Broadband provider
ISP/package: Unifi BIZ20
Location: PJ
Have you called your ISP's helpline?: No

Personal equipment
Modem: ZTE ZXDSL 931
Router: Asus RT-N13U
Firewall used: Customize Linux Box

Problem details
First occurence of problem: New Router
Problem frequency: New
Problem description:

Well, heard that the stock D-Link DIR-615 router has problem of VPN pass-through which we did face.
So, get a Asus RT-N13U to replace the DIR-615.

In DIR-615, the static-IP is aaa.bbb.ccc.153, and my Firewall connect to LAN-1 using public IP given which is aaa.bbb.ccc.154, set the gateway to aaa.bbb.ccc.153, which work perfectly fine except VPN.

Setting up RT-N13U (with unifi custom firmware) finally up and running, it has the same IP as DIR-615, which is .153.
But now, stuck here, my firewall with IP .154 not working anymore with any LAN ports (1~4). Only private IP 192.168.1.x work well.

Question: How can I use the public IP .154 like it worked in DIR-655 ?

Thanks a lot!

Post your router setup for DIR-615, RT-N13U and your Firewall WAN.

Previous:
LAN 192.168.x.x -- (switch) <=> Firewall WAN: aaa.bbb.ccc.154 --> (LAN1) DIR-615 WAN: aaa.bbb.ccc.153 (PPPoE) --> BTU (ZTE)

New:
LAN 192.168.x.x -- (switch) <=> Firewall WAN: aaa.bbb.ccc.154 --> (LAN1) Asus N13U WAN: aaa.bbb.ccc.153 (PPPoE) --> BTU (ZTE)

Everything exactly same, the problem is, Firewall .154 no longer able to use .153 as gateway.

Suspect: LAN ports in N13U no longers allow PublicIP, cause it is what it suppose to be, LAN port, only private IP allow.
(Yes, I test with a PC with private IP, connect at LAN1, able to access Internet)

Question: In DIR-615, they have:
1. Dual LAN Enable
2. IP Unnumbered Address, which is .153
3. IP Unnumbered Netmask, which is 255.255.255.252
4. LAN Start IP & LAN End IP, which is .154
above setting is under Internet PPPOE setting (not available in RT-N13U)
Under 'Advanced', got Port Mapping which map LAN Port 1~3 to WAN connection 1
This is what I think you can put your firewall with .154 at LAN Port 1~3

Unfortunately, Asus RT-N13U don't have similar 'advanced' setting, how can I make my firewall .154 work as before? Or at least, how to 'use' this public IP .154 since LAN ports only accept private IP (is it true?)

Or maybe nothing I can do, forget about the public IP .154, set my firewall WAN port to private IP, then set it as DMZ in N13U so that it forward EVERYTHING into my firewall ? Then can my firewall do a 2nd level of NAT (N13U NAT to my Firewall, my Firewall NAT into others servers in local network)


This post has been edited by YiQi: Jul 21 2011, 05:33 PM

you cant use .154 because your N13U is doing the outgoing NAT.

try this method
configure your N13U PPPoE connect as Dynamic IP it will automatically assign as .153 for you. Disable DHCP, all NAT and firewall. Change the N13U LAN IP to xxx.xxx.xxx.153 subnet 255.255.255.252.

It should work this way..

Thanks!

Just tried to set that, unfortunately, only private IP are allowed set as LAN IP.

ah.. i hate this kind of router! belkin also don't allowed to change IP!!

flash dd-wrt on your RT-N13U. you can configure VLAN 500 and static routing.

Yap! This is what I did since last Friday, flash DD-WRT firmware.
But the firmware is bugzy, some options appear/disappear unexpected, very annoying, especially Administrator's command..
Luckily can telnet into..
Still R&D on how to use my public IP, not successfully yet (internet OK).
(ifconfig, iptables...etc)
Once succeed, will post here.....

---

Added on July 25, 2011, 11:04 pmYes! I did it.
First of all, flash to DD-WRT firmware, and follow the instruction of K.L.Seet (Thanks a lot!)
Then, you may use the "Administration" => "Commands" to add the follwing:

ifconfig vlan2.500:0 aaa.bbb.ccc.ddd netmask 255.255.255.252

aaa.bbb.ccc.ddd is the public IP TM gave you, and set your netmask properly, and don't forget to "Save Startup".

iptables -t nat -I PREROUTING -d aaa.bbb.ccc.ddd -j DNAT --to www.xxx.yyy.zzz
iptables -t nat -I POSTROUTING -s aaa.bbb.ccc.ddd -j SNAT --to www.xxx.yyy.zzz

again, aaa.bbb.ccc.ddd is the public IP, www.xxx.yyy.zzz is the private IP where you want to NAT to. And don't forget to "Save Firewall".

That's all, to verify your setting, recommend to "telnet" into your DD-WRT box, and check with ifconfig & iptables if your setting is saved and set properly.

Just so simple, isn't it!
Now I have 2 DMZ servers, one is the default .153 and 2nd is the extra .154. Hurray!

(Will continue to test VPN tomorrow....)


This post has been edited by YiQi: Jul 25 2011, 11:04 PM

do you think this will work for any dd-wrt router? as I having the same problem as you