Adding an additional routable subnet to router

2

I have a commercial cable modem running Tomato 1.28 by shibby. It currently has a static IP address assigned via DHCP and works fine. I was assigned some additional routable IPs but they are in a different subnet.

**WAN**
addr:1.2.3.10  Bcast:1.2.3.255  Mask:255.255.255.0 
**LAN**
inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0 

**Additional WAN block info:**
Network:        2.2.3.120/29
Subnet Mask:    255.255.255.248
Start:          2.2.2.121
End:            2.2.2.126

I plan on assigning the 5 new addresses to 192.168.1.x hosts and then mapping them to the public addresses.

**LAN**            **WAN** 
192.168.1.121 ->  2.2.2.121
192.168.1.122 ->  2.2.2.122
...
192.168.1.126 ->  2.2.2.126

Should this be done with firewall rules or static routes?

Instructions from the ISP: ...you stated that you will be routing your additional block here is a basic example of what will need to be done to your equipment

Routing: I will need you to configure an IP from this block to an INTERNAL interface; I would suggest using the first usable IP of 2.2.2.121. This IP will then act as the gateway for the subnets traffic.

user456717

Posted 2015-06-09T00:33:44.593

Answers

1

Should this be done with firewall rules or static routes?

If, by static routes, you mean iproute2's suite, then you are right, it can be done both ways, and I have been unable so far to perceive a performance difference.

A NIC will accept UNICAST traffic only under two circumstances:

  1. It has the IP address the UNICAST traffic is directed to;

  2. It is in promiscuous mode.

Promiscuous mode is considered a security hazard. Thus you should assign the new set of public IP addresses to the WAN port on your router.

NETFILTER option

You could redirect all traffic to the appropriate PC by means of this single iptables command:

    iptables -t nat -A PREROUTING -d 2.2.2.121 -j DNAT --to-destination 192.168.1.121

but this leaves a small hole: netfilter NAT does not cause the kernel to answer ARP requests for the NATted IP, see here. I thus suggest you use two redirects as follows:

    iptables -t nat -A PREROUTING -d 2.2.2.121 -p tcp -j DNAT --to-destination 192.168.1.121
    iptables -t nat -A PREROUTING -d 2.2.2.121 -p udp -j DNAT --to-destination 192.168.1.121

This does not re-route non-TCP/UDP traffic, so that ICMP/ARP traffic reaches the router's kernel, which acts accordingly.

Likewise for your other IPs and servers.

iproute2 option

This way, you do not touch iptables at all, and ARP traffic is correctly accounted for. The commands to issue are:

    ip route add nat 2.2.2.121 via 192.168.1.121
    ip rule add nat 2.2.2.121 from 192.168.1.121

The first rule applies to INBOUND traffic, the second one to OUTBOUND traffic. The first rule redirects the traffic to your local server by rewriting the destination address. The second rule rewrites the source address to make it look like the reply is coming from the public IP 2.2.2.121 instead of the local IP 192.168.1.121.

Enjoy. And, BTW,

It currently has a static IP address assigned via DHCP and works fine

what does this mean???

MariusMatutiae

Posted 2015-06-09T00:33:44.593

Reputation: 41 321

"It currently has a static IP address assigned via DHCP and works fine. What does this mean???" That means that although I have a static IP address, it is assigned via DHCP. Thanks for the info, I'll give the iproute2 option a try and see how things go. – None – 2015-06-10T12:36:53.603
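The following is an added example and is not code from the question or the answer. It shows the netfilter route to the question's 1:1 mapping written the way a practitioner would deploy it on Tomato: the router takes ownership of each public address (which closes the ARP gap the answer describes when the block is delivered on-link), DNAT handles every protocol rather than only TCP/UDP, a matching SNAT makes each host's outbound traffic leave as its own public address, and a FORWARD allow-list stops a bare DNAT from exposing every port of the internal host. It also validates each public address against the /29 before any rule is loaded, which catches the kind of digit slip visible in the question (2.2.3.120 versus 2.2.2.121). Assumptions: `vlan2` and `br0` are the usual Tomato WAN and LAN interface names (check with `nvram get wan_ifname` and `nvram get lan_ifname`), the chain name `pubnat` and the per-host port lists are constructed for this example, and only the first three mappings from the question are listed.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Generates (and with
# APPLY=1 applies) 1:1 NAT for a routed /29 on a Tomato router, with an
# allow-list so a DNAT does not expose every port of the internal host.
# Assumptions: WAN_IF=vlan2 and LAN_IF=br0 are the usual Tomato names (check
# with `nvram get wan_ifname` / `nvram get lan_ifname`); the chain name
# "pubnat" and the per-host port lists are constructed for this example.
WAN_IF="${WAN_IF:-vlan2}"
LAN_IF="${LAN_IF:-br0}"
CHAIN="pubnat"
PUBLIC_NET="2.2.2.120/29"

# public  private  allowed inbound ports (proto:port, comma separated; constructed)
MAPPINGS="
2.2.2.121 192.168.1.121 tcp:22,tcp:443
2.2.2.122 192.168.1.122 tcp:80,tcp:443
2.2.2.123 192.168.1.123 udp:1194
"

ip2int() {
    # dotted quad -> integer; POSIX sh only, so busybox ash on the router runs it
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_block() {
    # true when $1 is a usable host address in PUBLIC_NET (not network/broadcast);
    # catches slips such as 2.2.3.x for 2.2.2.x before a rule is ever loaded
    net=${PUBLIC_NET%/*}; bits=${PUBLIC_NET#*/}
    base=$(ip2int "$net")
    size=$(( 1 << (32 - bits) ))
    n=$(ip2int "$1")
    [ "$n" -gt "$base" ] && [ "$n" -lt $(( base + size - 1 )) ]
}

emit_host_rules() {
    pub=$1; priv=$2; ports=$3
    # Own the public address so the kernel answers ARP/ICMP for it if the ISP
    # delivers the block on-link; harmless if the block is routed to 1.2.3.10.
    echo "ip addr add $pub/32 dev $WAN_IF 2>/dev/null"
    # Inbound: rewrite the destination for every protocol, not only TCP/UDP.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $priv"
    # Outbound: traffic from the host leaves as $pub, not as the router's 1.2.3.10.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $priv -j SNAT --to-source $pub"
    # FORWARD sees the post-DNAT address, so the allow-list matches on $priv.
    oldifs=$IFS; IFS=,
    for spec in $ports; do
        echo "iptables -A $CHAIN -d $priv -p ${spec%%:*} --dport ${spec#*:} -m state --state NEW -j ACCEPT"
    done
    IFS=$oldifs
}

emit_rules() {
    echo "iptables -N $CHAIN 2>/dev/null"
    echo "iptables -F $CHAIN"
    # Jump only for WAN->LAN traffic; anything not addressed to a mapped host
    # returns to Tomato's own FORWARD rules untouched.
    echo "iptables -I FORWARD 1 -i $WAN_IF -o $LAN_IF -j $CHAIN"
    echo "iptables -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$MAPPINGS" | while read -r pub priv ports; do
        [ -n "$pub" ] || continue
        if ! in_block "$pub"; then
            echo "# skipped $pub: not a usable address in $PUBLIC_NET" >&2
            continue
        fi
        emit_host_rules "$pub" "$priv" "$ports"
    done
    # All accepts first, then a per-host default deny, so chain order is right.
    printf '%s\n' "$MAPPINGS" | while read -r pub priv ports; do
        [ -n "$pub" ] || continue
        in_block "$pub" || continue
        echo "iptables -A $CHAIN -d $priv -j DROP"
    done
}

# Default is a dry run that prints the commands; APPLY=1 executes them (as root
# on the router, e.g. from Administration > Scripts > Firewall so they are
# re-applied whenever Tomato rebuilds its firewall).
if [ "${APPLY:-0}" = 1 ]; then
    emit_rules | sh
else
    emit_rules
fi
```

Run it once without `APPLY=1` to inspect the generated rules. Two caveats the answer does not spell out: the ARP concern only exists if the ISP hands the /29 to you on-link; when the block is routed to your WAN address, as the ISP's note describes, upstream never ARPs for 2.2.2.x and the `ip addr add` lines are merely harmless. And if you instead follow the ISP's own layout (2.2.2.121 on an internal interface, public addresses configured directly on the hosts, no NAT), only the FORWARD allow-list part of this script still applies.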