This note explains how to add new public IP addresses, beyond the first static IP address, to the WAN interface of a DD-WRT router. All public addresses are assigned to computers that reside within the LAN network served by the router. Therefore, network address translation (NAT) is performed between the public addresses and the addresses assigned internally. This note was written after the procedure was successfully performed on:
When enquiring to receive a new static IP address from my ISP, I found out that a subnet could be leased for a monthly fee. I selected a subnet containing two IP addresses which was assigned to my internet service. The new addresses were communicated using a slash notation: XXX.XXX.XXX.XXX/30.
Although a /30 subnet might suggest that four distinct addresses are available, there are only two. Each subnet contains two addresses that have special meaning: the first, which is the subnet identifier, and the last, which is the subnet broadcast address. Therefore, the first address available for assignment in a subnet is the one after the subnet identifier. For example, if the assigned subnet was 220.127.116.11/30, then the subnet identifier would be 18.104.22.168, the broadcast address would be 22.214.171.124 and the available addresses would be 126.96.36.199 and 188.8.131.52.
For simplicity in the following examples, we will assume that the assigned subnet is 184.108.40.206/30. Also, it will be assumed that the public address 220.127.116.11 is assigned to a computer that is manually set with the LAN address 192.168.1.40.
The solution is two-fold. First, assign one of the new public IP addresses to the router’s WAN interface. Then, use firewall rules to route packets to and from the desired computer within the LAN.
Although the solution calls for entering commands through the router’s web interface, I suggest you test those commands by entering them at the command line using a telnet or SSH session to your router. Once this works well, transcribing the commands to the web interface is a good way to save those changes in case the router is rebooted.
Assign Public Address
Using a web browser, open the web interface to your router. This is usually done by directing your browser to an address similar to: 192.168.1.1.
Open the command page by selecting the “Administration” tab, followed by the “Commands” sub-tab.
In the text box titled “Commands” under “Command Shell”, enter the commands to assign the public address to the WAN interface. Use the example below as a template and substitute the addresses according to your situation:
WANIF=`nvram get wan_iface`
/sbin/ifconfig $WANIF:1 18.104.22.168 netmask 255.255.255.252 broadcast 22.214.171.124
Once this is entered in the text box, save the changes by pressing the button titled “Save Startup”.
The firewall rules are entered in the same “Commands” text box used in the previous step. However, they are saved with the button titled “Save Firewall” instead of “Save Startup”.
In the firewall rules, one command maps the public address to the internal address, one command maps the internal address to the public address, and one command accepts each port that should be forwarded.
Use the following template and substitute the appropriate addresses and ports:
/usr/sbin/iptables -t nat -I PREROUTING -d 126.96.36.199 -j DNAT --to 192.168.1.40
/usr/sbin/iptables -t nat -I POSTROUTING -s 192.168.1.40 -j SNAT --to 188.8.131.52
/usr/sbin/iptables -I FORWARD -d 192.168.1.40 -p tcp --dport 80 -j ACCEPT
/usr/sbin/iptables -I FORWARD -d 192.168.1.40 -p tcp --dport 22 -j ACCEPT
The above example forwards HTTP (port 80) and SSH (port 22) requests to the internal computer.
For the changes to take effect, the router must be rebooted. Using the router’s web interface, navigate to the “Administration” tab and the “Management” sub-tab. Finally, press the button titled “Reboot Router” at the bottom of the page.
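As an added example (not part of the original note), the script below derives the subnet identifier, usable hosts, broadcast address and netmask from a leased CIDR block, then prints the startup and firewall commands with mutually consistent addresses. It refuses a public address that is the subnet identifier or the broadcast address. The block 203.0.113.8/30 is a constructed documentation range, the function names are hypothetical, and `nvram get wan_iface` is assumed to return the WAN interface name on your build.

```sh
#!/bin/sh
# Added example. Addresses are constructed (RFC 5737 documentation range).
# Function names are hypothetical. Valid for prefix lengths /1 to /30.

ip2int() {  # dotted quad -> 32-bit integer
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {  # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# subnet_info CIDR -> "network first_host last_host broadcast netmask"
subnet_info() {
    addr=${1%/*}; bits=${1#*/}
    mask=$(( (4294967295 << (32 - $bits)) & 4294967295 ))
    net=$(( $(ip2int "$addr") & $mask ))
    bcast=$(( $net | (~$mask & 4294967295) ))
    echo "$(int2ip "$net") $(int2ip $(($net + 1))) $(int2ip $(($bcast - 1)))" \
         "$(int2ip "$bcast") $(int2ip "$mask")"
}

# emit_rules CIDR PUBLIC_IP LAN_IP PORT... -> commands for the two text boxes
emit_rules() {
    cidr=$1; pub=$2; lan=$3; shift 3
    read -r net first last bcast mask <<EOF
$(subnet_info "$cidr")
EOF
    # The subnet identifier and broadcast address cannot be given to a host.
    if [ "$pub" != "$first" ] && [ "$pub" != "$last" ]; then
        echo "error: $pub is not an assignable address in $cidr" >&2
        return 1
    fi
    echo "# Commands box, saved with Save Startup"
    # Assumption: nvram get wan_iface returns the WAN interface name.
    echo 'WANIF=`nvram get wan_iface`'
    echo "/sbin/ifconfig \$WANIF:1 $pub netmask $mask broadcast $bcast"
    echo "# Commands box, saved with Save Firewall"
    echo "/usr/sbin/iptables -t nat -I PREROUTING -d $pub -j DNAT --to $lan"
    echo "/usr/sbin/iptables -t nat -I POSTROUTING -s $lan -j SNAT --to $pub"
    for port in "$@"; do  # one ACCEPT per forwarded TCP port
        echo "/usr/sbin/iptables -I FORWARD -d $lan -p tcp --dport $port -j ACCEPT"
    done
}

# Constructed input: leased block, chosen public address, LAN host, ports.
emit_rules 203.0.113.8/30 203.0.113.9 192.168.1.40 80 22
```

Run it on a workstation, check the printed addresses against what the ISP assigned, and only then paste each group of lines into the matching text box.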