2012.06.25

This note explains how to add public IP addresses, beyond the first static address, to the WAN interface of a DD-WRT router. All of the public addresses are assigned to computers inside the LAN served by the router, so network address translation (NAT) is performed between each public address and the corresponding internal address. The procedure was successfully performed on:

  • ASUS RT-N16 Wireless Router
  • DD-WRT v24-sp2 (08/07/10) mega (SVN revision 14896)
  • ISP: TekSavvy


When I enquired about a second static IP address from my ISP, I found that a subnet could be leased for a monthly fee. I selected a subnet with two usable addresses, which was assigned to my internet service. The new addresses were communicated in slash (CIDR) notation: XXX.XXX.XXX.XXX/30.

Although a /30 subnet might suggest that four distinct addresses are available, only two of them are usable. Every subnet reserves two addresses with special meaning: the first, which is the subnet identifier (network address), and the last, which is the subnet broadcast address. The first address available for assignment is therefore the one after the subnet identifier, and the last is the one before the broadcast address. For example, if the assigned subnet were 1.2.3.4/30, the subnet identifier would be 1.2.3.4, the broadcast address would be 1.2.3.7, and the available addresses would be 1.2.3.5 and 1.2.3.6. Assigning the identifier or the broadcast address to a host will not work.

For simplicity, the following examples assume that the assigned subnet is 1.2.3.4/30 and that the public address 1.2.3.5 is to be mapped to a computer manually configured with the LAN address 192.168.1.40.

Solution

The solution has two parts. First, assign one of the new public IP addresses to the router’s WAN interface as an additional (alias) address. Then, use iptables rules to translate between that public address and the desired computer within the LAN, and to accept only the ports that should be reachable from the internet.

Although the solution calls for entering commands through the router’s web interface, I suggest testing the commands first by typing them at the command line over an SSH session to the router (telnet works too, but it sends the router’s password in clear text). Once they behave as expected, transcribing them into the web interface saves the changes so that they survive a reboot.

Assign Public Address

Using a web browser, open the router’s web interface. It is usually reached at the router’s LAN address, for example 192.168.1.1.

Select the “Administration” tab, followed by the “Commands” sub-tab.

In the text box titled “Commands” under “Command Shell”, enter the commands that add the public address to the WAN interface as an alias. Use the example below as a template and substitute the address, netmask and broadcast address for your own subnet:

WANIF=`/sbin/get_wanface`
/sbin/ifconfig $WANIF:1 1.2.3.5 netmask 255.255.255.252 broadcast 1.2.3.7

Once this is entered in the text box, save the changes by pressing the button titled “Save Startup”. The startup script runs once at boot. In DD-WRT the firewall script is also re-run whenever the WAN connection comes up, so if the alias is lost after a WAN reconnect, add the same two lines to the firewall script as well.

Firewall Rules

The firewall rules are entered in the same text box as in the previous step, but they are saved with the button titled “Save Firewall” instead. The firewall script runs after DD-WRT has built its own rule set, and rules inserted with -I go to the top of their chain, ahead of the rules DD-WRT generates itself.

Three kinds of rule are needed: one maps the public address to the internal address (DNAT, in the nat table’s PREROUTING chain); one maps the internal address back to the public address for outgoing traffic (SNAT, in POSTROUTING, limited to packets leaving on the WAN interface); and one ACCEPT rule in the FORWARD chain for each port that should be reachable from the internet. With DD-WRT’s default SPI firewall, anything not explicitly accepted stays blocked, so list only the ports the internal computer actually serves.

Use the following template and substitute the appropriate addresses and ports:

WANIF=`/sbin/get_wanface`
/usr/sbin/iptables -t nat -I PREROUTING -d 1.2.3.5 -j DNAT --to 192.168.1.40
/usr/sbin/iptables -t nat -I POSTROUTING -o $WANIF -s 192.168.1.40 -j SNAT --to 1.2.3.5
# DNAT has already rewritten the destination by the time FORWARD is evaluated,
# so the accept rules must match the LAN address, not the public one.
/usr/sbin/iptables -I FORWARD -i $WANIF -d 192.168.1.40 -p tcp --dport 80 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i $WANIF -d 192.168.1.40 -p tcp --dport 22 -j ACCEPT

The above example forwards HTTP (port 80) and SSH (port 22) requests arriving for the public address 1.2.3.5 to the internal computer at 192.168.1.40. Because the DNAT rule rewrites the destination before the FORWARD chain is consulted, the ACCEPT rules are written against 192.168.1.40; a FORWARD rule matching -d 1.2.3.5 would never see a packet. Those two ports on the internal computer are now exposed directly to the internet, so harden it accordingly (for SSH, key-based authentication at a minimum).

Reboot Router

For the changes to take effect, reboot the router: in the web interface, open the “Administration” tab, then the “Management” sub-tab, and press the button titled “Reboot Router” at the bottom of the page. After the reboot, confirm from a shell session that the alias exists (ifconfig lists the WAN interface with the :1 suffix) and that the rules are loaded (iptables -t nat -L -n and iptables -L FORWARD -n), then test a connection to the public address from outside your network.
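As an added example (not code from the original post, nor DD-WRT’s own), the script below ties the subnet arithmetic from the /30 explanation to the three steps above. It derives the subnet identifier, broadcast address and usable range from the CIDR the ISP supplies, refuses a public address that is the identifier, the broadcast, or outside the subnet, and prints the Startup and Firewall fragments to paste into the web interface, with the FORWARD rules matching the LAN address. The helper names (ip2int, int2ip, cidr_info, onetoone_rules) and the -i/-o $WANIF restriction to the WAN interface are this example’s own choices; /sbin/get_wanface is the DD-WRT helper used in the note, and 1.2.3.4/30, 1.2.3.5, 192.168.1.40 and ports 80 and 22 are the constructed values from the examples above.

```shell
#!/bin/sh
# Added example for this note (not code from the original post or from DD-WRT).
# Given the leased subnet, the public address to map, the LAN address behind
# it and the TCP ports to expose, it validates the addresses and prints the
# Startup and Firewall fragments described above. Run it on a workstation.
# Names (ip2int, int2ip, cidr_info, onetoone_rules) are this example's own;
# /sbin/get_wanface is the DD-WRT helper used in the note.

# Dotted quad to 32-bit integer: ip2int 1.2.3.4 -> 16909060
ip2int() {
    ip=$1
    a=${ip%%.*}; ip=${ip#*.}
    b=${ip%%.*}; ip=${ip#*.}
    c=${ip%%.*}; d=${ip#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Integer back to dotted quad: int2ip 16909060 -> 1.2.3.4
int2ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# Sets NET and BCAST (integers) and NETMASK (dotted) for a CIDR. Prefixes
# longer than /30 leave no usable host once identifier and broadcast are
# removed, so they are rejected.
cidr_calc() {
    addr=${1%/*}; prefix=${1#*/}
    [ "$prefix" -ge 1 ] 2>/dev/null && [ "$prefix" -le 30 ] || return 1
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    NET=$(( $(ip2int "$addr") & mask ))
    BCAST=$(( NET | (~mask & 0xFFFFFFFF) ))
    NETMASK=$(int2ip "$mask")
}

# cidr_info 1.2.3.4/30 -> "identifier broadcast first_usable last_usable netmask"
cidr_info() {
    cidr_calc "$1" || return 1
    echo "$(int2ip "$NET") $(int2ip "$BCAST") $(int2ip $((NET + 1))) $(int2ip $((BCAST - 1))) $NETMASK"
}

# onetoone_rules SUBNET PUBLIC_IP LAN_IP PORT...
# Prints the two script fragments, or returns 1 when PUBLIC_IP is the subnet
# identifier, the broadcast address, or not inside SUBNET at all.
onetoone_rules() {
    subnet=$1; pub=$2; lan=$3; shift 3
    cidr_calc "$subnet" || { echo "unusable subnet: $subnet" >&2; return 1; }
    p=$(ip2int "$pub")
    if [ "$p" -le "$NET" ] || [ "$p" -ge "$BCAST" ]; then
        echo "$pub is not a usable host address in $subnet" >&2
        return 1
    fi
    echo "# --- Startup (Save Startup) ---"
    echo 'WANIF=`/sbin/get_wanface`'
    echo "/sbin/ifconfig \$WANIF:1 $pub netmask $NETMASK broadcast $(int2ip "$BCAST")"
    echo "# --- Firewall (Save Firewall) ---"
    echo 'WANIF=`/sbin/get_wanface`'
    echo "/usr/sbin/iptables -t nat -I PREROUTING -d $pub -j DNAT --to $lan"
    echo "/usr/sbin/iptables -t nat -I POSTROUTING -o \$WANIF -s $lan -j SNAT --to $pub"
    for port in "$@"; do
        # FORWARD sees the post-DNAT destination, so match the LAN address.
        echo "/usr/sbin/iptables -I FORWARD -i \$WANIF -d $lan -p tcp --dport $port -j ACCEPT"
    done
}

# Usage: sh onetoone.sh 1.2.3.4/30 1.2.3.5 192.168.1.40 80 22
if [ $# -ge 3 ]; then
    onetoone_rules "$@"
fi
```

Saved as, say, onetoone.sh and run as above, it prints the Startup fragment followed by the Firewall fragment. The port list is the only part of the internal computer reachable from the internet, so keep it to what that computer actually serves; the script exits non-zero rather than emitting rules for 1.2.3.4 or 1.2.3.7, the two addresses a /30 cannot assign.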

1 comment so far

  1. Hi there,

    Shouldn’t the forward rules use the internal IP, i.e. 192.168.1.40, as the destination?
    I set it up according to http://www.dd-wrt.com/wiki/index.php/One-to-one_NAT ; it works great for me.

    All the best