Hello. I did a little research, but I still can not configure my device properly.

I have 1043ND and here is, what I would like to achieve:

Cable modem gives me 3 addresses. And I would like to use all 3... but that is not so important.
The 1043ND has 4 LAN and 1 WAN port. I would like to separate LAN 1,2,3 to behave like normal dumb switch (eg TL-SG1005D to be more clear).

Here is what I have for now. The aimed interface is at the bottom named UPCSwitch.

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config interface 'lan'
    option type 'bridge'
    option proto 'static'
    option ipaddr '10.0.0.1'
    option _orig_ifname 'eth0.1 wlan0'
    option _orig_bridge 'true'
    option ifname 'eth0.1 tap0'
    option netmask '255.255.255.0'

config interface 'wan'
    option ifname 'eth0.2'
    option proto 'dhcp'

config switch
    option name 'rtl8366rb'
    option reset '1'
    option enable_vlan '1'
    option enable_vlan4k '1'

config switch_vlan
    option device 'rtl8366rb'
    option vlan '1'
    option ports '4 5t'

config switch_vlan
    option device 'rtl8366rb'
    option vlan '2'
    option ports '0 5t'

config interface 'WiFree'
    option _orig_ifname 'wlan0-1'
    option _orig_bridge 'false'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'

config switch_vlan
    option device 'rtl8366rb'
    option vlan '11'
    option ports '1 2 3 5t'

config interface 'UPCSwitch'
    option ifname 'eth0.11'
    option _orig_ifname 'eth0.11'
    option _orig_bridge 'false'
    option proto 'static'
    option netmask '255.255.255.0'
    option ipaddr '192.168.30.1'

I'm not quite sure if I get what you aim at. Do you wish to separate 3 of the labelled LAN ports and have them working as an individual external switch, like if they were not a part of the 1043ND at all?

This depends whether those 3 addresses from your ISP are dynamic or static?

If static, http://wiki.openwrt.org/doc/uci/network … he.new.way

If they needs to be acquired dynamically by DHCP you should look into macvlan (kmod-macvlan). That enables udhcpc to obtain multiple addresses.

Thank you for the replay.  I need to distribute 3 public dynamic addresses from my cable modem and I do not want to buy a external switch. So I would like to make one from my 3 free LAN ports.
These 3 ports should act as individual external switch.

Topology: from cable modem-> 3 port LAN "external" 1043ND switch -> from one switch port it will go to WAN of 1043ND (get one of 3 public IP); from the last one port it will go somewhere else (with the two public IPs from cable modem left).

If making an "external" switch out of the 3 LAN ports was exclusively to solve the problem of acquiring 3 public dynamic addresses - if that's the case I would choose a different approach, and then you also save physical ports.

You can set up the labelled WAN port with macvlan to function as 3 individual interfaces (the original one plus two extra macvlan) and let the router acquire the 3 public addresses and DNAT the traffic.

I have the following in my network config;

config interface 'wanmacvlan0'
    option ifname 'macvlan0'
    option proto 'dhcp'
    option defaultroute '0'
    option metric '40'        #Needed to default traffic through non-macvlan interface
#    option hostname 'XXXX'

But if you prefer your "somewhere else" to request the two public IP addresses by itself, then I would go for your switch solution.

Hmm, the macvlan solution seems good. In this case I would be able to save two LAN ports -because the "somewhere else" to request the two public IP addresses is vital.

So the thing is: have two interfaces on the WAN port with macvlan. One acts like now- routes traffic to the LAN ports. With the macvlan setup it will route to only 3 LAN ports out of 4.
The second "WAN" interface has to be bridge, which pushes other two public dynamic IPs to the last 4th LAN port- and from here comes the cable (looong cable and wireless too) to two other clients.

Is that solution reliable? And one more thing- I have no idea, how to achieve it.
I have found this: http://www.bertera.it/index.php/2011/10 … interface/
and this: http://www.huggill.com/2012/08/22/confi … h-openwrt/
but I really do not know how actual it is. Thanks for your help.

You mean it's vital that "somewhere else" is getting the two remaining public IP addresses on its own? Or will one-to-one NAT'ing from WR1043ND be just as good?
Do you aim at a topology where "somewhere else" with the two public IP addresses are separated from the router, IP layer wise? Each way has it advantages/disadvantages.

