Gateway and Router mode setup to create multiple networks

DDE12
DD-WRT Novice


Joined: 09 May 2021
Posts: 9

Posted: Sun May 09, 2021 2:48    Post subject: Gateway and Router mode setup to create multiple networks
I have an ISP modem connected to the WAN port of Router 1, which has an IP address of 192.168.2.1. The WAN ports of Routers A, B, C are connected to the LAN ports of Router 1. The IPs of these routers are 192.168.10.1, 192.168.11.1, 192.168.12. I'm trying to set this up so I can have 3 separate networks that can't see each other, so I can experiment with 2 of them and not affect the third network and inconvenience the family. To avoid double NAT and other issues, should I set Router 1 to Gateway mode and the rest to Router mode in advanced setup, or vice versa? Or am I off course and should be doing something different altogether? Thank you for taking a look at this.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Sun May 09, 2021 3:44
IMO, the concern over being double NAT'd is usually overrated. In some specific cases, it can be a problem, mostly involving the need for NAT traversal (e.g., VOIP).

Router mode does disable NAT, but it also disables connection tracking. And that can cause other problems, esp. given the router is typically used as an applications platform, and NOT just as a pure router. It also assumes you can add static routes to the primary router to establish the routing back to the local network behind the secondary router. Many ISP provided devices do NOT offer that option.

So in general, you're usually better off leaving any secondary routers in Gateway mode unless you have a specific, known issue that makes that unworkable. And in some cases (as I described above), you may have no choice anyway.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

Posted: Sun May 09, 2021 7:48
Entering static routes here will be no issue as they are put in Router 1 which is dd-wrt, not the ISP Modem.
DDE12
DD-WRT Novice


Joined: 09 May 2021
Posts: 9

Posted: Sun May 09, 2021 15:08
I do have VOIP, Plex does not like the double NAT and some of my Echo and smart home devices are not working either. Why some of them and why they were working fine for several days, I don't know. So if I'm understanding correctly, I should put Router 1 in Router mode and routers A-C in Gateway while setting static routes on Router 1 to routers A-C?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

Posted: Sun May 09, 2021 15:32
No, Router 1 in Gateway mode and routers A-C in Router mode.

Does Router 1 have the public IP?
DDE12
DD-WRT Novice


Joined: 09 May 2021
Posts: 9

Posted: Sat May 15, 2021 22:15
I have the following settings but can't get an internet connection on Router A:

Router 1 (Buffalo WZR-600DHP2 DD-WRT v3.0-r44715 std (11/03/20))(Public IP)
Advanced Routing
Operation Mode Gateway
Static Routing
Masquerade Route unchecked
Destination LAN NET: 192.168.11.0
Subnet Mask: 255.255.255.0
Gateway: 192.168.1.111
Interface: Any

Administration > Commands > Firewall
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT

Router A (Buffalo WZR-600DHP 22084 Idexx v1.0 (02/13/14))
Basic Setup > WAN Connection Type
Connection Type: Static IP
WAN IP Address 192.168.1.111
Subnet Mask: 255.255.255.0
Gateway: 192.168.1.1
Static DNS 1-3 are all blank.

What am I missing or have wrong?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

Posted: Sat May 15, 2021 22:50
Masquerade Route (NAT) must be ticked.
DDE12
DD-WRT Novice


Joined: 09 May 2021
Posts: 9

Posted: Sat May 15, 2021 23:28
I ticked it but that still did not allow me to connect to the internet.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

Posted: Sun May 16, 2021 7:27
Put this in the Firewall of Router 1 to make sure everything is NAT'ed out the WAN.

iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE


Begin with the basics.

Can you ping Router 1 from Router A?
Can you ping Router 1 from a client behind Router A?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12838
Location: Netherlands

Posted: Sun May 16, 2021 8:07
If there is no DNS set maybe a DNS problem?

Try 9.9.9.9 for static DNS 1

If possible I would not use static IP for WAN but use a static lease from the primary router.

That way you know what IP addresses are handed out.
But that is just me :)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
DDE12
DD-WRT Novice


Joined: 09 May 2021
Posts: 9

Posted: Fri May 21, 2021 16:27
I added the following to the firewall of Router 1.
iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE

Ping testing:
Client on Router A can ping
192.168.11.1
192.168.1.111
Cannot ping
192.168.1.1
or a client on Router 1

Router A can ping
192.168.1.1
192.168.11.1
192.168.1.111
1.1.1.1
The WAN IP of Router 1
a client on Router 1

Client on Router 1 can ping
192.168.11.1
192.168.1.111
Cannot ping a client on Router A

Router 1 can ping
192.168.11.1
192.168.1.111
Cannot ping client on Router A

I tried a static DNS on Router A (9.9.9.9) but that did not help.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

Posted: Fri May 21, 2021 17:28
Quote:
Client on Router 1 can ping
192.168.11.1
192.168.1.111
Cannot ping a client on Router A


Change the default gateway on the Client on Router 1 from 192.1.1 to 192.1.111 and redo the test.

If it goes through, check the routes on router 1.

route 192.168.11.0/24 via 192.168.1.111
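
Why that route on Router 1 matters, as an added example that is not part of the thread: a longest-prefix-match lookup over a constructed model of Router 1's routing table shows where the reply to a client behind Router A goes with and without the static route. The client address 192.168.11.50 and the "WAN" next-hop label are assumptions made for the illustration; the other addresses are the ones posted above.

```python
import ipaddress

# Constructed model of Router 1's routing table, based on the settings
# posted in this thread. "WAN" is a placeholder for the ISP-side next hop.
ROUTER1_BASE = [
    ("192.168.1.0/24", "direct"),  # Router 1 LAN; Router A's WAN port sits here
    ("0.0.0.0/0", "WAN"),          # default route towards the ISP
]
# The static route from the thread: LAN behind Router A via Router A's WAN IP.
STATIC_ROUTE = ("192.168.11.0/24", "192.168.1.111")


def next_hop(table, dst):
    """Longest-prefix match: next hop of the most specific matching route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def reply_path(table, client_behind_a, router_a_does_nat):
    """Return (reply destination, next hop) as seen by Router 1.

    Gateway mode on Router A NATs the client to Router A's WAN IP, so the
    reply is addressed to 192.168.1.111. Router mode leaves the client's
    own address in place, so Router 1 must know a route to it.
    """
    reply_dst = "192.168.1.111" if router_a_does_nat else client_behind_a
    return reply_dst, next_hop(table, reply_dst)


if __name__ == "__main__":
    client = "192.168.11.50"  # hypothetical client behind Router A
    cases = [
        ("Router A in Gateway mode, no static route", ROUTER1_BASE, True),
        ("Router A in Router mode, no static route", ROUTER1_BASE, False),
        ("Router A in Router mode, static route set",
         ROUTER1_BASE + [STATIC_ROUTE], False),
    ]
    for label, table, nat in cases:
        dst, hop = reply_path(table, client, nat)
        print(f"{label}: reply to {dst} goes via {hop}")
```

In the second case the reply follows the default route out the WAN instead of returning to Router A, which is the missing-return-route condition the static route exists to prevent.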
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12838
Location: Netherlands

Posted: Fri May 21, 2021 17:50
On what router is the following firewall rule set:
Quote:
Administration > Commands > Firewall
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT

DDE12
DD-WRT Novice


Joined: 09 May 2021
Posts: 9

Posted: Mon May 31, 2021 18:38
Setting the default gateway on client on Router 1 to 192.168.1.111 could not ping client on Router A and now client on Router 1 could no longer connect to the internet.
The following firewall command is on both routers.
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6411
Location: UK, London, just across the river..

Posted: Mon May 31, 2021 21:13
just curious, is SPI firewall disabled on those in router mode ?

have a look on those links...

https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point

https://wiki.dd-wrt.com/wiki/index.php/Category:Linking_Routers

as well, follow the gurus' guidance!

If I got you correctly... you want 3 separate networks... behind your router 1?
Your best bet is... if your router allows it, do x3 separate VLANs... related to the router 1 LAN ports, and then all those routers will be on a different VLAN, either with net isolation or not, depending on what you need them for...
You may need to update to a newer build, as this build you have is old... sadly there is a lot of WIP on the newer builds, especially Broadcom VLANs etc.

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913