It took longer than expected, but I have it working, and added a twist that may be interesting enough to post about it.
In brief, my provider provides (for a surcharge) a /29 subnet of public IP addresses, so it is possible to connect servers
and other kit (like RIPE ATLAS probes) and have them use real public IP addresses.
While the recipe above did work (and work well - thanks!), one remaining problem was that of the 8 addresses in the /29,
I'd lose 3 (network number, broadcast number, IP for the router), and the loss of 37% of the address space seemed excessive.
So I did a few tricks documented here.
It is important to realize that only the 8 IP addresses themselves need to be public IP addresses; the broadcast and network number
do not: they have no real significance off-subnet (directed subnet broadcasts don't really exist anymore these days) and obviously
the router IP doesn't need to be reachable either. While it is possible to overlay a local plan and squat addresses not belonging to me
(belonging to other *DSL customers), the aim is to have real, full IP connectivity w/o holes.
The approach sketched earlier did not work well: it required changes in the systems connected to the network, and the network,
broadcast, and router IPs would still be holes. I considered spoofing ARP responses, but found that the proxy-ARP implementation
in Linux really wants an address on-network, and besides, since the VDSL modem firmware does not support mini-jumbograms
and the uplink uses PPPoE, my MTU was slightly reduced, and having an IP to send PMTU packets from was desirable.
More work was required.
A few years back I had a chat with one of the techs there (hi, maarten!) and he explained that, for backward compatibility reasons
with broken IP stacks of old Windows systems, they didn't allocate IPs where the last octet was either 0 or 255. Indeed, there were
no PTR records for these, and there were for other IPs.
I decided that if I configured the subnet network interface as a /23, the network and broadcast IPs would overlay
addresses not used by the ISP. And there were 2 IPs in the middle that were not used either (/23, remember?),
one of which I could abuse as an IP for the router.
I would need to add routes for the address space that isn't mine back to the provider ('pppoe-wan'),
and enable proxy-ARP on the interface. A client ARP-ing for an address in the encapsulated space that's not mine
would get an ARP response from the OpenWRT router, the router would send it to the ISP, job done!
Example, to make things clear. Unfortunately publishing a single IP address attracts network scans these days,
so I have substituted the first two octets of my address with the illegal 654.321.
My subnet: 654.321.100.88/29
Overlay subnet: 654.321.100.0/23 (hence: network: 654.321.100.0, bcast 654.321.101.255)
Router IP: 654.321.101.0
ISP iface: pppoe-wan
subnet iface: br-vas
# cat /etc/hotplug.d/iface/31-vashack
#!/bin/sh
# OpenWRT iface hotplug script: runs on every interface event, only act when 'wan' comes up.
[ "$ACTION" = "ifup" ] || exit 0
[ "$INTERFACE" = "wan" ] && {
  # Route every part of the 654.321.100.0/23 overlay that is NOT my 654.321.100.88/29
  # back to the ISP; proxy-ARP on br-vas then answers for those addresses and the
  # router forwards them upstream. Together these six blocks cover the /23 minus my /29.
  ip route replace 654.321.100.0/26 dev pppoe-wan
  ip route replace 654.321.100.64/28 dev pppoe-wan
  ip route replace 654.321.100.80/29 dev pppoe-wan
  ip route replace 654.321.100.96/27 dev pppoe-wan
  ip route replace 654.321.100.128/25 dev pppoe-wan
  # The router's own 654.321.101.0 falls in this block; the kernel's local table takes precedence for it.
  ip route replace 654.321.101.0/24 dev pppoe-wan
  # Answer ARP on br-vas for any target that has a route out of a different interface.
  sysctl -w net.ipv4.conf.br-vas.proxy_arp=1
}
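The six route lines above are the complement of the /29 inside the /23, worked out by hand. The following is an added example (not the author's script, and not part of the original post) that computes that complement for any overlay/owned pair, checks that the result covers every address in the overlay exactly once except the owned block, lists the addresses the ISP never hands out (last octet 0 or 255, as explained above), and renders the equivalent hotplug script. Because the post's 654.321.x.y placeholder is deliberately not a valid IPv4 address, the stand-ins here are 10.0.100.0/23 and 10.0.100.88/29 (same host bits as in the post, private range); the interface names pppoe-wan and br-vas are taken from the post.

```python
import ipaddress
from typing import List

# Stand-ins for the post's (intentionally invalid) 654.321.100.0/23 and
# 654.321.100.88/29; same host bits, private range so the ipaddress module accepts them.
OVERLAY = "10.0.100.0/23"   # what br-vas is configured with
OWNED = "10.0.100.88/29"    # the /29 actually assigned by the ISP
WAN_DEV = "pppoe-wan"       # interface names as in the post
LAN_DEV = "br-vas"


def complement_routes(overlay: str, owned: str) -> List[ipaddress.IPv4Network]:
    """Minimal set of CIDR blocks covering `overlay` minus `owned`.

    These are exactly the prefixes that must be routed back to the ISP so that
    proxy-ARP on the LAN side answers for them. ipaddress.address_exclude()
    does the repeated bisection; this adds the sanity check and a stable order.
    """
    big = ipaddress.ip_network(overlay, strict=True)
    mine = ipaddress.ip_network(owned, strict=True)
    if not mine.subnet_of(big):
        raise ValueError(f"{owned} is not inside {overlay}")
    return sorted(big.address_exclude(mine))


def isp_unused_addresses(overlay: str) -> List[ipaddress.IPv4Address]:
    """Addresses the ISP never allocates (last octet 0 or 255, per the post).

    For a /23 overlay these are its own network and broadcast numbers plus the
    two in the middle; the middle ones are the candidates for the router IP.
    """
    net = ipaddress.ip_network(overlay, strict=True)
    return [a for a in net if int(a) & 0xFF in (0, 255)]


def covers_exactly(overlay: str, owned: str,
                   routes: List[ipaddress.IPv4Network]) -> bool:
    """Every address in the overlay must match exactly one route, except the
    owned block, which must match none (it stays on the LAN side)."""
    big = ipaddress.ip_network(overlay, strict=True)
    mine = ipaddress.ip_network(owned, strict=True)
    for addr in big:
        hits = sum(1 for r in routes if addr in r)
        want = 0 if addr in mine else 1
        if hits != want:
            return False
    return True


def hotplug_script(overlay: str, owned: str,
                   wan_dev: str = WAN_DEV, lan_dev: str = LAN_DEV,
                   trigger: str = "wan") -> str:
    """Render an /etc/hotplug.d/iface script equivalent to the one in the post."""
    lines = [
        "#!/bin/sh",
        '[ "$ACTION" = "ifup" ] || exit 0',
        f'[ "$INTERFACE" = "{trigger}" ] || exit 0',
    ]
    lines += [f"ip route replace {net} dev {wan_dev}"
              for net in complement_routes(overlay, owned)]
    lines.append(f"sysctl -w net.ipv4.conf.{lan_dev}.proxy_arp=1")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    routes = complement_routes(OVERLAY, OWNED)
    assert covers_exactly(OVERLAY, OWNED, routes)
    print("ISP-unused addresses:",
          ", ".join(str(a) for a in isp_unused_addresses(OVERLAY)))
    print(hotplug_script(OVERLAY, OWNED))
```

With the stand-in values this prints the same six prefixes as the hand-written script (100.0/26, 100.64/28, 100.80/29, 100.96/27, 100.128/25, 101.0/24). The coverage check is the part worth keeping around: drop or mistype one route and it fails, which on a live router would show up as a silent hole in the overlay rather than an error. The router's own address (101.0 in the post) sits inside the last of those routes, which is harmless because the kernel consults the local routing table before the main one.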
The cool thing is that I can even set up DHCP for these 8 public IP addresses,
and the right thing happens, no client configuration required.
This is still a hack, and the proper fix is just to run IPv6, but if I've amused someone
then I'm happy.
Geert Jan
PS: should this be in wiki or is it better left undocumented?