My initial thought was you could set up the WAN port with 3 MAC addresses and have a DHCP client running on each interface (the original + 2 macvlan) - thereby letting WR1043ND obtaining all three public IPs.
Then static leases for the two "somewhere else" which the public IPs were intended for. And then NAT'ing between those two public IPs and the static leased LAN IPs.

By the way which hardware version of WR1043ND do you have? And are you running trunk or AA?

I created image, which describes my idea: https://mega.co.nz/#!lkdwmAab!GF7eVhZGC … pQO4U5qZK0

Client 1 and 2 have to get their public IPs directly.

I have HW version 1.8 and I am running AA. Thanks

Is it possible (and perhaps easier to configure/manage) if you reconfigure the vlans to move 2 of the switch ports from eth0.1 (lan) to eth0.2 (wan) so that the cable modem can then have a layer 2 path to those other ports?  It raises the complexity of security, since you lose the ability to have OpenWRT doing all of your firewall management, but otherwise it would accomplish the desired functionality right?  I am new to OpenWRT vlan management so if this isnt possible then i am wrong...

edit:
After looking at the graphic, you would accomplish this by changing one port to the WAN vlan, run that port to your secondary "dumb switch" and you should not need any other configuration in OpenWRT.  And as one addendum to the security comment, you raise the security of your private LAN by not having those hosts on the same subnet at all so that is one advantage to the solution vs doing a DNAT and blanket port forwarding for whatever service they are going to provide.  Be careful what you open to the internet!

(Last edited by jeffmeden on 15 Apr 2014, 19:01)

Nice and clarifying illustration,
If you want to separate stuff and don't have the need for internal routing I would as well go for what jeffmeden suggested, very clean.
Remember to firewall the two long cable clients.

http://wiki.openwrt.org/toh/tp-link/tl-wr1043nd has a lot of notes regarding VLAN leaking and WAN port disable workaround. Didn't read it carefully enough to get if you are affected or not. No matter what, you might want to do some tests. I've encounter VLAN leaking on my WNDR3700v2 as well.

I think you suggest creating second WAN port from LAN port, right? But there is one thing- the picture is not accurate. I have only one cable which goes from cable modem. So this one cable carries all 3 public IPs.

Not exactly. Per default the switch in 1043ND is split 1 WAN and 4 LAN. You do make an extra WAN out of one of the labelled LAN ports as you say. But if you configure both the originally labelled WAN port and the extra to be in the same VLAN, you get a switch on the WAN side as well. If you then connect that extra WAN port ("LAN4") to Client 1 and Client 2 (via long cable and "dumb switch) they would be layer 2 connected all the way to your cable modem and able to request their own IPs.
No macvlan and extra bridging. Comparing to a vanilla configuration, the only thing you change is the "config switch_vlan" sections in network config file. Where you move one port from one VLAN to the other VLAN.

I have nothing to say jeffmeden, then THANK YOU! Your simple solution seems to work! Also thank you glenten for suggestions and the last clarification of what to do. I love these simple solutions. Thank you again. You saved my money and also all router ports.

One more question here: is it somehow possible reach device in LAN1-3 (my home network behind NAT)?
Could this be achieved by simple port forwarding for the WAN address obtained by the 1043ND device? My aim is force the data flow go only within the 1043ND device and not to the provider node and back again (or everywhere else) when I try to reach something behind NAT from Client 1,2. Thanks.

Yes, you will need a port forward to get services on your Lan ports from the other side that you created with the extra wan port.  what services are you trying to get? you want to be careful to keep them secure since a lot of lan services are not secure by default.

If Client1,2 is always getting a public address within the same range/ranges you could limit your port forwards to that.
You might look into MAC filtering as well.

Yes, port forwarding works, but unfortunately, it is limited by ISP upload. So the data has to go through cable modem and then back
Tried it directly from LAN and then portforwarded from the Client 1 (just switched cable of one PC from LAN1 to LAN4 for the test). 15MB/s vs. 1.5 MB/s (ISP limit) is noticable.

Ah, I was a bit too fast, mistakenly thinking it would be routed "in-house" because I'm used with my own ISP gateway includes routing. But you did write it was a modem, so no routing there :-/

I know I've asked before, but you really do need clients1&2 to obtain the public IPs by themselves?
Could you perhaps detail some more about your scenario and what kind of interaction and separation you need between LAN and client1&2.

