Configuring multiple static wan IPs through one to one NAT?

blizeH

New Around Here
Hi,

I'm having some problems configuring my router (understatement...) and sinshiva kindly suggested that I use Asuswrt-Merlin - after a little bit of research it seems perfect for me, since it adds functionality, and fixes bugs, without doing anything overly drastic.

Since this is now specifically related to Merlin and the configuration I thought it best to continue the discussion on here, and frankly I'm still very unsure on what exactly I have to do.

I understand that I will have to manually define the IP address for my machines that I want to have their own WAN IP and then map it like so:

Code:
ifconfig eth0:0 WANIP0 netmask WANMASK0 up
ifconfig eth0:1 WANIP1 netmask WANMASK1 up

But is that it? Once the IP on the machine is fixed, and this rule is added to the router, the WAN IP will automatically change for that machine?

Also, please pardon my ignorance, but how would I ensure those rules are in the start scripts?

Many thanks
 

sinshiva

Very Senior Member
when everything is set, all internet traffic destined for one of the additional WAN IPs is configured via iptables to only go to a specific LAN IP and vice-versa. so no, the LAN clients do not take on the WAN IP itself. Then, with iptables, you'd enable port forwarding for the assigned LAN clients so they can be represented by the different IP via the firewall's NAT table.

like thus;

1) eth0 WAN IP 1, connection shared by the LAN
2) eth0:0 WAN IP 2, connection assigned to LAN IP 2
3) port forward 80 to LAN IP 2

then, when you try to access port 80 (web server) from the internet via WAN IP 2, that traffic goes to LAN IP 2 behind the scenes.

also, i responded to your other thread; http://forums.smallnetbuilder.com/showpost.php?p=103759&postcount=8
 

blizeH

New Around Here
Can I just say a huge thanks to sinshiva for helping me sort this out!

The guy took a considerable amount of time out of his day yesterday to help me get everything configured and it's now working perfectly. Such a relief, thank you!
 

sinshiva

Very Senior Member
np; you should post the config, sanitized of your (wan) addresses. i didn't think to keep a copy lol
 

blizeH

New Around Here
Great idea! Hopefully someone else will find it useful too :)

Code:
#!/bin/sh
#
# to restore this configuration, it needs to be saved to /jffs/scripts/nat-start
# on the router.
#
ifconfig ppp0:0 WanIP1 netmask 255.255.255.248 up
iptables -t nat -A PREROUTING -i ppp0 -d WanIP1 -j DNAT --to-destination 192.168.1.10
iptables -t nat -I POSTROUTING -s 192.168.1.10 -j SNAT --to WanIP1
#
ifconfig ppp0:1 WanIP2 netmask 255.255.255.248 up
iptables -t nat -A PREROUTING -i ppp0 -d WanIP2 -j DNAT --to-destination 192.168.1.11
iptables -t nat -I POSTROUTING -s 192.168.1.11 -j SNAT --to WanIP2
#
ifconfig ppp0:2 WanIP3 netmask 255.255.255.248 up
iptables -t nat -A PREROUTING -i ppp0 -d WanIP3 -j DNAT --to-destination 192.168.1.12
iptables -t nat -I POSTROUTING -s 192.168.1.12 -j SNAT --to WanIP3
#
# Port forwards, in case the webui doesn't work, but i think it will.  uncomment below if needed.
# iptables -A FORWARD -p tcp --dport 80 -d 192.168.1.10 -j ACCEPT

Replace WanIP1, WanIP2 etc. with your own IPs.

Once again, thank you so much! :)
 

sinshiva

Very Senior Member
thanks;

two things to note. at the bottom of the script, i forgot to add the '-i ppp0' to the commented iptables port forward example, sorry about that.

second thing is that he's using ppp0 because he's on a PPPoE connection, otherwise you'd use eth0

[edit/] and a third thing, he left his wans' subnetmasks unchanged; if you use this script, be sure it's set accordingly

and of course, be sure to use
Code:
chmod a+rx /jffs/scripts/*
after saving the script

oh, and the aliased interfaces use the extra IPs whereas you manually configure the main IP in the webui
 

blizeH

New Around Here
Thank you! I'll make sure to update my notes accordingly too when I get home tonight.

BTW you still need to let me know what I owe you!! :)
 

marcnz

New Around Here
Hi,

I apologize for joining late and asking questions about how to do this.
I have installed the Asus merlin firmware on a new RT-AC66U. I have enabled and formatted the JFFS following the instructions.

My question:

I have a total of 8 public IP addresses such as (example):

20.20.20.21 -> Network (not usable)
20.20.20.22 -> Asus Router Public IP PPPoE Static
255.255.255.248 Subnet Mask
20.20.20.23
20.20.20.24
20.20.20.25
20.20.20.26
20.20.20.27
20.20.20.27 -> Broadcast (not usable)

Current internal LAN:
192.168.1.1/24

Current ASUS LAN IP: 192.168.1.1

I have been instructed by my ISP provider to set up the router ASUS LAN IP PPPoE as static to 20.20.20.22, with Subnet mask 255.255.255.248

I would like to set up:
MAIL SERVER:
Internal LAN: 192.168.1.200 (vmware virtual machine)
PUBLIC IP: 20.20.20.23

I have public domain such as:
mailserver.com pointing to public IP 20.20.20.23

How do I set it up using the nat-start script for:
Any request to mailserver.com to come directly to my LAN mail server 192.168.1.200
Any packet out of the mail server 192.168.1.200 to be seen as coming from 20.20.20.23
This for any port for the domain mailserver.com:
PING mailserver.com should receive the response 20.20.20.23 from the mail server 192.168.1.200

Once I have this set up I will be able to add more servers following the same template.

I am not a network guru as you can see, although I have a fair understanding of most IT aspects.

I tried to use the template provided by another user with the following, a file called nat-start:

#!/bin/sh
#
# to restore this configuration, it needs to be saved to /jffs/scripts/nat-start
# on the router.
#
#
######################################
#ISPWAN IP BLOCK:
#20.20.20.21 = NETWORK
#20.20.20.27 = BROADCAST
#20.20.20.22 = ROUTER PPPoE STATIC IP
#
#SUBNET MASK:
#255.255.255.248
#
#INTERNAL LAN: 192.168.1/24
#ROUTER LAN: 192.168.1.1
#ROUTER DHCP INTERNAL LAN: 192.168.1.50 -> 192.168.1.100
#
#PUBLIC SERVER IPS:
#mail server: 20.20.20.23 -> 192.168.1.200
#
ifconfig ppp0:0 20.20.20.23 netmask 255.255.255.248 up
iptables -t nat -A PREROUTING -i ppp0 -d 20.20.20.23 -j DNAT --to-destination 192.168.1.200
iptables -t nat -I POSTROUTING -s 192.168.1.200 -j SNAT --to 20.20.20.23
##########################################

Will this be correct?

I see ppp0:0, ppp0:1, etc... How many can be? Are they reflecting the LAN port on the router (4)?

I used to have a PFSense device that blew from an electric outage. I used Domain forwarder, but I could not send out as an IP address. As a secondary question, how can I do a domain forwarder with the Asus merlin on RT-AC66U the same way it worked with the PFSense device?

I had entries like
domain1.com going to 192.168.1.210
domain2.com going to 192.168.1.211
etc...

I appreciate your help.
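
The nat-start template from this thread, generalised to any number of WAN-to-LAN pairs, as an added example that is not code from any poster. The helper names `is_ipv4` and `gen_nat_start` are hypothetical; the generator only prints the script, validates every address first, and adds `-o` to the SNAT rule, which the thread's script does not have.

```shell
#!/bin/sh
# Added example: prints a nat-start script for review; it changes nothing itself.

# is_ipv4 ADDR: succeed only for four dot-separated decimal octets, each 0-255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address into its octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_nat_start IFACE NETMASK WANIP=LANIP [WANIP=LANIP ...]
# IFACE is ppp0 on PPPoE and eth0 otherwise, as noted in the thread.
gen_nat_start() {
    iface=$1 mask=$2
    shift 2
    # The output runs as root on the router, so reject anything that is not
    # a plain interface name or a well-formed address before printing a line.
    case "$iface" in
        ""|*[!A-Za-z0-9]*) echo "bad interface: $iface" >&2; return 1 ;;
    esac
    is_ipv4 "$mask" || { echo "bad netmask: $mask" >&2; return 1; }
    for pair in "$@"; do
        case "$pair" in
            *=*) is_ipv4 "${pair%%=*}" && is_ipv4 "${pair#*=}" && continue ;;
        esac
        echo "bad mapping: $pair" >&2
        return 1
    done
    echo '#!/bin/sh'
    n=0
    for pair in "$@"; do
        wan=${pair%%=*} lan=${pair#*=}
        echo "ifconfig $iface:$n $wan netmask $mask up"
        echo "iptables -t nat -A PREROUTING -i $iface -d $wan -j DNAT --to-destination $lan"
        # -o (an addition to the thread's rule) limits the rewrite to WAN-bound traffic
        echo "iptables -t nat -I POSTROUTING -o $iface -s $lan -j SNAT --to $wan"
        n=$((n + 1))
    done
}

# Constructed sample call using the example addresses from the question above.
gen_nat_start ppp0 255.255.255.248 20.20.20.23=192.168.1.200
```

Redirect the output to a file and review it before saving it as /jffs/scripts/nat-start and applying the chmod given earlier in the thread.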
 
