Utilising 8 Public IP's

For this case, using Layer2 VLAN will be the easiest to do.

With Layer2 VLAN, all of your .2, .3 and .4 machines will be connected directly to Internet.

If you are OK to start with VLAN, then concentrate on finding out how to assign physical ports of your Router to the correct VLAN.

Then you just need to assign static Public IPs as given by your ISP.

2 Likes

@mrbronz61 I Agree with @sampson can you show us your switch config page?

1 Like

I rest my case

You win and still continue to give advice

Take care stay safe

1 Like

:bulb: @ppmm, you forgot the OP wants a step-by-step each time you speak to them; and even after you provide one, they say they need more. Hence why the OP merely stated to you:

As we again note, that the OP:

  • Didn't tell you what's wrong or further needed in you response
  • What upset the OP
  • Why the OP became dismissive to you as well

The OP merely wants THREE whole step-by-step guides - without even providing the current config as requested:

I have a feeling there's a reason the OP fails to provide configs. As you know, some posters come "speculating" about a future desired config - sometimes they admit they never touched anything...or it was just all "in theory". We're just supposed to waste time making steps and guess the OP didn't break something before:

  • Before the OP picks one - just make 3 guides :frowning_face:
  • Before the OP asks for information or clarity on what they claim they don't understand

...or the OP coulda simply told us they're not making any changes and imagine a default config. :wink:
...or maybe the OP thought they were still being disrespectful in replying to me.

(And as you know that usually turns out poorly; because OPs tend to be further enraged we gave steps to work on a "broken device".)

1 Like

I'm still operating on the theory that the OP is acting in good faith, but operating at a really very low current level of knowledge. Like, maybe doesn't even know where the switch config page is for example, or isn't really aware how VLANs work.

@mrbronz61 Based on the things you've described here, in particular that you have firewalls on each of the servers, I recommend you simply do the setup as described visually in my diagram above:

What you will need to do is figure out which VLAN your WAN is currently on (on OpenWrt it's usually VLAN 2), then assign N ports on your router to be untagged in the same VLAN as your WAN. Then you can simply plug your servers into those ports. They will now be "on the internet" and responsible for their own security. You can statically configure them to have whichever of your IPs you want.

Then you're done.

If you show your switch config page, we can tell you what things to click.

3 Likes

My dear friend...

Out of the respect @dlakelan has given me...I will give leeway as well and say:

@mrbronz61 if you need to know where these pictures to config thing are located, feel free to ask. I really cannot guess something like that when someone is exhibiting an attitude, obdurate, and not answering direct questions actually related to the inquiry.

  • It's located under Network > Switch
  • You do recall I showed the OP and example pic, correct?

Using a rubric in schools to measure if the same quality or method was administered...I fear the OP is gonna explode at you too. :frowning_face_with_open_mouth:

@mrbronz61 I found your post where you showed your switch config:

vlan 2 uses exclusively tags here. and the CPU is not part of VLAN2 so I think this will cut your vlan1 off from the internet.

Instead I'd say on VLAN2 line you should have the CPU tagged, and then LAN 2,3,4 should be untagged for VLAN2 and OFF for vlan1.

leave LAN 1 port UNTAGGED for vlan 1, and plug a switch into that port to get more ports if you need more wired devices in your LAN.

The WAN port should be untagged for VLAN 2, off in VLAN 1 and have your ISP equipment plugged in there.

If you set that and plug your ISP into WAN and your servers into LAN 2,3,4 they will be "on the internet" the same as your router is. Just give them static IPs.

You can access the LAN via LAN 1, where you can plug an additional switch to let you plug your non-public devices.

2 Likes

Wow, a first time poster (on this forum) is telling me to get off a thread that I watched the last 5 days, that's quite an interesting move.

Well normally people who are eager to learn would not "advise" people that are eager to help.

I have the solution if anyone is interested with many thanks from iplaywithtoys, who in my humble opinion is a legend.

My problem has been how to connect the devices to OpenWRT with my limited knowledge.

So my goal is this:

Please note that the Public IP addresses in this example are made up for the purpose of demonstration.

So let’s just give a little recap of what I have and how some of the things work.
I won’t go into too much detail as a lot of it is self-explanatory from the diagram above.

I have a BT Home Hub 5 A with OpenWRT v 18.06
I have been given a /29 block of IP addresses from my ISP, I want to connect each of these devices to my network. iplaywithtoys, first mentioned using DNAT and SNAT in post #9.

So simply put:

SNAT = traffic from an internal device (192.168.1.2) goes outbound with your public IP address (56.52.53.2) as the source.

DNAT = traffic to your public IP address (56.52.53.2) gets redirected internally to your device's private IP address (192.168.1.2).

So once you understand this you can use the example from THIS LINK and create the entries. I will show my example from above for all 6 entries:

config redirect
option name 'WebDNAT'
option src 'wan'
option src_dip '56.52.53.2'
option dest 'lan'
option dest_ip '192.168.1.2'
option proto 'all'
option target 'DNAT'

config redirect
option name 'WebSNAT'
option src 'lan'
option src_ip '192.168.1.2'
option src_dip '56.52.53.2'
option dest 'wan'
option proto 'all'
option target 'SNAT'

config redirect
option name 'NS1DNAT'
option src 'wan'
option src_dip '56.52.53.3'
option dest 'lan'
option dest_ip '192.168.1.3'
option proto 'all'
option target 'DNAT'

config redirect
option name 'NS1SNAT'
option src 'lan'
option src_ip '192.168.1.3'
option src_dip '56.52.53.3'
option dest 'wan'
option proto 'all'
option target 'SNAT'

config redirect
option name 'NS2DNAT'
option src 'wan'
option src_dip '56.52.53.4'
option dest 'lan'
option dest_ip '192.168.1.4'
option proto 'all'
option target 'DNAT'

config redirect
option name 'NS2SNAT'
option src 'lan'
option src_ip '192.168.1.4'
option src_dip '56.52.53.4'
option dest 'wan'
option proto 'all'
option target 'SNAT'

We now have all we need for this to work.
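The six stanzas above are easy to mistype by hand (a public address outside the /29, or a DNAT whose SNAT partner points at a different private host), and nothing on the router warns you. The script below is an added example, not code from this thread, from OpenWrt, or from iplaywithtoys: it generates the DNAT/SNAT pair for each host in the same layout as the stanzas above, parses the resulting `config redirect` text the way it would appear in /etc/config/firewall, pairs each DNAT with its SNAT by public address, and checks the addresses against the ISP's block. Function names, the hypothetical "Mail" host and the deliberately broken variant are this example's own constructions; the public addresses are the thread's made-up 56.52.53.0/29.

```python
"""Consistency check for 1:1 DNAT/SNAT redirect rules in an OpenWrt firewall config.

Added example, not from the forum thread or from OpenWrt. It generates and
parses 'config redirect' stanzas, pairs each DNAT with its SNAT by public
address, and checks the public addresses against the /29 the ISP assigned.
"""
import ipaddress


def redirect_pair(name, public_ip, private_ip, proto="all"):
    """Return the DNAT + SNAT stanzas for one host, in the thread's layout.

    proto 'all' with no dest_port forwards every port of the private host."""
    return (
        "config redirect\n"
        f"\toption name '{name}DNAT'\n"
        "\toption src 'wan'\n"
        f"\toption src_dip '{public_ip}'\n"
        "\toption dest 'lan'\n"
        f"\toption dest_ip '{private_ip}'\n"
        f"\toption proto '{proto}'\n"
        "\toption target 'DNAT'\n\n"
        "config redirect\n"
        f"\toption name '{name}SNAT'\n"
        "\toption src 'lan'\n"
        f"\toption src_ip '{private_ip}'\n"
        f"\toption src_dip '{public_ip}'\n"
        "\toption dest 'wan'\n"
        f"\toption proto '{proto}'\n"
        "\toption target 'SNAT'\n\n"
    )


def parse_redirects(text):
    """Minimal UCI reader: returns a dict of options per 'config redirect' stanza."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "config":
            current = {"_type": parts[1]} if len(parts) > 1 else None
            if current is not None and current["_type"] == "redirect":
                rules.append(current)
            else:
                current = None                  # ignore zones, forwardings, etc.
        elif parts[0] == "option" and current is not None and len(parts) == 3:
            current[parts[1]] = parts[2].strip().strip("'\"")
    return rules


def check_mapping(rules, block):
    """Return (problems, warnings) for a 1:1 mapping inside the given block."""
    net = ipaddress.ip_network(block)
    problems, warnings = [], []
    dnat = [r for r in rules if r.get("target") == "DNAT"]
    snat = {r.get("src_dip"): r for r in rules if r.get("target") == "SNAT"}
    seen = set()
    for d in dnat:
        pub, name = d.get("src_dip"), d.get("name", "?")
        if pub in seen:
            problems.append(f"{name}: second DNAT for {pub}")
        seen.add(pub)
        s = snat.pop(pub, None)
        if s is None:
            problems.append(f"{name}: no SNAT for {pub}; new outbound connections "
                            f"from {d.get('dest_ip')} would not use {pub}")
        elif s.get("src_ip") != d.get("dest_ip"):
            problems.append(f"{name}: DNAT sends {pub} to {d.get('dest_ip')} but "
                            f"{s.get('name')} SNATs {s.get('src_ip')}")
        if d.get("proto") == "all" and not d.get("dest_port"):
            warnings.append(f"{name}: every port of {d.get('dest_ip')} is reachable "
                            "from the WAN; its own host firewall is the only filter")
    for pub, s in snat.items():                 # SNATs left over after pairing
        problems.append(f"{s.get('name')}: SNAT for {pub} has no DNAT")
    for pub in seen | set(snat):
        try:
            addr = ipaddress.ip_address(pub)
        except ValueError:
            problems.append(f"{pub!r}: not an IP address")
            continue
        if addr not in net:
            problems.append(f"{pub}: outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{pub}: network or broadcast address of {net}")
    return problems, warnings


# Constructed sample: the three hosts from the thread (.2, .3, .4 of the /29).
HOSTS = [("Web", "56.52.53.2", "192.168.1.2"),
         ("NS1", "56.52.53.3", "192.168.1.3"),
         ("NS2", "56.52.53.4", "192.168.1.4")]
GOOD_FIREWALL = "".join(redirect_pair(*h) for h in HOSTS)

# Constructed broken variant: a typo in NS2's SNAT private address, plus a
# hypothetical "Mail" host given an address that is not inside the /29.
BROKEN_FIREWALL = (GOOD_FIREWALL.replace("src_ip '192.168.1.4'", "src_ip '192.168.1.44'")
                   + redirect_pair("Mail", "56.52.53.9", "192.168.1.5"))


def audit(text, block="56.52.53.0/29"):
    return check_mapping(parse_redirects(text), block)


if __name__ == "__main__":
    for label, text in (("thread config", GOOD_FIREWALL), ("broken config", BROKEN_FIREWALL)):
        problems, warnings = audit(text)
        print(f"{label}: {len(problems)} problem(s), {len(warnings)} warning(s)")
        for line in problems + warnings:
            print("  " + line)
```

To run it against a real router, replace `GOOD_FIREWALL` with the contents of /etc/config/firewall (for example fetched with `scp`) and pass the block your ISP actually assigned; a clean run reports no problems but still one warning per host, which is the reminder that `proto 'all'` leaves each server's own firewall as its only protection.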

I did not initially understand how a device could work correctly without having a direct connection to the public IP address, but with a simple explanation from iplaywithtoys, it was like a lightbulb moment. He stated it like this.

Remember that routing is simply working out the answer to the question, "Where do I send this?" Every device which participates in routing has to ask and answer the same question every time it processes a packet.

  • The outside world knows that your /29 block is managed by your ISP
  • Any inbound traffic to your /29 block has to enter ISP systems before reaching you
  • Your ISP’s routers know about your /29 block directly
  • Your ISP's routers know to direct all relevant traffic to your router's IP address (56.52.53.2), (i.e. answering the question "Where do I send this?")
  • Your router's WAN interface receives traffic destined for 56.52.53.2 to 56.52.53.6
  • Your router then asks itself the "where do I send this?" question and the DNAT rules provide the answer.

To put this in my terms, the other IP addresses don't need a physical connector per se, but any traffic destined to any of my /29 block will ride on the "router's IP address".

Now we will look at how to implement this.

This is just a personal recommendation to use nano as a text editor rather than the default "vi" editor.

In order to implement this particular change, I recommend updating the software on the router

Then click on the “update list” and wait. You will need to be connected to the internet for this to work.

The default text editor that comes with OpenWRT “vi” is ok but I find it a bit clunky so I use the “nano” editor

So after the list is updated in the filter section type nano and click find

And click install.

If you're happy with the CLI (command-line interface) you can install "nano" with the following command.

opkg update; opkg install nano

You will need access to SSH by using an app such as PuTTY installed on your local computer

If you have not changed your router IP address enter the following into PuTTY

Click on open and enter the router password

and you should see a screen similar to this:

Type the following

nano /etc/config/firewall
This will open up the firewall file

With the cursor keys use the down arrow to get to the end of the file now type in the rules that we created earlier.

When you are finished use “Ctrl + s” to save then “Ctrl + x” to exit nano.

Now we need to implement the changes by typing the following.

/etc/init.d/firewall restart

If all is well and your domain is pointing to the correct public IP address such as 56.52.53.2

Not only will you be able to ping the Web server with 56.52.53.2 which has the LAN address of 192.168.1.2 but you should also be able to reach any web services on there.

Many thanks to all the posts in this thread especially iplaywithtoys, who has been super patient and investigated the workings of OpenWRT to help me understand how this great bit of GNU software actually works and has taught me a great deal about networking.

As a side note, as has been reiterated several times: security is key! For some, updating and monitoring the security of any system like this is too time-consuming; however, it is also paramount for it to run smoothly.
Also if you have to change your "domains glue address" it can take a few hours to a few days for it to propagate around the world.

I hope this solution was helpful to someone, have fun and keep safe.

2 Likes

I am glad that you finally made it work for you.

Thank you for posting your config, it will help others.

I have one question:
Do you need to assign multiple Public IP address to your Router's WAN interface for this setup to work?

(NAT is aware it established a 4-way pair and would be ESTABLISHED,RELATED. This is the same with an SNAT to any IP.)

Regarding the "steps", they solve; but seem more like notes to self and preferred programs to use on Windows...

Congrats!


To cover what was said by many others; and to others who may read the thread:

:notebook: This was the method the OP chose to use (adding IPs in the same subnet to the WAN interface is not needed).

I am sorry as it is still not obvious to me.

As in ppmm's post, there are methods a), b) and c).

I am not sure which one is being used.

1 Like

Indeed - I can see where not one single method as-written was applied (everyone does have their own mind)...the steps listed only seem to include the DNATs (which as long as the WAN had the correct IP with the ISP, the NAT would know to return the traffic).

...perhaps the OP may want to expound on that... (I won't push the matter by doing an @, though.)

1 Like

I really don't see the point in questioning something that has worked.

Surely the point of this thread was to implement a solution that worked for me!

I didn't mean to deflate the ego of anyone for not using their solution.

Please accept my apologies if I have upset anyone for not implementing their suggestion.

I used the knowledge and understanding that I have, and the uncomplicated and non-confusing information I was given and implemented a solution.

I can see where not one single method as-written was applied

See post #9

Regarding the "steps", they solve; but seem more like notes to self and preferred programs to use on Windows...

Yes, they are notes and steps and a method and tools that worked for me. Anyone else that comes to this solution can follow in the same way that I did. I don't see why this is even being mentioned.

I have absolutely no doubt most if not everyone who has contributed to this thread has a much greater understanding of networking than I. I used a method that OpenWRT documentation on Using Multiple public IP addresses on a WAN interface suggested. If you think the method I used was incorrect, then to help every one else that has a similar issue, then maybe you should take that up with the writers of the documentation for OpenWRT.

Do you need to assign multiple Public IP address to your Router's WAN interface for this setup to work?

Only in the config for the DNAT and SNAT.

perhaps the OP may want to expound on that

Expand on what exactly? Using a method that worked as opposed to one that I couldn't follow or understand.

Ummmm...that is what was asked of you...all of the inquiries are in his post. No need to ask me what you need to expound on. Glad you got it working. You seem to be making a huge effort to communicate [negatively] with me; yet others asking for your help (sound familiar?).

I think he asked you WHAT method was this...I didn't ask you.

I was able to 1.) read and 2.) know how to set it up before you made a list that doesn't explain WHAT it is...kinda like you wanted a step-by-step, he just wants to know WHAT it's a step-by-step of (in my humble opinion). Saying "method that worked" doesn't really help others reference how to know what relevance your post has (making your post even more of just a private note-to-self).

No I'm not being negative, well not consciously anyway. I have already apologized if I have upset anyone, this includes you. I read your post, asking me to expand on something, but did not get what you wanted me to expand on. I did not see any requests for help, but I hope the solution I have posted has answered any queries that might be left open.
I did answer the question of what method I was using when I stated post #9 in this thread, maybe I was not clear enough.

1 Like

No. It's an application of the basic principle of routing: "Where do I send this?"

From the outside world at large, that question is answered with, "I'll send this towards the target's ISP, and then the target's ISP can decide what to do from there."

From the target's ISP's point of view, that question is answered with, "I'll send this towards the customer's single WAN IP address, and then the customer's router can decide what to do with it from there."

From the target router's point of view, that question is answered with, "This came in for IP address .X, so I'll send this to the internal address defined in the associated DNAT rule."

5 Likes

Cool, it's all good! :smiley:

This depends on the ISP router settings.
It may be configured with just link-scope downstream routes.
So, it assumes the destination IP to be in the broadcast range.
When it sends an ARP probe and doesn't receive a reply, the result is destination unreachable.

5 Likes
