Routing Public LAN block

I could probably figure this out on my own with enough time, but I’ve been working through a bunch of VoIP problems and my brain is tired.

My ISP gave us a public LAN block that is pointed at a single IP and I’m trying to figure out how to route it without NAT.

Currently I set the single IP on the WAN interface and programmed the router as a normal NAT router (eth1-50.233.xxx.xxx/30>>NAT>>eth2-192.168.88.1).
Then I added the first address of the public /29 to eth2 (eth2-50.238.xxx.xx1/29), and I’m using the other addresses in the /29 for my public devices connected to the bridged interfaces (50.238.xxx.2 = first device, 50.238.xxx.3 = second device), with an “accept” firewall rule to forward all traffic to the /29 devices.

For the most part everything works great, with the exception that all outbound traffic from the /29 devices goes out to the internet as the WAN address (50.233.xxx.xxx).

What would be the easiest way to route this traffic so all the /29 traffic goes out to the internet as its own /29 address (50.238.xxx.xxx)?

It would be great if I can keep the private LAN (192.168.88.1/24) also, but not absolutely necessary.

Oh and if it helps this is on a hAP ac²


Thanks…Josh

If addresses are routed towards you, you can route them forward, e.g. to a client. And the interface address on your router facing the client doesn’t have to be in the same subnet (to save precious public addresses), but that complicates things a bit.

As to internet-going NAT: you probably have an SRC-NAT rule (or even masquerade) targeting out-interface … you should change this to target both out-interface and src-address (belonging to your private address space).

I figured it out

Just had to go into the default masquerade rule and add a source address of the private LAN so the router doesn’t NAT the public LAN block.

Now all is working great… Thanks
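The configuration the reply describes and the fix Josh applied, written out as an added example (this is not a config export from the thread, and it is not MikroTik's own documentation). Interface names follow the thread (eth1 on the WAN side, eth2 on the LAN/bridge side; a stock hAP ac² names these ether1 and bridge). The thread masks its real addresses, so RFC 5737 documentation ranges stand in as placeholders: 203.0.113.2/30 for the single WAN IP and 198.51.100.0/29 for the routed block. The statement that the stock firewall drops new, non-dst-nat'ed connections from WAN is an assumption about the default hAP ac² ruleset.

```routeros
# Added example, not the thread's own configuration.
# Placeholders (the thread masks the real values):
#   203.0.113.2/30   = the single WAN IP (50.233.xxx.xxx/30 in the thread)
#   198.51.100.0/29  = the routed public block (50.238.xxx.xxx/29 in the thread)

/ip address
add address=203.0.113.2/30 interface=eth1 comment="single WAN IP from the ISP"
add address=192.168.88.1/24 interface=eth2 comment="private LAN"
# First usable address of the routed block on the inside interface; the /29 hosts
# use 198.51.100.1 as their default gateway. The ISP already routes the whole
# block to the WAN IP, so the connected route is enough and no static route is added.
add address=198.51.100.1/29 interface=eth2 comment="gateway for the routed /29"

/ip firewall nat
# BEFORE (the default masquerade rule): it matches on the outgoing interface only,
# so packets from the /29 hosts are rewritten to the WAN address as well.
#   add chain=srcnat action=masquerade out-interface=eth1
#
# AFTER: the rule also matches src-address, so only the private LAN is translated.
# Traffic sourced from 198.51.100.0/29 does not match and leaves with its own address.
add chain=srcnat action=masquerade out-interface=eth1 src-address=192.168.88.0/24 comment="NAT the private LAN only"

/ip firewall filter
# Assumption: the stock firewall drops new inbound connections from WAN that were not
# dst-nat'ed, which also blocks traffic destined for the routed /29. This accept rule
# therefore has to sit above that drop rule (place-before=0 puts it at the top).
# It accepts only connections to the public block; narrowing it further with
# protocol= and dst-port= to the services those hosts actually offer is preferable
# to the thread's "accept everything to the /29".
add chain=forward action=accept in-interface=eth1 dst-address=198.51.100.0/29 connection-state=new place-before=0 comment="inbound to the routed public block"
```

Two things worth knowing when applying this: connections that were already tracked before the masquerade rule was narrowed keep their old translation until they expire (`/ip firewall connection remove [find]` clears them), and because the private LAN and the public /29 share the same inside interface, nothing on the router separates the two groups of hosts from each other at layer 2; putting the public hosts on their own bridge or VLAN is the usual way to get that separation.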