OpenWrt Forum Archive

Topic: Handling Multiple External IP's

The content of this topic has been archived on 21 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have an Asus WL-500W running Kamikaze.  I am about to purchase an additional IP (making two) from my ISP to help alleviate some connectivity issues with a particular game when both my roommate and I try to play together (it likes to have particular ports open...and if we're both playing one of us can have a hard time connecting to others).  The ISP has recommended connecting a switch to the cable modem, then the computers to the switch.  Should work...but is there a way to do this from within my router, to provide some additional security in the form of not automatically making all of the computers' ports directly open to the internet....

I really don't know where to begin since I've never dealt with a connection that has more than one IP assigned to it.


Edit: Ok so I've spent the last 3 hours trying to figure it out on my own...

Having never had a reason to do this, I discovered that in a traditional Linux distro it's possible to create a sub-interface, which will allow a single interface to be assigned multiple IPs.  From there it appears that it would be a simple (kinda) matter of iptables to forward the correct ports to the correct computer.

Problem is I can't seem to figure out how to handle a subinterface in openwrt...let alone be able to start beating away at the correct iptables.

This is my current network config file...not sure if that's where I set up the sub interfaces.

config switch eth0
        option vlan0    "0 1 2 3 4 5u"

#### Loopback configuration
config interface loopback
        option ifname   "lo"
        option proto    static
        option ipaddr   127.0.0.1
        option netmask  255.0.0.0


#### LAN configuration
config interface lan
        option type     bridge
        option ifname   "eth0 wl0"
        option proto    static
        option ipaddr   192.168.1.1
        option netmask  255.255.255.0


#### WAN configuration
config interface        wan
        option ifname   "eth1"
        option proto    dhcp

(Last edited by Druidjaidan on 18 Sep 2007, 20:45)

In the old days you might have needed to have multiple interfaces to handle multiple IP addresses.  Not so currently. I am not sure how to do it with the OpenWrt configuration, but from the command line (create a script?)

Install the ip package; this gives you access to the new interface into the kernel - it's a superset of ifconfig and some of route.

ip address (ip a) - gives you access to the addressing information
ip link (ip li) - gives you access to the link information - MTU, queue length, etc.

You probably only need ip a; try ip a help, but something like this to add an address:

ip address add dev <devname> aaa.bbb.ccc.ddd/<netmask>

should do it.

OK, I've added the package ip...however I'm at a loss for how to use it in my situation and I'm struggling to find any documentation on it.

My ISP is providing me with two dynamic IPs so I don't know the IP. Is there a way to tell it to get the IP via DHCP?  What is supposed to go into <devname>?

Edit: OK, so I've found some documentation http://linux-ip.net/gl/ip-cref/node1.html ...but I'm still not terribly clear, though I'm getting closer.  I can't figure out (is it possible?) how to have the dev pull the IP from DHCP.

Edit2: OK, so I've figured out some more I think...So I need to do this all in a script where I use udhcpc (I think...and I don't have a friggin clue how to use it) to grab an IP address from my ISP.  Then use "ip addr add $ipaddr dev eth1 label eth1:0".  Is that somewhere close to correct?  Anything more anyone can provide to help me get this set up?

Played with it some more...OK, so I figured out that if I do udhcpc -i eth1 then it triggers a response from my ISP's DHCP server to issue me an IP....unfortunately it always issues me the same one, so not sure how to work around that.

(Last edited by Druidjaidan on 19 Sep 2007, 12:45)

Ok...So I've made a ton of progress.  In order to get the second IP I do as follows:

ip addr add dev eth1 label eth1:1 0.0.0.0
udhcpc -i eth1:1

With that I get two different IPs assigned to the interface and sub-interface of eth1.  Next step: figure out how to get the correct IPs forwarded to the correct computers.

Strange they are giving you 2 DHCP IPs - don't they have static ... anyway.


I would suggest that you use a different MAC address.  This is how the DHCP server keeps track of which IP is assigned to which machine.

Keep your router's MAC for your machine and use your 2nd computer's MAC for eth1:1 (do not place it on the same eth port as the machine as you will have a MAC address clash).

So when you make a request with the eth1:0 MAC you assign that to your machine, and when you make a request with the other you assign that to your other machine.

A script in the udhcp - where you capture the IP address - can set up iptables rules, but remember to remove the old ones, and remember the nat table is only looked at at the start of a conversation, i.e. if you have a TCP connection open for say 10 min and your IP address changes, only the first SYN packet hits the nat table; the rest of the packets only hit the filter table. This can cause some problems....

Actually the ip package is not necessary.  ifconfig will add IPs to an interface:

ifconfig eth0:1 192.168.5.1 netmask 255.255.255.0

alexsamad wrote:

Strange they are giving you 2 DHCP IPs - don't they have static ... anyway.


I would suggest that you use a different MAC address.  This is how the DHCP server keeps track of which IP is assigned to which machine.

Keep your router's MAC for your machine and use your 2nd computer's MAC for eth1:1 (do not place it on the same eth port as the machine as you will have a MAC address clash).

So when you make a request with the eth1:0 MAC you assign that to your machine, and when you make a request with the other you assign that to your other machine.

A script in the udhcp - where you capture the IP address - can set up iptables rules, but remember to remove the old ones, and remember the nat table is only looked at at the start of a conversation, i.e. if you have a TCP connection open for say 10 min and your IP address changes, only the first SYN packet hits the nat table; the rest of the packets only hit the filter table. This can cause some problems....

Truthfully...if I asked I'm sure I could buy static IPs, but they probably charge crazy amounts for them.

OK, so I managed to get it set up like this:

eth1      Link encap:Ethernet  HWaddr 00:1A:92:BB:6D:66
          inet addr:72.200.95.130  Bcast:72.200.95.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:225710 errors:0 dropped:0 overruns:0 frame:0
          TX packets:65479 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:40643973 (38.7 MiB)  TX bytes:4890913 (4.6 MiB)
          Interrupt:5

eth1:0    Link encap:Ethernet  HWaddr 00:1A:92:BB:6D:66
          inet addr:70.171.223.136  Bcast:70.171.223.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:5

So I have my two IPs.  However, I'm pretty new to all this networking (quite in over my head in all reality).  So I have no idea how to capture the IP when I run udhcpc, and from there I think if I look it up I should be able to write the portion that makes the iptables rules...but really this stuff is quickly getting beyond my knowledge.

That's the fun, all the learning.

This is a cut from my /etc/udhcpc.user (this is from White Russian; I am in the process of moving over to Kamikaze):

============
#!/bin/sh
# udhcpc runs this with the event name in $1 (deconfig, bound, renew, ...)
# and the lease details in the environment (see the ENV list below).

[ -z "$1" ] && echo "Error: should be run by udhcpc" && exit 1

RESOLV_CONF="/tmp/resolv.conf"

# state files read by /root/scripts/multidgw.sh
BSA=/var/run/multigw.cable


## ENV
#router=141.168.16.1
#subnet=255.255.252.0
#HOME=/root
#dhcptype=5
#domain=nsw.bigpond.net.au
#interface=vlan2
#dns=61.9.195.193 61.9.194.49 61.9.134.49
#serverid=172.18.18.80
#broadcast=255.255.255.255
#PATH=/bin:/sbin:/usr/bin:/usr/sbin
#ip=141.168.18.35
#lease=3600
#mask=22
#PWD=/root
#
## ARG
#bound

echo "$interface" >"$BSA"
echo "$ip" >"$BSA.iplocal"
echo "$router" >"$BSA.ipremote"


case "$1" in
        renew|bound)
                echo "search lan1.hme1.samad.com.au hme1.samad.com.au samad.com.au" > /etc/resolv.conf
                echo "nameserver 192.168.11.10" >> /etc/resolv.conf
                echo "nameserver 192.168.11.11" >> /etc/resolv.conf

                # remove every old default route via this gateway (main table and
                # table "default") before installing the new one
                while route del default gw $router dev $interface 2>/dev/null 1>&2 ; do :; done
                while /usr/sbin/ip route del tab default default via $router dev $interface 2>/dev/null 1>&2 ; do :; done

                /usr/sbin/ip route replace tab default default via $router dev $interface metric 30 src $ip

                # ISP-local networks always go out this link with this source address
                /usr/sbin/ip route replace 61.9.128.0/17 via $router dev $interface src $ip
                /usr/sbin/ip route replace 144.135.0.0/16 via $router dev $interface src $ip
                /usr/sbin/ip route replace 144.140.0.0/16 via $router dev $interface src $ip
                /usr/sbin/ip route replace 165.228.0.0/16 via $router dev $interface src $ip
                /usr/sbin/ip route flush cache

                /root/scripts/multidgw.sh
        ;;
esac

exit 0
===========

If you want to see what it is doing (i.e. to debug your own one), try adding this near the top:

exec > /tmp/debug.txt 2>&1
set -x


That tells it to redirect stdout and stderr to the file /tmp/debug.txt; the set -x tells sh to show each command before it runs it, which can help.

Off the top of my head for the NAT'ing.
On the inbound
you will need a line on the INPUT table, I would suggest (this is a bit of a hack and will eventually overflow).  But grab the IP address from the above scripts, determine which interface - and thus which destination IP to go to - and then iptables

iptables -t nat -I PREROUTING -d <dst ip> -j DNAT --to-destination <inside ip>

Sorry, don't remember the full syntax off the top of my head.  This will redirect all traffic to the inside (probably not what you want to do!) - you can limit it by port and/or protocol - but this is only if you want an outside machine to initiate connections to that machine.

For outbound you can do something similar - you have the IP and which machine it is meant to be, so

iptables -t nat -I POSTROUTING -o eth1 -s <your local ip address> -j SNAT --to-source <the dhcp'ed address>

Now the problem with the lines above is they continually add more lines (but at the top of the table).

You could also add a line something like this to delete the lines below:
iptables -t nat -D POSTROUTING 3

That should help
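
Combining the alias procedure from earlier in the thread (ip addr add ... label eth1:1, then udhcpc -i eth1:1) with the udhcpc hook script and the DNAT/SNAT idea in this post, here is an added example of a per-alias udhcpc event script; it is not code from the thread. It forwards only a fixed port list to one LAN host instead of all traffic, and rebuilds its own nat chains on every lease so nothing accumulates and no rule for a previous address lingers. It assumes a LAN host 192.168.1.20 and ports 27015/27016 (both constructed), that udhcpc is started with -s pointing at this file, and that the two chains were created and hooked into PREROUTING/POSTROUTING once at boot (shown in the header comment).

```shell
#!/bin/sh
# Added example (not from the thread): udhcpc event script for the eth1:1
# alias, started as  udhcpc -i eth1:1 -s /etc/udhcpc.alias  (path assumed).
# It maps the leased public IP to ONE LAN host for a fixed port list only,
# instead of DNAT'ing all traffic.  Constructed assumptions: LAN host
# 192.168.1.20, game ports 27015 and 27016, and two dedicated nat chains
# created and hooked once at boot with
#   iptables -t nat -N alias_pre;  iptables -t nat -I PREROUTING  -i eth1 -j alias_pre
#   iptables -t nat -N alias_post; iptables -t nat -I POSTROUTING -o eth1 -j alias_post
LAN_HOST="${LAN_HOST:-192.168.1.20}"
PORTS="${PORTS:-27015 27016}"
IPT="${IPT:-iptables}"

# Emit the iptables commands for one lease as text (so they can be read or
# tested without touching the kernel).  The chains are flushed and rebuilt
# on every lease, so rules never pile up and no DNAT/SNAT for an address
# from an earlier lease survives.
nat_rules() {
    pub="$1"; lan="$2"; ports="$3"
    echo "$IPT -t nat -F alias_pre"
    echo "$IPT -t nat -F alias_post"
    for p in $ports; do
        for proto in tcp udp; do
            echo "$IPT -t nat -A alias_pre -p $proto -d $pub --dport $p -j DNAT --to-destination $lan"
        done
    done
    # Outbound traffic from that host leaves with the alias address, not eth1's.
    echo "$IPT -t nat -A alias_post -s $lan -j SNAT --to-source $pub"
}

# Flush-only variant for when the lease is lost.
nat_clear() {
    echo "$IPT -t nat -F alias_pre"
    echo "$IPT -t nat -F alias_post"
}

# udhcpc passes the event in $1 and the lease in $ip/$subnet/$interface.
# Routes and resolv.conf are left alone: the primary eth1 lease owns them.
case "$1" in
    bound|renew)
        [ -n "$ip" ] || { echo "no ip in environment" >&2; exit 1; }
        ifconfig "$interface" "$ip" netmask "$subnet"   # configure the alias itself
        nat_rules "$ip" "$LAN_HOST" "$PORTS" | sh
        ;;
    deconfig)
        nat_clear | sh
        ;;
esac
```

Because the alias shares eth1's MAC, the ISP's DHCP server may hand the alias the same lease as eth1, which is the MAC-address point made earlier in this post.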

lschweiss wrote:

Actually the ip package is not necessary.  ifconfig will add IPs to an interface:

ifconfig eth0:1 192.168.5.1 netmask 255.255.255.0

Hi, can this command be replaced with the relevant uci set command? I want it to take effect in /etc/config/network after a system reboot.

The discussion might have continued from here.