Problems setting up multiple WAN IPs on DD-WRT on Comcast?

Comcast’s SMC Router to Multi IP Buffalo Router

Until IPv6 is fully implemented and supported, we’re still required to set up and use IPv4 addresses for our servers.  If you have multiple services running on your server through virtualization, you’ll want your employees to access each service easily and from anywhere (if you’re anything like my clients, that is).

So you call Comcast and order a /29 (a block of 5 usable IP addresses).  A week passes and they’re ready to install in your gateway.  You’re using DD-WRT because you don’t have a ton of users and you’re doing things on the cheap.  No problem.  Let’s make it work.

I’m not going to go into the complete setup here.  There are links at the bottom of this document that will take you there.  This post is specifically to address an issue I ran into and didn’t find a resolution to online.  After I had my script set up and apparently perfect, I couldn’t get in from outside.  None of my port forwarding rules were working.  I’ll post my code below in case it helps anyone find this page with the answer to this problem.

DD-WRT Multi WAN IP Script

#########################################
# STARTUP SCRIPT #
#########################################

### Adding IP addresses from Comcast ###
# Alias each extra public address from the /29 onto the WAN interface.
WANIF=`get_wanface`
ifconfig $WANIF:1 50.xx.xx.58 netmask 255.255.255.248 broadcast 50.xx.xx.63
ifconfig $WANIF:2 50.xx.xx.59 netmask 255.255.255.248 broadcast 50.xx.xx.63
ifconfig $WANIF:3 50.xx.xx.60 netmask 255.255.255.248 broadcast 50.xx.xx.63

#########################################
# FIREWALL SCRIPT #
#########################################
# For each public address: DNAT only the listed TCP ports to one LAN host,
# accept those ports in FORWARD, and SNAT that host's outbound traffic back out
# of its own public address. Anything not listed stays subject to DD-WRT's
# existing FORWARD rules.

### 50.xx.xx.58 -> 192.168.16.8 (mail.) ###
iptables -t nat -I PREROUTING -d 50.xx.xx.58 -p tcp --dport 80 -j DNAT --to-destination 192.168.16.8
iptables -t nat -I PREROUTING -d 50.xx.xx.58 -p tcp --dport 443 -j DNAT --to-destination 192.168.16.8
iptables -t nat -I POSTROUTING -s 192.168.16.8 -j SNAT --to 50.xx.xx.58
iptables -I FORWARD -d 192.168.16.8 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -d 192.168.16.8 -p tcp --dport 443 -j ACCEPT

### 50.xx.xx.59 -> 192.168.16.9 (remote.) ###
iptables -t nat -I PREROUTING -d 50.xx.xx.59 -p tcp --dport 80 -j DNAT --to-destination 192.168.16.9
iptables -t nat -I PREROUTING -d 50.xx.xx.59 -p tcp --dport 443 -j DNAT --to-destination 192.168.16.9
iptables -t nat -I PREROUTING -d 50.xx.xx.59 -p tcp --dport 3389 -j DNAT --to-destination 192.168.16.9
iptables -t nat -I POSTROUTING -s 192.168.16.9 -j SNAT --to 50.xx.xx.59
iptables -I FORWARD -d 192.168.16.9 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -d 192.168.16.9 -p tcp --dport 443 -j ACCEPT
iptables -I FORWARD -d 192.168.16.9 -p tcp --dport 3389 -j ACCEPT

### 50.xx.xx.60 -> 192.168.16.6 (vpn.) ###
iptables -t nat -I PREROUTING -d 50.xx.xx.60 -p tcp --dport 80 -j DNAT --to-destination 192.168.16.6
iptables -t nat -I PREROUTING -d 50.xx.xx.60 -p tcp --dport 443 -j DNAT --to-destination 192.168.16.6
iptables -t nat -I POSTROUTING -s 192.168.16.6 -j SNAT --to 50.xx.xx.60
iptables -I FORWARD -d 192.168.16.6 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -d 192.168.16.6 -p tcp --dport 443 -j ACCEPT
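As an added example that is not part of the original post, here is a small POSIX shell generator that produces the startup and firewall script lines above from one mapping table, and checks every public address against the /29's netmask and broadcast before anything is installed (an address outside the block is an easy typo that silently breaks the DNAT). The addresses, netmask and broadcast are constructed placeholders from the 203.0.113.0/24 documentation range, not the post's real ones.

```shell
# Added example (not from the original post): table-driven generator for the
# DD-WRT startup and firewall scripts, with a /29 membership check.
# All addresses below are constructed placeholders.

# One mapping per line: <public ip> <lan ip> <comma-separated tcp ports>
MAPPINGS='203.0.113.58 192.168.16.8 80,443
203.0.113.59 192.168.16.9 80,443,3389
203.0.113.60 192.168.16.6 80,443'
NETMASK=255.255.255.248
BROADCAST=203.0.113.63

# Dotted quad -> integer, using only POSIX sh arithmetic.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds only if the address shares the network defined by BROADCAST/NETMASK.
in_subnet() {
    m=$(ip_to_int "$NETMASK")
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$BROADCAST") & m )) ]
}

# STARTUP SCRIPT: alias each public address onto the WAN interface.
gen_startup() {
    echo 'WANIF=`get_wanface`'
    i=1
    echo "$MAPPINGS" | while read -r pub lan ports; do
        in_subnet "$pub" || { echo "ERROR: $pub is not in the /29" >&2; exit 1; }
        echo "ifconfig \$WANIF:$i $pub netmask $NETMASK broadcast $BROADCAST"
        i=$((i + 1))
    done
}

# FIREWALL SCRIPT: DNAT only the listed ports to the LAN host, accept them in
# FORWARD, and SNAT the host's replies back out of its own public address.
gen_firewall() {
    echo "$MAPPINGS" | while read -r pub lan ports; do
        echo "### $pub -> $lan ###"
        for p in $(echo "$ports" | tr ',' ' '); do
            echo "iptables -t nat -I PREROUTING -d $pub -p tcp --dport $p -j DNAT --to-destination $lan"
            echo "iptables -I FORWARD -d $lan -p tcp --dport $p -j ACCEPT"
        done
        echo "iptables -t nat -I POSTROUTING -s $lan -j SNAT --to $pub"
    done
}

gen_startup && gen_firewall
```

Paste the two generated sections into the DD-WRT Startup and Firewall script boxes respectively; the generator itself never touches iptables.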

I was dealing with a Comcast SMC router and a Buffalo High Power router.  External traffic wouldn’t go through.  I thought I had an issue in the script and spent a good few hours tweaking, resetting, and retrying.  All that was in vain.  The problem was much simpler and I should have seen it earlier.

The Comcast router had its firewall turned on.

  • Log into the Comcast router (http://10.1.10.1, user: cusadmin, password: highspeed)
  • Click Firewall on the left
  • Make sure the “Disable Firewall for True Static IP Subnet Only” checkbox IS CHECKED

I hope if you’re searching for a solution for a long time, you come upon this humble post and save yourself from a brain hemorrhage.

Relevant Links

  • The best tutorial: http://www.dd-wrt.com/wiki/index.php/One-to-one_NAT
  • If you need fuller SNAT: http://www.techenclave.com/guides-tutorials/multiple-public-ips-one-router-37283/
  • This guy had my same problem, I suspect: http://serverfault.com/questions/240054/dd-wrt-multiple-static-ips

Written by

Matt Albrecht is the lead IT support technician for Parachute Technology and has over 16 years of experience working on computers and business networks. He started Parachute Technology in 2009 supporting small businesses that didn't have their own "IT Guy."