OpenWrt Forum Archive

Topic: Multiple IPs

The content of this topic has been archived between 19 Mar 2018 and 28 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello.  I paid the cable company for 2 extra ip addresses.  The thing is that you have to get the extra ips via dhcp, they do not give out static ips with their residential service.

I want to set up OpenWrt to retrieve the 2 extra ips so that the router will have 3 different ips on the wan interface via dhcp, then I can use them for 1:1 nat.  Is this possible with interface aliases?  Will I have to set different mac addresses on each alias, or is that not possible?  Thanks!

Thanks for the link, it was very helpful.  I had to load the 2.6 kernel version for my router though; I think its wifi is still unreliable.  I am testing it now.  I am having a bit of trouble setting up the Static (1:1) NAT; how can I go about doing this?  I have my main wan interface and wan1 and wan2 as the aliases.  I want wan1 and wan2 to be used as static nat, while the main wan interface stays as the main dynamic nat interface.

Thanks for the URL!  It is very helpful, just have another question.  The thing is that I get my ips via dhcp, so I do not know what they are beforehand.  I know I can just look them up on the router and just change the iptables if needed, but is there a way to make it so if the ip ever changes on the aliases that it will update the iptables, or will I just have to do it manually when it happens?

Basically what I want to do is set it up so that if I have a lan pc with an ip of 192.168.1.30, all of its outgoing traffic to the internet will go out on the 2nd alias's public ip address, instead of the main ip address.  Then I will set up the other lan pc with the ip of 192.168.1.35 so that all of its outgoing traffic goes out on the 3rd alias's public ip address.  I think you can actually use MASQ for this as well since I don't truly want to do 1:1 NAT.  I am basically only wanting to route 2 lan ips to 2 public ips on the router.  Basically so they have their own dedicated public ip.

(Last edited by mikeyman on 9 Sep 2010, 18:47)

If you use /etc/config/firewall the rules are updated automatically, if you use manual iptables you have to update the rules manually.

@jow: And we can do 1:1 NAT using /etc/config/firewall?

(Last edited by rpc on 9 Sep 2010, 21:07)

rpc, I introduced SNAT support recently, something like that should work:

config redirect
  option src wan
  option src_dip 89.78.67.56   # wan ip
  option dest lan
  option dest_ip 192.168.1.56   # internal mapped ip
  option target DNAT   # this is the implicit default

config redirect
  option src lan
  option src_ip 192.168.1.56  # internal mapped ip
  option dest wan
  option dest_ip 89.78.67.56   # wan ip
  option target SNAT

Is this the trunk revision?
Is this for static IP addresses and a dynamic WAN IP address?

PS. OK, trunk backfire - found

(Last edited by rpc on 9 Sep 2010, 22:43)

The example above assumes static ips. However, you could put each macvlan iface into a dedicated zone, define masq=1 for - that will take care of the "SNAT" part. For input you can reuse the DNAT rule above with "src_dip" left out.
I can't think of a solution with a single zone and dynamic ips atm.

Ok I understand

That is enough

cat /etc/rc.local
ip link add link eth1 name eth2 address 01:23:45:67:89:01 type macvlan
ip link add link eth1 name eth3 address 01:23:45:67:89:02 type macvlan
ip link add link eth1 name eth4 address 01:23:45:67:89:03 type macvlan
ifup -a

cat /etc/config/network
config 'interface' 'wan'
        option 'ifname' 'eth1'
        option 'proto' 'dhcp'

config 'interface' 'wan1'
        option 'ifname' 'eth2'
        option 'proto' 'dhcp'
        option 'defaultroute' '0'
        option 'peerdns' '0'
        option 'gateway' '0.0.0.0'

config 'interface' 'wan2'
        option 'ifname' 'eth3'
        option 'proto' 'dhcp'
        option 'defaultroute' '0'
        option 'peerdns' '0'
        option 'gateway' '0.0.0.0'

config 'interface' 'wan3'
        option 'ifname' 'eth4'
        option 'proto' 'dhcp'
        option 'defaultroute' '0'
        option 'peerdns' '0'
        option 'gateway' '0.0.0.0'

root@OpenWrt:/etc/config# cat firewall

config 'defaults'
    option 'syn_flood' '1'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'

config 'zone'
    option 'name' 'lan'
    option 'input' 'ACCEPT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'

config 'zone'
    option 'name' 'wan'
    option 'input' 'REJECT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'
    option 'masq' '1'
    option 'mtu_fix' '1'

config 'zone'
    option 'name' 'wan1'
    option 'input' 'REJECT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'
    option 'masq' '1'

config 'zone'
    option 'name' 'wan2'
    option 'input' 'REJECT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'
    option 'masq' '1'

config 'zone'
    option 'name' 'wan3'
    option 'input' 'REJECT'
    option 'output' 'ACCEPT'
    option 'forward' 'REJECT'
    option 'masq' '1'


config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'wan'

config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'wan1'

config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'wan2'

config 'forwarding'
    option 'src' 'lan'
    option 'dest' 'wan3'

config 'rule'
    option 'src' 'wan'
    option 'proto' 'udp'
    option 'dest_port' '68'
    option 'target' 'ACCEPT'

config 'rule'
    option 'src' 'wan1'
    option 'proto' 'udp'
    option 'dest_port' '68'
    option 'target' 'ACCEPT'

config 'rule'
    option 'src' 'wan2'
    option 'proto' 'udp'
    option 'dest_port' '68'
    option 'target' 'ACCEPT'

config 'rule'
    option 'src' 'wan3'
    option 'proto' 'udp'
    option 'dest_port' '68'
    option 'target' 'ACCEPT'


config 'rule'
    option 'src' 'wan'
    option 'proto' 'icmp'
    option 'icmp_type' 'echo-request'
    option 'target' 'ACCEPT'

config 'rule'
    option 'src' 'wan1'
    option 'proto' 'icmp'
    option 'icmp_type' 'echo-request'
    option 'target' 'ACCEPT'

config 'rule'
    option 'src' 'wan2'
    option 'proto' 'icmp'
    option 'icmp_type' 'echo-request'
    option 'target' 'ACCEPT'

config 'rule'
    option 'src' 'wan3'
    option 'proto' 'icmp'
    option 'icmp_type' 'echo-request'
    option 'target' 'ACCEPT'


config 'include'
    option 'path' '/etc/firewall.user'

config 'rule'
    option 'proto' 'tcp'
    option 'dest_port' '22'
    option 'target' 'ACCEPT'


config 'redirect'
    option 'src' 'wan1'
    option 'dest' 'lan'
    option 'dest_ip' '192.168.1.101'
    option 'target' 'DNAT'

config 'redirect'
    option 'src' 'wan2'
    option 'dest' 'lan'
    option 'dest_ip' '192.168.1.102'
    option 'target' 'DNAT'

config 'redirect'
    option 'src' 'wan3'
    option 'dest' 'lan'
    option 'dest_ip' '192.168.1.103'
    option 'target' 'DNAT'

Thanks.
I have already expanded my description of these options. http://rpc.one.pl/index.php/lista-artyk … ch-openwrt

(Last edited by rpc on 11 Sep 2010, 10:51)

jow wrote:

The example above assumes static ips. However, you could put each macvlan iface into a dedicated zone, define masq=1 for - that will take care of the "SNAT" part. For input you can reuse the DNAT rule above with "src_dip" left out.
I can't think of a solution with a single zone and dynamic ips atm.

I put the macvlan interfaces on their own zones (wan1 and wan2) and I did set masq on them.  How could I set it up to where ip 192.168.1.30 would use only the wan1 zone and 192.168.1.35 would only use the wan2 zone?

@jow:
I objected that SNAT will always work properly.
Take for example:

config 'redirect'
        option 'src' 'lan'
        option 'src_ip' '192.168.1.104'
        option 'dest' 'wan'
        option 'dest_ip' '178.36.7.175'
        option 'target' 'SNAT'

In this context, it looks like the following:

Chain zone_lan_nat (0 references)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere
SNAT       tcp  --  192.168.1.104        anywhere            to:178.36.7.175
SNAT       udp  --  192.168.1.104        anywhere            to:178.36.7.175

So the SNAT chains are placed after MASQUERADE,
so these two SNAT entries will never be executed.

Or take another example:
I want to do something like this:

iptables -t nat -I zone_lan_nat -p tcp --src 192.168.1.0/24 --dst 192.168.1.10 --dport 5555 -j SNAT --to 192.168.1.1

If you do this:

config 'redirect'
        option 'src' 'lan'
        option 'src_ip' '192.168.1.0/24'
        option 'src_dport' '5555'
        option 'src_dip' '192.168.1.1'
        option 'dest' 'lan'
        option 'dest_ip' '192.168.1.10'
        option 'target' 'SNAT'

you get the following result:

Chain zone_lan_nat (0 references)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere
SNAT       tcp  --  192.168.1.0/24       192.168.1.1         tcp dpt:5555 to:192.168.1.10
SNAT       udp  --  192.168.1.0/24       192.168.1.1         udp dpt:5555 to:192.168.1.10

And again, the SNAT chains have been placed after MASQUERADE.


I propose modifying the file
/lib/firewall/uci_firewall.sh
on the MASQUERADE line. Patch: uci_firewall.sh.diff

Index: package/firewall/files/uci_firewall.sh
===================================================================
--- package/firewall/files/uci_firewall.sh    (wersja 22996)
+++ package/firewall/files/uci_firewall.sh    (kopia robocza)
@@ -101,7 +101,7 @@
         [ "${msrc#!}" != "$msrc" ] && msrc="! -s ${msrc#!}" || msrc="-s $msrc"
         for mdst in ${masq_dest:-0.0.0.0/0}; do
             [ "${mdst#!}" != "$mdst" ] && mdst="! -d ${mdst#!}" || mdst="-d $mdst"
-            $IPTABLES -I zone_${zone}_nat 1 -t nat -o "$ifname" $msrc $mdst -j MASQUERADE
+            $IPTABLES -A zone_${zone}_nat -t nat -o "$ifname" $msrc $mdst -j MASQUERADE
         done
     done
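
Review bot: on the `+` line, `-A` only leaves MASQUERADE last if every SNAT rule for the zone is already in zone_${zone}_nat when this loop runs; a rule appended to the chain afterwards still lands behind the catch-all and never matches. Add a comment on that line stating the ordering assumption, or have the SNAT rules inserted at position 1 so they precede MASQUERADE regardless of call order. Note also that with several masq_src/masq_dest entries the MASQUERADE rules now end up in list order, where `-I ... 1` reversed them.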

After this change, everything looks correct

Chain zone_lan_nat (1 references)
target     prot opt source               destination
SNAT       tcp  --  192.168.1.0/24       192.168.1.1         tcp dpt:5555 to:192.168.1.10
SNAT       udp  --  192.168.1.0/24       192.168.1.1         udp dpt:5555 to:192.168.1.10
SNAT       tcp  --  192.168.1.104        anywhere            to:178.36.7.175
SNAT       udp  --  192.168.1.104        anywhere            to:178.36.7.175
MASQUERADE  all  --  anywhere             anywhere

A second question:
What is the unique string zone_lan_nat?
After all, this chain never fails unless we add

config 'zone'
        option 'name' 'lan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'masq' '1'

Then we obtain

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
postrouting_rule  all  --  anywhere             anywhere
zone_lan_nat  all  --  anywhere             anywhere
zone_wan_nat  all  --  anywhere             anywhere

but it is logical

(Last edited by rpc on 10 Sep 2010, 10:36)
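
The ordering problem described in the post above can be checked mechanically. This is an added example, not code from the thread or from OpenWrt: a POSIX shell/awk function that reads rules in `iptables -t nat -S` form and reports every rule that can never fire because an earlier terminating rule in the same chain matches a superset of its packets. The two sample rule sets are constructed from the zone_lan_nat listings in the post; the `-o br-lan` match on each rule and all function names are assumptions.

```shell
#!/bin/sh
# Added example: find NAT rules shadowed by an earlier, broader rule.
# Sufficient condition used: if every match of earlier rule A also appears
# in later rule B, each packet that would reach B is already consumed by A.

find_shadowed_rules() {
    awk '
    # Collect the matches before -j as "|m1|m2|"; sets global tgt to the target.
    function match_set(n, tok,    i, cur, out, starts) {
        out = "|"; cur = ""; tgt = ""
        for (i = 3; i <= n; i++) {
            if (tok[i] == "-j") { tgt = tok[i + 1]; break }
            # A new match starts at "!" or at an option, unless it follows "!"
            starts = (tok[i] == "!" || (substr(tok[i], 1, 1) == "-" && cur != "!"))
            if (starts && cur != "") { out = out cur "|"; cur = "" }
            cur = (cur == "" ? tok[i] : cur " " tok[i])
        }
        if (cur != "") out = out cur "|"
        return out
    }
    # True when every match listed in a is also present in b.
    function subset(a, b,    parts, n, i) {
        n = split(a, parts, "|")
        for (i = 1; i <= n; i++)
            if (parts[i] != "" && index(b, "|" parts[i] "|") == 0) return 0
        return 1
    }
    $1 == "-A" {
        n = split($0, tok, " ")
        chain = tok[2]
        m = match_set(n, tok)
        idx = ++count[chain]
        for (k = 1; k < idx; k++) {
            if (term[chain, k] && subset(mset[chain, k], m)) {
                printf "%s: rule %d (%s) shadowed by rule %d (%s)\n", \
                       chain, idx, tgt, k, tname[chain, k]
                break
            }
        }
        mset[chain, idx] = m
        tname[chain, idx] = tgt
        # Targets that end traversal of this chain for a matching packet
        term[chain, idx] = (tgt ~ /^(MASQUERADE|SNAT|DNAT|REDIRECT|ACCEPT|RETURN)$/)
    }
    '
}

# Constructed sample: chain as generated with "-I zone_lan_nat 1" (MASQUERADE first).
sample_before_patch() {
    cat <<'EOF'
-N zone_lan_nat
-A zone_lan_nat -o br-lan -j MASQUERADE
-A zone_lan_nat -s 192.168.1.104/32 -o br-lan -p tcp -j SNAT --to-source 178.36.7.175
-A zone_lan_nat -s 192.168.1.104/32 -o br-lan -p udp -j SNAT --to-source 178.36.7.175
EOF
}

# Constructed sample: chain as generated with "-A zone_lan_nat" (MASQUERADE last).
sample_after_patch() {
    cat <<'EOF'
-N zone_lan_nat
-A zone_lan_nat -s 192.168.1.104/32 -o br-lan -p tcp -j SNAT --to-source 178.36.7.175
-A zone_lan_nat -s 192.168.1.104/32 -o br-lan -p udp -j SNAT --to-source 178.36.7.175
-A zone_lan_nat -o br-lan -j MASQUERADE
EOF
}

# On a router: iptables -t nat -S | find_shadowed_rules
```

The check is conservative: it only reports a rule when the earlier rule's matches are literally contained in the later one, so an empty result does not prove that every rule is reachable.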

I'll look into it, thanks for testing. Yes the -I ... 1 is the culprit, I fixed it in trunk but not in backfire, will check that.

This patch also fixes the same problem when someone wants to use /etc/firewall_user and make manual entries.
Until now MASQUERADE was in first place; now it is at the end. That is as it should be.

At the same time, the same problem is fixed for the chain zone_wan_nat; in fact, for all zone_???_nat chains.

@jow:
I have another question.
In the present configuration, if we use
the SNAT target option,
it will produce two strings: one for TCP, the second for UDP.

Chain zone_lan_nat (0 references)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere
SNAT       tcp  --  192.168.1.0/24       192.168.1.1         tcp dpt:5555 to:192.168.1.10
SNAT       udp  --  192.168.1.0/24       192.168.1.1         udp dpt:5555 to:192.168.1.10

Is it possible to configure SNAT for the icmp protocol, or another?

For example, is the equivalent of

iptables -t nat -I POSTROUTING -p icmp --src 192.168.50.0/24 --dst 192.168.1.1 -j SNAT --to 192.168.1.2
iptables -I zone_lan_forward -p icmp --dst 192.168.1.1 -j ACCEPT

this?

config 'redirect'
        option 'src' 'lan'
        option 'src_ip' '192.168.50.0/24'
        option 'src_dip' '192.168.1.1'
        option 'dest' 'lan'
        option 'proto' 'icmp'
        option 'dest_ip' '192.168.1.2'
        option 'target' 'SNAT'

PS.
OK, it's working :)

Chain zone_lan_nat (1 references)
target     prot opt source               destination
SNAT       icmp --  192.168.50.0/24       192.168.1.2         to:192.168.1.1
MASQUERADE  all  --  anywhere             anywhere

(Last edited by rpc on 10 Sep 2010, 13:07)

I have everything set up on my router, but I cannot seem to get source ip 192.168.1.30 to go through the wan1 iface instead of wan.  How can I fix this?

I have tried to set masq_src in the zone config, but that's not working.

(Last edited by mikeyman on 10 Sep 2010, 17:28)

@jow:

It is NOT OK.
There is still a problem, but I'll do some tests.
I lost access to the Internet.
That is, the router has a client but there is no internet.

cat /etc/config/firewall

config 'defaults'
        option 'syn_flood' '1'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'lan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'

config 'zone'
        option 'name' 'wan'
        option 'input' 'REJECT'
        option 'output' 'ACCEPT'
        option 'forward' 'REJECT'
        option 'masq' '1'
        option 'mtu_fix' '1'

config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'wan'

config 'rule'
        option 'src' 'wan'
        option 'proto' 'udp'
        option 'dest_port' '68'
        option 'target' 'ACCEPT'

config 'rule'
        option 'src' 'wan'
        option 'proto' 'icmp'
        option 'icmp_type' 'echo-request'
        option 'target' 'ACCEPT'

config 'include'
        option 'path' '/etc/firewall.user'

config 'rule'
        option 'proto' '41'
        option 'target' 'ACCEPT'

config 'rule'
        option 'dest_port' '3740'
        option 'target' 'ACCEPT'

config 'rule'
        option 'proto' 'tcp'
        option 'dest_port' '22'
        option 'target' 'ACCEPT'

config 'redirect'
        option 'src' 'wan'
        option 'src_dport' '5500'
        option 'dest' 'lan'
        option 'dest_ip' '192.168.1.126'
        option 'dest_port' '5500'
        option 'proto' 'tcp'

config 'redirect'
        option 'src' 'lan'
        option 'src_ip' '192.168.1.0/24'
        option 'dest' 'wan'
        option 'dest_ip' '178.36.178.76'
        option 'target' 'SNAT'


config 'redirect'
        option 'src' 'lan'
        option 'src_ip' '192.168.1.0/24'
        option 'src_dport' '5555'
        option 'src_dip' '192.168.1.1'
        option 'dest' 'lan'
        option 'dest_ip' '192.168.1.10'
        option 'target' 'SNAT'

config 'redirect'
        option 'src' 'lan'
        option 'src_ip' '192.168.50.0/24'
        option 'src_dip' '192.168.1.1'
        option 'dest' 'lan'
        option 'proto' 'icmp'
        option 'dest_ip' '192.168.1.2'
        option 'target' 'SNAT'

/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

iptables -t nat -L

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
zone_wan_prerouting  all  --  anywhere             anywhere            
zone_lan_prerouting  all  --  anywhere             anywhere            
prerouting_rule  all  --  anywhere             anywhere            

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
zone_wan_nat  all  --  anywhere             anywhere            
zone_lan_nat  all  --  anywhere             anywhere            
postrouting_rule  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain postrouting_rule (1 references)
target     prot opt source               destination         

Chain prerouting_lan (1 references)
target     prot opt source               destination         

Chain prerouting_rule (1 references)
target     prot opt source               destination         

Chain prerouting_wan (1 references)
target     prot opt source               destination         

Chain zone_lan_nat (1 references)
target     prot opt source               destination         
SNAT       tcp  --  192.168.1.0/24       anywhere            to:178.36.178.76 
SNAT       udp  --  192.168.1.0/24       anywhere            to:178.36.178.76 
SNAT       tcp  --  192.168.1.0/24       192.168.1.1         tcp dpt:5555 to:192.168.1.10 
SNAT       udp  --  192.168.1.0/24       192.168.1.1         udp dpt:5555 to:192.168.1.10 
SNAT       icmp --  192.168.50.0/24      192.168.1.1         to:192.168.1.2 

Chain zone_lan_prerouting (1 references)
target     prot opt source               destination         
prerouting_lan  all  --  anywhere             anywhere            

Chain zone_wan_nat (1 references)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere            

Chain zone_wan_prerouting (1 references)
target     prot opt source               destination         
prerouting_wan  all  --  anywhere             anywhere            
DNAT       tcp  --  anywhere             anywhere            tcp dpt:5500 to:192.168.1.126:5500 
DNAT       tcp  --  anywhere             anywhere            tcp dpt:8010 to:192.168.1.126:8010

/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            
syn_flood  tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN 
input_rule  all  --  anywhere             anywhere            
input      all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
zone_wan_MSSFIX  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
forwarding_rule  all  --  anywhere             anywhere            
forward    all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            
output_rule  all  --  anywhere             anywhere            
output     all  --  anywhere             anywhere            

Chain forward (1 references)
target     prot opt source               destination         
zone_lan_forward  all  --  anywhere             anywhere            
zone_wan_forward  all  --  anywhere             anywhere            

Chain forwarding_lan (1 references)
target     prot opt source               destination         

Chain forwarding_rule (1 references)
target     prot opt source               destination         

Chain forwarding_wan (1 references)
target     prot opt source               destination         

Chain forwarding_wan (1 references)
target     prot opt source               destination         

Chain input (1 references)
target     prot opt source               destination         
ACCEPT     ipv6 --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere            udp dpt:3740 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:22 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:3740 
zone_lan   all  --  anywhere             anywhere            
zone_wan   all  --  anywhere             anywhere            

Chain input_lan (1 references)
target     prot opt source               destination         

Chain input_rule (1 references)
target     prot opt source               destination         

Chain input_wan (1 references)
target     prot opt source               destination         

Chain output (1 references)
target     prot opt source               destination         
zone_lan_ACCEPT  all  --  anywhere             anywhere            
zone_wan_ACCEPT  all  --  anywhere             anywhere            

Chain output_rule (1 references)
target     prot opt source               destination         

Chain reject (5 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset 
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 

Chain syn_flood (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 
DROP       all  --  anywhere             anywhere            

Chain zone_lan (1 references)
target     prot opt source               destination         
input_lan  all  --  anywhere             anywhere            
zone_lan_ACCEPT  all  --  anywhere             anywhere            

Chain zone_lan_ACCEPT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain zone_lan_DROP (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain zone_lan_MSSFIX (0 references)
target     prot opt source               destination         
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 

Chain zone_lan_REJECT (1 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere            

Chain zone_lan_forward (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  192.168.50.0/24      192.168.1.1         
ACCEPT     udp  --  192.168.1.0/24       192.168.1.1         udp dpt:5555 
ACCEPT     tcp  --  192.168.1.0/24       192.168.1.1         tcp dpt:5555 
zone_wan_ACCEPT  all  --  anywhere             anywhere            
forwarding_lan  all  --  anywhere             anywhere            
zone_lan_REJECT  all  --  anywhere             anywhere  

Chain zone_wan (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere            udp dpt:68 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
input_wan  all  --  anywhere             anywhere            
zone_wan_REJECT  all  --  anywhere             anywhere            

Chain zone_wan_ACCEPT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain zone_wan_DROP (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain zone_wan_MSSFIX (1 references)
target     prot opt source               destination         
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 

Chain zone_wan_REJECT (2 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere            

Chain zone_wan_forward (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             ubuntu.lan          tcp dpt:8010 
ACCEPT     tcp  --  anywhere             ubuntu.lan          tcp dpt:5500 
forwarding_wan  all  --  anywhere             anywhere            
zone_wan_REJECT  all  --  anywhere             anywhere

(Last edited by rpc on 10 Sep 2010, 18:26)

@jow:

I found the difference.
The original string is as follows:

Chain POSTROUTING (policy ACCEPT 2 packets, 144 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    9   656 postrouting_rule  all  --  any    any     anywhere             anywhere            
    9   656 zone_lan_nat  all  --  any    any     anywhere             anywhere            
    9   656 zone_wan_nat  all  --  any    any     anywhere             anywhere

and with your patch it looks like this:

Chain POSTROUTING (policy ACCEPT 4 packets, 288 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   16   984 zone_wan_nat  all  --  any    pppoa-wan  anywhere             anywhere            
   14  2084 zone_lan_nat  all  --  any    br-lan  anywhere             anywhere            
    4   288 postrouting_rule  all  --  any    any     anywhere             anywhere

I admit I do not know what is wrong.
Apart from this difference, the rest is identical,
but after applying the patch there is no internet.

I got pissed off and cleared all the chains.

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   12  1624 ACCEPT     all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   11  1640 ACCEPT     all  --  any    any     anywhere             anywhere      

Chain PREROUTING (policy ACCEPT 5 packets, 298 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 10 packets, 1271 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    9   593 MASQUERADE  all  --  any    pppoa-wan  anywhere             anywhere

and what's interesting is that there is no internet on the computers.
I do not know how the patch changed the behavior, but it is strange at least.

Restored the original uci_firewall.sh with my patch.
Standard firewall restart.
And the internet is there.
Miracles.

(Last edited by rpc on 10 Sep 2010, 21:54)

rpc wrote:
cat /etc/rc.local
ip link add link eth1 name eth2 address 01:23:45:67:89:01 type macvlan up
ip link add link eth1 name eth3 address 01:23:45:67:89:02 type macvlan up
ip link add link eth1 name eth4 address 01:23:45:67:89:03 type macvlan up

Should you separate each "ip link" command into two lines?

ip link add link eth1 name eth2 address 01:23:45:67:89:01 type macvlan
ip link set eth2 up

root@OpenWrt:~# ip link add help
Usage: ip link add link DEV [ name ] NAME
        [ txqueuelen PACKETS ]
        [ address LLADDR ]
        [ broadcast LLADDR ]
        [ mtu MTU ]
        type TYPE [ ARGS ]
       ip link delete DEV type TYPE [ ARGS ]

       ip link set DEVICE [ { up | down } ]
        [ arp { on | off } ]
        [ dynamic { on | off } ]
        [ multicast { on | off } ]
        [ allmulticast { on | off } ]
        [ promisc { on | off } ]
        [ trailers { on | off } ]
        [ txqueuelen PACKETS ]
        [ name NEWNAME ]
        [ address LLADDR ]
        [ broadcast LLADDR ]
        [ mtu MTU ]
        [ netns PID ]
        [ alias NAME ]
       ip link show [ DEVICE ]

TYPE := { vlan | veth | dummy | ifb | macvlan }

Thanks, I did not pay attention; it has been corrected.

ifup -a

is enough after all.

(Last edited by rpc on 11 Sep 2010, 10:52)

What firewall rule do I need to use in order to forward ip 192.168.1.30 to wan1 and 192.168.1.35 to wan2 so they can use the corresponding wan interfaces?  That is all that I have left to set up?

Would this work?  Or will I have to have a forward rule?

config rule
     option src lan
     option dest wan1
     option src_ip 192.168.1.30
     option target ACCEPT

config rule
     option src lan
     option dest wan2
     option src_ip 192.168.1.35
     option target ACCEPT

(Last edited by mikeyman on 11 Sep 2010, 17:46)

@jow:
The change in r23025 uci_firewall.sh works perfectly.
https://dev.openwrt.org/changeset/23025


Tell me, what previously resulted in the lack of transfer?
I made a rule manually, and still there was no packet traffic. It looked as if FORWARD had been blocked, or MASQUERADE was lacking.

@mikeyman:
It should work. See below for what it is all about:

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 zone_wan2_ACCEPT  udp  --  any    any     192.168.1.35         anywhere            
    0     0 zone_wan2_ACCEPT  tcp  --  any    any     192.168.1.35         anywhere

Even so, it all depends on what chains you have given previously.



Ps.
I've updated my wiki about SNAT and DNAT: http://rpc.one.pl/index.php/lista-artyk … ch-openwrt

(Last edited by rpc on 12 Sep 2010, 12:36)