Utilising 8 Public IPs

Hi there,

I need a little help. I have a BTHH5A with OpenWRT on it.

I have access to the Internet and Wifi and even managed to sort out port forwarding.

I have a block of public IPs from my ISP that I would like to use to run my own Name servers.

How can I utilise the other public IPs and point them to my NS1 and NS2 servers?

I currently have a block of 8 public IP addresses

56.52.53.0 ---*Cannot use
56.52.53.1 ---Assigned to the router
56.52.53.2
56.52.53.3
56.52.53.4
56.52.53.5
56.52.53.6
56.52.53.7 ---*Cannot use

These are made-up IPs, NOT the actual IPs from my ISP.

Many Thanks

Are you intending to host caching/recursive DNS servers, available for anyone anywhere on the Internet to query? For example, are you planning to run your own version of 8.8.8.8?

Are you intending to host authoritative name servers for one or more domains which you own?

If the first scenario, my recommendation is don't. Running a public DNS server is a headache, especially from a security perspective. By all means host your own internal DNS server (e.g. spin up your own instance of Pi-hole, or BIND, or similar), but exposing it publicly is fraught with risk.

If the second scenario, it's easy: edit your domain records to show which of your IP addresses should be the authoritative name servers for your domain(s).

1 Like

Thanks for the advice...

But your answer had nothing to do with the question.

Then what did you mean by "I have a block of public IPs from my ISP that I would like to use to run my own Name servers. How can I utilise other public IP's and point them to my NS1 and NS2 servers?" ?

It appears you want to run name servers, using one or more of your public IP addresses. If I've misunderstood your requirements, then feel free to elaborate on those requirements.

1 Like

It's sad and drives me crazy that everyone is so used to NAT that it's not intuitive how to make IP protocol work the way it's supposed to...

Just put the .1 on a VLAN interface and put the other addresses on other machines in the vlan... Then adjust your firewall rules.

The harder part is if you want to mix NAT with public ips.

2 Likes
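The routed layout suggested above, written out as an added example (it is not from the thread or from the OpenWrt documentation): a POSIX sh script that emits a `uci batch` script putting the router's .1/29 on a separate VLAN interface, giving the public hosts a 'dmz' zone that cannot initiate anything towards the lan, and limiting the wan zone's masquerading to the lan prefix so the public hosts' real addresses are not rewritten (the "mixing NAT with public IPs" part). The addresses are the thread's made-up ones; 'dmz', eth0.2 and every section name are this script's own choices. It assumes the ISP routes the whole /29 to the PPPoE session while the wan keeps its own address, and that one switch port has already been moved into VLAN 2, which the posted switch config already tags to the CPU as eth0.2.

```sh
#!/bin/sh
# Added example: emit a `uci batch` script for the routed (no NAT) layout.
# Assumed: fw3 syntax as in the posted config, the /29 routed to the PPPoE
# session, one switch port already in VLAN 2 (eth0.2). Addresses are the
# thread's made-up ones; 'dmz' and the section names are this script's own.

DMZ_GW="56.52.53.1"              # the router's address, as listed in the thread
DMZ_MASK="255.255.255.248"       # /29
LAN_NET="192.168.61.0/24"        # lan prefix from the posted /etc/config/network

emit_dmz_base() {
    # Public VLAN interface; the hosts use DMZ_GW as their default gateway.
    echo "set network.dmz=interface"
    echo "set network.dmz.proto=static"
    echo "set network.dmz.ifname=eth0.2"
    echo "set network.dmz.ipaddr=${DMZ_GW}"
    echo "set network.dmz.netmask=${DMZ_MASK}"

    # The posted wan zone has masq '1', which would also rewrite the dmz hosts'
    # public source addresses. masq_src limits masquerading to the lan prefix.
    # The wan zone is the second zone in the posted firewall config: @zone[1].
    echo "add_list firewall.@zone[1].masq_src=${LAN_NET}"

    # dmz zone: no masquerading, nothing accepted by default.
    echo "set firewall.dmz=zone"
    echo "set firewall.dmz.name=dmz"
    echo "set firewall.dmz.network=dmz"
    echo "set firewall.dmz.input=REJECT"
    echo "set firewall.dmz.output=ACCEPT"
    echo "set firewall.dmz.forward=REJECT"

    # dmz hosts may initiate to the internet; lan may initiate to dmz hosts.
    # Deliberately no dmz->lan and no blanket wan->dmz forwarding, so a
    # compromised public host still cannot reach the WiFi devices on the lan.
    echo "set firewall.dmz_wan=forwarding"
    echo "set firewall.dmz_wan.src=dmz"
    echo "set firewall.dmz_wan.dest=wan"
    echo "set firewall.lan_dmz=forwarding"
    echo "set firewall.lan_dmz.src=lan"
    echo "set firewall.lan_dmz.dest=dmz"
}

# allow_from_wan SECTION DEST_IP "PORTS" PROTO...: one ACCEPT rule from wan
# into the dmz for a single host. PORTS is space-separated; the remaining
# arguments are the protocols (fw3 takes both as lists).
allow_from_wan() {
    sec=$1 ip=$2 ports=$3; shift 3
    echo "set firewall.${sec}=rule"
    echo "set firewall.${sec}.name=${sec}"
    echo "set firewall.${sec}.src=wan"
    echo "set firewall.${sec}.dest=dmz"
    echo "set firewall.${sec}.dest_ip=${ip}"
    for proto in "$@"; do echo "add_list firewall.${sec}.proto=${proto}"; done
    for port in $ports; do echo "add_list firewall.${sec}.dest_port=${port}"; done
    echo "set firewall.${sec}.target=ACCEPT"
}

# The thread's layout: the name servers get DNS only, the server its services.
emit_all() {
    emit_dmz_base
    allow_from_wan ns1_dns 56.52.53.3 "53" tcp udp
    allow_from_wan ns2_dns 56.52.53.4 "53" tcp udp
    allow_from_wan srv_web 56.52.53.2 "80 443" tcp
    allow_from_wan srv_mail 56.52.53.2 "25 143 993" tcp
}

# On the router: review the output first, then apply it with
#   sh routed_dmz.sh --emit | uci batch && uci commit \
#     && /etc/init.d/network reload && /etc/init.d/firewall reload
if [ "${1:-}" = "--emit" ]; then emit_all; fi
```

The hosts on the VLAN are configured like any machine with a public address (static .2, .3, .4 with mask /29 and gateway .1), and nothing on the router rewrites their traffic; what reaches them from the wan is exactly the set of ACCEPT rules, so adding a service means adding a rule, not a port forward.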

Simplifying the question...

"How can I utilise several public IPs and connect them to other devices?"

e.g. Computer 1 is connected to IP 56.52.53.2
Computer 2 is connected to IP 56.52.53.3 etc...

How is this achieved in OpenWrt?

Many thanks

dlakelan, that sounds like what I am after. How do I do that?

Could you give me a step by step guide, please

Regards

Martin

Are you trying to do a NAT network as well as a regular IP network? Or you just want to route this public subnet only?

Also what IP address does the ISP give you on the ISP facing side?

SNAT and DNAT.

SNAT = traffic from your internal device goes outbound with your public IP address as the source
DNAT = traffic to your public IP address gets redirected internally to your device's private IP address.

1 Like
3 Likes

The NAT method is one option, but the other option is to just use regular routing.

1 Like

It depends if .1 is assigned on the wan side of the ISP or there is another IP on the wan and the whole block can be utilized in the lan.

2 Likes

Also what IP address does the ISP give you on the ISP facing side?

The block of addresses I have been given can be assumed to be:
56.52.53.0 ---*Cannot use
56.52.53.1 ---Assigned to the router
56.52.53.2 --- To my server
56.52.53.3 --- To NS1
56.52.53.4 --- To NS2
56.52.53.5
56.52.53.6
56.52.53.7 ---*Cannot use

My server is currently sitting behind a NAT with a few port redirects

I am willing to experiment, that's what this is all about after all.

So I am confident that my server security is tough enough to face a public IP

However... I do have other devices that need to be kept away from the public, such as WiFi-connected devices.

trendy
I have seen this and tried to implement it with no success.

I am very new to OpenWrt so need the guidance

iplaywithtoys

SNAT and DNAT.

SNAT = traffic from your internal device goes outbound with your public IP address as the source
DNAT = traffic to your public IP address gets redirected internally to your device's private IP address.

Can you help me out? I don't understand this.

There isn't much to guide here. The page has an example for one public IP (100.64.0.3) which is assigned to internal 192.168.1.3. Change the public and private IPs to the ones you are using, then repeat for all the public IPs you want to assign to the lan hosts.

I think the SNAT/DNAT method they're advocating is the best one for your setup based on what you've said so far.

The page @trendy mentioned shows the config code you need to put in your /etc/config/network and /etc/config/firewall

all you need to do is change the example IPs, and make copies of the code and do it one for each pair of public/private IPs you want to handle.

if you're at the stage where that's not intuitive, then you may need info on how to ssh into the router and how to edit files... that'd be here: https://openwrt.org/docs/guide-quick-start/sshadministration

As an editor I recommend you install the "nano" package. Then, to edit a file, run nano thefile and follow the on-screen instructions to save and quit.

1 Like
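The "one copy of the code per public/private pair" step, as an added example (not from the thread or the wiki page referred to above): a POSIX sh script that emits a `uci batch` script for each pair, in the shape of the posted dnat3/snat3 stanzas (fw3 redirects; in an fw3 redirect with target SNAT, src_dip is the rewritten source address). It goes a little beyond the wiki's single pair: each public address is checked against the block, so the .0 and .7 "cannot use" addresses are refused, each private address is checked against the posted lan prefix, and a pair can optionally be limited to a list of ports instead of mapping the whole host. The addresses are the thread's made-up ones; the section names, the port-list option and the checks are this script's own, and the alias interface uses the 19.07 'ifname' syntax of the posted config.

```sh
#!/bin/sh
# Added example: emit a `uci batch` script mapping public addresses 1:1 onto
# LAN hosts with fw3 DNAT+SNAT redirect pairs. Assumed: fw3 syntax as in the
# posted config (19.07 'ifname'; 21.02+ uses 'device'). Addresses are the
# thread's made-up ones; section names and checks are this script's own.

PUBLIC_BLOCK="56.52.53.0/29"   # the ISP block as listed in the thread
LAN_NET="192.168.61.0/24"      # lan prefix from the posted /etc/config/network

# Dotted quad -> integer, POSIX sh only (no ipcalc on a bare OpenWrt image).
ip2int() {
    oifs=$IFS; IFS=.; set -- $1; IFS=$oifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# netmask_of PLEN -> integer mask
netmask_of() { echo $(( (0xffffffff << (32 - $1)) & 0xffffffff )); }

# in_cidr IP NET/PLEN: succeeds when IP lies inside NET/PLEN.
in_cidr() {
    m=$(netmask_of "${2#*/}")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "${2%/*}") & m )) ]
}

# usable_host IP NET/PLEN: inside the block and neither the network nor the
# broadcast address, i.e. not the .0 and .7 the thread marks "cannot use".
usable_host() {
    in_cidr "$1" "$2" || return 1
    m=$(netmask_of "${2#*/}")
    first=$(( $(ip2int "${2%/*}") & m ))
    last=$(( first | (0xffffffff & ~m) ))
    ip=$(ip2int "$1")
    [ "$ip" -ne "$first" ] && [ "$ip" -ne "$last" ]
}

# emit_dnat SECTION PUBLIC PRIVATE PROTO [PORT]: one redirect. An fw3 redirect
# takes a single src_dport, so callers loop over ports.
emit_dnat() {
    sec=$1 pub=$2 priv=$3 proto=$4 port=$5
    echo "set firewall.${sec}=redirect"
    echo "set firewall.${sec}.name=DNAT-${pub}-${proto}${port:+-$port}"
    echo "set firewall.${sec}.src=wan"
    echo "set firewall.${sec}.src_dip=${pub}"
    echo "set firewall.${sec}.dest=lan"
    echo "set firewall.${sec}.dest_ip=${priv}"
    echo "set firewall.${sec}.proto=${proto}"
    [ -n "$port" ] && echo "set firewall.${sec}.src_dport=${port}"
    echo "set firewall.${sec}.target=DNAT"
}

# emit_pair NAME PUBLIC PRIVATE ["TCP_PORTS"] ["UDP_PORTS"]
# Without port lists the whole host is mapped (proto all): every port it listens
# on becomes reachable and only its own firewall protects it. With port lists
# only those ports are DNATed; outbound traffic is SNATed to PUBLIC either way.
emit_pair() {
    name=$1 pub=$2 priv=$3 tcp=$4 udp=$5
    case $name in *[!A-Za-z0-9_]*|"") echo "bad section name: $name" >&2; return 1;; esac
    usable_host "$pub" "$PUBLIC_BLOCK" || { echo "refusing $pub: not a usable host in $PUBLIC_BLOCK" >&2; return 1; }
    in_cidr "$priv" "$LAN_NET" || { echo "refusing $priv: not inside lan $LAN_NET" >&2; return 1; }

    # Alias of the wan interface carrying the public address. It shares the
    # pppoe-wan device with 'wan', which is already in the wan zone.
    echo "set network.${name}=interface"
    echo "set network.${name}.proto=static"
    echo "set network.${name}.ifname=@wan"
    echo "set network.${name}.ipaddr=${pub}"
    echo "set network.${name}.netmask=255.255.255.255"

    # SNAT: src_dip is the rewritten source in an fw3 SNAT redirect.
    echo "set firewall.${name}_snat=redirect"
    echo "set firewall.${name}_snat.name=SNAT-${priv}"
    echo "set firewall.${name}_snat.src=lan"
    echo "set firewall.${name}_snat.src_ip=${priv}"
    echo "set firewall.${name}_snat.dest=wan"
    echo "set firewall.${name}_snat.src_dip=${pub}"
    echo "set firewall.${name}_snat.proto=all"
    echo "set firewall.${name}_snat.target=SNAT"

    if [ -z "$tcp$udp" ]; then
        emit_dnat "${name}_dnat" "$pub" "$priv" all
    else
        for p in $tcp; do emit_dnat "${name}_dnat_tcp_$(echo "$p" | tr - _)" "$pub" "$priv" tcp "$p"; done
        for p in $udp; do emit_dnat "${name}_dnat_udp_$(echo "$p" | tr - _)" "$pub" "$priv" udp "$p"; done
    fi
}

# The thread's layout: whole-host mapping for the server, DNS only for the two
# name servers (private addresses as in the posted SSH redirects).
emit_all() {
    emit_pair srv 56.52.53.2 192.168.61.70
    emit_pair ns1 56.52.53.3 192.168.61.71 53 53
    emit_pair ns2 56.52.53.4 192.168.61.72 53 53
}

# On the router: review the output first, then apply it with
#   sh nat_pairs.sh --emit | uci batch && uci commit \
#     && /etc/init.d/network reload && /etc/init.d/firewall reload
if [ "${1:-}" = "--emit" ]; then emit_all; fi
```

The two checks are the ones worth having before anything is written to the router: a public address outside the usable range of the block, or a private address from a prefix other than the lan's (a 192.168.1.x host on a 192.168.61.0/24 lan, for instance), is refused instead of ending up in a redirect that can never match.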

I don't have a problem with the config or SSH. It's that when I implemented it I could not get it to work.

perhaps you could show the config you were using?

1 Like

#/etc/config/network

config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd99:7f4d:1a88::/48'

config atm-bridge 'atm'
option vpi '1'
option vci '32'
option encaps 'llc'
option payload 'bridged'
option nameprefix 'dsl'

config dsl 'dsl'
option annex 'a'
option tone 'a'
option xfer_mode 'ptm'
option line_mode 'vdsl'
option ds_snr_offset '0'

config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.61.254'

config device 'lan_dev'
option name 'eth0.1'
option macaddr '54:64:d9:12:e2:d4'

config interface 'wan'
option proto 'pppoe'
option ipv6 '1'
option username 'myname@myisp.com'
option password '**********'
option delegate '0'
option ifname 'dsl0.101'

config device 'wan_dev'
option name 'dsl0'
option macaddr '54:64:d9:12:e2:d5'

config interface 'wan6'
option ifname '@wan'
option proto 'dhcpv6'
option auto '0'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 2 4 6t'
option vid '1'

config switch_vlan
option device 'switch0'
option vlan '2'
option vid '2'
option ports '6t'

config interface 'wan3'
option proto 'static'
option ifname 'eth1'
option ipaddr '56.52.53.3'
option netmask '255.255.255.248'
option gateway '56.52.53.0'

#/etc/config/firewall

config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '80'
option dest_ip '192.168.61.70'
option dest_port '80'
option name 'HTTP'

config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '443'
option dest_ip '192.168.61.70'
option dest_port '443'
option name 'HTTPS'

config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '143'
option dest_ip '192.168.61.70'
option dest_port '143'
option name 'IMAP'

config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '993'
option dest_ip '192.168.61.70'
option dest_port '993'
option name 'IMAPS'

config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '8080'
option dest_ip '192.168.61.70'
option dest_port '8080'
option name 'Ispconfig3'

config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp udp'
option src_dport '25'
option dest_ip '192.168.61.70'
option dest_port '25'
option name 'SMTP'

config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '21'
option dest_ip '192.168.61.70'
option dest_port '21'
option name 'FTP Server'

config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '22'
option dest_ip '192.168.61.70'
option dest_port '22'
option name 'FTPS Server'

config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '2293'
option dest_ip '192.168.61.70'
option dest_port '2293'
option name 'SSH-Server'

config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '2294'
option dest_ip '192.168.61.71'
option dest_port '2294'
option name 'SSH-DNS-NS1'

config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '2295'
option dest_ip '192.168.61.72'
option dest_port '2295'
option name 'SSH-DNS-NS2'

config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '3306'
option dest_ip '192.168.61.70'
option dest_port '3306'
option name 'sql'

config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option src_dport '53'
option dest_ip '192.168.61.70'
option dest_port '53'
option name 'DNS'

config redirect
option enabled '1'
option name 'dnat3'
option src 'wan'
option src_dip '56.52.53.3'
option dest 'lan'
option dest_ip '192.168.1.70'
option proto 'all'
option target 'DNAT'

config redirect
option enabled '1'
option name 'snat3'
option src 'lan'
option src_ip '192.168.1.70'
option src_dip '56.52.53.3'
option dest 'wan'
option proto 'all'
option target 'SNAT'
