Pulling my hair out!!

JaimeZX

Senior Member
Guys, see the attached network diagram. I foolishly changed some settings trying to solve one issue and created another.

As you can see, I have a Linksys running DD-WRT "inside" of my Asus 3200 running Merlin. (Linksys on static IP: 192.168.1.254)

So originally I had the Linksys running as "Gateway" and using access restrictions in DD-WRT to keep some clients from the internet. ALL WAS WELL, except for one problem: one of the clients (a camera) needed daily NTP updates or it would stop putting a DTG stamp on the recorded video. Well, and my main computer (on Asus) couldn't directly access my RPi (on the Linksys).

So my original goal for today was "let port 123 through the no-internet."

On the DD-WRT/Linksys I've set up [ Setup ] -> [ Advanced Routing ] for Static Routing to send traffic bound for 192.168.1.0/24 through 192.168.1.254 as gateway.
On the Asus I've set up [ LAN ] -> [ Route ] for a static route to send traffic bound for 192.168.2.0/24 through 192.168.1.254 as gateway.

After MUCH fiddling I switched the Linksys from Gateway to Router mode and futzed with iptables some in DD-WRT.

iptables -A FORWARD -p udp --dport 123 -j ACCEPT
iptables -A FORWARD -p tcp --dport 8123 -j ACCEPT


I also made some edits to the Asus settings.

At THIS POINT clients on either network can access each other as required. WIN!!

UNFORTUNATELY now NONE of the clients on the Linksys have internet access.
Everyone on 192.168.2.0/24 can ping the Asus, but nothing beyond.

I assume Asus/Unbound is providing DNS to the Linksys, because when I (on Linksys) tcpdump -i eth1 icmp and ping 8.8.8.8 from my RPi on Linksys, I see:

IP raspberrypi > dns.google: ICMP echo request, id 5378, seq 96, length 64
IP Netgear-DD-WRT > raspberrypi: ICMP host dns.google unreachable, length 92


I'd like to tcpdump on the Asus now to see if I can figure out where it's going but that's not part of Asus/Merlin.

So my brain is dead. Seems like (obviously) the Linksys traffic is hitting the Asus network, but it also seems like I have some kind of access restrictions. But if I go to (Asus) [ AiProtection ] -> [ Parental Controls ] I certainly don't have the Linksys in there. Is there anywhere ELSE that would turn off the Internet for a client? AAAAAAAAARRRRRGH
 

Attachments

  • Network.jpg
Oop! Ha - typo! Should be 192.168.1.254. Good catch. Will fix the original post. :)
 
this might help... adjust as needed

Code:
# Redirect NTP requests to go through router
iptables -t nat -A PREROUTING -i br-lan -p udp --dport 123 -j DNAT --to 192.168.1.1
iptables -t nat -A PREROUTING -i br-guest -p udp --dport 123 -j DNAT --to 192.168.1.1
 
Thanks! I'll mess with it. :)
 
this might help... adjust as needed

Code:
# Redirect NTP requests to go through router
iptables -t nat -A PREROUTING -i br-lan -p udp --dport 123 -j DNAT --to 192.168.1.1
iptables -t nat -A PREROUTING -i br-guest -p udp --dport 123 -j DNAT --to 192.168.1.1
Unfortunately I think that winds up being trumped by the DROP lines since I have internet access off for the camera. :confused:
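
The rule-order point raised in the last reply, as an added example (not code from anyone in the thread): the FORWARD chain is evaluated top to bottom and the first terminal match wins, so an ACCEPT appended with `-A` after a DROP is never reached. The camera address 192.168.2.50, the single DROP line, and the `first_match` helper are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed rule sets in `iptables -S FORWARD` format. 192.168.2.50 is a
# hypothetical camera address; the single DROP line is a simplified stand-in
# for whatever rules the DD-WRT access restriction actually generates.
APPENDED='-P FORWARD ACCEPT
-A FORWARD -s 192.168.2.50/32 -j DROP
-A FORWARD -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 8123 -j ACCEPT'

# Same rules, with the NTP ACCEPT placed first (what `iptables -I FORWARD 1` does).
INSERTED='-P FORWARD ACCEPT
-A FORWARD -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -s 192.168.2.50/32 -j DROP
-A FORWARD -p tcp -m tcp --dport 8123 -j ACCEPT'

# first_match RULES SRC PROTO DPORT -> prints "<rule number> <target>", or
# "0 <policy>" if no rule matches. Handles -s, -p, --dport and terminal targets
# only; negation (!) and jumps to user chains are not modelled.
first_match() {
    printf '%s\n' "$1" | awk -v src="$2" -v proto="$3" -v dport="$4" '
    function ip2n(ip,  o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function in_net(ip, cidr,  p, size) {
        split(cidr, p, "/")
        size = 2 ^ (32 - (p[2] == "" ? 32 : p[2]))
        return int(ip2n(ip) / size) == int(ip2n(p[1]) / size)
    }
    $1 == "-P" { policy = $3; next }
    $1 != "-A" { next }
    {
        n++; ok = 1; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-s" && !in_net(src, $(i+1))) ok = 0
            else if ($i == "-p" && $(i+1) != proto) ok = 0
            else if ($i == "--dport" && $(i+1) != dport) ok = 0
            else if ($i == "-j") target = $(i+1)
        }
        if (ok && target ~ /^(ACCEPT|DROP|REJECT)$/) { found = 1; print n, target; exit }
    }
    END { if (!found) print 0, policy }'
}

echo "appended, camera NTP: $(first_match "$APPENDED" 192.168.2.50 udp 123)"
echo "inserted, camera NTP: $(first_match "$INSERTED" 192.168.2.50 udp 123)"
echo "inserted, camera web: $(first_match "$INSERTED" 192.168.2.50 tcp 443)"
```

On a live router the same check can be made by feeding the output of `iptables -S FORWARD` to the function in place of the constructed rule sets.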
 
