Configuring Netgear Nighthawk R7000 router with DD-WRT
Configure NAT and Firewall
In Administration > Commands:
Startup section:
##STARTUP
# Add the block's other public addresses as aliases on the WAN interface,
# so the 1:1 NAT rules in the Firewall section have something to match.
WANIF=`get_wanface`
ifconfig $WANIF:1 xxx.xxx.xxx.227 netmask 255.255.255.248 broadcast xxx.xxx.xxx.231
# ifconfig $WANIF:2 xxx.xxx.xxx.228 netmask 255.255.255.248 broadcast xxx.xxx.xxx.231
ifconfig $WANIF:3 xxx.xxx.xxx.229 netmask 255.255.255.248 broadcast xxx.xxx.xxx.231
ifconfig $WANIF:4 xxx.xxx.xxx.230 netmask 255.255.255.248 broadcast xxx.xxx.xxx.231
Firewall section:
### Firewall

## NAT
# 1:1 NAT per public address: DNAT inbound traffic to the LAN host, and SNAT
# the host's outbound traffic so it leaves with the same public address.
# The DNAT translates every port; the FORWARD rules below decide what is let in.

# WAN xxx.xxx.xxx.229 -> LAN 192.168.1.2 (host.example.com)
iptables -t nat -I PREROUTING -i vlan2 -d xxx.xxx.xxx.229 -j DNAT --to 192.168.1.2
iptables -t nat -I POSTROUTING -o vlan2 -s 192.168.1.2 -j SNAT --to xxx.xxx.xxx.229

# WAN xxx.xxx.xxx.227 -> LAN 192.168.1.7 (host.example.com)
iptables -t nat -I PREROUTING -i vlan2 -d xxx.xxx.xxx.227 -j DNAT --to 192.168.1.7
iptables -t nat -I POSTROUTING -o vlan2 -s 192.168.1.7 -j SNAT --to xxx.xxx.xxx.227

# WAN xxx.xxx.xxx.228 -> LAN 192.168.1.8 (host.example.com)
# iptables -t nat -I PREROUTING -i vlan2 -d xxx.xxx.xxx.228 -j DNAT --to 192.168.1.8
# iptables -t nat -I POSTROUTING -o vlan2 -s 192.168.1.8 -j SNAT --to xxx.xxx.xxx.228

## Failed attempts at loopback NAT
# iptables -t nat -A POSTROUTING -o vlan2 -s 192.168.1.0/24 -d 192.168.1.0/24 -j MASQUERADE
# iptables -t mangle -A PREROUTING -i ! `get_wanface` -d `nvram get wan_ipaddr` -j MARK --set-mark 0xd001
# iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
# iptables -t nat -A POSTROUTING -m mark --mark 0xd001 -j MASQUERADE

## Port-forwarding
## mono.oneeyedman.net
# SSH
iptables -I FORWARD -d 192.168.1.2 -i vlan2 -p tcp --dport 22 -j ACCEPT
# DNS (UDP)
iptables -I FORWARD -d 192.168.1.2 -i vlan2 -p udp --dport 53 -j ACCEPT
# DNS (TCP)
iptables -I FORWARD -d 192.168.1.2 -i vlan2 -p tcp --dport 53 -j ACCEPT
# HTTP
iptables -I FORWARD -d 192.168.1.2 -i vlan2 -p tcp --dport 80 -j ACCEPT
# IMAPS
iptables -I FORWARD -d 192.168.1.2 -i vlan2 -p tcp --dport 143 -j ACCEPT
# HTTPS
iptables -I FORWARD -d 192.168.1.2 -i vlan2 -p tcp --dport 443 -j ACCEPT
# SMTP-STARTTLS
iptables -I FORWARD -d 192.168.1.2 -i vlan2 -p tcp --dport 587 -j ACCEPT
# IMAPS-SSL/TLS
iptables -I FORWARD -d 192.168.1.2 -i vlan2 -p tcp --dport 993 -j ACCEPT
# SMTP
iptables -I FORWARD -d 192.168.1.2 -i vlan2 -p tcp --dport 25 -j ACCEPT

## Port-forwarding for host.example.com
# SSH
iptables -I FORWARD -d 192.168.1.7 -i vlan2 -p tcp --dport 22 -j ACCEPT
# HTTP
iptables -I FORWARD -d 192.168.1.7 -i vlan2 -p tcp --dport 80 -j ACCEPT
# HTTPS (Tor)
iptables -I FORWARD -d 192.168.1.7 -i vlan2 -p tcp --dport 443 -j ACCEPT
# DirPort (Tor)
iptables -I FORWARD -d 192.168.1.7 -i vlan2 -p tcp --dport 9030 -j ACCEPT
# SMTP
#iptables -I FORWARD -d 192.168.1.7 -i vlan2 -p tcp --dport 25 -j ACCEPT
# DNS (UDP)
#iptables -I FORWARD -d 192.168.1.7 -i vlan2 -p udp --dport 53 -j ACCEPT
# DNS (TCP)
#iptables -I FORWARD -d 192.168.1.7 -i vlan2 -p tcp --dport 53 -j ACCEPT
# SMTP-STARTTLS
#iptables -I FORWARD -d 192.168.1.7 -i vlan2 -p tcp --dport 587 -j ACCEPT
# IMAPS-SSL/TLS
#iptables -I FORWARD -d 192.168.1.7 -i vlan2 -p tcp --dport 993 -j ACCEPT

## Port-forwarding for host.example.com
# HTTP
iptables -I FORWARD -d 192.168.1.8 -i vlan2 -p tcp --dport 80 -j ACCEPT
# HTTPS (Tor)
iptables -I FORWARD -d 192.168.1.8 -i vlan2 -p tcp --dport 443 -j ACCEPT
# DirPort (Tor)
iptables -I FORWARD -d 192.168.1.8 -i vlan2 -p tcp --dport 9030 -j ACCEPT

## Port-forwarding for host.example.com
# Gnutella
iptables -I FORWARD -d 192.168.1.10 -i vlan2 -p tcp --dport 6346 -j ACCEPT
iptables -I FORWARD -d 192.168.1.10 -i vlan2 -p udp --dport 6346 -j ACCEPT
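As an added example (not code from this page or from DD-WRT), a small POSIX shell script that generates the 1:1 NAT and port-forward lines above from one table instead of hand-copied rules, plus the loopback (hairpin) NAT rules that the commented-out attempts were after. It assumes vlan2 for the WAN interface (as on the page), br0 for the LAN bridge and 192.168.1.0/24 for the LAN, and it prints the rules for review rather than applying them.

```shell
#!/bin/sh
# Added example, not from the original page or from DD-WRT: build the 1:1 NAT
# and per-service FORWARD rules from one table so the repetitive blocks are
# generated, not hand-copied. Assumptions: WAN interface vlan2 (as on the
# page), LAN bridge br0, LAN subnet 192.168.1.0/24. Rules are printed, not
# applied, so they can be reviewed before pasting into the Firewall section.

WANIF=vlan2
LANIF=br0
LANNET=192.168.1.0/24

# nat_rules WAN_IP LAN_IP [proto:port ...]
# One DNAT/SNAT pair for the public address, then one FORWARD ACCEPT per
# listed service. Only the listed ports are opened; everything else the
# DNAT translates is still handled (dropped) by the rest of the FORWARD chain.
nat_rules() {
  wan=$1; lan=$2; shift 2
  echo "# WAN $wan -> LAN $lan"
  echo "iptables -t nat -I PREROUTING -i $WANIF -d $wan -j DNAT --to $lan"
  echo "iptables -t nat -I POSTROUTING -o $WANIF -s $lan -j SNAT --to $wan"
  for svc in "$@"; do
    proto=${svc%%:*}; port=${svc#*:}
    echo "iptables -I FORWARD -d $lan -i $WANIF -p $proto --dport $port -j ACCEPT"
  done
}

# hairpin_rules WAN_IP LAN_IP
# Loopback (hairpin) NAT. The page's DNAT only matches -i vlan2, so a LAN
# client that connects to the public address is never translated. Add a DNAT
# for LAN-sourced packets and masquerade them on the way out br0, so the
# server answers the router (which un-NATs the reply) and not the client.
hairpin_rules() {
  wan=$1; lan=$2
  echo "iptables -t nat -I PREROUTING -i $LANIF -s $LANNET -d $wan -j DNAT --to $lan"
  echo "iptables -t nat -I POSTROUTING -o $LANIF -s $LANNET -d $lan -j MASQUERADE"
}

# Number of ACCEPT lines emitted: a quick check that the count of exposed
# ports matches the service list before the rules go on the router.
count_accepts() { nat_rules "$@" | grep -c 'ACCEPT$'; }

# Demo with a constructed (RFC 5737 documentation) public address.
nat_rules 203.0.113.229 192.168.1.2 tcp:22 udp:53 tcp:53 tcp:80 tcp:443
hairpin_rules 203.0.113.229 192.168.1.2
```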
Set up internal (LAN) DNS
Enable JFFS support (Source: https://unfinishedbitness.info/2013/02/24/enabling-jffs-on-dd-wrt/)
- Login to the router web page.
- Click "Administration".
- Look for the "JFFS2 Support" section.
- For the JFFS2 option, click the "Enable" radio button.
- Click "Save" at the bottom. Wait a few seconds. Once the screen refreshes, click "Apply" at the bottom and wait again. Look for the "JFFS2 Support" section again.
- For the "Clean JFFS" option, click the "Enable" radio button.
- DO NOT click "Save" at the bottom! Instead, click "Apply" at the bottom. The router will format the available space. Wait until the web GUI is back, which may take a minute or two.
- Look for the "JFFS2 Support" section again.
- For the "Clean JFFS" option, click the "Disable" radio button.
- Click "Save" at the bottom. Click the "Administration" tab.
- Click the "Maintenance" tab. Click "Reboot Router" at the bottom.
After the boot is complete there will be a "/jffs" filesystem present. It will have a "tmp/ipkg" directory in it, which you can ignore. Just leave it there.
Populate Persistent Data:
Now you can create one or more storage locations in the JFFS filesystem to hold the things you want to preserve across boots (i.e. hosts file, startup scripts, web pages, etc.). Login via ssh as root, then create the directories. I created these:
cd /jffs
mkdir etc
mkdir bin
mkdir web
Now you can scp the files you need into those directories, or use vi and create them manually.
Set up DHCP and DNS (follow the directions at https://unfinishedbitness.info/2013/03/26/using-dd-wrt-for-local-dns-and-dhcp/)
The content of /jffs/etc/hosts.home:
root@jackpot:/jffs/etc# cat hosts.westnet
192.168.1.2 xxxxx example.com example.com www.example.com
192.168.1.7 yyyyy host.example.com