Problem with cascading router setup


Dazed2u

Goal: Router 1 with regular connection to ISP, Router2 cascaded from Router1 running OpenVPN client to 3rd party provider. Router cascade will be Router1 WAN to Router2 LAN port. All connections to Router1 (wired and wireless) will have direct connection to Internet. All connections to Router2 (wired and wireless) will have a VPN connection based on OpenVPN client running on Router2. Connected clients (regardless of router) will be able to connect to each other.

The setup is working as desired with one exception. Clients on Router1 can not see/connect to clients on Router2. I can't even connect to the Router2 WebUI while connected to the Router1 network. Searching online indicates my problem is either with my routing rule on Router1 and/or firewall restrictions on Router2.


Setup:

Router1 (RT-AC66u)
WAN IP: ISP Provided
LAN IP: 192.168.1.1
<LAN Port>
|
|
<WAN Port>
Router2 (RT-N16)
WAN IP: 192.168.1.2
LAN IP: 192.168.2.1


My routing rule on Router1 is as follows (set through GUI of Asuswrt-Merlin):

Network/Host IP - 192.168.2.0
Netmask - 255.255.255.0
Gateway - 192.168.1.2
Metric - 0
Interface - LAN



On Router2 (running Tomato Shibby) I've tried several options for firewall, including

i) changing mode from Gateway to Router

ii) allowing Router1 traffic through to Router2: iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT

iii) disabling firewall completely using the following:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT


Still no luck. Router2 clients can see Router1 clients, but Router1 clients can not see Router2 clients.


What am I missing?
 
double-NAT.

The two routers in different subnets need a static route to / from the other subnet. And a gateway IP for that route.

Simpler to just use APs or WiFi routers re-purposed as APs, versus cascaded routers with different subnet numbers, etc.
 
double-NAT.

The two routers in different subnets need a static route to / from the other subnet. And a gateway IP for that route.

Simpler to just use APs or WiFi routers re-purposed as APs, versus cascaded routers with different subnet numbers, etc.


The reason I opted for the cascaded router approach is that I have both wireless AND wired devices that I will be switching in and out of the router that has the VPN client running on it (Router2). This seemed to be the most painless way of having one router dedicated to the VPN connection, which I could attach a mix of wired and wireless devices as needed.

I'm wondering if my static route from Router1 to Router2 is the issue - particularly since I tried removing the firewall on Router2 without resolving the issue. Per my OP, I don't have any issue with traffic from Router2 finding Router1, so I would assume my route/gateway from Router2 is okay.

Thanks for your thoughts - any guidance is definitely appreciated!
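
Added example, not part of any post in this thread: a longest-prefix-match route lookup over the addresses given above, tracing which device forwards a packet in each direction between the two subnets. The client IPs (192.168.1.50, 192.168.2.50), the default routes and the "ISP" hop are constructed assumptions, and Router2's VPN routes are not modelled.

```python
import ipaddress

# Router addresses are from the thread; client IPs and default routes are
# constructed for illustration. VPN routes on Router2 are not modelled.
OWNER = {"192.168.1.1": "Router1", "192.168.1.2": "Router2",
         "192.168.2.1": "Router2", "192.168.1.50": "ClientA",
         "192.168.2.50": "ClientB"}

# node -> list of (destination prefix, gateway or None if on-link, metric)
TABLES = {
    "ClientA": [("192.168.1.0/24", None, 0), ("0.0.0.0/0", "192.168.1.1", 0)],
    "ClientB": [("192.168.2.0/24", None, 0), ("0.0.0.0/0", "192.168.2.1", 0)],
    "Router1": [("192.168.1.0/24", None, 0),
                ("192.168.2.0/24", "192.168.1.2", 0),  # static route from the post
                ("0.0.0.0/0", "ISP", 0)],
    "Router2": [("192.168.2.0/24", None, 0), ("192.168.1.0/24", None, 0),
                ("0.0.0.0/0", "192.168.1.1", 0)],
}


def next_hop(node, dst, tables=TABLES):
    """Longest-prefix match, lowest metric as tie-break. Returns the IP the
    packet is handed to next (dst itself when the prefix is on-link)."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), gw, m) for p, gw, m in tables[node]
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    _, gw, _ = max(matches, key=lambda r: (r[0].prefixlen, -r[2]))
    return gw or dst


def trace(src_node, dst, tables=TABLES, max_hops=8):
    """Follow next hops node by node until dst's owner is reached."""
    path, node = [src_node], src_node
    for _ in range(max_hops):
        hop = next_hop(node, dst, tables)
        node = OWNER.get(hop, hop)      # unknown hops (e.g. "ISP") end the walk
        path.append(node)
        if node == OWNER.get(dst) or node not in tables:
            break
    return path


if __name__ == "__main__":
    print("A -> B:", trace("ClientA", "192.168.2.50"))
    print("B -> A:", trace("ClientB", "192.168.1.50"))
```

With these tables the forward path is ClientA, Router1, Router2, ClientB, while the reply goes ClientB, Router2, ClientA without passing back through Router1, so Router1 forwards only one direction of the flow.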
 
