Static Routing - Cisco homelab

TheDood
DD-WRT Novice


Joined: 22 Jan 2022
Posts: 11

PostPosted: Sat Jan 22, 2022 22:29    Post subject: Static Routing - Cisco homelab
Hello all,

New to the forums and kind of new to advanced networking concepts. Full disclosure, I am not a networking guru, but I got most of this equipment to help me study for the CCNA routing and switching cert and to help with work-related networking needs. Home LAN router/AP is the Asus RT-AC66U.

So anyways, for work I was given an older Cisco 3650 L3 switch and a Cisco 2921 ISR. I have configured both the switch and the router following this convenient YouTube video. Seems like a fairly straightforward setup.

So I was able to successfully set up VLANs on the switch, and I am able to access the internet and my LAN (192.168.X.X) from the VLANs, but I cannot access the VLANs from my LAN machines.

I think I need to set up some static routes on my LAN router, but they do not appear to be applying. I followed the guide on the Wiki, but I think it is out of date. Anyway, attached is a network diagram of the Cisco homelab, one of the static route configurations and the iptables config.



Anyone have any ideas or advice on how to get the static routing to work? Or how to enable my LAN devices to communicate with the VLANs? I can also post the Cisco configs if needed.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Sun Jan 23, 2022 12:47    Post subject:
Welcome to the forum :)

If you post it is recommended to always state the router model (the AC66U has two versions, A1 and B1, which are very different) but also the build number.

Currently we are on build 48141

See the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

Are those Cisco routers only routing or also NATting?

For routing you need to be very precise (iptables is smarter): a LAN net ends in 0 and not 1.

I would make a route to the Cisco router e.g.
ip route add 10.10.10.0/24 via 192.168.1.2 dev br0

Check the routes with:
ip route show

That Cisco router should probably do the same and route to 192.168.100.2

You do not need any firewall rules to do this on the DD-WRT router (if there is no NAT from the Cisco router you might need some NAT rules to allow traffic out of the router, or NAT traffic out of br0 if your local LAN clients have a firewall which blocks other than local traffic).

But the Cisco router should allow traffic coming from 192.168.1.0, so that firewall might need some ACCEPT rules.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
TheDood
DD-WRT Novice


Joined: 22 Jan 2022
Posts: 11

PostPosted: Sun Jan 23, 2022 14:28    Post subject:
egc wrote:
Welcome to the forum :)


Thanks :) so far you guys are already a lot more friendly than the other support forums I have been nagging for some guidance.

egc wrote:
If you post it is recommended to always state router model (The AC66U has two versions A1 and B1 which are very different) but also build number.

Currently we are on build 48141

Did not think to post the version, so thank you! I just upgraded to the latest version from two days ago. Now I am running
Code:
 DD-WRT v3.0-r48141 giga (01/21/22)



Quote:
See the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

Quote:
Are those Cisco routers only routing or also NATting?

Right now, I think the router is doing both, I have a NAT from the inside interface (GE 0/1) to the outside interface (GE 0/0). But it also has some routing. Again, I could be wrong since I am kind of a noob.

Quote:
For routing you need to be very precise (iptables are smarter, a LAN net ends in 0 and not 1

I would make a route to the Cisco router e.g.
ip route add 10.10.10.0/24 via 192.168.1.2 dev br0


So I think I made the correct change: switched it from 10.10.10.1/24 to 10.10.10.0/24 on my DD-WRT router. But I don't see the option for the dev br0 interface, which I am assuming is a bridge? All I see is:
    LAN/WAN
    WAN
    ANY
    ETH0
    ETH1
    ETH2
    Vlan1


***EDIT*** I changed the route to 10.10.10.0/24 and switched the interface to WAN/LAN, and now I can ping the 10.10.10.1 IP address, but I am getting some TTL expired in transit and a traceroute shows this:
Code:
Tracing route to 10.10.10.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    <1 ms    <1 ms    <1 ms  192.168.1.2
  3     5 ms     1 ms     1 ms  192.168.1.2
  4    <1 ms    <1 ms    <1 ms  192.168.100.1
  5    11 ms     1 ms     1 ms  192.168.1.2
  6    <1 ms    <1 ms    <1 ms  192.168.100.1
  7    15 ms     1 ms     1 ms  192.168.1.2
  8     1 ms    <1 ms    <1 ms  192.168.100.1
  9     1 ms     1 ms     1 ms  192.168.1.2
 10     1 ms    <1 ms    <1 ms  192.168.100.1
 11    16 ms     1 ms     1 ms  192.168.1.2
 12     1 ms     1 ms     1 ms  192.168.100.1
 13    18 ms    12 ms     9 ms  192.168.1.2
 14     1 ms     1 ms     1 ms  192.168.100.1
 15     2 ms     1 ms     1 ms  192.168.1.2
 16     1 ms     1 ms     3 ms  192.168.100.1
 17     2 ms     1 ms     1 ms  192.168.1.2
 18     1 ms     1 ms     1 ms  192.168.100.1
 19    15 ms     6 ms     2 ms  192.168.1.2
 20     1 ms     1 ms     1 ms  192.168.100.1
 21     2 ms     2 ms     2 ms  192.168.1.2
 22     1 ms     1 ms     1 ms  192.168.100.1
 23     2 ms     2 ms     2 ms  192.168.1.2
 24     2 ms     1 ms     1 ms





Quote:

Check the routes with:
ip route show

That Cisco router should probably do the same and route to 192.168.100.2


I think I have the Cisco router configured properly to route from all of my VLANs based off the config:
Code:
Gateway of last resort is 192.168.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.1.1
      10.0.0.0/24 is subnetted, 4 subnets
S        10.10.10.0 [1/0] via 192.168.100.2
S        10.10.20.0 [1/0] via 192.168.100.2
S        10.10.30.0 [1/0] via 192.168.100.2
S        10.10.40.0 [1/0] via 192.168.100.2
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/0
L        192.168.1.2/32 is directly connected, GigabitEthernet0/0
      192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.100.0/24 is directly connected, GigabitEthernet0/1
L        192.168.100.1/32 is directly connected, GigabitEthernet0/1


Quote:

You do not need any firewall rules to do this on the DDWRT router (if there is no NAT from the Cisco router you might need some NAT rules to allow traffic out of the router or NAT traffic out of br0 if your local LAN clients have a firewall which blocks other than local traffic).


Good deal. I will go ahead and remove the iptables rules from DD-WRT then. I checked the Wiki again and it looks like the guide for deleting iptables rules is also kind of old. Any idea how to clear them all out? Unless it's the same as a GNU/Linux system.

Quote:
But the Cisco router should allow traffic coming from 192.168.1.0, so that firewall might need some ACCEPT rules
Which I think it does, seeing as I am able to SSH into the router from my LAN. But I could be wrong.
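An added example, not part of the thread: a small Python script that parses tracert output like the one quoted above (Windows tracert format; the looping excerpt below is constructed from the hops shown in the post, the clean trace is a constructed illustration of what a working path to 10.10.10.1 would look like). A router address that answers at more than one hop before the destination does means the probe re-entered that router, which is what the "TTL expired in transit" replies are reporting. The addresses are the ones in the posts; the function names are mine.

```python
import re
from typing import Dict, List, Optional

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed excerpt of the tracert output quoted in the post above.
LOOPING_TRACE = """\
Tracing route to 10.10.10.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    <1 ms    <1 ms    <1 ms  192.168.1.2
  3     5 ms     1 ms     1 ms  192.168.1.2
  4    <1 ms    <1 ms    <1 ms  192.168.100.1
  5    11 ms     1 ms     1 ms  192.168.1.2
  6    <1 ms    <1 ms    <1 ms  192.168.100.1
  7    15 ms     1 ms     1 ms  192.168.1.2
  8     1 ms    <1 ms    <1 ms  192.168.100.1
  9     *        *        *     Request timed out.
"""

# Constructed: the same trace once the L3 switch forwards for VLAN 10
# (DD-WRT -> Cisco router -> L3 switch SVI).
CLEAN_TRACE = """\
Tracing route to 10.10.10.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    <1 ms    <1 ms    <1 ms  192.168.1.2
  3     1 ms     1 ms     1 ms  192.168.100.2
  4     1 ms     1 ms     1 ms  10.10.10.1

Trace complete.
"""


def parse_tracert(text: str) -> List[Optional[str]]:
    """Return the responding address for each hop, None where nothing answered."""
    hops: List[Optional[str]] = []
    for line in text.splitlines():
        parts = line.split()
        # Hop lines start with the hop number; the banner and trailer do not.
        if not parts or not parts[0].isdigit():
            continue
        last = parts[-1]
        hops.append(last if IPV4_RE.match(last) else None)
    return hops


def analyse_trace(text: str, destination: str) -> Dict[str, object]:
    """Summarise a trace: whether the destination answered, and which routers
    answered at more than one hop before it did (a forwarding loop)."""
    hops = parse_tracert(text)
    sightings: Dict[str, List[int]] = {}
    reached_at: Optional[int] = None
    for hop_no, addr in enumerate(hops, start=1):
        if addr == destination:
            reached_at = hop_no
            break
        if addr is not None:
            sightings.setdefault(addr, []).append(hop_no)
    repeated = {a: h for a, h in sightings.items() if len(h) > 1}
    return {
        "hops": len(hops),
        "reached_at": reached_at,
        "repeated": repeated,
        "loop": bool(repeated) and reached_at is None,
    }


def describe(text: str, destination: str) -> str:
    """One-line verdict for a trace."""
    r = analyse_trace(text, destination)
    if r["reached_at"] is not None:
        return f"{destination} reached at hop {r['reached_at']}"
    if r["loop"]:
        members = ", ".join(f"{a} (hops {h})" for a, h in r["repeated"].items())
        return f"forwarding loop before {destination}: {members}"
    return f"{destination} not reached in {r['hops']} hops"


if __name__ == "__main__":
    print(describe(LOOPING_TRACE, "10.10.10.1"))
    print(describe(CLEAN_TRACE, "10.10.10.1"))
```

On the quoted trace the two addresses that keep coming back, 192.168.1.2 and 192.168.100.1, are both interfaces of the same Cisco router, so the script reports a loop and never sees 10.10.10.1; the clean trace returns the hop at which the destination answered.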
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Sun Jan 23, 2022 16:38    Post subject:
br0 is indeed LAN/WLAN, so the route should be good to reach your Cisco, but of course the Cisco should take care of the downstream routing.

Iptables is a standard Linux implementation, you can delete with:
iptables -D .......

But if you add them via the CLI then rebooting the router will also work

I do not have my Cisco certificates so I cannot help you with that, but being able to SSH does not mean anything can pass.

I am not sure about your subnetting: you can divide a 10.10.10.0/24 subnet into 4, but not how you are doing it; this subnet has addresses from 10.10.10.1 - 10.10.10.255.
So your routing can only connect to those addresses, I think.

TheDood
DD-WRT Novice


Joined: 22 Jan 2022
Posts: 11

PostPosted: Sun Feb 06, 2022 16:44    Post subject:
Hello all,

I apologize for bumping a super old thread, but I wanted to share some guidance on how I was able to connect my L3 Cisco switch to my DD-WRT home router, in case someone were to find themselves in a situation similar to my own.

So I followed the advice of setting the gateway of last resort on the switch. In this case, I used one dedicated interface on the switch (GigabitEthernet 0/48) and set it to have an IP address of 192.168.1.2. Then I set up all of my VLANs on the switch to use 192.168.1.2 as the next hop. Finally I set the gateway of last resort to its dedicated IP address (192.168.1.2).

Next I went into DD-WRT and set up static routes to all of the VLANs (10.10.10.1/24, 10.10.20.1/24 etc). The issue I ran into was that my LAN could communicate with my VLANs and vice-versa, but my VLANs could not communicate out to the internet. I realized that I did not have NAT enabled on the static routes, checked the NAT option on the static route configuration page. Applied, saved and it worked.

My LAN can now freely talk with my VLANs and my VLANs can talk to both my LAN and the greater internet.

Thank you all so much for all of the help. I had a lot of fun learning.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Sun Feb 06, 2022 19:22    Post subject:
You could have used one aggregate route 10.10.0.0/16 that would have covered all the VLANs.
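An added example, not part of the thread, covering two points raised in it: egc's advice that a static route must name the network (10.10.10.0/24, not 10.10.10.1/24) in the form ip route add ... via 192.168.1.2 dev br0, and Per Yngve Berg's suggestion of one aggregate route instead of four. The script uses Python's standard ipaddress module to check which form a prefix is in, normalise it, emit the ip route add lines, find the shortest aggregate that actually contains the four VLANs, and measure how much extra address space a 10.10.0.0/16 route would also send to the Cisco. The prefixes, next hop 192.168.1.2 and interface br0 are the ones from the thread; the function names are mine.

```python
import ipaddress
from typing import List

# Constructed input: the four VLAN prefixes as typed into the DD-WRT
# static-route form, host address rather than network address.
VLAN_PREFIXES = ["10.10.10.1/24", "10.10.20.1/24", "10.10.30.1/24", "10.10.40.1/24"]
NEXT_HOP = "192.168.1.2"   # Cisco side of the 192.168.1.0/24 link (from the thread)
IFACE = "br0"              # DD-WRT LAN bridge, LAN/WLAN in the web UI (from the thread)


def is_network_form(prefix: str) -> bool:
    """True when the host bits are all zero (10.10.10.0/24), the form a
    routing table expects; 10.10.10.1/24 fails this check."""
    try:
        ipaddress.ip_network(prefix, strict=True)
        return True
    except ValueError:
        return False


def to_network(prefix: str) -> str:
    """Zero the host bits: 10.10.10.1/24 -> 10.10.10.0/24."""
    return str(ipaddress.ip_network(prefix, strict=False))


def route_commands(prefixes: List[str], via: str, dev: str) -> List[str]:
    """One 'ip route add' per VLAN, with the prefix normalised first."""
    return [f"ip route add {to_network(p)} via {via} dev {dev}" for p in prefixes]


def smallest_aggregate(prefixes: List[str]) -> str:
    """Shortest single prefix that contains every listed network."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    agg = nets[0]
    while not all(n.subnet_of(agg) for n in nets):
        agg = agg.supernet()   # drop one prefix bit at a time
    return str(agg)


def covers(aggregate: str, prefixes: List[str]) -> bool:
    """Does one aggregate route contain all of the VLAN prefixes?"""
    agg = ipaddress.ip_network(aggregate)
    return all(ipaddress.ip_network(p, strict=False).subnet_of(agg) for p in prefixes)


def overreach(aggregate: str, prefixes: List[str]) -> List[str]:
    """Blocks inside the aggregate that are not one of the VLANs. Traffic to
    these is also forwarded to the next hop, so an aggregate trades four
    precise entries for a wider catch-all toward the Cisco."""
    remaining = [ipaddress.ip_network(aggregate)]
    for p in prefixes:
        vlan = ipaddress.ip_network(p, strict=False)
        nxt = []
        for block in remaining:
            if vlan.subnet_of(block):
                nxt.extend(block.address_exclude(vlan))
            else:
                nxt.append(block)
        remaining = nxt
    return [str(b) for b in sorted(remaining)]


def overreach_addresses(aggregate: str, prefixes: List[str]) -> int:
    """Number of addresses the aggregate routes that belong to no VLAN."""
    return sum(ipaddress.ip_network(b).num_addresses for b in overreach(aggregate, prefixes))


if __name__ == "__main__":
    for p in VLAN_PREFIXES:
        print(f"{p}: network form? {is_network_form(p)} -> {to_network(p)}")
    for cmd in route_commands(VLAN_PREFIXES, NEXT_HOP, IFACE):
        print(cmd)
    print(f"smallest aggregate: {smallest_aggregate(VLAN_PREFIXES)}")
    print(f"10.10.0.0/16 covers all VLANs: {covers('10.10.0.0/16', VLAN_PREFIXES)}")
    print(f"10.10.0.0/16 also routes {overreach_addresses('10.10.0.0/16', VLAN_PREFIXES)} "
          f"non-VLAN addresses to {NEXT_HOP}")
```

For these four VLANs the shortest covering prefix is 10.10.0.0/18, and a /16 also sends the other 252 /24 blocks of 10.10.0.0/16 to the Cisco; that is harmless in a lab, but it is worth knowing which prefixes a single route actually hands to another box before using it on a network where the remaining space may later be allocated to something else.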