BACKGROUND: I have a device that must use a real IP address. Currently, my ISP uses DHCP and I can have up to 4 real IP addresses assigned. However, the cable modem only has 1 Ethernet port and it's connected to my router (running Tomato, but can run DD-WRT or other OpenWrt if required). The question is how I can connect the additional device, which requires a real IP.

EASY SOLUTION: Get a switch and connect it to the CM, router, and device. But alas, I want to avoid this route, since:

  • my wiring cabinet in my home is drawing lots of power and heat already
  • Device will be unprotected by any firewall
  • unable to monitor the traffic to/from device.
  • Besides, what would be the FUN in that? =)

IDEA: So what I want to do is to configure the router so that one of the switch ports is removed from the normal br0 bridge. Instead, I want to make it behave like a switch on the WAN port.

What's the best way of doing this? Should I create another bridge on the WAN and the device port? Can a single port belong to two bridges? Or would I need to create a subinterface first? Would I need a DHCP relay? Am I expecting too much from my poor cheapie router?

   |  CM  |
|   /    \      Router |
| BR1?   BR0           |
|  |       \           |
|  |       {NAT}       |
|  |     / |  | \      |
  • Why did you connect the router's WAN port to your cable modem's LAN port? That doesn't make sense. Commented Apr 10, 2016 at 22:01

4 Answers

Personally, I found DD-WRT best from the choice I had and use it on a 50/50 line on 250MHz router.

The setup you have stated is good and possible, if br0 and br1 are "bridge interfaces", not the "bridge" itself. It depends on the wording, so you could actually have meant it that way.

You would like to use 2 virtual wlan interfaces, I guess one with NAT and one without, and assign specific ports to the {NAT} interface and br1 interface.

The {NAT} actually is NAT + LAN interface, because the NAT is just a layer, or say a kind of bridge, between br0 and the actual LAN.

It is possible at least with DD-WRT, and I would switch to it, or at least try. But the thing is that even if it is possible through the web interface, it would be wise to have it done in IPTABLES itself by a person who is fluent with IPTABLES, which I'm not, hence sorry for not helping with an actual link.

  • 1
    I agree - DD-WRT supports mapping specific network paths through specific network ports. The "uplink" port and all the switch ports can be made to route between each other arbitrarily. Good advice on using IPTABLES to do this. I think the GUI offers this feature but I don't know how good it is. Commented Feb 2, 2011 at 3:44
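
The bridge-plus-IPTABLES layout discussed in this answer and its comment, as an added example that is not part of the original posts and not DD-WRT's or Tomato's own code. It assumes the firmware already exposes the WAN as `vlan1` and the device's switch port as its own VLAN interface `vlan3` (both names hypothetical), that bridge netfilter is enabled so bridged frames reach iptables, and that the router's WAN DHCP client is then moved to `br1`.

```shell
#!/bin/sh
# Added example: put the device port on the WAN segment through a bridge the
# router controls, so the device gets a public lease but stays filtered/logged.
WAN_IF="${WAN_IF:-vlan1}"  # assumed: VLAN interface facing the cable modem
DEV_IF="${DEV_IF:-vlan3}"  # assumed: VLAN containing only the device's port
BR_IF="${BR_IF:-br1}"      # new bridge; br0 (the NATed LAN) is left alone
DRY_RUN="${DRY_RUN:-1}"    # 1 = print the commands, 0 = execute them as root

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Layer 2: WAN and device port share one segment. The device's DHCP request
# reaches the ISP directly, so no DHCP relay is involved.
build_bridge() {
    run brctl addbr "$BR_IF"
    run brctl addif "$BR_IF" "$WAN_IF"
    run brctl addif "$BR_IF" "$DEV_IF"
    run ifconfig "$BR_IF" up
}

# Layer 3 filtering of the bridged frames. This only takes effect when
# /proc/sys/net/bridge/bridge-nf-call-iptables is 1.
filter_bridge() {
    # Keep the firmware's WAN MASQUERADE rule from rewriting the device's
    # public source address: bridged packets also traverse nat POSTROUTING.
    run iptables -t nat -I POSTROUTING -m physdev --physdev-is-bridged -j ACCEPT
    run iptables -N devfw
    run iptables -I FORWARD -m physdev --physdev-is-bridged -j devfw
    # Device -> Internet: allowed, and tracked so replies match below.
    run iptables -A devfw -m physdev --physdev-in "$DEV_IF" -j ACCEPT
    run iptables -A devfw -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DHCP offers/acks answer a broadcast, so conntrack does not see them as
    # ESTABLISHED; without this rule the device never gets its lease.
    run iptables -A devfw -p udp --sport 67 --dport 68 -j ACCEPT
    # Everything else from the WAN side is logged, then dropped.
    run iptables -A devfw -j LOG --log-prefix "devfw drop: "
    run iptables -A devfw -j DROP
}

build_bridge
filter_bridge
```

With `DRY_RUN=1` (the default) the script only prints the plan, which can be reviewed against the router's actual interface names before running it with `DRY_RUN=0`.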

I actually just went through this last week. You can look up my question related to getting my Verizon network extender device to work.

I finally had to settle on using a switch between the DD-WRT router and the cable modem.

I think a better place to ask may be on the DD-WRT forums. However, unless DMZ is suitable (which it sounds like it isn't), I doubt there is a way to pass through one IP from the cable modem to one of the switch ports. I did a lot of reading last week and never saw any capabilities like this.


I'm pretty sure your router will support a demilitarized zone (DMZ) for at least one device, as most do.

Putting a device in the DMZ puts it outside the firewall, effectively on the WAN side.

Here's a page with some info on setting up the DMZ in Tomato.

Hope that helps...

  • No go... with DMZ, the device will get assigned an internal IP addr. Besides, this will kill all the port forwarding on rest of network.
    – fseto
    Commented Sep 17, 2010 at 3:32
  • Yeah, I think you're out of luck without a better routing device then. :) Commented Sep 17, 2010 at 3:50

The easiest way to do this is a VLAN. The problem I'm having is that you want your device to have a static IP address, and sit behind a firewall (Device will be unprotected by any firewall) according to your list. I would recommend a Juniper SSG 5. It'll be the firewall you want, offer the wireless you need, and give you VLANs. You may be able to find a 5GT for sale somewhere (older version of the SSG5). I don't work for Juniper, but thought this may help.