Sure. These two clients are not in my hands. They are other people, who I want to give them their own public IP, so they can run their own services to the internet then. Only a bonus would be the connection Clients to my services running inside LAN with higher speeds, but it is not that important.

In that case I get that you went for the separation :- )
Are clients1&2 routers or PCs?
If you add a routing entry directly on client1&2 specifying the public WAN IP of 1043ND the traffic won't go to the cable modem but "stay" in 1043ND.

On second thought, forget what I wrote, I think I made a false assumption, and don't have a setup right now to try it out.

OK, thanks- if you find something, that will improve this setup, please, let me know here.

One other question: will QoS on 1043ND work for Clients too (eg high priority for port 80)? Thanks.

Regarding improving speeds between clients1&2 and the LAN of 1043.. My guess is that the 3 public IP addresses handed out by your ISP are not in the same subnet? Therefore e.g. "client1" never sends out ARP requests and learn that it's locally connected to 1043. One workaround would be to add an extra IP address to the WAN interfaces of 1043 and both "clients". Private/rfc1918 addresses within the same small subnet, in a range not already in use. That should make "clients" send out ARP request to "find" 1043.
Or perhaps you might be able to release and renew your public IPs until you get some within the same subnet :-) maybe ask your ISP first to find out what the chances of success are.

Are "clients" PCs or routers? If PCs, which OS?

Could you post what your obtain from ISP by DHCP (address, netmask, gateway) in both 1043 and one of the clients that can't connect to 1043 directly?

And the default unaltered routing tables in both 1043 and a Client (from the the same Client as above)?

You might want to conceal (e.g. substitute with letters) the left part of your public IPs, but in a manner that keeps the pattern between them.

Regarding QoS.. as the packets from Client1&2 never pass through the 1043 (only its switch) I don't think you are left with any option for QoS.
So be aware in this setup Client1&2 might be able to consume the complete Internet bandwidth unless the ISP is doing some kind of splitting between your public IPs.
If you need to gain some control of client1&2 you might look into bridge/"transparent" firewalling or the macvlan+NAT combo.

First
Address: x.x.236.41
Netmask: 255.255.252.0
Gateway: x.x.236.1

Second
Address: x.x.229.224
Netmask: 255.255.252.0
Gateway: x.x.228.1

Third
Address: x.x.237.91
Netmask: 255.255.252.0
Gateway: x.x.236.1

I am not sure, if they are on the same subnet. My ISP sucks, I can not expect some relevant info on their tech support

Routing table from /etc/iproute2/rt_tables

#
# reserved values
#
255    local
254    main
253    default
0    unspec
#
# local
#
#1    inr.ruhep

Clients are PCs now. But they will be probably substitued with routers (to make another subnet)- client´s choice.

And about QoS- it seems like my ISP somehow distribute bandwidth to all. I have TOR node using full speed on one public IP and on second public IP the measured speed is pretty OK (better than in my LAN subnet). I do not exactly know, if it is caused by QoS in my 1043ND, or by ISP setup- but it works as I would like to. So QoS is SOLVED

Good to hear that QoS is not a concern :-)

Is x.x representing identical numbers in all cases?

If so, first and third are on the same subnet and you could test between them. But remember to pay attention to whether the IPs change. Here's a convenient website where one can punch in the numbers to check if they belong to the same subnet, http://www.meridianoutpost.com/resource … etwork.php

You can also try to add the IP aliases which should work despite of what your ISP is handing out.
If the PCs are running Linux or OS X it should be a simple matter. I haven't tried on Windows. Judging from a quick search it seems more cumbersome.

On OpenWrt it's described here http://wiki.openwrt.org/doc/uci/network … he.new.way
Be aware that the alias doesn't show with the ifconfig command, but ip address show do if you have that installed. Or just ping the alias from the router itself.

After a successful "local connection" you should be able to verify by checking the ARP tables, that would show the IP and MAC of the other end.

The routing table you get with route -n on OpenWrt/Linux and netstat -nr on OS X. I think route print on Windows.

Thank you for your suggestions. In fact that my ISP does not give me addresses on the same subnet, I will not do anything else, than what I have now (WAN switch), at least at the moment. It is not that important to spend another week studying network stuff which might work .