Utilising 8 Public IP's

get rid of these port forwards... and all other port forwards!

  • From the OP's description, they have a subnet of
  • There would be no firewall - but the OP seems to want to actually have one network (I don't want to term this LAN nor WAN), it will be the network facing the ISP and the machines in question.
  • This will allow the OP to assign IPs directly to the machines as seems to be desired.
  • A router is not needed in a non-NAT scenario, this may be the source of the OP's confusion.

I don't advise this, as you loose the opportunity to filrewall.

Yeah, one option might be to make WAN a bridge, and turn on bridge firewalling, or just do host firewalling directly on the public facing server machines.

1 Like

If I do that my server cannot get accesses to the internet

no, it gets access to the internet through the fact that you are doing 1:1 NAT for the entire IP address that it's using:


That went right over my head...


You may need to research the term "SNAT" then. With an SNAT, you assign an internal IP to use a Public IP....basically it's the opposite of a PORT FORWARD. :wink:

So you would use normal LAN IPs for the machines, then SNAT each one to the desired public address(es) for outbound traffic.


Imagine you have just 5 machines all of which should have a public IP... Then you simply plug in a switch to your ISP's connection, and put each machine with a static public IP... and list the ISP's router as your gateway, and voila, you're on the network...

but then you have to have host firewalls on each machine, or you need to do some firewalling "in the switch". (note, for servers on public IPs I suggest host firewalls EVEN IF you have an upstream firewall as well)

This all becomes problematic if you have some additional machines that don't have static public IPs... so you make one of the "public IPs" be assigned to your OpenWrt router... and put a LAN under NAT behind it.. like a default config for your OpenWrt router.


SNAT is Source Network Address Translation. It involves altering the packet header to change its source address. The recipient sees the translated address, not the real address.

DNAT is Destination Network Address Translation. It involves altering the packet header to change its destination address. The sender never knows about the translation.

Here's a quick and dirty diagram I knocked up in draw.io just now. It illustrates the concept.


Here's the alternative concept:


I totally agree, but the sad truth is that this is a rather uncommon setup - and -worse- in practice always ends up as a hybrid setup (even if you get 8 IPs, you tend to have more devices in your LAN, so you'll practically always end up with NAT as well, and here it gets ugly). Chances are better for IPv6 to take over and push out the need for IPv4, at least one would hope so...


If your ISP is not peering with you on 56.52.53.* network you should be able to use all eight IP addresses.

I think the minimum for one's own AS is a /24. :smiley:

At least, it was the last time I checked.

Within your own domain/AS it's up to you. So ISP can give you /29 while advertising /24 or bigger to outside of their domain/AS.

1 Like

Thank you for all the input you given its very much apprised.

So I tried resetting and starting from scratch.

Setup it BT Home hub 5 A running OpenWrt connected to my ISP via the BTHH built-in DSL.

Connection to the internet via WiFi is possible and is operating with DHCP

I have tried implementing this guide which uses SNAT and DNAT

But still cannot get access to my server from any of the other addresses in my address block

Could someone please clear up two things from the guide for me, please

config interface 'wan3' <<< Is this just a name given to another wan or is it actually pointing to another device
option proto 'static'
option ifname 'eth1' <<<<is this another interface or just a given name ?
option ipaddr ''
option netmask ''
option gateway '' <<< Should this be my router address or the GW of my address block?

Do I need to set up another VLAN to get this to work?
I cannot see or understand how OpenWrt is able to connect to the internet via the above config

This should be the same name as used in your regular WAN. So it might be eth0.2 or eth1 or whatever

As for wan2 that's just a name you're giving to the new openwrt interface... Whatever you like

1 Like

...you know, the OP could also make a VLAN or use the LAN...I advise a new one...and route /32's to it...hence using them. :smiley:

:bulb: Or better yet, route the whole /29 - as the router is smart enough to know it has one of the IPs assigned to it!

I am curious to know if the ISP uses another IP and gateway in another subnet...if so the OP can use all of the IPs on that subnet (using one [.1] as the VLAN's IP on the router) and simply route it there.

:notebook: ...and in this scenario, the firewall works (if setup properly, that is).

Yes, that's the config I was thinking of when I said:

The issue comes when you need to do masquerading from say VLAN1 (where you have say but want to not masquerade from say VLAN5 (where the whole /29 is)

it's not hard, but it requires some custom firewall rules I think.

1 Like

An SNAT rule will accept any valid IP. :wink:

I have a /24, I actually have it subnetted...I use the network and broadcast barriers for SNATs on the router. :smiley:

If the OP wanted to assign IPs to the devices anyways, this should not be an issue...otherwise, they need to make sure they Port Forward and SNAT the correct ports if used for another service in another network (that just make its convoluted - I'd reserve an IP I don't use in the new VLAN for such a purpose).

Also, each zone can has:


So yea, it can be done...but if the network has those IPs, a masquerade would not occur, the router has been given a (specific) route. :wink:

oh nice that GUI for restricting masquerade is exactly what's needed... at that point I think you're right it's just make a VLAN, connect all the "public" devices in that VLAN, give them static IPs, and then for the "private" vlan do masquerade on wan with restricted to just the (or whatever) subnet. voila

1 Like