need networking help - 2 routers, can't reach other subnet - verizon fios _ dslreports forums

Upload: salekojic5332

Post on 11-Oct-2015


    plammie

    @verizon.net

    Need networking help - 2 routers, can't reach other subnet

    Hey all, I'm having an issue with multiple routers and subnets on my FIOS connection. Here's how everything is set up:

    Primary router:
    ActionTec MI424WR Rev D (from Verizon)
    WAN IP: From ISP
    WAN NETMASK: From ISP
    LAN IP: 192.168.1.1
    LAN NETMASK: 255.255.255.0

    Secondary router (WAN connected to ActionTec LAN):
    Belkin N750 gigabit w/ 802.11n
    WAN IP: 192.168.1.2
    WAN NETMASK: 255.255.255.0
    LAN IP: 192.168.2.1
    LAN NETMASK: 255.255.255.0

    With this setup, I have the secondary router's WAN port connected to a LAN port on the primary router. Each are broadcasting an SSID and each are running DHCP to assign address to their respective subnets. Everything was well and good, except that I could reach 192.168.1.* systems from 192.168.2.*, but not vice versa -- anything connected to the Primary router was blind to systems connected to Secondary. Also, I could not ping anything on .2 from .1.

    So, I added the following static route to the primary router:
    DESTINATION: 192.168.2.0
    NETMASK: 255.255.255.0
    GATEWAY: 192.168.1.2

    Once this was added to the router, I could ping everything, so that was good. However, even though .1 can now ping .2, I can't access certain things such as the web interface of my NAS (192.168.2.2). I can ping it, but accessing it in the browser from .1 doesn't work; however, accessing from .2 does work.

    I think the ActionTec router might be blocking it, but that's just a guess. The firewall on this thing has me thoroughly confused. Currently, I have 192.168.1.2 in the DMZ on the ActionTec, but that didn't make a difference. I've also completely disabled the firewall on the secondary Belkin router, but still nothing.

    Any help from the pros here? Much appreciated!

    actions 2012-Feb-2 5:15 pm

    More Fiber
    Premium,MVM

    Is there a reason you're running LAN-to-WAN and not LAN-to-LAN?

    LAN-to-WAN creates routing issues and also means the devices behind the second router are double NATed.

    See the following FAQ for a walk-through of setting up the LAN-to-LAN

    actions 2012-Feb-3 9:04 am

    claibourne

    join:2011-07-04
    Garland, TX

    reply to plammie

    If I understand your config correctly, it doesn't sound like the Actiontec is the problem. If your goal is to simply subnet, and not restrict traffic in any way between 192.168.1.x (Actiontec) and 192.168.2.x (Belkin), you'd need to:

    1) totally disable the firewall on the Belkin and set it up in classical routing mode
    2) make sure the appropriate network routes are in place on both routers.

    You would not want to put the Belkin in the Actiontec DMZ. This would make the router and any client on 192.168.2.x vulnerable, since the Belkin firewall is disabled.

    Alternatively, if you leave the Belkin firewall enabled, you'd have to set up port forwards on it to the services you want to access from 192.168.1.x, e.g., to your NAS server. You probably wouldn't want the Belkin in the Actiontec DMZ in this case, either, as any port forwards you set up would be accessible on the Internet.

    actions 2012-Feb-3 11:14 am

    plammie

    @verizon.net

    Ok, I figured it out and everything is now working. The issue appears to be that the ActionTec router doesn't recognize traffic from Subnet 1 to Subnet 2 as internal traffic -- it treats it as external traffic and closes it off. To fix this, it required some Advanced Firewall Filters that were far from unintuitive and took a lot of testing to get it just right. If anyone runs into a similar situation in the future, here's a rundown of what I did to make it all work:

    Primary Router: ActionTec, MI424WR Rev D
    WAN IP/NETMASK: Assigned by ISP
    LAN IP/NETMASK: 192.168.1.1 / 255.255.255.0

    Secondary Router: Belkin N750 Gigabit w/ 802.11n
    WAN IP/NETMASK: 192.168.1.2 / 255.255.255.0
    LAN IP/NETMASK: 192.168.2.1 / 255.255.255.0

    Plug Secondary router's WAN port into a LAN port on the Primary router.

    Setup Secondary router to have static LAN address (192.168.1.2)

    At this point, you should have 2 separate subnets: Subnet 1 (192.168.1.*) and Subnet 2 (192.168.2.*).

    Systems on both subnets should be able to reach the internet. Also, Subnet 2 should be able to ping and reach systems on Subnet 1; however, systems on Subnet 1 should not be able to ping or reach systems on Subnet 2. For this, we need to create a static route so Subnet 1 can reach Subnet 2.

    Create and apply the following static route in the Primary router: (Advanced > Routing)

    RULE NAME: Network (Home/Office)
    DESTINATION: 192.168.2.0 (your secondary subnet)
    GATEWAY: 192.168.1.2 (secondary router's WAN IP)
    NETMASK: 255.255.255.0
    METRIC: 1

    The router now has a route between Subnet 1 (192.168.1.*) and Subnet 2 (192.168.2.*). You should be able to ping systems on Subnet 1 from 2, and ping systems on Subnet 2 from 1. You should not be able to access any systems, though -- the firewall is still blocking all but ping traffic from Subnet 1 to Subnet 2. We need to create some firewall rules to allow this communication.

    Make sure Primary firewall is set to at least typical/medium (Firewall Settings > General).

    We need to create some network objects to make it easier to manage the rules we'll create. Go to Advanced > Network Objects and do the following:

    A. Click Add. You are now on Edit Network Object screen.
    B. Set Description to 'Subnet 1'.
    C. In Items section below, click Add.
    D. Set Network Object Type to 'IP Subnet'.
    E. Set Subnet IP Address to 192.168.1.0.
    F. Set Subnet Mask to 255.255.255.0.
    G. Click Apply. You are now back on Edit Network Object screen.
    H. Click Apply. You are now back on Network Objects Screen.
    I. Repeat the above steps again, but this time creating a second network object called 'Subnet 2':

    Name: Subnet 2
    IP Subnet: 192.168.2.0
    Subnet Mask: 255.255.255.0


    Now we create the firewall rules. Go to Firewall Settings > Advanced Filtering.

    In the Inbound/Input rules section, click the Add link next to Network (Home/Office) Rules. Create the following Advanced Filter:

    SOURCE ADDRESS: Select 'Subnet 1'
    DEST. ADDRESS: Select 'Subnet 2'
    PROTOCOL: 'Any'
    OPERATION: 'Accept Packet'
    OCCUR: 'Always'

    Click Apply. You will now be back on the Advanced Filtering page.

    In the Outbound rules section, click the Add link next to Network (Home/Office) Rules. Create the following Advanced Filter:

    SOURCE ADDRESS: Select 'Subnet 1'
    DEST. ADDRESS: Select 'Subnet 2'
    PROTOCOL: 'Any'
    OPERATION: 'Accept Packet'
    OCCUR: 'Always'

    Click Apply. You will now be back on the Advanced Filtering page. Click Apply.

    You're all done. You should now have internet access on both subnets, be able to ping across subnets and also be able to access services across subnets (local webservers, SSH, telnet, mail, etc). You will not be able to see network file shares across subnets in Windows, however, as this requires a WINS server (which is well outside the scope of this post). For instance, I have a Western Digital NAS on the 192.168.2.0 subnet that I can access as \\Mybooklive\ from within Subnet 2; on Subnet 1, however, I have to access it by its IP \\192.168.2.10\.

    actions 2012-Feb-3 1:36 pm

    claibourne

    join:2011-07-04
    Garland, TX

    I'm a bit confused. It makes sense that the AT would think 192.168.2.x is external and would send that traffic out the WAN interface, BEFORE you set up the route to 192.168.2.0 via 192.168.1.2 (the Belkin).

    Once that route is set up, the Actiontec's firewall shouldn't touch the traffic at all.

    After that, it should just be a case of deciding whether or not you want the Belkin firewall to be active or not active, and setting up port forwards if you do.

    Did I miss something that would make all those other rules necessary?

    actions 2012-Feb-3 2:04 pm

    plammie

    @verizon.net

    Haha you're not the only one confused, claibourne. It didn't really make sense to me, either, which is why it took so long to figure out. It's as if the routes are done post-firewall. Logically speaking, if the 'Network (Home/Office)' connection is defined with an IP of 192.168.1.1, and you add a route to 192.168.2.1 to it, you'd think the firewall would apply the same rules. But that is not the case. Perhaps there's a way to modify the 'Network (Home/Office)' connection properties so that it knows the second subnet is part of it, and thusly treat the traffic the same as it would on the primary subnet? I couldn't get it to work that way, but perhaps someone more experienced with this router knows the trick.

    actions 2012-Feb-3 2:17 pm

    claibourne

    join:2011-07-04
    Garland, TX

    Oh well. Who knows?

    On the \\Mybooklive\ thing, you should be able to put an entry in the actiontec DNS server to map the name. Under advanced settings, go into the DNS server, and add a manual entry for Mybooklive with 192.168.2.10 as its IP (assuming it's static or a DHCP reservation on the Belkin side).

    actions 2012-Feb-3 2:24 pm

    plammie

    @verizon.net

    Cool, nice trick -- I hadn't even got to the DNS part of this thing yet. Thanks!

    actions 2012-Feb-3 2:35 pm

    More Fiber
    Premium,MVM

    reply to plammie

    said by plammie :

    It's as if the routes are done post-firewall.

    Correct. The firewall only applies to the WAN port.


    join:2005-09-26
    West Chester, PA
    kudos:29

    said by plammie :

    Perhaps there's a way to modify the 'Network (Home/Office)' connection properties so that it knows the second subnet is part of it, and thusly treat the traffic the same as it would on the primary subnet?

    Create a VLAN for the 2nd subnet, then add it to the Network H/O group.

    Although if you do that I don't see why you don't put everything on one subnet. Yes, I saw your post that you wanted to segregate traffic, but you're defeating that.

    --
    There are 10 kinds of people in the world; those who understand binary and those who don't.

    actions 2012-Feb-3 6:47 pm

    kevnich24

    join:2006-04-19
    Mulberry, FL

    reply to plammie

    I am with More Fiber on this. I am also confused by this - you say you want traffic separated but the only thing this accomplishes is having traffic unseparated??? You're giving conflicting statements about what you want. If you don't want traffic separate it's easier to just remove secondary router rather than the setup you have.

    The only time you want traffic traversing different subnets locally is in a large LAN environment where there is too much broadcast traffic going on and want to separate your broadcast domains.

    actions 2012-Feb-4 1:06 am
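
Added example, not part of any post in the thread: a small Python model of the behaviour plammie reported (route lookup first, then a filter that passes ping but needs an explicit rule for anything else), comparing the 'Any' filter from the post with a narrower rule that keeps the two subnets mostly separated. The filter semantics, the client 192.168.1.50, the host 192.168.2.20 and port 80 for the NAS web interface are assumptions.

```python
import ipaddress

# Addresses are the thread's; the filter semantics are a simplified model of
# what plammie observed, not the Actiontec firmware's actual logic.
ROUTES = [  # (destination network, next hop; None = directly connected)
    (ipaddress.ip_network("192.168.1.0/24"), None),
    (ipaddress.ip_network("192.168.2.0/24"), "192.168.1.2"),  # the static route
]

def next_hop(dst):
    """Longest-prefix match; 'wan' means only the default route applies."""
    addr = ipaddress.ip_address(dst)
    hits = [(net, hop) for net, hop in ROUTES if addr in net]
    if not hits:
        return "wan"
    return max(hits, key=lambda h: h[0].prefixlen)[1] or "direct"

def rule_matches(rule, src, dst, proto, dport):
    """rule = (source net, destination net, protocol or 'any', port or None)."""
    r_src, r_dst, r_proto, r_dport = rule
    return (ipaddress.ip_address(src) in ipaddress.ip_network(r_src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(r_dst)
            and r_proto in ("any", proto) and r_dport in (None, dport))

def forwarded(rules, src, dst, proto, dport=None):
    """True if the modelled primary router passes a Subnet 1 -> Subnet 2 packet."""
    if next_hop(dst) == "wan":
        return False      # no static route: the packet heads for the ISP
    if proto == "icmp":
        return True       # as reported: ping worked once the route existed
    return any(rule_matches(r, src, dst, proto, dport) for r in rules)

# The filter from the post, and an assumed narrower one (NAS web interface only).
ANY_RULE = [("192.168.1.0/24", "192.168.2.0/24", "any", None)]
NAS_ONLY = [("192.168.1.0/24", "192.168.2.10/32", "tcp", 80)]

PROBES = [  # constructed sample flows from an assumed client 192.168.1.50
    ("192.168.1.50", "192.168.2.10", "icmp", None),
    ("192.168.1.50", "192.168.2.10", "tcp", 80),
    ("192.168.1.50", "192.168.2.10", "tcp", 22),
    ("192.168.1.50", "192.168.2.20", "tcp", 23),
]

def allowed(rules):
    """Return the (dst, proto, port) probes the rule set lets through."""
    return [p[1:] for p in PROBES if forwarded(rules, *p)]
```

With no filter only the ping probe passes, `ANY_RULE` passes all four probes, and `NAS_ONLY` passes ping plus TCP 80 to the NAS while SSH and telnet across subnets stay blocked.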
