OpenWrt Forum Archive

Topic: One-to-One NAT - PLEASE HELP!!!

The content of this topic has been archived on 23 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi everyone,

Let me start off by saying that I know that this topic has been covered before, and I apologize; I have used the search function here on the site as well as Google. I still can't get one-to-one NAT to work. Any help would be greatly appreciated.

I have AT&T Uverse with a /28 of public address space that I'd like to use for 1 to 1 NAT for 3 hosts. The remaining hosts can simply use many to 1 translations. I've tried configuring SNAT via the LuCI interface, but I lose Internet connectivity to the host machine that is supposed to be doing 1 to 1 NAT. I tried manually adding iptables rules to the "Custom" section of the firewall tab in LuCI, but it doesn't appear to be working (I don't see any packets hitting the ruleset). Here are the rules I tried using as a test for one host:

iptables -t nat -A PREROUTING -d 1.2.3.4 -i eth0 -j DNAT --to-destination 192.168.10.12
iptables -t nat -A POSTROUTING -s 192.168.10.12 -o eth0 -j SNAT --to-source 1.2.3.4
iptables -A FORWARD -i eth0 -o eth1 -m state --state NEW -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Would someone mind giving me a hand with this? I'm assuming all of this can be done in LuCI, but I'm stuck at the moment.

Thanks in advance,

Mike

Maybe just this

iptables -t nat -A PREROUTING -d 1.2.3.4 -i eth0 -j DNAT --to-destination 192.168.10.12
iptables -t nat -A POSTROUTING -s 192.168.10.12 -o eth0 -j SNAT --to-source 1.2.3.4
iptables -A FORWARD -s 1.2.3.4 -j ACCEPT
iptables -A FORWARD -d 192.168.10.12 -j ACCEPT
webtron wrote:

Maybe just this

iptables -t nat -A PREROUTING -d 1.2.3.4 -i eth0 -j DNAT --to-destination 192.168.10.12
iptables -t nat -A POSTROUTING -s 192.168.10.12 -o eth0 -j SNAT --to-source 1.2.3.4
iptables -A FORWARD -s 1.2.3.4 -j ACCEPT
iptables -A FORWARD -d 192.168.10.12 -j ACCEPT

Thanks webtron. Unfortunately, this doesn't work either. Is one to one NAT even possible with OpenWRT and/or LEDE?

Mike

After re-reading my initial post, I see that I've left out tons of information... my apologies.  Here's my setup:

My uVerse modem is set up in bridged/passthrough mode and passes its DHCP WAN address to the WAN interface (eth0) on my Linksys WRT1200AC. The Linksys serves as the default gw for the 192.168.10.0/24 private subnet, by way of the br-lan interface. AT&T has given me a /28 of routable address space, which I'd like to use to set up 1 to 1 NAT. Is there a way to accomplish this?

I think you're missing this bit to tie the public IP to your WAN interface

ifconfig <WAN_interface> <PUBLIC_IP> <subnet mask> broadcast <broadcast address>
ifconfig eth0 1.2.3.4 255.255.255.240 broadcast 1.2.3.15
webtron wrote:

I think you're missing this bit to tie the public IP to your WAN interface

ifconfig <WAN_interface> <PUBLIC_IP> <subnet mask> broadcast <broadcast address>
ifconfig eth0 1.2.3.4 255.255.255.240 broadcast 1.2.3.15

Thanks again webtron. So are you saying to configure eth0 with the same public IP address that I want my RFC 1918 host to translate to? For example, if I want to NAT 10.10.10.15 to 206.13.28.15, do I configure eth0 with that, or would I use 206.13.28.16?

Mike

For each of the public IPs you want to 1 to 1 NAT with, attach it to the WAN (assuming eth0) interface with the ifconfig command. I'm assuming 206.13.28.15 is a fake public IP, because it comes up as a broadcast address when I enter it here with 28 mask bits: www.subnet-calculator.com/subnet.php
ifconfig eth0 206.13.28.12 255.255.255.240 broadcast 206.13.28.15
ifconfig eth0 206.13.28.13 255.255.255.240 broadcast 206.13.28.15
ifconfig eth0 206.13.28.14 255.255.255.240 broadcast 206.13.28.15

webtron wrote:

For each of the public IPs you want to 1 to 1 NAT with, attach it to the WAN (assuming eth0) interface with the ifconfig command. I'm assuming 206.13.28.15 is a fake public IP, because it comes up as a broadcast address when I enter it here with 28 mask bits: www.subnet-calculator.com/subnet.php
ifconfig eth0 206.13.28.12 255.255.255.240 broadcast 206.13.28.15
ifconfig eth0 206.13.28.13 255.255.255.240 broadcast 206.13.28.15
ifconfig eth0 206.13.28.14 255.255.255.240 broadcast 206.13.28.15

I see what you mean. Now what about the fact that eth0 already pulls a WAN address from the modem? Is that no longer needed, or do I just alias eth0 with the additional IPs? Sorry for all of the questions.

Thanks,

Mike

OK, I tried it and it's still not working correctly. After following your instructions, the Internet (via what's my IP) shows my host as coming from the DHCP-assigned WAN address, instead of the public IP address that I want to do 1 to 1 with. At one point during my testing, after removing the -i eth0 and -o eth0 flags from the iptables rules you suggested, what's my IP showed the correct IP address for about 3 minutes, then it stopped. Scratching my head at this point.

Mike

Whatsmyip may not be the best way to test a 1 to 1 NAT setup. 1 to 1 NAT passes traffic sent to that IP address through to your internal IP, but that doesn't mean it will use the 1 to 1 NAT IP for outgoing connections to websites. Put something like a web server or SSH server on the internal IP and test it from a different connection to see if you can access it via the 1 to 1 NAT public IP.

webtron wrote:

Whatsmyip may not be the best way to test a 1 to 1 NAT setup. 1 to 1 NAT passes traffic sent to that IP address through to your internal IP, but that doesn't mean it will use the 1 to 1 NAT IP for outgoing connections to websites. Put something like a web server or SSH server on the internal IP and test it from a different connection to see if you can access it via the 1 to 1 NAT public IP.

Thanks again. So basically, this isn't going to work in the way that a Cisco 1 to 1 NAT configuration would, with static mappings. I can live with that for now. My last and most important 2 questions are in regards to setting up the eth0 interface with public IPs. As I stated earlier, eth0 currently pulls a dynamically assigned IP address from my ISP via the Uverse modem. My questions are:

1. Do I still need to have eth0 pull the dynamic WAN address from the upstream modem?
2. Do I need to create alias/sub-interfaces on eth0 (eth0:1, eth0:2, etc.) for each of the public IPs I'm going to assign? It seems as though each 'ifconfig' statement would overwrite the previous addresses.

Thank you again so very much for all of your assistance.

Mike

duhhhh not sure.....

mys5droid wrote:

duhhhh not sure.....

It's working...

I just created multiple sub-interfaces for eth0 (eth0:1, eth0:2) and left the uVerse modem in passthrough mode. Now all I need to do is figure out why my script won't work from rc.local or init.d. Thanks again for all of your help webtron.

Mike
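Putting the thread's pieces together (webtron's per-IP alias on the WAN interface, the DNAT/SNAT pair, and the broadcast-address trap with 206.13.28.15), here is an added example script that is not from any poster: it validates that a public address is a usable host in the /28 before emitting the commands for one mapping. Assumptions: the WAN interface is eth0, the LAN bridge is br-lan, 206.13.28.0/28 is a constructed sample block, and the stock OpenWrt firewall (fw3) already has its own MASQUERADE in POSTROUTING and a reject at the end of FORWARD, which is why the iptables rules are inserted with -I rather than appended with -A.

```shell
#!/bin/sh
# Added example (not the thread's own script). Assumed layout: WAN=eth0,
# LAN=br-lan, constructed public block 206.13.28.0/28.
WAN_IF=eth0
LAN_IF=br-lan
PUBLIC_NET=206.13.28.0
PUBLIC_MASK=255.255.255.240

ip2int() {               # dotted quad -> integer
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

int2ip() {               # integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

broadcast_of() {         # broadcast_of NET MASK
    int2ip $(( $(ip2int "$1") | (4294967295 - $(ip2int "$2")) ))
}

# usable_host ADDR NET MASK: true only if ADDR lies inside NET/MASK and is
# neither the network nor the broadcast address (webtron's 206.13.28.15 case).
usable_host() {
    addr=$(ip2int "$1"); net=$(ip2int "$2"); mask=$(ip2int "$3")
    bcast=$(( net | (4294967295 - mask) ))
    [ $(( addr & mask )) -eq "$net" ] && [ "$addr" -ne "$net" ] && [ "$addr" -ne "$bcast" ]
}

# one_to_one_rules PUBLIC PRIVATE ALIAS_INDEX: print the commands for one mapping.
# -I puts our rules ahead of fw3's own chains (assumed stock firewall ordering):
# ahead of its MASQUERADE so the SNAT wins, ahead of its FORWARD reject so the
# ACCEPTs are reached at all.
one_to_one_rules() {
    usable_host "$1" "$PUBLIC_NET" "$PUBLIC_MASK" || {
        echo "refusing $1: not a usable host in $PUBLIC_NET/$PUBLIC_MASK" >&2; return 1; }
    cat <<EOF
ifconfig $WAN_IF:$3 $1 netmask $PUBLIC_MASK
iptables -t nat -I PREROUTING -i $WAN_IF -d $1 -j DNAT --to-destination $2
iptables -t nat -I POSTROUTING -o $WAN_IF -s $2 -j SNAT --to-source $1
iptables -I FORWARD -i $WAN_IF -o $LAN_IF -d $2 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i $LAN_IF -o $WAN_IF -s $2 -j ACCEPT
EOF
}

# Example use from rc.local: one_to_one_rules 206.13.28.12 192.168.10.12 1 | sh
```

As webtron notes, verify the inbound half from a different connection against a service on the private host; a what's-my-IP check only exercises the outbound SNAT.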
