3/17/2023
Ddwrt 3 firewall builder

My old ISP provided a single DHCP-assigned static IP address. It was easy enough to configure my Tomato USB router with this configuration, using NAT to use machines behind the router.

But now I have a new ISP. My new ISP's configuration strikes me as silly. The actual WAN interface, ppp0, is PPPoE with a dynamically assigned IP (and it's very dynamic, new IP address every time). But I also get a /29 that's routed to me. Most machines are DHCPed, but various servers are static IPed. The Wi-Fi in the router is bridged to the switch ports.

At the moment I've got things mostly working in a reasonable fashion, cobbled together from various guidelines on multi-IP configurations with dd-wrt and Tomato/Tomato USB. There's an interface vlan1, and I've bound all 6 usable IP addresses to that interface. I then have selective rules doing 1:1 rules DNAT on the way in, SNAT on the way out.

iptables -t nat -I PREROUTING -p all -d 217.36.xx.yy -j DNAT --to 10.0.0.2
iptables -I FORWARD -p tcp -d 10.0.0.2 --dport domain -j ACCEPT
iptables -I FORWARD -p udp -d 10.0.0.2 --dport domain -j ACCEPT
# outbound from the host: match it as the source (-s) so its traffic leaves with the public address
iptables -t nat -I POSTROUTING -p all -s 10.0.0.2 -j SNAT --to 217.36.xx.yy

One thing I haven't been able to get working, however, is 6in4. I use a 6in4 tunnel from Hurricane Electric. That prefers a static IP at my end so it knows where to send inbound connections (there is a dynamic option using dynamic DNS but I would prefer not to use it). So I want to use one of the addresses in the /29 as the endpoint. The WAN IP address (the PPP one) is responding to protocol 41, and if I configure the tunnel to use the (dynamic) address temporarily, IPv6 traffic works fine. I presume that the best way to do this would be to make sure that the kernel's 6in4 stuff binds to all the IP addresses. I don't know how to do or check that.

Failing that I guess maybe I could forward or rewrite protocol 41 inbound on the static IP to the PPP IP. But I'm not sure what to do to achieve that either.

Next, I am wondering about the viability of doing things completely differently. It would make sense to me to make the router, well, route. To assign the public addresses to certain machines on the LAN, and have the router route to them: no NAT, no rewriting. I presume I can create routing rules to do this, but I'm not entirely sure how. I'm also not sure if this would need further firewall configuration.

Any pointers would be appreciated. One thing that won't be appreciated is "use ". The box I have doing routing is perfectly adequate, and I don't have, or want, spare Linux/FreeBSD/whatever boxes just lying around chock full of NICs, ready and waiting to be used as routers.

You likely won't get a more complex iptables policy than I have, but I haven't fried my brain trying to get a wrangle hold on it. The great folks at fwbuilder put together a great tool that allows one to work at an abstracted layer, developing a comprehensive policy without being burdened with the nuts/bolts/ins/outs of iptables. You install fwbuilder on your PC, set up what kind of firewall device the policy will run on, create the policy, install the policy and activate it. dd-wrt is definitely supported, though Tomato might be a different story. I use Fedora, and the latest release has fwbuilder in their main repos. maintains (or at least used to) repos for other distros.

My internet gateway is a box with 1 onboard NIC (ISP), and a 4 port NIC bonded, that has 7 or 8 VLANs trunked onto the bond. My setup is overly complex for home use, but it's my mad scientist lab. fwbuilder does a great job of dealing with the code for iptables and lets me focus on policy. It does DNAT, SNAT, MASQUERADE, routing, IPv4 and IPv6 policies, and supports bonds, trunked VLANs, and bridged interfaces. The policy can be configured for logging via syslog or klogd and makes for some great (and voluminous) logs.

ip tunnel add sit0 mode sit remote local ttl
iptables -t nat -A PREROUTING -s 217.36.xx.yy/32 -p 41 -j ACCEPT
# Map protocol 41 traffic to the HE endpoint from the router's private IPv4 address as coming from the static IPv4 address
iptables -t mangle -A PREROUTING -s -p 41 -j NETMAP --to 217.36.xx.yy/32
iptables -t nat -A PREROUTING -s -p 41 -j ACCEPT
# Map protocol 41 traffic from the HE endpoint to the static IPv4 address as destined for the router's IPv4 address
iptables -t mangle -A PREROUTING -s -d 217.36.xx.yy/32 -p 41 -j NETMAP --to

I'm a bit confused by what you mean by "There's an interface vlan1, and I've bound all 6 usable IP addresses to that interface." Ordinarily you don't need to bind IPs used for NAT to anything. Your router will receive all eight of them on the PPP interface because they are routed to it. If there's a NAT configuration in place saying send IP X to interface Y then it will "just work". Using this approach also means that you should be able to use all 8 IPs, should you have a need to.
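The 1:1 DNAT/SNAT approach from the original post, written up as an added dry-run shell script; it is not the poster's own rule set and not code from dd-wrt, Tomato or fwbuilder. It assumes ppp0 as the WAN interface, uses constructed RFC 5737 addresses in place of the real /29 and LAN hosts, and the function names are hypothetical. It makes explicit what the post's rules leave implicit: the SNAT must match the LAN host as source, FORWARD only opens the listed services for new connections, and the nat rules are inserted (-I) so they sit ahead of the firmware's own MASQUERADE.

```shell
#!/bin/sh
# Added example (not the thread's rules): 1:1 NAT for selected addresses of a
# routed /29, aimed at a dd-wrt style router where ppp0 is the WAN interface.
# Addresses are constructed placeholders (RFC 5737), not the real /29.
# Run as-is to print the rules; DRY_RUN=0 applies them with iptables.
set -eu

DRY_RUN=${DRY_RUN:-1}
WAN_IF=${WAN_IF:-ppp0}   # assumed PPPoE interface the /29 is routed to

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# one_to_one PUBLIC_IP LAN_IP "proto:port ..."
# Inbound: DNAT the public address to the LAN host, and let only the listed
# services through FORWARD. Outbound: SNAT by source (-s LAN_IP) so the host's
# own connections leave with its public address. Rules are inserted (-I) so they
# land ahead of whatever the firmware already put in these chains, in particular
# its MASQUERADE rule, which would otherwise match before the SNAT.
one_to_one() {
    pub=$1; lan=$2; services=$3
    run iptables -t nat -I PREROUTING -i "$WAN_IF" -d "$pub" -j DNAT --to-destination "$lan"
    run iptables -t nat -I POSTROUTING -o "$WAN_IF" -s "$lan" -j SNAT --to-source "$pub"
    for svc in $services; do
        proto=${svc%%:*}; port=${svc##*:}
        run iptables -I FORWARD -i "$WAN_IF" -d "$lan" -p "$proto" --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}

# Stateful baseline for FORWARD. Called after one_to_one() because -I inserts at
# the top: these end up above the per-service rules, and the last inserted rule
# (LAN to WAN) ends up first. Older dd-wrt builds only ship "-m state --state".
forward_baseline() {
    run iptables -P FORWARD DROP
    run iptables -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -I FORWARD -i "$WAN_IF" -m conntrack --ctstate INVALID -j DROP
    run iptables -I FORWARD ! -i "$WAN_IF" -o "$WAN_IF" -j ACCEPT
}

# Constructed sample mapping: one public address per internal server.
main() {
    one_to_one 198.51.100.10 10.0.0.2 "tcp:53 udp:53"
    one_to_one 198.51.100.11 10.0.0.3 "tcp:22 tcp:443"
    forward_baseline
}
main
```

Run it with DRY_RUN=0 on the router, or paste the printed lines into the firewall script dd-wrt runs at boot. Because only NEW connections to the listed ports are accepted in FORWARD and everything else rides on the established/related baseline, a DNATed host is reachable from the WAN on exactly the services named for it.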
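The routed alternative the original post asks about, combined with the reply's point that the /29 already arrives on the PPP interface, as an added example that is not from the thread, dd-wrt or Hurricane Electric: the router owns one /29 address on the LAN bridge, uses it as the 6in4 local endpoint, and the rest of the block is routed to LAN hosts with no NAT and no protocol 41 rewriting. The interface names, the tunnel name he-ipv6, the function names and every address (RFC 5737/3849 ranges standing in for the real /29, the HE server and the client /64) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, dd-wrt or Hurricane Electric): the router
# owns one address of the routed /29, uses it as the 6in4 endpoint, and routes the
# rest of the block to LAN hosts without NAT. Interface and tunnel names and all
# addresses are assumptions; RFC 5737/3849 ranges stand in for real ones.
# Run as-is to print the commands; DRY_RUN=0 applies them.
set -eu

DRY_RUN=${DRY_RUN:-1}
WAN_IF=${WAN_IF:-ppp0}                     # PPPoE interface the /29 is routed to
LAN_IF=${LAN_IF:-br0}                      # LAN bridge (Wi-Fi and switch ports)
PUB_NET=${PUB_NET:-198.51.100.8/29}        # placeholder for the routed block
ROUTER_PUB=${ROUTER_PUB:-198.51.100.9}     # router's own public address
HE_V4=${HE_V4:-203.0.113.1}                # placeholder: HE tunnel server IPv4
CLIENT_V6=${CLIENT_V6:-2001:db8:1::2/64}   # placeholder: client side of the tunnel /64

# Print the command in dry-run mode, execute it otherwise.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# The /29 already arrives on ppp0 because the ISP routes it there, and Linux
# accepts traffic for any address it owns. Putting the router's /29 address on
# the LAN bridge creates the connected route for the block, so LAN hosts that
# are given the other addresses are reached by plain routing.
routed_block() {
    run ip addr add "$ROUTER_PUB/29" dev "$LAN_IF"
    # Keep the block out of the firmware's MASQUERADE: inserted ahead of it,
    # ACCEPT in the nat table means "no NAT for this packet".
    run iptables -t nat -I POSTROUTING -s "$PUB_NET" -o "$WAN_IF" -j ACCEPT
    # Public hosts may connect out; inbound to them only for established flows,
    # unless a further FORWARD rule opens a service on a host's public address.
    run iptables -I FORWARD -s "$PUB_NET" -o "$WAN_IF" -j ACCEPT
    run iptables -I FORWARD -d "$PUB_NET" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# 6in4 with the router's /29 address as the local endpoint: encapsulated packets
# are sent from "local", and the broker's replies to that address arrive over
# ppp0 like any other packet for the block.
sit_tunnel() {
    run ip tunnel add he-ipv6 mode sit remote "$HE_V4" local "$ROUTER_PUB" ttl 255
    run ip link set he-ipv6 up
    run ip -6 addr add "$CLIENT_V6" dev he-ipv6
    run ip -6 route add default dev he-ipv6
    # Only the broker may send protocol 41 to the endpoint. -I inserts at the top,
    # so the DROP goes in first and the ACCEPT is then inserted above it.
    run iptables -I INPUT -p 41 -j DROP
    run iptables -I INPUT -p 41 -s "$HE_V4" -d "$ROUTER_PUB" -j ACCEPT
}

routed_block
sit_tunnel
```

Inbound services to a routed host are opened with a FORWARD rule that matches the host's public address as destination; no nat table entry is needed. The protocol 41 pair on INPUT is the check worth keeping whichever way the tunnel is set up: it limits 6in4 to the broker's address and the endpoint, instead of accepting encapsulated IPv6 from anywhere.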