Customer has a comcast line (50/10) with 5 static IP addresses (/29 or .248, 1 IP used for the gateway) that they wanted to assign to various internal devices. I attempted to talk them into an actual firewall solution (either an ASA5505 or an Untangle system for roughly $400 plus my “fees”), but they were looking more into the sub-$100 range. After a bunch of options and a little bit of back and forth, they settled on buying a pair of refurbished E2000 Linksys Routers; one for the primary, and the second for a backup. Total cost for hardware: $85.
Unfortunately I needed to learn how to make their router work with additional public IPs. I’ve disliked the default (stock) interface of any home/small business router since the beginning of time, so I ended up installing dd-wrt on both of the routers. http://www.dd-wrt.com/wiki/index.php/One-to-one_NAT
Just set the router up as you would if you only had a single IP address. In my case I’ll use 173.x.x.0 as my public network:
173.x.x.0 network
173.x.x.1 Public 1
173.x.x.2 Public 2
173.x.x.3 Public 3
173.x.x.4 Public 4
173.x.x.5 Public 5
173.x.x.6 gateway
173.x.x.7 broadcast
And I’ll also use 192.168.1.0 as my internal private NAT network. My default configuration for the router was then a static WAN IP of 173.x.x.1, with an internal IP of 192.168.1.1 (DHCP range 192.168.1.100-254).
From here, click on Administration, and then on the Commands tab.
In the text box, type the following (obviously I’m adding ALL other public IPs to my configuration. Edit as appropriate):
WANIF=`/sbin/get_wanface`
/sbin/ifconfig $WANIF:1 173.x.x.2 netmask 255.255.255.248 broadcast 173.x.x.7
/sbin/ifconfig $WANIF:2 173.x.x.3 netmask 255.255.255.248 broadcast 173.x.x.7
/sbin/ifconfig $WANIF:3 173.x.x.4 netmask 255.255.255.248 broadcast 173.x.x.7
/sbin/ifconfig $WANIF:4 173.x.x.5 netmask 255.255.255.248 broadcast 173.x.x.7
Now click on the Save Startup button. You should then see it after a page refresh. Basically this adds the aliases vlan2:1 through vlan2:4 (vlan2 is the WAN interface on this router) to your configuration.
Now that the virtual interfaces are configured, we need firewall rules to enable access; iptables provides this. In that same box, type:
/usr/sbin/iptables -t nat -I PREROUTING -d 173.x.x.2 -j DNAT --to 192.168.1.x
/usr/sbin/iptables -t nat -I POSTROUTING -s 192.168.1.x -j SNAT --to 173.x.x.2
This creates the inbound and outbound rules that translate between the public and private addresses. Repeat the pair for each of the other public IP addresses if applicable. Click on Save Firewall and you should then see the configuration after a page refresh.
If you want to add specific port forwards to these new IP addresses, you must utilize the following template:
# 1:1 NAT for the public address (same pair as above)
/usr/sbin/iptables -t nat -I PREROUTING -d 173.x.x.2 -j DNAT --to 192.168.1.x
/usr/sbin/iptables -t nat -I POSTROUTING -s 192.168.1.x -j SNAT --to 173.x.x.2
# Allow only the wanted ports through. The FORWARD chain sees the packet after
# DNAT, so the match is on the internal (private) address, not the public one.
/usr/sbin/iptables -I FORWARD -d 192.168.1.x -p tcp --dport 80 -j ACCEPT
/usr/sbin/iptables -I FORWARD -d 192.168.1.x -p tcp --dport 22 -j ACCEPT
Then reboot your router.
After a reboot, you can telnet to your router and verify that the NAT rules are present:
telnet 192.168.1.1 (login root/admin)
iptables -t nat -L
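As an added example that is not from the original post or the dd-wrt wiki: a small POSIX shell script that generates both the startup (ifconfig) lines and the firewall (iptables) lines for several 1:1 mappings from one table, so every public address gets the same pair of NAT rules and the FORWARD accepts are always written against the private address. The 173.x.x.N block is the post's placeholder; the internal hosts and port lists are constructed.

```shell
#!/bin/sh
# Added example: generate dd-wrt Commands-box lines for 1:1 NAT mappings.
# Addresses below are placeholders/constructed, not a real deployment.

NETMASK=255.255.255.248
BCAST=173.x.x.7

# Mapping table (constructed): "alias public private allowed_tcp_ports"
# Use "-" for a host that should get NAT but no inbound ports opened.
MAPPINGS='1 173.x.x.2 192.168.1.10 80,443
2 173.x.x.3 192.168.1.11 22
3 173.x.x.4 192.168.1.12 -'

# Startup script: one WAN alias (vlan2:N) per extra public address.
startup_lines() {
    echo 'WANIF=`/sbin/get_wanface`'
    echo "$MAPPINGS" | while read -r alias pub priv ports; do
        echo "/sbin/ifconfig \$WANIF:$alias $pub netmask $NETMASK broadcast $BCAST"
    done
}

# Firewall script: DNAT/SNAT pair per mapping, then FORWARD accepts only
# for the listed ports. FORWARD sees the post-DNAT packet, so the ACCEPT
# rules match the private IP; nothing is opened for a "-" host.
firewall_lines() {
    echo "$MAPPINGS" | while read -r alias pub priv ports; do
        echo "/usr/sbin/iptables -t nat -I PREROUTING -d $pub -j DNAT --to $priv"
        echo "/usr/sbin/iptables -t nat -I POSTROUTING -s $priv -j SNAT --to $pub"
        if [ "$ports" != "-" ]; then
            for p in $(echo "$ports" | tr ',' ' '); do
                echo "/usr/sbin/iptables -I FORWARD -d $priv -p tcp --dport $p -j ACCEPT"
            done
        fi
    done
}

# Print both sections so they can be pasted into the Commands box.
echo "# --- Save Startup ---"
startup_lines
echo "# --- Save Firewall ---"
firewall_lines
```

Paste the first section with Save Startup and the second with Save Firewall, then reboot and confirm with `iptables -t nat -L` as above.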
This is exactly what I was looking for! Nice and simple. Just one other thing, how would I tell a range of DHCP clients to go out a certain virtual wan interface?