What's new

Advanced DMZ, bridge WAN to LAN, route WAN IP to LAN ports

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

docbob

New Around Here
Hello everyone! I have a need to route the WAN IP to a LAN port and at the same time still use the NAT IPs.
The script I found does work on Shibby Tomato but the VLANs don't work for the ISP. Also tried DD-WRT, but it won't work with the ISP either. And... I have also tested that google project firmware (Padavan) but it just keeps locking up. So, here I am :) The VLAN on Merlin does work, yeah! But does this script?? Please see the script below. Not sure if the ports are named the same or have the same order or if the firmware is based on the same version of Linux. Any help, Ideas??? Asus RT-AC66U.
#!/bin/sh -x
WIF=$(nvram get wan_iface)
WIP=$(nvram get wan_ipaddr)
WNM=$(nvram get wan_netmask)
WGW=$(nvram get wan_gateway)
LIF=$(nvram get lan_ifname)
LIP=$(nvram get lan_ipaddr)
LNM=$(nvram get lan_netmask)
IFCONFIG=/sbin/ifconfig
ROUTE=/sbin/route
IPTABLES=/usr/sbin/iptables
# remove WAN IF IP
$IFCONFIG $WIF 0.0.0.0 up
# replace default route to Gateway through WIF
$ROUTE add -host $WGW dev $WIF
$ROUTE add default gw $WGW
# add route to WAN IP through LAN iface
$ROUTE add -host $WIP dev $LIF
# enable proxy_arp so can use WGW s gateway on LAN device
echo "1" >/proc/sys/net/ipv4/conf/$WIF/proxy_arp
echo "1" >/proc/sys/net/ipv4/conf/$LIF/proxy_arp
# replace MASQ on WIF with SNAT
$IPTABLES -t nat -D POSTROUTING -o $WIF -j MASQUERADE
$IPTABLES -t nat -I POSTROUTING -s $LIP/$LNM -o $WIF -j SNAT --to-source $WIP
# add a bit of extra firewall
$IPTABLES -t nat -I PREROUTING -i $WIF -d ! $WIP -j DROP
 
Update: Created script and ran it, and this is what I got:
+ nvram get wan_iface
+ WIF=
+ nvram get wan_ipaddr
+ WIP=0.0.0.0
+ nvram get wan_netmask
+ WNM=
+ nvram get wan_gateway
+ WGW=0.0.0.0
+ nvram get lan_ifname
+ LIF=br0
+ nvram get lan_ipaddr
+ LIP=192.168.2.1
+ nvram get lan_netmask
+ LNM=255.255.255.0
+ IFCONFIG=/sbin/ifconfig
+ ROUTE=/sbin/route
+ IPTABLES=/usr/sbin/iptables
+ /sbin/ifconfig 0.0.0.0 up
ifconfig: SIOCGIFFLAGS: No such device
+ /sbin/route add -host 0.0.0.0 dev
BusyBox v1.20.2 (2015-03-06 14:48:00 EST) multi-call binary.

Usage: route [{add|del|delete}]

Edit kernel routing tables

-n Don't resolve names
-e Display other/more information
-A inet{6} Select address family

+ /sbin/route add default gw 0.0.0.0
route: SIOCADDRT: Invalid argument
+ /sbin/route add -host 0.0.0.0 dev br0
./admz.sh: line 20: can't create /proc/sys/net/ipv4/conf//proxy_arp: nonexistent directory
+ echo 1
+ echo 1
+ /usr/sbin/iptables -t nat -D POSTROUTING -o -j MASQUERADE
Bad argument `MASQUERADE'
Try `iptables -h' or 'iptables --help' for more information.
+ /usr/sbin/iptables -t nat -I POSTROUTING -s 192.168.2.1/255.255.255.0 -o -j SNAT --to-source 0.0.0.0
Bad argument `SNAT'
Try `iptables -h' or 'iptables --help' for more information.
+ /usr/sbin/iptables -t nat -I PREROUTING -i -d ! 0.0.0.0 -j DROP
Bad argument `0.0.0.0'
Try `iptables -h' or 'iptables --help' for more information.
 
WIF=$(nvram get wan_iface)

there's no nvram variable called "wan_iface" on this router, so WIF is null, which causes the ifconfig and route commands to fail.

replace that line with

Code:
WIF=$(nvram get wan0_ifname)

similarly, you need to replace

Code:
WNM=$(nvram get wan_netmask)

with

Code:
WNM=$(nvram get wan0_netmask)
 
New error, but much much better:

$IPTABLES -t nat -D POSTROUTING -o $WIF -j MASQUERADE
iptables: No chain/target/match by that name

Does Merlin have the "nat table kernel module" loaded and the "MASQUERADE module" loaded ?? How do I test this? Thanks again!
 
I understand MASQUERADE allows one to route traffic without disrupting the original traffic route. i.e. I want to send the WAN IP to a LAN port while still using NAT, yes?

Eric the firmware guy was kind enough to help and said:
Check the content of your iptables. The rule is normally there in normal router mode (although not with the syntax you are trying to match against in your delete request).
i.e.
/tmp/home/root# iptables -t nat -L POSTROUTING -vn
Chain POSTROUTING (policy ACCEPT 120 packets, 14995 bytes)
pkts bytes target prot opt in out source destination
108K 12M MASQUERADE all -- * eth0 !198.42.1.81 0.0.0.0/0
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0xb400

Still not sure how to proceed, anyone?
 

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top