Advanced DMZ, bridge WAN to LAN, route WAN IP to LAN ports

[docbob]

Hello everyone! I have a need to route the WAN IP to a LAN port and at the same time still use the NAT IPs.
The script I found does work on Shibby Tomato but the VLANs don't work for the ISP. Also tried DD-WRT, but it won't work with the ISP either. And... I have also tested that google project firmware (Padavan) but it just keeps locking up. So, here I am The VLAN on Merlin does work, yeah! But does this script?? Please see the script below. Not sure if the ports are named the same or have the same order or if the firmware is based on the same version of Linux. Any help, Ideas??? Asus RT-AC66U.
#!/bin/sh -x
WIF=$(nvram get wan_iface)
WIP=$(nvram get wan_ipaddr)
WNM=$(nvram get wan_netmask)
WGW=$(nvram get wan_gateway)
LIF=$(nvram get lan_ifname)
LIP=$(nvram get lan_ipaddr)
LNM=$(nvram get lan_netmask)
IFCONFIG=/sbin/ifconfig
ROUTE=/sbin/route
IPTABLES=/usr/sbin/iptables
# remove WAN IF IP
$IFCONFIG $WIF 0.0.0.0 up
# replace default route to Gateway through WIF
$ROUTE add -host $WGW dev $WIF
$ROUTE add default gw $WGW
# add route to WAN IP through LAN iface
$ROUTE add -host $WIP dev $LIF
# enable proxy_arp so can use WGW s gateway on LAN device
echo "1" >/proc/sys/net/ipv4/conf/$WIF/proxy_arp
echo "1" >/proc/sys/net/ipv4/conf/$LIF/proxy_arp
# replace MASQ on WIF with SNAT
$IPTABLES -t nat -D POSTROUTING -o $WIF -j MASQUERADE
$IPTABLES -t nat -I POSTROUTING -s $LIP/$LNM -o $WIF -j SNAT --to-source $WIP
# add a bit of extra firewall
$IPTABLES -t nat -I PREROUTING -i $WIF -d ! $WIP -j DROP

 

[docbob]

Update: Created script and ran it, and this is what I got:
+ nvram get wan_iface
+ WIF=
+ nvram get wan_ipaddr
+ WIP=0.0.0.0
+ nvram get wan_netmask
+ WNM=
+ nvram get wan_gateway
+ WGW=0.0.0.0
+ nvram get lan_ifname
+ LIF=br0
+ nvram get lan_ipaddr
+ LIP=192.168.2.1
+ nvram get lan_netmask
+ LNM=255.255.255.0
+ IFCONFIG=/sbin/ifconfig
+ ROUTE=/sbin/route
+ IPTABLES=/usr/sbin/iptables
+ /sbin/ifconfig 0.0.0.0 up
ifconfig: SIOCGIFFLAGS: No such device
+ /sbin/route add -host 0.0.0.0 dev
BusyBox v1.20.2 (2015-03-06 14:48:00 EST) multi-call binary.

Usage: route [{add|del|delete}]

Edit kernel routing tables

-n Don't resolve names
-e Display other/more information
-A inet{6} Select address family

+ /sbin/route add default gw 0.0.0.0
route: SIOCADDRT: Invalid argument
+ /sbin/route add -host 0.0.0.0 dev br0
./admz.sh: line 20: can't create /proc/sys/net/ipv4/conf//proxy_arp: nonexistent directory
+ echo 1
+ echo 1
+ /usr/sbin/iptables -t nat -D POSTROUTING -o -j MASQUERADE
Bad argument `MASQUERADE'
Try `iptables -h' or 'iptables --help' for more information.
+ /usr/sbin/iptables -t nat -I POSTROUTING -s 192.168.2.1/255.255.255.0 -o -j SNAT --to-source 0.0.0.0
Bad argument `SNAT'
Try `iptables -h' or 'iptables --help' for more information.
+ /usr/sbin/iptables -t nat -I PREROUTING -i -d ! 0.0.0.0 -j DROP
Bad argument `0.0.0.0'
Try `iptables -h' or 'iptables --help' for more information.

 

[buddyp]

WIF=$(nvram get wan_iface)

there's no nvram variable called "wan_iface" on this router, so WIF is null, which causes the ifconfig and route commands to fail.

replace that line with

WIF=$(nvram get wan0_ifname)

similarly, you need to replace

WNM=$(nvram get wan_netmask)

with

WNM=$(nvram get wan0_netmask)

 

[docbob]

Wonderful. I'll try that and post the results. Best Regards, Bob

 

[docbob]

New error, but much much better:

$IPTABLES -t nat -D POSTROUTING -o $WIF -j MASQUERADE
iptables: No chain/target/match by that name

Does Merlin have the "nat table kernel module" loaded and the "MASQUERADE module" loaded ?? How do I test this? Thanks again!

 

[docbob]

I understand MASQUERADE allows one to route traffic without disrupting the original traffic route. i.e. I want to send the WAN IP to a LAN port while still using NAT, yes?

Eric the firmware guy was kind enough to help and said:
Check the content of your iptables. The rule is normally there in normal router mode (although not with the syntax you are trying to match against in your delete request).
i.e.
/tmp/home/root# iptables -t nat -L POSTROUTING -vn
Chain POSTROUTING (policy ACCEPT 120 packets, 14995 bytes)
pkts bytes target prot opt in out source destination
108K 12M MASQUERADE all -- * eth0 !198.42.1.81 0.0.0.0/0
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0xb400

Still not sure how to proceed, anyone?