How to Utilize Multiple Static IPs Behind your WRT
Written by qix2k

This guide is ideally suited for people who have a multiple static IP package with their ISP, in particular people with "Static" IP addressing via PPPoE/A, aka "sticky" IPs. The goal is to let your machines have their own unique IP addresses through the use of NAT (Network Address Translation) on the router. We'll create a 1-to-1 mapping from the public IPs to a set of local IPs in the 192.168.x.x range. Another nice thing about this setup is that if you assign a local machine some other local IP that is not mapped to a public IP, it will use IP masquerading and default to the gateway's IP address. WRT is so reliable it's been given a stamp of approval by users who tested it using O2 broadband. The simplest instructions below will leave your machines exposed to the internet, so be sure you have a software firewall installed on them!

Assumptions:

  1. You have a DSL modem that supports "Bridged Mode", or at least "PPP is on the computer" if you know your ISP uses PPPoE.
  2. You are using a firmware that allows telnet access to your Linksys router, or gives you some interface to the rc_firewall variable (e.g. HyperWRT). More info about this variable below...
  3. The service you bought has given you 5 IPs for use. (The instructions should be easily modifiable if you have some other amount, though.)

(My own setup has a SpeedStream 5100 DSL Modem in bridged mode connected to my Linksys WRT54G v2.0's Internet port, and the other user machines plugged into the Linksys's LAN ports. For my firmware, I'm using DD-WRT.V22-prefinal3.2.)

Instructions:

  1. Put your DSL modem into "Bridged Mode", or "PPP is on the computer" if you use PPPoE and don't have a "Bridged Mode" for some reason. (NOTE: You won't be able to access the modem anymore through the web interface after performing the rest of the instructions, without plugging directly into the modem itself. That's OK though, since you shouldn't have to touch the modem after this. There are other instructions on the web explaining more complicated setups for alternative ways of accessing the modem.)
  2. Now access the Linksys Setup-->Basic Setup page. Change the Internet Connection Type to PPPoE and enter in your account's username and password. Remember your router IP and subnet mask. I have mine set to 192.168.1.253/255.255.255.0. Make sure your local machines are on the same subnet, and have this router set as their gateway.
  3. Under the Setup-->Advanced Routing page, change your Operating Mode to Gateway.
  4. Go to the Administration page, and enable the Telnet server.
  5. Open a command prompt, and telnet to your router, e.g. 'telnet 192.168.1.253'. Log in using username: root, password: MyRouterPassword
  6. Now add our own NAT rules that will route packets coming into a particular static IP to one of our LAN IPs, and vice versa for outgoing packets. Modify the text below, and paste it into the command prompt of your telnet session. Just change the x.x.x to your public network address, and the letters a,b,c,d,e to the last digits of your 5 usable public IP addresses. Then change the internal IPs to something in the 192.168.x.x range, as long as it's on the same subnet as your router.
    For example, since I'm using 192.168.1.253 for my router, I'll map all the public IPs to just 192.168.1.a-e for convenience. Since my ISP told me that my network's gateway IP ends in x.x.x.102, my router will get this IP address when it connects. That means the 5 IPs I still have available for use are: x.x.x.97-101.
    nvram set rc_firewall=" iptables -t nat -I PREROUTING -d x.x.x.a -j DNAT --to-destination 192.168.1.a
    iptables -t nat -I POSTROUTING -s 192.168.1.a -j SNAT --to-source x.x.x.a
    iptables -t nat -I PREROUTING -d x.x.x.b -j DNAT --to-destination 192.168.1.b
    iptables -t nat -I POSTROUTING -s 192.168.1.b -j SNAT --to-source x.x.x.b
    iptables -t nat -I PREROUTING -d x.x.x.c -j DNAT --to-destination 192.168.1.c
    iptables -t nat -I POSTROUTING -s 192.168.1.c -j SNAT --to-source x.x.x.c
    iptables -t nat -I PREROUTING -d x.x.x.d -j DNAT --to-destination 192.168.1.d
    iptables -t nat -I POSTROUTING -s 192.168.1.d -j SNAT --to-source x.x.x.d
    iptables -t nat -I PREROUTING -d x.x.x.e -j DNAT --to-destination 192.168.1.e
    iptables -t nat -I POSTROUTING -s 192.168.1.e -j SNAT --to-source x.x.x.e"
    nvram commit
    We've just added some commands that the router should run after it adds its own firewalling rules, by modifying the rc_firewall variable. The nvram commit command makes it reboot-proof. You can run iptables -t nat -L at the telnet prompt to verify the rules were added. Check that your local machines have their own public IP, for example by going to www.whatsmyip.org.
    NOTE: Some firmwares may let you edit rc_firewall directly through their web interface, avoiding telnet. If so, just copy and paste all the iptables commands above, without the quotes or nvram stuff.
  7. Optional: Go to the Linksys's Security panel in the web interface and disable Firewall Protection. See below for more info if you're going to do this.
  8. You're done! Don't forget to disable the telnet server if you don't need access anymore.
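
As an added example (not part of the original guide), the shell function below generates the DNAT/SNAT pairs from step 6 and refuses last octets that would collide with the router's own public or LAN address, repeat, or carry a leading zero. The function names, the argument order and the 203.0.113 documentation prefix are assumptions made for illustration; the router octets .102 and .253 follow the author's layout, and the two prefixes are taken as given without validation.

```sh
#!/bin/sh
# Added example, not from the original guide. Names are hypothetical.

# True if $1 is a plain decimal host octet in 1-254. Leading zeros are
# rejected because some address parsers read them as octal.
valid_octet() {
    case "$1" in ''|0*|*[!0-9]*|????*) return 1 ;; esac
    [ "$1" -le 254 ]
}

# gen_nat_rules PUB_PREFIX LAN_PREFIX ROUTER_PUB_OCTET ROUTER_LAN_OCTET OCTET...
# Prints one DNAT/SNAT pair per OCTET, mapping PUB_PREFIX.n <-> LAN_PREFIX.n.
# Prints nothing and returns 1 if any octet is invalid, repeated, or is one
# the router itself uses on the public or LAN side.
gen_nat_rules() {
    pub=$1 lan=$2 rpub=$3 rlan=$4
    shift 4
    rules='' seen=' '
    for o in "$@"; do
        valid_octet "$o" || { echo "bad octet: $o" >&2; return 1; }
        if [ "$o" -eq "$rpub" ] || [ "$o" -eq "$rlan" ]; then
            echo "octet $o belongs to the router" >&2
            return 1
        fi
        case "$seen" in
            *" $o "*) echo "duplicate octet: $o" >&2; return 1 ;;
        esac
        seen="$seen$o "
        rules="${rules}iptables -t nat -I PREROUTING -d $pub.$o -j DNAT --to-destination $lan.$o
iptables -t nat -I POSTROUTING -s $lan.$o -j SNAT --to-source $pub.$o
"
    done
    printf '%s' "$rules"
}

# Constructed sample: documentation prefix 203.0.113, router on .102 (public)
# and .253 (LAN), usable public IPs .97-.101 as in the guide's layout.
gen_nat_rules 203.0.113 192.168.1 102 253 97 98 99 100 101
```

The printed lines go between the quotes of the nvram set rc_firewall command in step 6.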

More about the firewall

I'm using this setup to share a DSL connection with my roommates, and find that good firewall rules on the router that apply to everyone are harder to set. Rather, I'll leave most of it up to their software firewalls. If you do leave the firewall on, you'll have to do more work through the web interface involving port forwarding/triggering.

For more advanced use, you may want to learn about iptables. You can set all sorts of custom rules on the router and let that do all your firewalling. The NAT work above uses iptables. See the iptables tutorial, and maybe Firewall Builder for more info.

If you do disable the firewall, it makes your router itself more visible to the public, which is NOT something we want. I recommend adding the following commands to the above block of text in that case:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -i ppp0 --dport 520 -j DROP
iptables -A INPUT -p udp -i br0 --dport 520 -j DROP
iptables -A INPUT -p udp --dport 520 -j ACCEPT
iptables -A INPUT -i ppp0 -p icmp -j DROP
iptables -A INPUT -p igmp -j ACCEPT
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
iptables -A INPUT -i br0 -m state --state NEW -j logaccept
iptables -A INPUT -j DROP

The above should make your router much stealthier. Make sure these rules are inside the quotes. This was taken from the /tmp/.ipt file on the router, which contains a bunch of rules and commands. Some of these commands were generated through the web interface.

© 2004-2007. WRTrouters.com is in no way affiliated with Linksys® or the WRT54G™ itself. We are not responsible for the content of our links.
All content on this site, although thought to be correct, may in fact not be. All firmware is property of the respective owners.
Should you have questions concerning the site, please e-mail us at pip@wrtrouters.com