Posted: Sat Jan 22, 2022 22:29 Post subject: Static Routing - Cisco homelab
Hello all,
New to the forums and kind of new to advanced networking concepts. Full disclosure, I am not a networking guru, but I got most of this equipment to help me study for the CCNA routing and switching cert and help with work-related networking needs. Home LAN router/AP is the Asus RT-AC66U.
So anyways, for work I was given an older Cisco 3650 L3 switch and a Cisco 2921 ISR. I have configured both the switch and the router following this convenient YouTube video. Seems like a fairly straightforward setup.
So I was able to successfully setup VLANs on the switch and I am able to access the internet and my LAN (192.168.X.X) from the VLANs but I cannot access the VLANs from my LAN machines.
I think I need to set up some static routes on my LAN router, but they do not appear to be applying. I followed the guide on the Wiki, but I think it is out of date. Anyways, attached is a network diagram of the Cisco homelab, one of the static route configurations and the iptables config.
Anyone have any ideas or advice on how to get the static routing to work? Or how to enable my LAN devices to communicate with the VLANs? I can also post the Cisco configs if needed.
Joined: 18 Mar 2014 Posts: 12922 Location: Netherlands
Posted: Sun Jan 23, 2022 12:47 Post subject:
Welcome to the forum
If you post it is recommended to always state router model (The AC66U has two versions A1 and B1 which are very different) but also build number.
Currently we are on build 48141
See the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Are those Cisco routers only routing or also NATting?
For routing you need to be very precise (iptables are smarter, a LAN net ends in 0 and not 1).
I would make a route to the Cisco router e.g.
ip route add 10.10.10.0/24 via 192.168.1.2 dev br0
Check the routes with:
ip route show
That Cisco router should probably do the same and route to 192.168.100.2
You do not need any firewall rules to do this on the DDWRT router (if there is no NAT from the Cisco router you might need some NAT rules to allow traffic out of the router or NAT traffic out of br0 if your local LAN clients have a firewall which blocks other than local traffic).
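A small helper to sanity-check a static route before typing it into DD-WRT or IOS, as an added example (my own code, not egc's or anything from DD-WRT): it normalises a destination that was entered with host bits set (10.10.10.1/24 becomes 10.10.10.0/24), checks that the next hop sits on an attached network, and emits both the Linux and the Cisco form of the route. The attached-network list and the bridge name br0 are assumptions taken from the thread.

```python
import ipaddress

def normalize_static_route(dest, via, attached, dev="br0"):
    """Return (ip route command, warnings) for a DD-WRT static route.

    dest     - destination as typed, e.g. "10.10.10.1/24" (host bits tolerated)
    via      - next-hop gateway, e.g. "192.168.1.2"
    attached - networks directly attached to the router, e.g. ["192.168.1.0/24"]
    """
    warnings = []
    # strict=False accepts 10.10.10.1/24 and yields the real network 10.10.10.0/24;
    # the default strict=True would raise ValueError because host bits are set.
    net = ipaddress.ip_network(dest, strict=False)
    if str(net) != dest:
        warnings.append(f"destination {dest} has host bits set; using network {net}")
    gw = ipaddress.ip_address(via)
    if not any(gw in ipaddress.ip_network(a) for a in attached):
        warnings.append(f"next hop {via} is not on any attached network {attached}")
    if gw in net:
        warnings.append(f"next hop {via} lies inside {net}; the route is recursive")
    cmd = f"ip route add {net} via {gw} dev {dev}"
    return cmd, warnings

def cisco_static_route(dest, via):
    """Same route in IOS syntax: 'ip route <network> <mask> <next hop>'."""
    net = ipaddress.ip_network(dest, strict=False)
    return f"ip route {net.network_address} {net.netmask} {via}"

if __name__ == "__main__":
    # Assumed topology from the thread: DD-WRT on 192.168.1.1, Cisco on 192.168.1.2
    cmd, warns = normalize_static_route("10.10.10.1/24", "192.168.1.2", ["192.168.1.0/24"])
    print(cmd)
    for w in warns:
        print("warning:", w)
    print(cisco_static_route("10.10.10.0/24", "192.168.100.2"))
```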
Thanks so far, you guys are already a lot more friendly than the other support forums I have been nagging for some guidance.
egc wrote:
If you post it is recommended to always state router model (The AC66U has two versions A1 and B1 which are very different) but also build number.
Currently we are on build 48141
Did not think to post the version, so thank you! I just upgraded to the latest version from two days ago. Now I am running
Code:
DD-WRT v3.0-r48141 giga (01/21/22)
Quote:
See the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Quote:
Are those Cisco routers only routing or also NATting?
Right now, I think the router is doing both, I have a NAT from the inside interface (GE 0/1) to the outside interface (GE 0/0). But it also has some routing. Again, I could be wrong since I am kind of a noob.
Quote:
For routing you need to be very precise (iptables are smarter, a LAN net ends in 0 and not 1).
I would make a route to the Cisco router e.g.
ip route add 10.10.10.0/24 via 192.168.1.2 dev br0
So I think I made the correct change, switched it from 10.10.10.1/24 to 10.10.10.0/24 on my DDWRT router. But I don't see the option for the dev br0 interface, which I am assuming is a bridge? All I see is:
LAN/WAN
WAN
ANY
ETH0
ETH1
ETH2
Vlan1
***EDIT*** I changed the route to 10.10.10.0/24 and switched the interface to WAN/LAN, and now I can ping the 10.10.10.1 IP address, but I am getting some "TTL expired in transit" and a traceroute shows this:
Code:
Tracing route to 10.10.10.1 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.1.1
2 <1 ms <1 ms <1 ms 192.168.1.2
3 5 ms 1 ms 1 ms 192.168.1.2
4 <1 ms <1 ms <1 ms 192.168.100.1
5 11 ms 1 ms 1 ms 192.168.1.2
6 <1 ms <1 ms <1 ms 192.168.100.1
7 15 ms 1 ms 1 ms 192.168.1.2
8 1 ms <1 ms <1 ms 192.168.100.1
9 1 ms 1 ms 1 ms 192.168.1.2
10 1 ms <1 ms <1 ms 192.168.100.1
11 16 ms 1 ms 1 ms 192.168.1.2
12 1 ms 1 ms 1 ms 192.168.100.1
13 18 ms 12 ms 9 ms 192.168.1.2
14 1 ms 1 ms 1 ms 192.168.100.1
15 2 ms 1 ms 1 ms 192.168.1.2
16 1 ms 1 ms 3 ms 192.168.100.1
17 2 ms 1 ms 1 ms 192.168.1.2
18 1 ms 1 ms 1 ms 192.168.100.1
19 15 ms 6 ms 2 ms 192.168.1.2
20 1 ms 1 ms 1 ms 192.168.100.1
21 2 ms 2 ms 2 ms 192.168.1.2
22 1 ms 1 ms 1 ms 192.168.100.1
23 2 ms 2 ms 2 ms 192.168.1.2
24 2 ms 1 ms 1 ms
Quote:
Check the routes with:
ip route show
That Cisco router should probably do the same and route to 192.168.100.2
I think I have the Cisco router configured properly to route from all of my VLANS based off the config:
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
Code:
S* 0.0.0.0/0 [1/0] via 192.168.1.1
10.0.0.0/24 is subnetted, 4 subnets
S 10.10.10.0 [1/0] via 192.168.100.2
S 10.10.20.0 [1/0] via 192.168.100.2
S 10.10.30.0 [1/0] via 192.168.100.2
S 10.10.40.0 [1/0] via 192.168.100.2
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, GigabitEthernet0/0
L 192.168.1.2/32 is directly connected, GigabitEthernet0/0
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, GigabitEthernet0/1
L 192.168.100.1/32 is directly connected, GigabitEthernet0/1
Quote:
You do not need any firewall rules to do this on the DDWRT router (if there is no NAT from the Cisco router you might need some NAT rules to allow traffic out of the router or NAT traffic out of br0 if your local LAN clients have a firewall which blocks other than local traffic).
Good deal. I will go ahead and remove the iptables rules from DD-WRT then. I checked the Wiki again and it looks like the guide for deleting iptables rules is also kind of old. Any idea how to clear them all out? Unless it's the same as on a GNU/Linux system.
Quote:
But the Cisco router should allow traffic coming from 192.168.1.0, so that firewall might need some ACCEPT rules
Which I think it does, seeing as I am able to SSH into the router from my LAN. But I could be wrong.
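The traceroute above bounces between 192.168.1.2 and 192.168.100.1 until the TTL runs out, which is the signature of a forwarding loop between two interfaces of the same router. As an added example (my own code, not the poster's or DD-WRT's), here is a small parser that reads tracert/traceroute output and reports the first hop at which the path revisits an earlier address with a different hop in between; the sample input is the first eight hops copied from the post.

```python
import re

# Constructed sample: the first hops of the tracert output quoted in the post above.
SAMPLE_TRACE = """\
Tracing route to 10.10.10.1 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 192.168.1.1
2 <1 ms <1 ms <1 ms 192.168.1.2
3 5 ms 1 ms 1 ms 192.168.1.2
4 <1 ms <1 ms <1 ms 192.168.100.1
5 11 ms 1 ms 1 ms 192.168.1.2
6 <1 ms <1 ms <1 ms 192.168.100.1
7 15 ms 1 ms 1 ms 192.168.1.2
8 1 ms <1 ms <1 ms 192.168.100.1
"""

# hop number, the three RTT columns (ignored), then the responding IPv4 address
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")

def parse_hops(text):
    """Return [(hop_number, address), ...]; hops with no responding address are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(3)))
    return hops

def find_loop(hops):
    """Return (hop_number, cycle) the first time an address reappears after at
    least one different hop, else None.  The same address on two consecutive
    hops (hops 2 and 3 above) is not counted: that happens with NAT or
    rate-limited ICMP and is not by itself a loop."""
    first_seen = {}
    for n, addr in hops:
        if addr in first_seen:
            between = [a for h, a in hops if first_seen[addr] < h < n and a != addr]
            if between:
                cycle = [addr] + sorted(set(between), key=between.index)
                return n, cycle
        else:
            first_seen[addr] = n
    return None

if __name__ == "__main__":
    result = find_loop(parse_hops(SAMPLE_TRACE))
    print("no loop" if result is None else f"loop from hop {result[0]} between {result[1]}")
```

A healthy trace to 10.10.10.1 would end with the VLAN gateway itself as the last hop; the check is meant for comparing the trace after each routing change, not for the live traceroute alone.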
I apologize for bumping a super old thread, but I wanted to shed some guidance on how I was able to connect my L3 Cisco switch to my DD-WRT home router, in case someone were to find themselves in a situation similar to my own.
So, following the advice of setting the gateway of last resort of the switch: in this case, I used one dedicated interface on the switch (GigabitEthernet 0/4) and set it to have an IP address of 192.168.1.2. Then I set up all of my VLANs on the switch to use 192.168.1.2 as the next hop. Finally I set the gateway of last resort to its dedicated IP address (192.168.1.2).
Next I went into DD-WRT and set up static routes to all of the VLANs (10.10.10.1/24, 10.10.20.1/24 etc). The issue I ran into was that my LAN could communicate with my VLANs and vice-versa, but my VLANs could not communicate out to the internet. I realized that I did not have NAT enabled on the static routes, so I checked the NAT option on the static route configuration page. Applied, saved and it worked.
My LAN can now freely talk with my VLANs and my VLANs can talk to both my LAN and the greater internet.
Thank you all so much for all of the help. I had a lot of fun learning.