I pay my ISP for a static IP address. This gives me an IP address I can run services on! But my router isn’t handed this IP address: it’s still going through IP masquerading at the ISP. It’s a weird ISP.
When my laptop tries to get to the public IP address (28.37.121.84), my router decides that’s outside the LAN (which is true), so it sends it out to the ISP’s router. The ISP is supposed to route this, but it drops it.
This is arguably broken behaviour, and it’s possible I could eventually convince the ISP to fix this. Fixing it in my router is a better approach, though, since there’s no need to route that traffic over my slow ISP uplink and back.
The solution is DNAT on my router.
I can do this pretty easily in OpenWRT, by adding masquerading to the lan zone and adding a new DNAT rule to /etc/config/firewall:

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	# Enable this for lan-lan DNAT
	option masq '1'
	list network 'lan'

config redirect
	option name 'DNAT public IP'
	option src 'lan'
	option src_dip '28.37.121.84'
	option dest 'lan'
	option dest_ip '192.168.1.2'
	option proto 'all'
	option target 'DNAT'
I’m mostly writing this down so I’ll have a chance of remembering it later. If this helps you somehow, dear reader, that’s a pretty nice side-effect.
DHCP tricks
In order to obtain my static IP address, I have to send a DHCP request with a specific source MAC address and a specific DHCP Client-ID (option 61, I think: check the RFC). The Client-ID needs to be 0x01 + the 7-byte MAC address: 0x01 means “this is a MAC address”.
They’re expecting the MAC address of the router I had before this one. I’m keeping that address in the usual place for secrets.
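As an added example (not from the original post), here is how that client identifier is built and checked: the option 61 value is the hardware-type byte 0x01 followed by the 6-byte Ethernet address, 7 bytes in all. The MAC address used is a constructed placeholder, and the uci_clientid helper assumes OpenWRT’s 'option clientid' takes the identifier as a plain hex string.

```python
import re

HW_TYPE_ETHERNET = 0x01  # hardware type byte of a DHCP client identifier (RFC 2132 option 61)
OPTION_CLIENT_ID = 61


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff'; return the 6 raw bytes."""
    digits = re.sub(r"[:\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def client_identifier(mac: str) -> bytes:
    """The 7-byte option value: 0x01 ('this is an Ethernet MAC') followed by the address."""
    return bytes([HW_TYPE_ETHERNET]) + parse_mac(mac)


def option61(mac: str) -> bytes:
    """The full TLV as it sits in the DHCP options field: code 61, length 7, then the value."""
    value = client_identifier(mac)
    return bytes([OPTION_CLIENT_ID, len(value)]) + value


def decode_client_identifier(value: bytes) -> str:
    """Reverse check for a captured option value; rejects anything but type 0x01 + 6 bytes."""
    if len(value) != 7 or value[0] != HW_TYPE_ETHERNET:
        raise ValueError("client identifier is not an Ethernet MAC identifier")
    return ":".join(f"{b:02x}" for b in value[1:])


def uci_clientid(mac: str) -> str:
    """Hex string for 'option clientid' on the WAN interface (assumed format, colons stripped)."""
    return client_identifier(mac).hex()


if __name__ == "__main__":
    old_router = "00:11:22:33:44:55"  # constructed placeholder, not a real router's address
    print("option 61 on the wire:", option61(old_router).hex())
    print("option clientid      :", uci_clientid(old_router))
```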