Setting up dd-Wrt, Public Sub-Net Over Dynamic WAN

This article describes how to set up dd-Wrt to provision a public CIDR routed over a dynamic WAN connection and a private IP space served by DHCP.

BACKGROUND
The reason for developing this procedure was two-fold.

HARDWARE, FIRMWARE
The assumption for this HOWTO is that you know how to flash your router with dd-Wrt.

I developed this procedure on a WRT54G-TM Linksys/T-Mobile router. The router is flashed with dd-wrt.v24_mega with a 2.6 kernel, build 13972. This procedure should work with other 2.6 kernel builds; however, I have not verified this.

ISP public CIDR delivery
The network configuration has either a static or a dynamic IP address on the WAN side that is not in the same range as the routed subnet. This is a common way to provision static sub-nets in the US for AT&T and Sonic.net (probably others as well). Other providers may use similar methods of delivering service using PPPoE.

BASIC SETUP
Hard resetting the router to its initial state (a 30/30/30 reset; read the WIKI) is recommended before configuring it using this procedure.

Set up the connection for the WAN and LAN as you would if there were no routed public CIDR block. The WAN connection should be set up per the ISP's directions for a static, dynamic, or PPPoE connection.

The LAN connection should likewise be set up as static or with DHCP to suit your network needs.

Stock dd-wrt is pre-configured so that the WAN is connected to vlan1 and the private network (LAN) and WIFI are connected to the internal bridge br0. In the case of the WRT54G-TM, this is port 5 for the WAN and ports 1-4 for the LAN, respectively.

We will create a new vlan by splitting off two of the LAN ports for our routed public CIDR block.

WARNING: The port used for TFTP is port 1. This MUST remain on vlan0 so that if you brick your router you can re-flash it after a hard reset.

To create vlan2, open the web interface to the router.

click SETUP
click VLANs
on line 0, untick ports 3 and 4
on line 2, tick ports 3 and 4
leave the bridge assignment on None
click Apply Settings

The next step is to set up the IP space for vlan2.

click Networking
Port Setup menu, Network Configuration vlan2, click Unbridged
Multicast Forwarding, click Disable
Masquerade / NAT, click Disable

To finish the configuration we must add iptables rules for vlan2. First click Advanced Routing and verify that the router is in Gateway mode.

click Administration
click Commands
and enter this script in the command box


# gateway mode, vlan2 nat disabled
PUBCIDR="66.55.44.0/28"
MYIP="66.55.44.1"
# optional BASTION host
BASTION="66.55.44.2"
LANET="192.168.0.0/24"
# current (possibly dynamic) WAN address, read from vlan1 at boot
WANIP=`ifconfig vlan1 | awk '/dr:/{gsub(/.*:/,"",$2);print$2}'`

# Note: every rule below is added with -I, which inserts at the HEAD of the
# chain, so within each chain the LAST rule listed here is evaluated FIRST.

# drop obvious spoof attempts
iptables -t nat -N chkspoof
iptables -t nat -A chkspoof -s 192.168.0.0/16 -j DROP
iptables -t nat -A chkspoof -s 172.16.0.0/12 -j DROP
iptables -t nat -A chkspoof -s 10.0.0.0/8 -j DROP
iptables -t nat -I PREROUTING -i vlan1 -j chkspoof
iptables -t nat -I PREROUTING -i vlan2 -j chkspoof

# disable NAT for PUBCIDR => WAN
iptables -t nat -I POSTROUTING -s $PUBCIDR -j ACCEPT

# NAT private lan to PUBLIC net
iptables -t nat -I POSTROUTING -o vlan2 -s $LANET -j SNAT --to-source $MYIP

# allow access to routed PUBLIC net
# block access to GUI from internet, allow from bastion host
iptables -I FORWARD -d $PUBCIDR -j ACCEPT
iptables -I FORWARD -d $MYIP -j DROP
iptables -I FORWARD -s $BASTION -d $MYIP -j ACCEPT

# block PUBCIDR -> LAN, allow LAN -> PUBCIDR
iptables -I FORWARD -i vlan2 -o br0 -j DROP
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# block access to GUI from PUBLIC net, allow from bastion host
iptables -I INPUT -s $PUBCIDR -d $MYIP -j DROP
iptables -I INPUT -s $BASTION -d $MYIP -j ACCEPT

# block access to WAN IP from PUBLIC net
iptables -I INPUT -s $PUBCIDR -d $WANIP -j DROP
click Save Firewall

Done! Reboot the router.
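Because the script adds every rule with -I, the chains end up in the reverse of the order written, and that reversal is what makes the policy work: the ESTABLISHED,RELATED accept and the bastion-host allows land ahead of the drops they must override. The following model is an added example, not part of the original HOWTO or of dd-wrt. It replays the script's FORWARD and INPUT rules with the article's sample addresses under first-match semantics, using a constructed WAN address (203.0.113.7) and constructed sample packets, so you can check the resulting verdicts without a router and see what would break if -A had been used instead. Traffic that none of the HOWTO's rules decide is reported as STOCK, meaning dd-wrt's own rules (not modelled here) would handle it.

```python
import ipaddress

# Sample addresses from the HOWTO's script. WANIP is a constructed stand-in for
# the dynamic WAN address that the script reads from vlan1 at run time.
PUBCIDR = ipaddress.ip_network("66.55.44.0/28")
MYIP = ipaddress.ip_address("66.55.44.1")
BASTION = ipaddress.ip_address("66.55.44.2")
WANIP = ipaddress.ip_address("203.0.113.7")

ESTABLISHED = {"ESTABLISHED", "RELATED"}


class Chain:
    """Minimal model of one iptables chain: ordered rules, first match wins.
    Packets matching none of the HOWTO's rules fall through to dd-wrt's stock
    rules, which are not modelled; that outcome is reported as 'STOCK'."""

    def __init__(self):
        self.rules = []

    def add(self, target, insert, **match):
        # iptables -I puts the rule at the head of the chain, -A at the tail.
        if insert:
            self.rules.insert(0, (match, target))
        else:
            self.rules.append((match, target))

    def verdict(self, pkt):
        for match, target in self.rules:
            if all(_match(pkt.get(k), v) for k, v in match.items()):
                return target
        return "STOCK"


def _match(value, want):
    """Match one packet field against a rule value (network, address, set or literal)."""
    if value is None:
        return False
    if isinstance(want, ipaddress.IPv4Network):
        return ipaddress.ip_address(value) in want
    if isinstance(want, ipaddress.IPv4Address):
        return ipaddress.ip_address(value) == want
    if isinstance(want, set):
        return value in want
    return value == want


def build_chains(insert=True):
    """Replay the HOWTO's filter-table rules in script order.
    insert=True reproduces the script's `iptables -I`; insert=False shows what
    the same lines would do if `-A` had been used instead."""
    fwd, inp = Chain(), Chain()
    # allow access to routed PUBLIC net; block GUI from internet, allow from bastion
    fwd.add("ACCEPT", insert, dst=PUBCIDR)
    fwd.add("DROP", insert, dst=MYIP)
    fwd.add("ACCEPT", insert, src=BASTION, dst=MYIP)
    # block PUBCIDR -> LAN, allow LAN -> PUBCIDR (replies come back as ESTABLISHED)
    fwd.add("DROP", insert, iif="vlan2", oif="br0")
    fwd.add("ACCEPT", insert, state=ESTABLISHED)
    # block GUI from PUBLIC net, allow from bastion; block WAN IP from PUBLIC net
    inp.add("DROP", insert, src=PUBCIDR, dst=MYIP)
    inp.add("ACCEPT", insert, src=BASTION, dst=MYIP)
    inp.add("DROP", insert, src=PUBCIDR, dst=WANIP)
    return fwd, inp


def pkt(src, dst, iif, oif=None, state="NEW"):
    return {"src": src, "dst": dst, "iif": iif, "oif": oif, "state": state}


# Constructed traffic samples, one per flow the HOWTO's comments describe.
FORWARD_SAMPLES = {
    "internet->pubcidr host": pkt("198.51.100.5", "66.55.44.3", "vlan1", "vlan2"),
    "pubcidr host->lan":      pkt("66.55.44.3", "192.168.0.10", "vlan2", "br0"),
    "lan->pubcidr host":      pkt("192.168.0.10", "66.55.44.3", "br0", "vlan2"),
    "pubcidr reply->lan":     pkt("66.55.44.3", "192.168.0.10", "vlan2", "br0", "ESTABLISHED"),
}
INPUT_SAMPLES = {
    "pubcidr host->gui":   pkt("66.55.44.3", "66.55.44.1", "vlan2"),
    "bastion->gui":        pkt("66.55.44.2", "66.55.44.1", "vlan2"),
    "pubcidr host->wanip": pkt("66.55.44.3", "203.0.113.7", "vlan2"),
    "lan->gui":            pkt("192.168.0.10", "66.55.44.1", "br0"),
}


def evaluate(insert=True):
    """Return {sample name: verdict} for both chains under the chosen rule placement."""
    fwd, inp = build_chains(insert)
    out = {name: fwd.verdict(p) for name, p in FORWARD_SAMPLES.items()}
    out.update({name: inp.verdict(p) for name, p in INPUT_SAMPLES.items()})
    return out


if __name__ == "__main__":
    for mode, insert in (("-I (as in the HOWTO)", True), ("-A (for comparison)", False)):
        print(mode)
        for name, verdict in evaluate(insert).items():
            print(f"  {name:24} {verdict}")
```

With -I, replies from the public block to the LAN are accepted by the ESTABLISHED rule and the bastion host reaches the GUI; with -A the "vlan2 -> br0 DROP" rule would sit ahead of the state rule and silently break return traffic, and the PUBCIDR -> MYIP drop would shadow the bastion allow. Checking the live chains after a reboot with iptables -L FORWARD -n -v and iptables -L INPUT -n -v should show the same ordering the model produces.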

ACKNOWLEDGEMENTS
The original idea for this came from a procedure written by Odel Arbel at:

setting-up-dmz-with-multiple-static-ips-on-an-office-lan-using-dd-wrt.
The procedure I developed worked on 2.4 kernels but was awkward to say the least. When the requirement for a larger hash table size came up I posted to the dd-wrt forum in this thread:
ddwrt locks up with high active connection count
and with the help of "phuzi0n, DD-WRT Guru" the procedure in this HOWTO was generated.

enjoy, Michael Robinton, michael(at)bizsystems.com