switch between the modem and the router, and set up 3 ports:
1 for the WAN port of the router
1 for the Digicorder, but applied ACLs so that only the WAN MAC address may pass, and connected a port to the LAN zone of the router, essentially creating a bridge over the WAN-LAN zone but only allowing the WAN MAC address, and also denied DHCP leases for the WAN MAC address so the ISP DHCP would answer.

I'm trying to achieve the same but with the internal switch of the router itself, thus I want to allow traffic of either my WAN zone and the digicorder's WAN MAC address from the WAN port and still let the LAN MAC address receive an IP address from my DHCP.

I'm thinking I would need to virtually "bridge" the WAN-LAN zone by creating a new zone just for the digicorder and only allow that MAC address.

The only thing I don't know is: will it directly communicate to the modem or always via the router's IP (NAT)?

If I just bridge this port with my WAN port I will lose the ability to reach my LAN zone.

Any ideas how to bridge these interfaces in such a way that the digicorder essentially uses the WAN port as a "switch" and just sends its data directly to the router, but deflects any traffic for the LAN MAC address to the LAN zone, or does this need to be done with a separate switch?

Also I cannot create this 10.x.x.x range for the digicorder as it will call home and check if this IP address was leased by their DHCP server (anti-piracy).

Thanks for your time,

Xtremegamer

Belgium / Telenet? See my question on a similar topic (VLAN assignment based on mac address). No response so far that's given me the info I need to accomplish the same thing.

Yes indeed, the very same. If you have a managed switch you could try this:
https://userbase.be/forum/viewtopic.php?t=50855#p715113 (Dutch)

but as I've explained I want to do the same with the internal switch, which is in theory also a 5-port managed switch.

A link makes it easier to find: VLAN assignment based on client mac address possible?
