OpenWrt Forum Archive

Topic: Routed (not NATted) public subnet

The content of this topic has been archived on 28 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi all,

My provider provides IPv4 over PPPoE (that can be used to NAT the br-lan network), but in ADDITION they provide a subnet (/29) public IP addresses. Packets for this subnet are sent over the same PPPoE link but, instead of being used for NATting, these packets should just be sent to a different subnet.

I'm by no means an expert on OpenWRT's IPchains and certainly not when combined with the OpenWRT configuration mechanism.

How would I set up a configuration like this?

Thanks,

Geert Jan

It is fairly straightforward. I assume a default config here with pppoe wan, a dmz with public IP space and lan with private address space. The only thing you will need is to add the masq_src option to zone wan in the firewall config. This will only NAT private-range IPs.

option 'masq_src' '10.0.0.0/8,172.16.0.0/12,192.168.0.0/16'

You will still need to configure firewall rules to allow sessions. If you wish you could allow all traffic by simply adding:

config forwarding
    option src     dmz
    option dest    wan

config forwarding
    option src     wan
    option dest    dmz

Edit: Although this will work, with this method you will lose 3 usable IP addresses (network, broadcast and gateway address) as you configure the public /29 on an ethernet interface. If you were to use NAT, you can NAT all 8 addresses to private IP addresses and thus create more usable space.

(Last edited by Adze on 10 Mar 2015, 20:12)

Thanks for the answer. I will try later this week (make is currently running).

As to the missing 3 addresses, I have an idea I want to try:
I got a /29.
I will assign the network a /27, overlapping the /29.
The clients will have a default route to a broadcast IP outside of my /29, with the MAC-address hardcoded to the OpenWRT box.

Systems will have a default route, and two static routes, one for the /29 I do not have, one for the /28 I do not have.
Since "longest prefix wins", packets to these addresses will follow these routes and not ARP on my own network.
This way, I should be able to use all 8 addresses - I've done something similar with NetBSD a long time ago.

If it works, I'll put the info on the wiki for people to share.

Thanks for the config example - strange as it may sound, I could not work that out and earlier attempts didn't work for me.

Geert Jan

It took longer than expected, but I have it working, and added a twist that may be interesting enough to post about it.

In brief, my provider provides (for a surcharge) a /29 subnet of public IP addresses, so it is possible to connect servers
and other kit (like RIPE ATLAS probes) and have them use real public IP addresses.

While the recipe above did work (and work well - thanks!), one remaining problem was that of the 8 addresses in the /29,
I'd lose 3 (network number, broadcast number, IP for the router), and the loss of 37% address space seemed excessive.
So I did a few tricks documented here.

It is important to realize that only the 8 IP addresses themselves need to be public IP addresses; the broadcast and network number
do not, they have no real significance off-subnet (directed subnet broadcasts don't really exist anymore, these days) and obviously
the router IP doesn't need to be reachable either. While it is possible to overlay a local plan and squat addresses not belonging to me
(belonging to other *DSL customers), the aim is to have real, full IP connectivity w/o holes.

The approach sketched earlier did not work well: it required changes in the systems connected to the network and the network,
broadcast, and router IP's would still be holes. I considered spoofing ARP responses, but found that the proxy-ARP implementation
in Linux really wants an address on-network and besides, since the VDSL modem firmware does not support mini-jumbograms
and the IP uses PPPoE, my MTU was slightly reduced and having an IP to send PMTU packets was desirable.
More work was required.

A few years back I had a chat with one of the techs there (hi, maarten!) and he explained that, for backward compatibility reasons
with broken IP stacks of old Windows systems, they didn't allocate IP's where the last octet was either 0 or 255. Indeed, there were
no PTR records for these, and there were for other IP's.

I decided that if I would configure the subnet network-interface to be a /23, that the network and broadcast IP's would now
overlay the addresses not used by the ISP. And there were 2 IP's in the middle that were not used either (/23, remember?),
which I could abuse for an IP for a router.

I would need to add routes for the address space not mine, back to the provider ('pppoe-wan'),
and enable proxy-ARP on the interface. A client ARP-ing for an address in the encapsulated space that's not mine,
would get an ARP response to the OpenWRT router, the router would send it to the ISP, job done!

Example, to make things clear. Unfortunately publishing a single IP address attracts network scans these days,
so I have substituted the first two octets of my address with the illegal 654.321.

My subnet:      654.321.100.88/29
Overlay subnet: 654.321.100.0/23  (hence: network: 654.321.100.0, bcast 654.321.101.255)
Router IP:      654.321.101.0
ISP iface:      pppoe-wan
subnet iface:   br-vas


# cat /etc/hotplug.d/iface/31-vashack
#!/bin/sh
# Runs on every interface event; only act when an interface comes up.
[ "$ACTION" = "ifup" ] || exit 0

# Once the PPPoE wan is up, route every part of the /23 overlay that is
# not my /29 back to the ISP, then let the router answer ARP on br-vas
# for those prefixes (proxy-ARP only replies for addresses it has a route to).
[ "$INTERFACE" = "wan" ] && {
        ip route replace 654.321.100.0/26   dev pppoe-wan
        ip route replace 654.321.100.64/28  dev pppoe-wan
        ip route replace 654.321.100.80/29  dev pppoe-wan
        ip route replace 654.321.100.96/27  dev pppoe-wan
        ip route replace 654.321.100.128/25 dev pppoe-wan
        ip route replace 654.321.101.0/24   dev pppoe-wan
        sysctl -w net.ipv4.conf.br-vas.proxy_arp=1
}

The cool thing is that I can even set up DHCP for these 8 public IP addresses,
and the right thing happens, no client configuration required.

This is still a hack, and the proper fix is just to run IPv6, but if I've amused someone
then I'm happy.

Geert Jan

PS: should this be in wiki or is it better left undocumented?
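As an added example (not code from the post or from OpenWrt), the Python below derives the six route prefixes in the hotplug script from the two subnets alone and checks the conditions the overlay trick depends on. Because the post's masked 654.321 octets are not parseable, 10.0.100.0/23 stands in for 654.321.100.0/23 as a constructed placeholder; the ".0/.255 never allocated" rule is taken from the post and is this ISP's behaviour, not a general one.

```python
# Added example, not part of the forum post: derive the "holes" in the overlay
# net with Python's ipaddress module. 10.0.100.0/23 is a constructed stand-in
# for the post's masked 654.321.100.0/23 prefix.
import ipaddress

MY_SUBNET = "10.0.100.88/29"  # the /29 the ISP actually routes to me
OVERLAY = "10.0.100.0/23"     # the larger net configured on br-vas
ROUTER_IP = "10.0.101.0"      # a .0 address this ISP never hands out (per the post)
ISP_IFACE = "pppoe-wan"


def overlay_holes(my_subnet, overlay):
    """CIDR blocks inside `overlay` that are not mine; each needs a route back
    to the ISP. address_exclude() yields the minimal covering set, which is
    exactly the six prefixes used in the hotplug script."""
    mine, over = ipaddress.ip_network(my_subnet), ipaddress.ip_network(overlay)
    return sorted(over.address_exclude(mine))


def route_commands(my_subnet, overlay, dev):
    """The `ip route replace` lines for the hotplug script."""
    return [f"ip route replace {n} dev {dev}" for n in overlay_holes(my_subnet, overlay)]


def check_plan(my_subnet, overlay, router_ip):
    """Conditions the trick relies on; returns the list of violations (empty = OK)."""
    mine, over = ipaddress.ip_network(my_subnet), ipaddress.ip_network(overlay)
    rtr, problems = ipaddress.ip_address(router_ip), []
    if not mine.subnet_of(over):
        problems.append(f"{mine} is not inside {over}")
    # Overlay network/broadcast must not land on my real hosts, or they are lost again.
    for addr in (over.network_address, over.broadcast_address):
        if addr in mine:
            problems.append(f"{addr} is overlay network/broadcast but also one of my hosts")
    # Router address: a host address of the overlay that is not one of my /29.
    if rtr not in over or rtr in (over.network_address, over.broadcast_address):
        problems.append(f"router {rtr} is not a host address of {over}")
    elif rtr in mine:
        problems.append(f"router {rtr} burns one of my {mine} hosts")
    # Assumption carried over from the post: this ISP leaves .0 and .255 unallocated.
    if int(rtr) & 0xFF not in (0, 255):
        problems.append(f"router {rtr} may collide with another customer's address")
    return problems


if __name__ == "__main__":
    for problem in check_plan(MY_SUBNET, OVERLAY, ROUTER_IP):
        print("WARNING:", problem)
    print("\n".join(route_commands(MY_SUBNET, OVERLAY, ISP_IFACE)))
```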

Hi

Sorry to bump an old thread but I'm facing a similar situation and could use some tips

I received a /28 (255.255.255.240) block from ISP, and wish to assign public IPs directly to machines in my LAN (losing network/broadcast/gateway addresses is fine, I just need to use 1 public IP).

My router has a static IP connection (not PPPOE):

config interface 'wan'
        option proto 'static'
        option ipaddr '213.13.203.162'
        option netmask '255.255.255.252'
        option gateway '213.13.203.161'
        option delegate '0'
        option ifname 'eth1'
        option ipv6 '0'
        option dns '8.8.8.8 8.8.4.4'

I setup a lan with the public IP space:

config interface 'public'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '213.13.203.160/28'
        option netmask '255.255.255.240'

.. and made sure firewall rules are correct

config forwarding
        option src 'public'
        option dest 'wan'

config forwarding
        option src 'wan'
        option dest 'public'

I also added the masq_src:

option masq_src '!213.13.203.160/28'

Now on the server, when I statically assign an IP from the public block, I can't get online, I can't ping the gateway etc.
What am I missing?

(Last edited by ash on 12 Jan 2017, 09:28)
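As an added example (not from the thread and not an OpenWrt tool), this small Python checker parses the two static stanzas quoted in the post above and runs the address arithmetic a reader would otherwise do by hand: whether `ipaddr` is a usable host address of its own netmask, whether the gateway is on-link, and whether the interface networks overlap each other. The sample text is the post's own config, trimmed to the options the checker reads.

```python
# Added example, not part of the thread: sanity-check the addressing in the
# static 'wan' and 'public' stanzas from the post above.
import ipaddress, shlex

# Constructed sample: the two stanzas from the post, trimmed to the options used here.
UCI_SAMPLE = """
config interface 'wan'
        option proto 'static'
        option ipaddr '213.13.203.162'
        option netmask '255.255.255.252'
        option gateway '213.13.203.161'
config interface 'public'
        option proto 'static'
        option ipaddr '213.13.203.160/28'
        option netmask '255.255.255.240'
"""


def parse_uci_interfaces(text):
    """Minimal UCI reader: {iface: {option: value}} for 'config interface' blocks."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        parts = shlex.split(line)
        if parts[:2] == ["config", "interface"] and len(parts) == 3:
            cur = ifaces.setdefault(parts[2], {})
        elif parts[:1] == ["option"] and len(parts) == 3 and cur is not None:
            cur[parts[1]] = parts[2]
    return ifaces


def iface_address(opts):
    # ipaddr may carry its own /prefix (as 'public' does); otherwise use netmask.
    ip = opts["ipaddr"]
    return ipaddress.ip_interface(ip if "/" in ip else f"{ip}/{opts['netmask']}")


def check_addressing(ifaces):
    """Problems found: unusable ipaddr, off-link gateway, overlapping networks."""
    problems, nets = [], {}
    for name, opts in ifaces.items():
        if opts.get("proto") != "static" or "ipaddr" not in opts:
            continue
        addr = iface_address(opts)
        nets[name] = addr.network
        if addr.ip in (addr.network.network_address, addr.network.broadcast_address):
            problems.append(f"{name}: {addr.ip} is the network/broadcast address of {addr.network}")
        gw = opts.get("gateway")
        if gw and ipaddress.ip_address(gw) not in addr.network:
            problems.append(f"{name}: gateway {gw} is not on-link in {addr.network}")
    names = list(nets)  # pairwise overlap check between all static interfaces
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems
```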

The discussion might have continued from here.