Posted: Fri Oct 21, 2022 16:49 Post subject: Linking subnets: accessing subnet from main network
Symptoms
1) Both 192.168.1.0/24 and 192.168.2.0/24 devices can access the Internet via the main router1.
2) Success: Devices from the 192.168.2.0/24 network can access devices in the 192.168.1.0/24 network.
3) Failure Scenario: Devices in the 192.168.1.0/24 network can NOT access devices in the 192.168.2.0/24 network.
4) Router2 with WAN IP 192.168.1.2 can be accessed by devices in the 192.168.1.0/24 network.
5) Router2 with LAN IP 192.168.2.1 cannot be accessed by devices in the 192.168.1.0/24 network.
Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
Posted: Sat Oct 22, 2022 14:37 Post subject:
Welcome to the forum
Unfortunately you are running an old and outdated build with known security issues.
Upgrading to latest build 50551 is highly recommended.
See the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
*After* upgrading, reset to defaults and put settings in manually; do not restore a backup!
Now on to your problem.
I attached my personal notes on how I do it (I do not use router mode as it can break things, but it is not wrong).
The problem might be in your NetGear static route; it is a long time ago that I used NetGear stock, so it is a bit of a guessing game.
Usually you take the network you want to route: 192.168.2.0 (Netgear might use 192.168.2.1), subnet mask: 255.255.255.0, and the gateway. The gateway is the address on the current subnet you want to send the traffic to; in this case it is the WAN address of the R7000, so it should be 192.168.1.2.
Posted: Sun Oct 23, 2022 23:02 Post subject: thanks for pointers
1) Thank you for the recommendation to install later firmware. I went ahead and installed one of the latest onto the router: DD-WRT v3.0-r50551 std (10/19/22).
2) I also corrected the incorrect route on the ORBI. The intent is to route packets from the 192.168.1.0 network to the 192.168.2.0.
Static Route
Destination IP 192.168.2.1
IP Subnet Mask 255.255.255.0
Gateway IP Address 192.168.1.2
Metric 10
Current State
I reviewed the attached work document and followed it. I still cannot access devices in my subnet (192.168.2.0) from my main network (192.168.1.0).
I did a search for my Orbi RBR850. This post says that multiple subnets are not supported by the RBR850. I am not sure if I am at a dead end due to a limitation in the firmware or if it is still a misconfiguration on my part.
Note that a complicating factor is that I have installed the NordVPN client on the DD-WRT network (192.168.2.0). The VPN is working correctly. I have also tried disabling the VPN altogether and it has not changed the subnet behavior.
Posted: Mon Oct 24, 2022 6:08 Post subject:
Well, difficult to say what the problem is.
You can set a static route on the Orbi so I assume that should/could work.
For this kind of setup to work, you need a static route on the main router to the secondary router and opening of the firewall of the secondary router (provided you have left the router in Gateway mode).
For the static route you can try a destination IP of 192.168.2.0; that is how a route should officially be set to a subnet.
I do not know if there is a command line (telnet), but you should be able to check if the route is set either from the command line with: ip route show or maybe there is a GUI option to show the routing.
You can disable the firewall on the DDWRT router to be sure that is not the problem.
But this rule should be sufficient:
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
If you also want to get to the DDWRT router itself then also use:
iptables -I INPUT -s 192.168.1.0/24 -j ACCEPT
A VPN client (when not using PBR) is a problem when you want access via the WAN like you are doing; there is, however, one exception, and that is access from the attached upstream router like you are doing, as the DDWRT router should have a route to your ORBI.
So the NordVPN client should not be a problem in this case.
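The route check discussed in the post above, as an added example that is not part of the original thread: it tests whether a GUI destination/mask pair is a true network address, then runs a longest-prefix lookup over `ip route show` output to see where the main router would send a packet for the second subnet. The sample routing table, the interface names and the 203.0.113.1 ISP gateway are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ip route show` output on the main router (Router1).
# Interface names and the ISP gateway 203.0.113.1 are made up for illustration.
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev eth0
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.7
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 via 192.168.1.2 dev br0 metric 10
"""

def check_gui_route(dest, mask):
    """Return (is_network_address, normalized_cidr) for a GUI destination/mask pair."""
    net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
    return ipaddress.ip_address(dest) == net.network_address, str(net)

def parse_routes(text):
    """Parse `ip route show` lines into (network, gateway or None, device) tuples."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        net = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0])
        gw = tok[tok.index("via") + 1] if "via" in tok else None
        dev = tok[tok.index("dev") + 1] if "dev" in tok else None
        routes.append((net, gw, dev))
    return routes

def next_hop(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    net, gw, dev = max(matches, key=lambda r: r[0].prefixlen)
    return (gw or "on-link", dev)

if __name__ == "__main__":
    # The entry as typed into the GUI: host bits are set, the network is 192.168.2.0/24.
    print(check_gui_route("192.168.2.1", "255.255.255.0"))
    routes = parse_routes(SAMPLE_ROUTES)
    # With the static route present, traffic goes to Router2's WAN address.
    print(next_hop(routes, "192.168.2.50"))
    # Without it, the same packet follows the default route toward the ISP.
    no_static = [r for r in routes if str(r[0]) != "192.168.2.0/24"]
    print(next_hop(no_static, "192.168.2.50"))
```
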
Posted: Tue Oct 25, 2022 1:31 Post subject: updated configuration
Thanks for the help, I will keep grinding away until I get it to work. I appreciate you educating me and helping me to get the routing to work for the DD-WRT\ORBI combination.
Regarding the Orbi RBR850, the latest firmware does not support SSH or a command interface like the DD-WRT. I will try to see if I can get more debug output for the RBR850.
Please see attached the updated configuration with your advice.
Router1
Orbi router1 hosting subnet for DD-WRT R7000 router2.
Exposed to the Internet and hosting Router2
router1_orbi_static_route.png
Router2
Connected to Router1 via WAN port
Note that I disabled the firewall on the DD-WRT and opened for input and output. I will tighten it up once I get it to work.
router2_wrt_firewall_disabled.png (disabled the firewall from web server)
router2_wrt_firewall_commands.png (opened up the ports and did the NAT forwarding that you had suggested)
Posted: Tue Oct 25, 2022 6:24 Post subject:
Yes, @PYB is right: the -t nat rule is (usually) not necessary; at least it is wrong, it is missing a part.
A rule like this can be useful if LAN clients on router 2 have a firewall which does not allow traffic from other than its own subnet, so not allowing traffic from the primary router.
But if you need it you have to use the whole rule:
Code:
iptables -t nat -I POSTROUTING -s $(nvram get wan_ipaddr)/$(nvram get wan_netmask) -o br0 -j SNAT --to $(nvram get lan_ipaddr)
Posted: Tue Oct 25, 2022 17:36 Post subject: Re: Linking subnets: accessing subnet from main network
Just check whether the IPs assigned to the routers from the WAN router are pinging or not. I tried also, but it is not pinging even though the firewall is off/disabled on both routers. It is strange. I can enter from router too not on wan to all other PCs which are attached directly to the WAN router. However, from the WAN router I cannot access the PCs attached to the subnet routers, though all PCs in the subnet can access the WAN router easily. Then I checked the IP assigned by my WAN router to the subnet router, on DHCP and also static. That particular IP is not pinging from the WAN side, but is pinging from the subnet side.
FIREWALL SETTING WITH POSTROUTING
iptables -t nat -I POSTROUTING -s $(nvram get wan_ipaddr)/$(nvram get wan_netmask) -o br0 -j SNAT --to $(nvram get lan_ipaddr)
THANK YOU
At this point, I am done with the effort. I believe it may be the ORBI RBR8500 not forwarding packets.
Thank all of you for your help. I appreciate the excellent documentation online and that provided by you and the other posters.
My next step may be to remove the ORBI and use it only as a wireless access point and purchase some more Netgear7000 routers and install DD-WRT. I know that these devices will support the proper subnetting.