I have a /24, I actually have it subnetted...I use the network and broadcast barriers for SNATs on the router.
If the OP wanted to assign IPs to the devices anyways, this should not be an issue...otherwise, they need to make sure they Port Forward and SNAT the correct ports if used for another service in another network (that just makes it convoluted - I'd reserve an IP I don't use in the new VLAN for such a purpose).
Also, each zone can have:
So yea, it can be done...but if the network has those IPs, a masquerade would not occur, the router has been given a (specific) route.
oh nice that GUI for restricting masquerade is exactly what's needed... at that point I think you're right it's just make a VLAN, connect all the "public" devices in that VLAN, give them static IPs, and then for the "private" vlan do masquerade on wan with restricted to just the 192.168.1.0/24 (or whatever) subnet. voila
well, I'm assuming that there are two groups of machines: one group has public IPs (servers), and a separate group has private only (a home LAN). So the private-only machines need masquerade.
This was the only thing keeping me from recommending just putting a VLAN in. But now that I see you can masq based on source address subset without too much manual config... Here's what I'd suggest: @mrbronz61
VLAN1) Your home LAN
VLAN2) Your WAN (typical but could also be say eth1)
VLAN3) Your DMZ/Server Farm
put 192.168.1.1 on eth0.1 and use that like regular OpenWrt out of the box config for the home LAN.
put 126.96.36.199 on the WAN interface (for sake of argument suppose it's eth0.2).
Create a custom routing rule that routes 188.8.131.52/29 to dev eth0.3
Connect your server/public devices to vlan3 ports on your switch
Static IP each of the public devices in their operating system
put eth0.3 in the WAN firewall zone or in its own firewall zone with rules for forwarding from/to WAN
select masquerade on the WAN interface and use only from source 192.168.1.0/24
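
The firewall side of the steps above as an added example (not part of the original posts, and not OpenWrt's shipped config), taking the "own firewall zone" option. The network names `lan`, `wan`, `dmz`, the rule name and every 203.0.113.x address are constructed placeholders; `masq_src` is the zone option that restricts masquerading by source subnet.

```uci
# /etc/config/firewall (excerpt). Network names 'lan', 'wan', 'dmz' and all
# 203.0.113.x addresses are constructed placeholders, not values from the thread.

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	# Without masq_src, every source forwarded out of this zone, including
	# the public server addresses, is rewritten to the router's WAN address.
	list masq_src '192.168.1.0/24'
	option mtu_fix '1'

# Servers get their own zone so nothing reaches them by default.
config zone
	option name 'dmz'
	list network 'dmz'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'dmz'
	option dest 'wan'

# Inbound is opened per server and per port, not with a wan -> dmz forwarding.
config rule
	option name 'Allow-DMZ-Web'
	option src 'wan'
	option dest 'dmz'
	option dest_ip '203.0.113.10'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'
```

With this layout the servers keep their public source addresses on the way out, and each exposed service needs its own `config rule`; the servers should still run a host firewall.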
It sounds like the ISP has given a single block of Public IPs instead of a WAN block and a LAN block to OP.
In this case, I think the simple way of assigning the Public IPs to other machines connecting to the Router is to use Layer2 switching.
By default, WAN port is VLAN 2 in OpenWrt. So just assign another port to VLAN2 (untagged), connect the host server to it, and assign IP address in exactly the same way as the Router - just with a different IP address in the block.
In this configuration, the OpenWrt router is just a VLAN switch to the Host Server - so the Host will have full access to the Public Internet and must be running a Host Firewall.
Personally, my ISP gives me two sets of Dynamic IPs (each set having both IPv4 and IPv6). I am using VLAN trunking to allow one of my Virtual Guests running inside Fedora to use the second set of Public IPs.
But I am interested to learn how to use the second set of Dynamic IPs in the layer3 way as well.
I did say that earlier in the post; I will restate it here for convenience.
The block of addresses I have been given can be assumed to be:
184.108.40.206 ---*Cannot use
220.127.116.11 ---Assigned to the router
18.104.22.168 --- To my server
22.214.171.124 --- To NS1
126.96.36.199 --- To NS2
188.8.131.52 ---*Cannot use
What should my upstream subnet mask be for this block of IP addresses? I was under the impression it should be 255.255.255.248.
However, it's showing 255.255.255.255, which in my limited knowledge is only one single public IP address.