Multiple CPE/Public IPs? [Mods: Delete]

Yuji Saeki

Occasional Visitor
My ISP leases me multiple public IPv4 and IPv6 IPs. I don't know of any router that can conveniently pass specific MACs' DHCP requests through to the ISP and still allow LAN traffic, so I've settled for something that might be a bit easier:

I need to bridge together the traffic that the WAN sees with one of the LAN ports so they both see all the same traffic, EXCEPT that the LAN port can still talk to 192.168.1.X even though both the WAN and the LAN port have their own public IPs (visible to the world). The LAN port would be able to connect to the external WAN as well AND the internal LAN, and the LAN could talk to the LAN port without having to go out through the WAN and back (but wouldn't reach outside). If I attempt on the LAN port to access a LAN IP, it should go through the LAN, not the WAN.

Looking at my AC87, I've got:

Port 0 (WAN)
Port 1 (LAN Port 4)
Port 2 (LAN Port 3)
Port 3 (LAN Port 2)
Port 5 (LAN Port 1)

Port 3 and 5 (LAN Ports 2 and 1) are LAGed/LACP, switch-independent so everything is stock.

I'm attempting to achieve something similar to how many modern cable modems work. Everyone can see 192.168.100.1, even if they are on a hub and have a router hooked into the hub supplying a NAT LAN and one machine on the hub as an actual client, and that NAT LAN could talk to the machine on the hub from its public IP. They can all see 192.168.100.1 from the modem, but only the LAN can see 192.168.1.1. This time, I'd like even the public side to see 192.168.1.1.
 
Simple: put that "special" LAN port into the same VLAN as the WAN port.
And create a separate NAT rule for it, so it would not traverse the WAN but would have separate NAT between those interfaces.

The RT-AC87U is a tricky one, as one LAN port is not connected to the Broadcom switch; it is connected to the QSR wireless chipset, so it cannot be managed the way all the others can.

BTW, cable modems have a secondary IP, and that 192.168.100.1 cannot talk to the internet, so that example would not do...
If that is the actual thing you wish, just put that LAN port in the same VLAN as your WAN and then assign a secondary private IP to it.
From a network security standpoint I would personally not recommend it.
 
I know how cable modems work, I worked on a few firmwares a few years ago, but I never did any of the work for vlan/bridging etc. Ignore everything to do with the modem, I must have worded things funny. >_> Happen to know what I'd need (cmds)?

Port 0 is WAN
Ports 1, 2, 3, 5 are physical ports 4, 3, 2, 1 respectively; physical ports 2 and 1 (switch ports 3 and 5) are for NIC teaming and they're switch-independent LACP.

To be clearer perhaps:

Modem has a LAN IP of 192.168.100.1 and any client hooked up gets a public WAN IP.
I'd like the AC87 to get its own public IP and use NAT for all wireless and the usual LAN ports 1 and 2 (for NIC teaming behind the router, a NAS). For the remaining two ports, they'd get public WAN IPs too, and they could talk to 192.168.100.1 AND the LAN of the AC87 (and each other as well) over the LAN half, without going out through the WAN and back in (efficient/optimized). Every NATed machine could see the modem as well as the two public-IP machines, and communicate with them too without going out through the WAN. (Those two public machines could also access the router www panel, DLNA, etc.)
 
How does it get that IP?
Via DHCP?

If so, are you sure that you can get multiple IPs from your provider?
ISPs tend to limit DHCP IPs per customer...

Anyway, this should work:
Simple: put that "special" LAN port into the same VLAN as the WAN port.
And create a separate NAT rule for it, so it would not traverse the WAN but would have separate NAT between those interfaces.

Still a bit more information is required, what do you plan to use this second public IP for?

And DLNA won't work over NAT... that's by the protocol design, so this rules out using it from a public IP.
And for web GUI access, it would be a really bad idea to expose your router management to the internet, which public IPs actually are, unless you could apply some kind of access control, and that means using static public IPs.

Happen to know what I'd need (cmds)?

Unfortunately I don't own an RT-AC87U, so I have no idea about its internal VLAN allocations; I can only guess them, so it would be a bit hard for me to spit out the actual configuration.
 
Yes, I get multiple IPs (dynamic). My ISP charges $5 an IP; I receive 4 extra currently. I've been hosting everything via VMware, all bridged, but now I've moved two of those to a NAS. It needs public IPs but LAN speeds to LAN devices. It just is how it needs to be.
 
Wouldn't it be just easier to dual-home those VMware machines and just have separate public and private VLANs on them?
It would make more sense, be easier to configure, and actually be a more proper solution.

As for commands... you should use robocfg for VLAN config.
NAT between interfaces could be done via simple iptables rules.
 
Moving away from vmware. I appreciate your help/input, but I think my situation is a little more unique (about why I need it this way).
 
Moving away from vmware. I appreciate your help/input, but I think my situation is a little more unique. Thanks anyway. A Googling I must go. :(

I don't think it is unique; only the goal is hard to understand.
Maybe you can put together a simple diagram of what should be accessible from where and how; it helps to visualize the actual problem.

Command:
Code:
robocfg show
output from your router would also help, to see how the VLANs are allocated by default.
 
Modem LAN: 192.168.100.X - Bridge to ISP, Passes along DHCP requests and I am leased up to 4 Public IP Addresses

Router WAN (Public IP) connected to Modem - I want this to continue getting a Public IP Address

Router WLAN (192.168.1.128-253) - I want this to continue being NAT routed for the Router WAN

Router LAN Ports 1 & 2 (87.X.X.X) - LACP - A NAS Team, I want to receive Public IP Addresses for the Client AND VMs from the ISP DHCP

Router LAN Port 3 (192.168.1.X) - I want this to continue being NAT routed for the Router WAN

Router LAN Port 4 (88.X.X.X) - I want to receive a Public IP Address from the ISP DHCP

================

I want every LAN device to still be able to talk to each other, by the Public IP or Private IP, without that traffic going through WAN:

LAN Port NAS Team should see everyone on the WLAN and LAN (including LAN Port 4) and be able to talk to them even though its IP is 87.X.X.X. *
LAN Port 4 should see everyone on the WLAN and LAN (including LAN Port NAS Team) and be able to talk to them even though its IP is 88.X.X.X. *
LAN Port 3 should see everyone on the LAN and be able to talk to LAN Port NAS Team and LAN Port 4. *
WLAN should see everyone on the LAN (including WLAN) and be able to talk to LAN Port NAS Team and LAN Port 4. *

* All without being routed through the WAN port. They all can access the WAN port if they wish to, though. They all can also access 192.168.100.X. No traffic targeted for the public IP addresses should be seen by any LAN clients.

If LAN Client 192.168.1.66 (random LAN Port 3 machine) requests 87.X.X.X...it should go to the actual LAN Port NAS Team WITHOUT being routed out through the WAN and back from the ISP at 'WAN' speeds. Etc?

================

#robocfg show
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: on mac: ISP
Port 1: DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
Port 2: DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
Port 3: 1000FD enabled stp: none vlan: 1 jumbo: on mac: NAS
Port 4: 1000FD enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
Port 8: DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 1 2 3 5 7t
2: vlan2: 0 7
1045: vlan1045: 2t 3
1046: vlan1046: 0t 1t 3 7t
1047: vlan1047: 0 1t 2t 3 4 5t 7t 8t
1099: vlan1099: 0 2t 3t 7 8u
1100: vlan1100: 1t 2t 3t 4t 8t
1101: vlan1101: 2t 4t 7t 8t
1102: vlan1102: 3t 7 8t
1103: vlan1103: 0 3 4 7

*Edit

Not exactly a diagram but I hope it is detailed enough to convey.
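The switch-side half of the advice given earlier in the thread (put the "special" LAN port into the same VLAN as the WAN port, using robocfg), worked through against the `robocfg show` output above. This is an added example, not code from the thread or from the router firmware. It assumes robocfg's `vlan <id> ports "<list>"` syntax (a `t` suffix marks a tagged member) and the RT-AC87U port numbering shown above (switch port 0 = WAN, 1 = LAN port 4, 7 = CPU); the starting VLAN memberships are copied from the output above.

```shell
#!/bin/sh
# Added example, not from the thread: turn the VLAN table printed by
# `robocfg show` into the robocfg commands that move one switch port out of
# the LAN VLAN (vlan1, bridged into br0) into the WAN VLAN (vlan2, eth0).
# Assumed: robocfg `vlan <id> ports "<list>"` syntax, "t" suffix = tagged,
# and the RT-AC87U numbering from the thread: 0 = WAN, 1 = LAN4, 7 = CPU.

VLAN1_PORTS="1 2 3 5 7t"   # copied from the robocfg show output in the thread
VLAN2_PORTS="0 7"

# remove_port LIST PORT: LIST without PORT, whether tagged or untagged
remove_port() {
    for p in $1; do
        case "$p" in
            "$2"|"${2}t") ;;
            *) printf '%s ' "$p" ;;
        esac
    done | sed 's/ *$//'
}

# add_port LIST PORT: LIST plus PORT as an untagged member, numerically ordered
add_port() {
    printf '%s\n' $1 "$2" | sort -n | tr '\n' ' ' | sed 's/ *$//'
}

# move_to_wan_vlan PORT: print the two robocfg commands (pipe into sh to apply)
move_to_wan_vlan() {
    new1=$(remove_port "$VLAN1_PORTS" "$1")
    new2=$(add_port "$VLAN2_PORTS" "$1")
    printf 'robocfg vlan 1 ports "%s"\n' "$new1"
    printf 'robocfg vlan 2 ports "%s"\n' "$new2"
}

# guard PORT: refuse the WAN and CPU ports, moving those cuts the router off
guard() {
    case "$1" in
        0|7) echo "port $1 is the WAN/CPU port, refusing to move it" >&2; return 1 ;;
    esac
}

# Usage: sh vlan-move.sh 1        # print the commands for LAN port 4
#        sh vlan-move.sh 1 | sh   # apply them on the router
if [ -n "${1:-}" ]; then
    guard "$1" && move_to_wan_vlan "$1"
fi
```

After applying, `robocfg show` should list switch port 1 under vlan2 only and report `vlan: 2` for it, since robocfg sets the PVID of untagged members; robocfg writes straight to the switch, so the change does not survive a reboot unless it is re-run at boot. The security consequence is the one the reply above warns about: the host on that port is now on the ISP's segment with none of the router's firewall in front of it, gets its address from the ISP's DHCP rather than the router's, and shares a broadcast domain with the router's own WAN interface, so the router's WAN-side input rules are all that separates it from the router.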
 
Not exactly a diagram but I hope it is detailed enough to convey.

Yep, it describes traffic flows in detail.
From your output I presume you don't have LACP configured yet?
And I also presume that 192.168.100.x has a /24 prefix as usual?

Router WAN (192.168.1.1) connected to Modem - I want this to continue getting a Public IP Address

But why does your WAN interface have the address 192.168.1.1? :eek:
What type of modem do you actually have? Maybe it is a router instead of a modem?
 
The LACP configuration is switch-independent (I can actually push the traffic, it is working). Yes, /24.

*Edit

I did forget to mention, but everything receives an IPv6 as well from my ISP, even machines behind NAT of course.


My WAN interface has a Public IP. The Router's LAN has 192.168.1.1. I made the typo of listing the Router IP as the WAN, my bad. I'm typing through migraines, nearly blind at the moment. (Dealing with a headache too, my apologies if I'm out of sorts in communicability.)
 
Unfortunately part of your request would be undoable, under current circumstances...

LAN Port NAS Team should see everyone on the WLAN and LAN (including LAN Port 4) and be able to talk to them even though its IP is 87.X.X.X. *
LAN Port 4 should see everyone on the WLAN and LAN (including LAN Port NAS Team) and be able to talk to them even though its IP is 88.X.X.X. *

Accessing a public IP from the LAN means NAT.
You cannot talk directly from a public IP to a private LAN segment.
And as you have DHCP IPs only, DNAT is unfortunately not an option.

IPv6 is actually a lot easier: if you have native IPv6 from your provider, it is just a matter of setting up the necessary iptables rules to permit/deny traffic, no NAT involved... everything is pretty much public.
And you have to actually protect yourself...
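The firewall side of the same design, as an added example that is not from the thread or from the router's own firewall scripts: IPv4 traffic from the LAN towards a host on the WAN segment is source-NATed to the router's current WAN address (so the reply comes back to the router and conntrack maps it to the 192.168.1.x originator), and IPv6 is stateful filtering only, with no NAT. The interface names br0 (LAN bridge) and eth0 (WAN) are assumed from stock Asuswrt, as is the 192.168.1.0/24 LAN from the thread; `DRY=1` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: the iptables side of "separate NAT
# between those interfaces" for IPv4, and plain stateful filtering for IPv6.
# Assumed stock Asuswrt names: br0 = LAN bridge, eth0 = WAN (vlan2).
# Run as `sh fw.sh apply`, or `DRY=1 sh fw.sh apply` to print the rules.

LAN_IF=${LAN_IF:-br0}
WAN_IF=${WAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# run CMD ARGS...: execute the rule, or print it when DRY=1
run() {
    if [ "${DRY:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# IPv4: LAN -> WAN segment is masqueraded to the router's WAN address, so a
# public host on that segment replies to the router and conntrack maps the
# reply back to 192.168.1.x. Nothing unsolicited from the WAN side reaches
# br0; with dynamic public addresses there is no stable target for DNAT.
v4_rules() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -j DROP
}

# IPv6: no NAT, every LAN host carries a global address, so this FORWARD
# chain is the only thing between it and the internet. ICMPv6 is let through
# for path MTU discovery and error reporting.
v6_rules() {
    run ip6tables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    run ip6tables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run ip6tables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p icmpv6 -j ACCEPT
    run ip6tables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -j DROP
}

case "${1:-}" in
    apply) v4_rules && v6_rules ;;
esac
```

The stock firmware already carries a MASQUERADE rule and a stateful FORWARD chain for the WAN; the script shows the mechanism rather than replacing them. The caveat that matters for this thread: these FORWARD rules only protect hosts that sit behind br0. A host moved into the WAN VLAN never passes through the router's FORWARD chain, so for both its IPv4 and its IPv6 address it has to run its own firewall, which is the "you have to actually protect yourself" point in the reply above.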
 
Doesn't seem so hard to just push the traffic intended for private range from public ports to the LAN-side and vice-versa (so long as router saw the dhcp and knew to push those lan to public requests through the ports instead of wan). I think I might have more luck in a linux-distro IRC it seems. When a NAT client sends traffic to the gateway, it could just push it as-is to a PC, which'd respond right back to the same LAN IP as well. The effect I'm going for. Maybe a little tricky but eh.

If anyone knows how to go about bridging those LAN ports with WAN so they all see the same traffic (but aren't subject to the NAT), I'd appreciate it. I think it is a place to start. After that I could work on trying to get them to see LAN traffic (without subjectivity). I think that'd solve everything.
 
Doesn't seem so hard to just push the traffic intended for private range from public ports to the LAN-side and vice-versa (so long as router saw the dhcp and knew to push those lan to public requests through the ports instead of wan). I think I might have more luck in a linux-distro IRC it seems. When a NAT client sends traffic to the gateway, it could just push it as-is to a PC, which'd respond right back to the same LAN IP as well. The effect I'm going for. Maybe a little tricky but eh.

If anyone knows how to go about bridging those LAN ports with WAN so they all see the same traffic (but aren't subject to the NAT), I'd appreciate it. I think it is a place to start. After that I could work on trying to get them to see LAN traffic (without subjectivity). I think that'd solve everything.

Perhaps this will help:

View attachment 5051

What I would actually do is have both the public and the private network on those development machines (dual-homing them) via different VLANs; then they have both IPs and can talk to both networks. Of course you should have a firewall on those, to restrict them from being used as an attack platform against your LAN.
That would be the correct way to do it from a network design perspective, as you cannot do DNAT due to your public IPs' dynamic addressing.

Also, the VLAN config and cable modem access are really easy to implement and are not a problem.

What OS do they have and what network cards?
If they support VLANs too, it would be quite easy to implement dual-homing.
 
What you might do in your situation is yours, and I'm in my own situation. It must be as I am trying to get it. Thank you for your advice, but I've decided to just buy a managed Cisco switch and use the ASUS router for just wireless devices, with all the LAN ports inter-connected and just bridging it, so the ASUS is just a nice 'wireless-only' solution with no web UI, and have Cisco do all the work, since for some reason it seems so difficult to get a "here you go, and why this works" from anywhere on the net, as if one network design/solution "should" fit all. Other networks don't suit me, but thanks anyway.

Can a moderator delete the thread, no solution reached?
 
Because I want to. I have my own reasons and I don't see any need to explain my reasons. Don't worry about it.
 
What you are trying to do is just a broken design to begin with. What you need is to get your ISP to route a prefix to you. In theory it is possible to have the wrt router to listen on multiple WAN IPs with subinterfaces and nat mapping the secondary public IPs to private IPs.

Any real router (hardware or virtual instance) can get the job done, even pfsense. You can have both the VM host running Mikrotik and wrt router connected directly to the ISP, and run a backbone link between them. Then you can do whatever you wish with virtual networks.
 
