Posted: Mon Oct 14, 2024 20:43 Post subject: correct settings for setting up 2 subnets on new builds?
Hello,
I have a 2-part question about keeping subnets generally separated while also granting all of subnet 1 access to only one specific computer on subnet 2.
Basically I have an OMV media server on subnet 2 that I want to be able to access from subnet 1.
The first part of my question is this... I recently bought 2 new routers and installed DD-WRT and noticed there are now a bunch of "new" settings under Advanced Routing > Routing Tables and would like info on the correct settings for my scenario.
My routers are both Netgear R7000 models, and both routers are running DD-WRT build v3.0-r58389 std (09/20/24)
Router 1 is the gateway to the Internet and is setup for DHCP and subnet 192.168.1.x
Router 2 has an ethernet cable from a LAN port on Router 1 going into its WAN port.
Router 2 is on its own subnet 192.168.3.x.
I need both subnets for specific reasons and can not have everything on one subnet so that is not an option. I also do not want to setup any VLANs.
Router 1 has a static route setup that points at router 2 for Internet connection and so subnet 2 can "see"/ping all of subnet 1...
I can not find any documentation on what these settings do, so can someone please tell me what the correct settings are for Router 1 Advanced Routing:
Dynamic Routing > Interface?
Routing Tables > Interface?
Routing Tables > Scope?
I also need to know what the correct settings are for Router 2's Advanced Routing settings.
Should Router 2 be set as a Gateway or a Router? (currently set as Gateway)
Router 2 is serving its own subnet (192.168.3.x).
This subnet is where my media server lives, I also have a Pi-Hole running on this subnet and acting as a local DNS server, but NOT as the DHCP server, router 2 is still performing DHCP for this subnet.
What should the Dynamic Routing > Interface setting be set to?
I need Internet feed from Router 1 to Router 2.
I want subnet 2 to be able to "see"/ping/access everything on subnet 1.
I want subnet 2 to be NON-accessible from subnet 1
That is how it seems to be working at the moment with the settings I have shown in the attached pictures below, but I want to be sure I have all these settings and interfaces set correctly.
Once I am sure I have all the above mentioned settings correct, I would like to address the second half of my question
Currently the way I have my network setup is:
Subnet 1 can NOT access/ping any clients on subnet 2.
Subnet 2 CAN access/ping any clients on subnet1.
This is how I want it to be setup for security purposes.
What I would like to figure out now is:
How do I setup a static route that allows subnet 1 to access only one computer on subnet 2?
I want all of subnet one to be able to access only the file server on subnet 2, and nothing else.
The "file server" is a Raspberry Pi running Open Media Vault v7.4.10-1 Sandworm and it has a static IP address that is set on the Pi itself, not as a static lease on router 2, and this is how it needs to be because of OMV's settings.
Do I need to setup the static route in one of the routers, or on the Pi running OMV, or both? And what are all the exact settings I need to do to make this work smoothly on my r7000 routers?
As far as the first part of your question, everything as described is correct, and you are needlessly worrying about it.
As far as the second part, if you want access to a device behind router #2, there are two different approaches.
Keep router #2 in Gateway mode, which means NAT is enabled. There's no need to create static routes on router #1 since you can simply create a port forward on router #2 to the target device. IOW, it's no different than remotely accessing a device over the WAN of the primary router using port forwarding. It just happens to be an internal router.
The other option is to use Router mode w/ router #2, which disables NAT (and connection tracking, making it a bit more efficient). But now you need a static route on router #1 that points to the WAN ip of router #2 as the gateway to the IP network behind it. And you need to add a firewall rule to allow router #1's IP network to access router #2's IP network.
Code:
# interface carrying router #2's default route, i.e. its WAN side toward router #1
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
# router #2's WAN address and the network it sits in (the 192.168.1.x side), read from nvram
WAN_IP="$(nvram get wan_ipaddr)"
WAN_NET="$WAN_IP/$(nvram get wan_netmask)"
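The two options in the reply above, written out as the iptables rules router #2 would need so that all of subnet 1 reaches only the OMV host and nothing else on 192.168.3.x. This is an added example, not code from the thread or from DD-WRT itself. It assumes the OMV address 192.168.3.100 from the follow-up post, that router #2's WAN port is the link to router #1, a constructed list of TCP ports (SMB on 445 plus OMV's web UI on 80/443), that the stateful `-m state` matching works on the build in use, and that `nvram get wk_mode` reports the Gateway/Router setting as `gateway` or `router`. The script prints the rules with `show` and loads them with `apply`; the functions are separated from the top-level dispatch so the generated rules can be reviewed before anything touches the live firewall.

```shell
#!/bin/sh
# Added example for ROUTER #2 (the 192.168.3.x router): let subnet 1 reach
# only the OMV host. Everything below the "Assumptions" line is an assumption,
# not something the thread states.
#
# Assumptions:
#   - router #2's WAN port faces router #1 (the thread says so)
#   - the OMV server is 192.168.3.100 (from the follow-up post)
#   - the wanted services are TCP 445, 80, 443 (constructed list; edit PORTS)
#   - stateful matching (-m state) works; check afterwards with
#     "iptables -vnL FORWARD" and "iptables -t nat -vnL PREROUTING"
#   - "nvram get wk_mode" returns "gateway" or "router"
# Usage: sh rules.sh show     (print the rules)
#        sh rules.sh apply    (load them; Administration > Commands > Save
#                              Firewall keeps them across reboots)

LAN1_NET="192.168.1.0/24"   # subnet 1, behind router #1
OMV_IP="192.168.3.100"      # the OMV Pi on subnet 2 (static IP set on the Pi)
PORTS="445 80 443"          # constructed list of TCP ports to expose

# WAN interface of router #2 from the default route, reading the "dev" field so
# a trailing "metric N" on the route line cannot be mistaken for the interface.
wan_if() {
    ip route 2>/dev/null | awk '/^default/ { for (i = 1; i < NF; i++) if ($i == "dev") print $(i+1); exit }'
}

# Option 2 from the reply: Router mode (no NAT). Router #1 carries a static
# route for 192.168.3.0/24 via router #2's WAN IP, so packets from subnet 1
# arrive unchanged and only the FORWARD chain decides. The DROP is emitted
# first; every later -I lands above it, so the ACCEPTs take precedence.
# Matching only NEW connections leaves replies to traffic that subnet 2
# opened toward subnet 1 untouched.
router_mode_rules() {
    ifc="$1"; shift
    echo "iptables -I FORWARD -i $ifc -s $LAN1_NET -m state --state NEW -j DROP"
    for p in "$@"; do
        echo "iptables -I FORWARD -i $ifc -s $LAN1_NET -d $OMV_IP -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
}

# Option 1 from the reply: Gateway mode (NAT on). Subnet 1 talks to router #2's
# WAN address and a DNAT (port forward) redirects that to OMV, restricted to
# subnet 1 as the source. This is the rule pair a Port Forwarding entry with
# a Source Net of 192.168.1.0/24 amounts to, written out so it can be reviewed.
gateway_mode_rules() {
    ifc="$1"; wanip="$2"; shift 2
    for p in "$@"; do
        echo "iptables -t nat -I PREROUTING -i $ifc -s $LAN1_NET -d $wanip -p tcp --dport $p -j DNAT --to-destination $OMV_IP:$p"
        echo "iptables -I FORWARD -i $ifc -s $LAN1_NET -d $OMV_IP -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
}

# Select the rule set for the router's operating mode.
emit_rules() {
    mode="$1"; ifc="$2"; wanip="$3"; shift 3
    case "$mode" in
        router)  router_mode_rules "$ifc" "$@" ;;
        gateway) gateway_mode_rules "$ifc" "$wanip" "$@" ;;
        *)       echo "unknown operating mode: $mode" >&2; return 1 ;;
    esac
}

case "${1:-}" in
    show|apply)
        MODE="$(nvram get wk_mode 2>/dev/null)"
        WANIP="$(nvram get wan_ipaddr 2>/dev/null)"
        if [ "$1" = "apply" ]; then
            emit_rules "${MODE:-router}" "$(wan_if)" "$WANIP" $PORTS | sh
        else
            emit_rules "${MODE:-router}" "$(wan_if)" "$WANIP" $PORTS
        fi
        ;;
esac
```

In Router mode the DROP is what turns "subnet 1 can reach all of subnet 2" (the state the reply's allow rule would produce) into "subnet 1 can reach only OMV"; in Gateway mode nothing else is reachable anyway because there is no route to 192.168.3.x, so the restriction comes only from the Source Net on the DNAT. Either way, run `show` first and compare the output against `iptables -vnL FORWARD` after applying.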
I figured it would be something easier than a static route, like port forwarding
So if I want all of subnet 1 (192.168.1.x) to be able to see my server on subnet 2 at IP address 192.168.3.100 then I would set up a port forward that looked something like this?
Where I have the Source Net set to 192.168.1.0/24 and the IP Address set to the OMV server's IP? And then just check enable-save-apply?