I recently purchased a block of 8 static IP addresses for use with my U-Verse plan. U-Verse has been a very stable and reliable ISP for me for the last two years, and at $15/month the price was good, so I jumped. An 8-address block gives me 5 usable IPs (the other three are the network address, the broadcast address and the gateway) that I can use to host various websites.

I want to host websites on a machine on my internal LAN in the 192.168.x.x range, using port forwarding on my firewall so that port 80 is passed through to it. The reason is mostly so that I can reach the server from the internal LAN, use it for print serving, etc., while still using it as a firewalled Internet-facing web server.

Normally an ISP routes a block of IP addresses to you, you assign them on your router and send them wherever you want. Not so with U-Verse. Each static IP is actually assigned dynamically via DHCP by the U-Verse gateway (the residential gateway, or RG), and each address pulled from the gateway MUST be requested from a different MAC address. Unfortunately, most off-the-shelf firewall routers cannot do this: they have one, maybe two, MAC addresses, and the uplink port normally has a single MAC address from which it pulls a single DHCP lease.

I’m using a D-Link DIR-615 rev. C that I had lying around and noticed that OpenWRT lists it as a supported device. OpenWRT is replacement firmware for routers that runs a small Linux distribution on the device. I figured that if I could get Linux running on it, I could accomplish what I wanted: pull all 5 usable IP addresses from the U-Verse gateway and forward traffic on a per-IP/port basis to particular internal LAN machines.

I first downloaded the OpenWRT image (http://downloads.openwrt.org/snapshots/trunk/ar71xx/openwrt-ar71xx-dir-615-c1-squashfs.uni) for my router. I then held in the reset switch for 30 seconds while plugging in the power, which puts the router into recovery mode. I manually set my computer’s IP address to 192.168.0.2 and navigated to http://192.168.0.1, which brings up the router’s recovery flash page, where I could upload the .uni image for OpenWRT.

I set my computer’s IP back to dynamic and restarted the router. After the lights stopped blinking, I made sure I had a valid 192.168.1.x IP address and ran

telnet 192.168.1.1

This brought me to the router’s Linux shell. I ran the passwd command to set the root password and exited the shell. Until a root password is set, the router accepts unauthenticated telnet logins, so do this before anything else; once the password is set, telnet is disabled and SSH is enabled. I then used PuTTY to connect to 192.168.1.1 again.

Next, I installed the ip and kmod-macvlan packages, which allow you to create virtual ethX adapters, each with its own MAC address, on top of a physical interface. I also installed the LuCI web interface and its firewall app so I could configure port forwarding from a browser later (hostapd-mini is for the wireless side and is not needed for the static IPs).

opkg update
opkg install ip
opkg install kmod-macvlan
opkg install hostapd-mini
opkg install luci-admin-full  
opkg install luci-fastindex
opkg install luci-app-firewall

I then modified /etc/rc.local so the virtual adapters are created at every boot:

# Put your custom commands here that should be executed once
# the system init finished. By default this file does nothing.

#AMW edits
# One macvlan child of eth1 per static IP. Each child gets its own MAC
# address, because the U-Verse gateway hands out one lease per MAC.
ip link add link eth1 eth2 type macvlan
ifconfig eth2 hw ether 00:24:01:f5:1b:84

ip link add link eth1 eth3 type macvlan
ifconfig eth3 hw ether 00:24:01:f5:1b:85

ip link add link eth1 eth4 type macvlan
ifconfig eth4 hw ether 00:24:01:f5:1b:86

ip link add link eth1 eth5 type macvlan
ifconfig eth5 hw ether 00:24:01:f5:1b:87

ip link add link eth1 eth6 type macvlan
ifconfig eth6 hw ether 00:24:01:f5:1b:88

# Bring up every interface in /etc/config/network (including wan1-wan5)
# now that the devices they refer to exist.
ifup -a

# Make sure the default route leaves through the main WAN interface,
# not through one of the macvlan children.
route add default gw 75.30.80.1 dev eth1

# One-shot clock sync so the router has a sane time after boot.
ntpclient -c 1 -s -h ntp1.dlink.com

exit 0

eth0 is my local LAN interface and eth1 is my main outgoing public Internet interface. eth2 to eth6 are the virtual macvlan interfaces, each of which will hold one of the static IP addresses. The /etc/config/network below adds the virtual adapters as DHCP-configured interfaces alongside the main WAN.
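The rc.local block above names each child interface and types its MAC by hand. The following POSIX shell script is an added example, not code from the original post: it derives the five MACs from the first one (with carry across octets), rejects a multicast address, and emits equivalent ip link commands that are safe to re-run because they skip links that already exist. The parent interface, base MAC and count are the post’s values; the function names and the script itself are mine.

```shell
#!/bin/sh
# Added example, not from the original post: build the macvlan setup for
# /etc/rc.local from one base MAC instead of typing five MACs by hand.

PARENT=eth1                      # physical WAN interface, as in the post
BASE_MAC='00:24:01:f5:1b:84'     # first child MAC, as in the post
COUNT=5                          # one child interface per usable static IP

# mac_add MAC N -> MAC + N, carrying across octets, lower-case, colon-separated.
# The 48-bit address is handled as a single integer.
mac_add() {
    hex=$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')
    v=$(( (0x$hex + $2) & 0xffffffffffff ))
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' \
        $(( (v >> 40) & 255 )) $(( (v >> 32) & 255 )) $(( (v >> 24) & 255 )) \
        $(( (v >> 16) & 255 )) $(( (v >> 8) & 255 )) $(( v & 255 ))
}

# mac_unicast MAC -> true unless the group bit (bit 0 of the first octet) is
# set. A multicast MAC is never a valid DHCP client address, so catch it here
# rather than after the gateway silently ignores the lease request.
mac_unicast() {
    first=${1%%:*}
    [ $(( 0x$first & 1 )) -eq 0 ]
}

# macvlan_cmds -> the shell lines to put in /etc/rc.local, one block per
# child. Each child gets its own MAC so the U-Verse gateway sees COUNT
# distinct DHCP clients behind the one physical port.
macvlan_cmds() {
    i=0
    while [ "$i" -lt "$COUNT" ]; do
        dev=eth$(( i + 2 ))
        mac=$(mac_add "$BASE_MAC" "$i")
        mac_unicast "$mac" || { echo "$mac is a multicast address" >&2; return 1; }
        # skip creation if the link is already there (script re-run, ifup -a)
        echo "ip link show $dev >/dev/null 2>&1 || ip link add link $PARENT name $dev type macvlan"
        echo "ip link set dev $dev address $mac"
        echo "ip link set dev $dev up"
        i=$(( i + 1 ))
    done
}
```

Run macvlan_cmds on the router and paste its output into /etc/rc.local in place of the hand-written ip link and ifconfig lines; it only prints commands, so you can inspect them before anything touches the interfaces.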

config 'interface' 'loopback'
        option 'ifname' 'lo'
        option 'proto' 'static'
        option 'ipaddr' '127.0.0.1'
        option 'netmask' '255.0.0.0'

config 'interface' 'lan'
        option 'ifname' 'eth0'
        option 'type' 'bridge'
        option 'proto' 'static'
        option 'ipaddr' '192.168.1.1'
        option 'netmask' '255.255.255.0'

config 'interface' 'wan'
        option 'ifname' 'eth1'
        option 'proto' 'dhcp'

#First static IP
config 'interface' 'wan1'
        option 'ifname' 'eth2'
        option 'proto' 'dhcp'
        option 'defaultroute' '0'
        option 'peerdns' '0'
        option 'gateway' '0.0.0.0'

#second static IP
config 'interface' 'wan2'
        option 'ifname' 'eth3'
        option 'proto' 'dhcp'
        option 'defaultroute' '0'
        option 'peerdns' '0'
        option 'gateway' '0.0.0.0'

#third static IP
config 'interface' 'wan3'
        option 'ifname' 'eth4'
        option 'proto' 'dhcp'
        option 'defaultroute' '0'
        option 'peerdns' '0'
        option 'gateway' '0.0.0.0'

#fourth static IP
config 'interface' 'wan4'
        option 'ifname' 'eth5'
        option 'proto' 'dhcp'
        option 'defaultroute' '0'
        option 'peerdns' '0'
        option 'gateway' '0.0.0.0'

#fifth static IP
config 'interface' 'wan5'
        option 'ifname' 'eth6'
        option 'proto' 'dhcp'
        option 'defaultroute' '0'
        option 'peerdns' '0'
        option 'gateway' '0.0.0.0'

I set the gateway option on all of the virtual adapters to 0.0.0.0 (and defaultroute to 0) so that the regular default gateway learned on eth1 is used instead of the gateways offered with the static IP leases.

After rebooting the router, I logged into the U-Verse gateway and configured each of the new MAC addresses so that it was mapped to one of the static IP addresses instead of an internal 10.0.0.x address.

After rebooting the router one last time, all of my static IPs were assigned on the router and I could use the LuCI interface to configure routing and port forwarding. One thing to check in the firewall settings: each of wan1 to wan5 has to be added to the wan zone. An interface that belongs to no zone falls through to the firewall defaults, which in the stock OpenWRT configuration accept incoming traffic, so the router’s own SSH and web interface would otherwise be reachable on the static IPs.




Posted by Andrew, filed under Linux, security. Date: January 6, 2010, 11:41 am | 16 Comments »

16 Responses

  1. FlexJunk.com has moved | Says:

    [...] you followed my previous post, you know I dug into some serious networking in order to get myself some static IP addresses. As of [...]

  2. John Says:

    Great Post!

    Would you be willing to share your routing configuration and port forwarding?

    Thanks!

  3. Andrew Says:

    @John I added a screenshot with my traffic redirection screen at the end of the post. You can send the traffic to multiple internal servers, or one internal server if you turn on Apache name-based virtual hosting.

  4. Is it possible to have multiple virtual interfaces that are set for DHCP? - Page 2 - Untangle Forums Says:

    [...] to get OpenWRT to do it, maybe we can find someone to use the same procedure to work on Untangle. http://www.flexjunk.com/2010/01/06/u…-with-openwrt/ As far as SonicWall, I do not have any at my disposal right now. Got some Nokia and NetScreens [...]

  5. Andrew Q Says:

    Did you ever get SNAT to work with this? When I tried it I got DNAT working but SNAT isn’t. All new outbound connections from my servers are being mapped to the common IP not their static IP, but static IP to the servers is working, and thank you for that.

  6. Andrew Says:

    @Andrew Q – I don’t think I ever got the server to use SNAT. I don’t do a lot of outgoing traffic from my server and as long as the response to a http request on the outside looks like it’s coming from the correct IP, I haven’t worried about it.

  7. Andrew Q Says:

    Ok, I’ve been struggling getting the SNAT part to work. I run an outgoing mail server and a PBX behind the uverse IPs. Incoming works, but the new connections from the servers don’t have the right IP, which is messing up the SPF settings I’ve had. If I figure it out I’ll post again to share.

    Again thank you for sharing this workaround for the Uverse modem limitation, I would have had to cancel my Business Uverse and go back to my slow DSL line just to get the IPs working again.

  8. Jon Strabala Says:

    So far this writeup is the best solution I have seen for U-verse RGs (3800HGV or 3600HGV). I got 64 public IPs but the firewall on the RG is worthless.

    Can OpenWRT be used to route and protect the public IPs? If so any tips / changes to your configuration.

    I could buy the same D-Link DIR-615 rev. C as you used, but will OpenWRT also run on a PC with 2-4 NICs?

    Thanks in Advance

    Jon

  9. Andrew Says:

    @Jon, You can probably get it to run on a PC, although I’ve never tried. If you’re using a PC, you should be able to run just about any small Linux distribution to route the IPs using macvlan.

  10. Randall Says:

    If I understand your post, the key is that you create virtual interfaces, each with its own fake MAC address, to fool the RG into thinking there is one and only one MAC per IP. This requires that the actual machines have different addresses, such as 192.168.x.x, and you use NAT or at least bi-NAT to translate packets inbound and outbound, and further direct all outbound packets via the matching virtual interface. This allows you to have internal machines change IP address or have multiple IP addresses, without the RG realizing it and throwing a hissy.

    I’ve got U-Verse with a block of 64 statics, with my actual machines assigned a public address, and a Soekris running OpenBSD acting as an Ethernet bridge, but I run into problems with the RG getting into a tizzy.

    I hate the idea of going back to private addresses and NAT/bi-NAT, but I also hate my current setup.

    In theory, it should be possible to fool the RG by having something intercept all ARP packets and faking replies, so the RG thinks there is one unique IP per MAC, but I’m not aware of anything that would do that.

  11. bobh Says:

    Did you ever get the NAT problems solved? I think this is great and I am ready to try it, but I need to have the correct static IP referred to on outbound traffic as well.

  12. Randall Says:

    I’m not sure who bobh is addressing, but my setup is more-or-less OK: each machine has one of the 64 static public IPs from my U-Verse block. I have an OpenBSD system as a router/bridge which blocks DHCP to/from the RG and any other firewall rules I desire. The key to this setup is that the OpenBSD box has a bridge, which fools the RG into thinking there is no other router. This way there is no NAT, no private address. I have another system as my own DHCP server, but I could easily have the OpenBSD box do that as well. My DHCP server hands out static public IPs to my devices.

  13. Victor Orly Says:

    Any idea how to get this working with a SonicWall TZ190?

    I’m about to throw the Uverse 2wire gateway in the trash.

  14. Randall Says:

    Victor — there are only two ways to get this to work:

    (1) use a bridge instead of a router. In OpenBSD at least (and probably for other Unix/Linux as well) you can mostly treat bridges and routers the same, and can filter or apply rules as desired. The key difference is that bridges preserve the Ethernet frame, including source/destination MAC address, fooling the RG into thinking there is no other router, and allowing it to continue to map static IP addresses 1:1 to MAC addresses;

    (2) Use the virtual interface and NAT trick as above. This also results in the RG maintaining a 1:1 mapping between static IP and MAC address, the difference is that your router must then NAT or bi-NAT between the static IPs and private IPs, and each of your machines must use a private IP instead of a public static.

  15. kalle Says:

    Thanks!

  16. RiskFactor Says:

    Was wondering if anyone has used this configuration with a TP-LINK TL-WR1043ND. I have installed the macvlan package and tried to set it up but I’m experiencing some difficulty because of the way the internal switch is configured. From the web interface it shows that the lan (eth0.1) and the wan (eth0.2) are configured based on the internal ethernet switch (eth0). They are derived using VLAN interfaces. When I set up the macvlan interfaces and apply my port forwarding, etc., it never hits the correct internal server. Not sure if the vlan interfaces on the eth0 are causing the problem and if I need to bind the macvlan interfaces to the eth0 instead of the eth0.1. Any help would be appreciated because I’m a bit out of my depth on this one.
