Route an IP from WAN to a host on LAN on OpenWRT

Question

EDIT: I know how to use NAT, I specifically want the server to be reachable on two IP's, one private, one public, with the firewall of the OpenWRT in between, if feasible.

At the office we have recieved a /29 from our ISP. The first address is reserved for their endpoint, so I'm free to use five addresses.

We run a local network, so of course there is a router in between running OpenWRT to provide all hosts with (W)LAN (dhcp from a private range).

However, we also have a server running OS X Server 10.6 (Snow Leopard) and I'd like that server to be accessible both from the LAN using a private IP as well as from the WAN on it's own public IP.

Point of note is that the server only has one network port, so multiple NICs is not an option, unfortunately.

How would I go about doing this?

score 4 · Accepted Answer · answered Nov 25 '11 at 20:33

While you certainly could use NAT to simply DNAT a public address to the OS X machine, there would be issues with protocols which are broken by NAT or with host interconnection as soon as you would want more than one machine on the "DMZ".

You could set up a "proper" DMZ by using a combination of some advanced networking techniques, namely

VLANs so your OS X server would not need additional physical NICs
ProxyARP to route IP packets between networks with the same network address / subnet mask characteristics

The basic outline:

define a new VLAN for the DMZ and a new virtual interface with the same IP address as your wan interface on your OpenWRT device
make sure the port where your OS X machine is connected to the OpenWRT router is defined as a tagged member (i.e. has a t appended in the VLAN definition line)
set up a virtual interface with the same VLAN ID as defined previously for the DMZ on your OS X server
set up the IP address from the address space you want to use on the OS X server's virtual DMZ interface and add a default route through the OpenWRT public address
set up routes accordingly and enable proxy arp on the OpenWRT machine
don't forget to set up filters for your newly-created DMZ

This will take some time and testing on your side and the ProxyARP part will need some basic scripting to get persistent as it cannot be configured with UCI.

So, if I understand correctly, using this without Proxy ARP would be the same as a DMZ via VLAN, right? — Zsub, Nov 25 '11 at 21:22
You can't use it without proxy arp if you need packet filtering / firewalling functionality for your DMZ. The simple reason is that your ISP's router is going to try to deliver IP packets to any host within your /29 subnet locally. If you want to do away with proxy arp, you would need to ask your ISP for another subnet assignment which would serve as a transit network between your ISP's router and your OpenWRT device. — the-wabbit, Nov 25 '11 at 22:14

score 0 · Answer 2 · answered Nov 25 '11 at 09:05

0

I've never used OpenWRT, but it's possible usin NAT forwarding:

http://wiki.openwrt.org/doc/uci/firewall#forwarding.ports.destination.natdnat

answered Nov 25 '11 at 09:05

dannymcc

2,717
10
48
72

Ah, I know how to do NAT :) I'd like to have the server on a DMZ of sorts, except that the main firewall on the OpenWRT would remain in place. – Zsub Nov 25 '11 at 09:11

Route an IP from WAN to a host on LAN on OpenWRT

2 Answers2