Utilising 8 Public IPs

No masquerade needed in your (our) example - the router knows the route:

Well, I'm assuming that there are two groups of machines: one group has public IPs (servers), and a separate group has private IPs only (a home LAN). So the private-only machines need masquerade.

This was the only thing keeping me from recommending just putting a VLAN in. But now that I see you can masq based on source address subset without too much manual config... Here's what I'd suggest: @mrbronz61

VLAN1) Your home LAN
VLAN2) Your WAN (typical but could also be say eth1)
VLAN3) Your DMZ/Server Farm

put on eth0.1 and use that like regular OpenWrt out of the box config for the home LAN.

put on the WAN interface (for sake of argument suppose it's eth0.2).

Create a custom routing rule that routes to dev eth0.3

Connect your server/public devices to vlan3 ports on your switch

Static IP each of the public devices in their operating system

put eth0.3 in the WAN firewall zone or in its own firewall zone with rules for forwarding from/to WAN

select masquerade on the WAN interface and use only from source


1 Like

It sounds like the ISP has given the OP a single block of Public IPs instead of a WAN block and a LAN block.

In this case, I think the simple way of assigning the Public IPs to other machines connecting to the Router is to use Layer 2 switching.

By default, WAN port is VLAN 2 in OpenWrt. So just assign another port to VLAN2 (untagged), connect the host server to it, and assign IP address in exactly the same way as the Router - just with a different IP address in the block.

In this configuration, the OpenWrt router is just a VLAN switch to the Host Server - so the Host will have full access to the Public Internet and must be running a Host Firewall.

Personally, my ISP gives me two sets of Dynamic IPs (each set having both IPv4 and IPv6). I am using VLAN trunking to allow one of my Virtual Guests running inside Fedora to use the second set of Public IPs.

But I am interested to learn how to use the second set of Dynamic IPs in the Layer 3 way as well.

Maybe I should create another topic about that.


Yes. Please do.

1 Like
1 Like

My head hurts :worried:

So which solution is correct?

Do I try and implement dlakenlan's or sampson's solution?

More to the point how do I do this with OpenWrt?

My knowledge of OpenWrt is not great hence my posting in this forum.

A step by step guide would be greatly appreciated or a commented config, to help with the understanding.

Thanks for the great input, folks, and I'm sure others will also find this subject of use.

Just spotted this. With a subnet mask of /24 or higher (yours is /29), .0 can't be a gateway address; it's a subnet address.

1 Like

When I try to assign another untagged port to VLAN 2 I get an error
" * LAN 1 is untagged in multiple VLANs!"

[Edit] Never mind, I worked that one out.
However, how do I assign a Public IP address to that port?

@iplaywithtoys Yes, that is correct.

I did say that earlier in the post; I will restate it here for convenience.

The block of addresses I have been given can be assumed to be : ---*Cannot use ---Assigned to the router --- To my server --- To NS1 --- To NS2 ---*Cannot use

What should my upstream subnet mask be for this block of IP addresses? I was under the impression it should be
However, it's showing which, in my limited knowledge, is only one single public IP address.

How does your ISP provide your /29 block? Do you have a separate /32 along with the /29?

As an example, my ISP provides me with a single static /32 which is the WAN (PPPoE) interface of my router.

In addition, my ISP provides a static /29 for me to use as I wish. From my ISP's perspective (and therefore the perspective of the rest of the world), the routing for that /29 goes via the /32.

So, if you're seeing a subnet mask of /32, is that for an address which is in the /29 block, or is it for a separate address entirely?


As far as I am aware they are only providing my block with /29. I don't know how to work out if the router address is /32... but I do know the upstream SNM is 255 and not 248,

which, as I have already stated, is a single IP address.

So, if you're seeing a subnet mask of /32, is that for an address which is in the /29 block, or is it for a separate address entirely?

The answer is yes, it is within the assigned block,
as this IP is my router's assigned address.

I am nearly sorted with this... I think...

I have successfully created 3 new interfaces and assigned them to eth0.1 --- To my Webserver --- To NS1 --- To NS2

I can ping them externally and internally but cannot access them, i.e. no traffic on port 80 or 443 is reaching my Webserver. I have tried with and without port forwarding but still nothing.

The web server is able to ping itself and other external public IP addresses, but not the internal addresses, e.g. ; this is what I would expect.

I have made sure /etc/resolv.conf has a DNS of

I have confirmed that the Webserver eth0 is up and the correct public IP is assigned.

I'm now lost for what to try next.

How can I open up the router to see my webserver?

I'm not familiar with the tagging/untagging on the OpenWrt switch.

Maybe someone could tell me if this is correct.

LAN1 = N/A
LAN2 = NS1
LAN3 = NS2

Any suggestions would be welcome.

It sounds like the router is responding because of an improper config.

  • What does this mean???
  • Create three interfaces where/and why? :confused:

Doesn't sound like anything suggested. It seems perhaps you're unfamiliar with the use of a subnet?

  • I'd make a VLAN 3 (or eth0.3). Bridged if you need WiFi
  • Add to new firewall zone
  • Then set as that networks router IP
  • Config DHCP as desired (I guess you want it disabled)
  • The subnet mask for /29 is - see: https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#IPv4_CIDR_blocks
  • Change Switch by adding a 3rd line
    • number it 3
    • change the untagged ports on VLAN 1/LAN that you want on the new network VLAN 3
    • turn them off on VLAN 1! :warning:
  • Set new firewall zone from network3 to WAN
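The two points the thread keeps circling back to are (a) which addresses of a /29 are actually usable and what its netmask is, and (b) what the DMZ VLAN, its firewall zone and the "masquerade only the home LAN" WAN zone look like as commented OpenWrt config. The following POSIX sh script is an added example written for this thread, not code posted by any participant and not an official OpenWrt snippet: it computes the network, broadcast and netmask for a prefix, flags addresses that cannot be hosts or gateways, and emits the /etc/config/network and /etc/config/firewall stanzas for the VLAN 3 / eth0.3 layout described above. The block 203.0.113.0/29 and the LAN 192.168.1.0/24 are constructed documentation addresses, not the OP's real allocation; substitute your own.

```shell
#!/bin/sh
# Added example for the thread (not a participant's code). Addresses are
# constructed placeholders: 203.0.113.0/29 is RFC 5737 documentation space.

# Dotted quad -> 32-bit integer, e.g. ip_to_int 203.0.113.5 -> 3405803781
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_to_mask 29 -> 255.255.255.248 (what the OP's upstream SNM should be)
prefix_to_mask() {
    int_to_ip $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# network_of 203.0.113.5 29 -> 203.0.113.0 (the .0 that is NOT a gateway)
network_of() {
    m=$(ip_to_int "$(prefix_to_mask "$2")")
    int_to_ip $(( $(ip_to_int "$1") & m ))
}

# broadcast_of 203.0.113.5 29 -> 203.0.113.7 (the other unusable end)
broadcast_of() {
    n=$(ip_to_int "$(network_of "$1" "$2")")
    int_to_ip $(( n | (4294967295 >> $2) ))
}

# host_usable ADDR PREFIX -> "yes", or "no: ..." for network/broadcast
host_usable() {
    net=$(network_of "$1" "$2"); bc=$(broadcast_of "$1" "$2")
    if [ "$1" = "$net" ]; then echo "no: network address"
    elif [ "$1" = "$bc" ]; then echo "no: broadcast address"
    else echo "yes"; fi
}

# usable_hosts 29 -> 6 ; usable_hosts 32 -> 1 (a /32 is a single address)
usable_hosts() {
    if [ "$1" -eq 32 ]; then echo 1
    elif [ "$1" -eq 31 ]; then echo 2
    else echo $(( (1 << (32 - $1)) - 2 )); fi
}

# dmz_network_stanza ROUTER_IP PREFIX DEVICE -> /etc/config/network stanza.
# 'ifname' is the pre-21.02 syntax matching the eth0.3 naming in this thread;
# current releases use 'option device' instead.
dmz_network_stanza() {
    cat <<EOF
# Public /$2 block on its own VLAN. The router owns $1 as the gateway;
# the servers are statically addressed inside their own OS. No DHCP here.
config interface 'dmz'
	option ifname '$3'
	option proto 'static'
	option ipaddr '$1'
	option netmask '$(prefix_to_mask "$2")'
EOF
}

# dmz_firewall_stanza LAN_SUBNET SERVER_IP -> /etc/config/firewall stanzas.
# Replaces the default wan zone; dmz is never masqueraded, and the only
# inbound forward allowed from wan is to the listed server ports.
dmz_firewall_stanza() {
    cat <<EOF
config zone
	option name 'dmz'
	list network 'dmz'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
config forwarding
	option src 'dmz'
	option dest 'wan'
config rule
	option name 'Allow-Web-to-DMZ-server'
	option src 'wan'
	option dest 'dmz'
	option dest_ip '$2'
	option proto 'tcp'
	option dest_port '80 443'
	option target 'ACCEPT'
# WAN zone: masquerade only traffic sourced from the private home LAN, so
# packets from the public /29 leave unchanged and replies route back to it.
config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list masq_src '$1'
EOF
}
```

Run `host_usable 203.0.113.0 29` to see why a .0 gateway fails on a /29, and pipe `dmz_network_stanza 203.0.113.1 29 eth0.3` and `dmz_firewall_stanza 192.168.1.0/24 203.0.113.2` into the respective config files after reviewing them; `masq_src` is the config-file form of the "masquerade only from source" checkbox in LuCI's zone settings.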

Many thanks for the input

Like I have been trying to say, networking is not my strongest subject, nor is OpenWrt.

So how would I do the above mentioned, in a step-by-step process, please?


That was the step-by-step. Visit Network > Interfaces > Add - as I surmise you did when creating the incorrect interfaces.

1 Like

I believe this will work. Replace <wan> and <ns#.ip> with your setup where appropriate. The rest is about converting these lines to /etc/config/network and /etc/config/firewall or uci.

ip add add dev <wan>
ip add add dev <wan>
ip add add dev <wan>
ip add add dev <wan>
ip add add dev <wan>
iptables -t nat -A zone_wan_prerouting -i <wan> -d -p udp -m udp --dport 53 -j DNAT --to-destination <ns1.ip>:53
iptables -t nat -A zone_wan_prerouting -i <wan> -d -p udp -m udp --dport 53 -j DNAT --to-destination <ns2.ip>:53
  • Since you insist on using non-OpenWrt commands, methods and syntax with OpenWrt, I won't be able to assist you.
  • This is not how the Wiki, manuals, etc. setup an OpenWrt device.
  • Also, user created rules are not recommended to be added to OpenWrt-created firewall chains.
  • This rule can be added using OpenWrt syntax (or just simply using the GUI)...so that it's added correctly
  • Why are you still improperly assigning all IPs to the router...I thought I also read you're assigning IPs to the devices...this is incorrect as I already noted


Why don't you use the web GUI as noted in the "step-by-step" instructions you requested yourself?

I'm confused why you asked for steps, then persist on undertaking other steps not suggested by anyone in the thread.

EDIT: I realize the post wasn't the OP's. @ppmm your config (i.e. adding IPs to the router) is what caused the OP's issue.

I do think your example will open services for the OP on the desired IPs, though. :wink:

1 Like

Those commands are intended as PoC only.

Not sure how to configure multiple static IPs under one interface. I've looked here [OpenWrt Wiki] Network basics /etc/config/network

The two iptables rules translate into the following according to [OpenWrt Wiki] Firewall configuration /etc/config/firewall

config redirect
	option	name		'NS1'
	option	src		'wan'
	option	src_dip		''
	option	proto		'udp'
	option	src_dport	'53'
	option	target		'DNAT'
	option	dest		'lan'
	option	dest_ip		'<ns1.ip>'
config redirect
	option	name		'NS2'
	option	src		'wan'
	option	src_dip		''
	option	proto		'udp'
	option	src_dport	'53'
	option	target		'DNAT'
	option	dest		'lan'
	option	dest_ip		'<ns2.ip>'
1 Like

For tagged VLANs to work, the CPU port must be tagged for that VLAN.

To which port is your WAN connection connected?

My setup:

VLAN1, CPU LAN1-4 all tagged, WAN off
VLAN2, CPU LAN1-3 all tagged, LAN4 WAN untagged

As my ISP is giving me DHCP, when I connect my machine to port 4 and enable DHCP, it gets its DHCP IP directly from the ISP.