Access point mode and Guest Wireless network

[Bob Wu]

Hi, I have Asus rt-ac56r router behind another VPN router. I currently set up the Asus router in "access point" mode. My goal is to access the USB disk connected to the Asus router via both VPN and LAN.

Unfortunately I discovered that in "access point" mode the guest wireless network segregation stops working. Basically a computer connects to Asus guest wireless network can also access the USB disk. I tried 1) switching to the default "wirelss mode", 2) setting up different subnets for the VPN router and the Asus router, 3) disabling Asus router firewall. This fixed the guest wireless network issue, however, I don't know how to set up the USB disk access from VPN in this situation. My guess is that I need to somehow NAT the USB disk to the VPN router subnet? Given that I'm new to networking, can some one here give me help on how to achieve this?

Thanks!

 

[roguetr]

That sounds painful. It's probably a bug, I can't see why the guest network should function any different in AP mode.

If you're happy with leaving it in router/wireless mode, you should only need to make sure your routes are in order and preferably (most likely need to) eliminate NAT on the second router.

VPN subnet route needs to be added to router 2. Router 1 is going to need a route for the subnet behind router 2.

I'm assuming the USB disk is only accessible from the new subnet created on router 2 and is not accessible from the WAN interface ... ?

Alternatively just use the LAN ports on router 2 and configure within the same subnet of the first router. You could avoid the NAT and routing all together.

Sent from my MI 5 using Tapatalk

 

[Bob Wu]

Alternatively just use the LAN ports on router 2 and configure within the same subnet of the first router. You could avoid the NAT and routing all together.
/QUOTE]

I've tried setting both routers' DHCP servers on the same subnet (different range though, say, router 1 allocates between 192.168.1.10~100, and router 2 allocates 192.168.101~200), then set router 1 IP to be 192.168.1.1 and router 2 external IP 192.168.1.2 and internal IP 192.168.1.3. Somehow Merlin firmware detects IP conflict and force me to use a new subnet for router 2.

 

[Bob Wu]

I'm assuming the USB disk is only accessible from the new subnet created on router 2 and is not accessible from the WAN interface ... ?

Yes, after I switch to wireless router mode, the USB disk attached to router 2 is only accessible from the new subnet of router 2 (if not in guest wireless network), but no longer accessible from the WAN/VPN interface. Assuming router 1 subnet is 192.168.1.0/24 and router 2 subnet is 10.0.0.0/24, router 1 internal IP is 192.168.1.1 and router 2 external IP is 192.168.1.2, internal IP is 10.0.0.1 and router 2 WAN port connects to router 1 eth2 port. Should the extra route on router 1 look like, destination 10.0.0.0/24 -> 192.168.1.2 or destination 10.0.0.0/24 -> interface eth2? Also, besides disabling firewall on router 2, what else should I do to allow USB disk access from router 2 WAN interface?

 

[ColinTaylor]

I've tried setting both routers' DHCP servers on the same subnet (different range though, say, router 1 allocates between 192.168.1.10~100, and router 2 allocates 192.168.101~200), then set router 1 IP to be 192.168.1.1 and router 2 external IP 192.168.1.2 and internal IP 192.168.1.3. Somehow Merlin firmware detects IP conflict and force me to use a new subnet for router 2.

That is not a valid network configuration. 1) You must never have more than one DHCP server on a subnet. 2) You cannot have the same subnet on the WAN side of a router that you have on the LAN side.

 

[ColinTaylor]

Should the extra route on router 1 look like, destination 10.0.0.0/24 -> 192.168.1.2 or destination 10.0.0.0/24 -> interface eth2? Also, besides disabling firewall on router 2, what else should I do to allow USB disk access from router 2 WAN interface?

You don't say what your primary router is apart from "another VPN router" so I don't know the exactly syntax. But you want a static route for network=10.0.0.0/24, gateway=192.168.1.2, interface=LAN (or it's equivalent like br0). On the Asus you need to turn off the firewall, and disabling NAT is also a good idea.

 

[Bob Wu]

You don't say what your primary router is apart from "another VPN router" so I don't know the exactly syntax. But you want a static route for network=10.0.0.0/24, gateway=192.168.1.2, interface=LAN (or it's equivalent like br0). On the Asus you need to turn off the firewall, and disabling NAT is also a good idea.

The primary router is the VPN router which has DHCP and firewall. Asus router is behind it and the USB disk is attached to Asus router. I'll try the static route when I get home from my trip. Thanks for both of your help!

 

[roguetr]

Yes, after I switch to wireless router mode, the USB disk attached to router 2 is only accessible from the new subnet of router 2 (if not in guest wireless network), but no longer accessible from the WAN/VPN interface. Assuming router 1 subnet is 192.168.1.0/24 and router 2 subnet is 10.0.0.0/24, router 1 internal IP is 192.168.1.1 and router 2 external IP is 192.168.1.2, internal IP is 10.0.0.1 and router 2 WAN port connects to router 1 eth2 port. Should the extra route on router 1 look like, destination 10.0.0.0/24 -> 192.168.1.2 or destination 10.0.0.0/24 -> interface eth2? Also, besides disabling firewall on router 2, what else should I do to allow USB disk access from router 2 WAN interface?

That's sounds right (route 10.0.0.0/24 via 192.168.1.2), though you'd be accessing the disk via the IP of the subnet behind the WAN interface of router 2 (10.0.0.1) and you need to disable NAT on router 2. Router 2 would also need VPNSUBNET/MASK via 192.168.1.1, though the defaultgw of 192.168.1.1 should be sufficient.

You also want to make sure the subnet on router 2 doesn't conflict with your VPN range.

If I was you, I'd configure the LAN interface of router 2 as 192.168.1.2, disable DHCP as suggested and only connect via the LAN ports. Don't use the WAN port at all. This way router 2 just acts as a switch and is basically just an AP (but not in AP mode). You'll avoid the requirement to route and any possible subnet and routing conflicts. The disk would be available on 192.168.1.2.

Sent from my MI 5 using Tapatalk

 

[roguetr]

I didn't notice this response ... Yeah ... Don't do that ... As Colin said, it's not a valid config. See my response just before this one.

Sent from my MI 5 using Tapatalk

 

[Bob Wu]

If I was you, I'd configure the LAN interface of router 2 as 192.168.1.2, disable DHCP as suggested and only connect via the LAN ports. Don't use the WAN port at all. This way router 2 just acts as a switch and is basically just an AP (but not in AP mode). You'll avoid the requirement to route and any possible subnet and routing conflicts. The disk would be available on 192.168.1.2.

Sent from my MI 5 using Tapatalk

On Asus router Merlin firmware, how to config router 2 LAN interface to a particular IP w/ DHCP on router 2 disabled? Are you saying that the cable should be from router 2 LAN port (any one of the four available) to router 1 LAN port, and leave router 2 WAN port empty? I'll definitely try this out, sounds an interesting approach. I assume I need to set Asus router to be "default wireless mode" but disable DHCP, firewall, NAT.

 

[roguetr]

In LAN, configure the LAN address to 192.168.1.2 and disable the DHCP server.

The LAN ports act as a switch and aren't subject to firewalling or NAT, connect a LAN port from router 2 to a LAN port on router 1 and you should be good to go.

Sent from my MI 5 using Tapatalk

 

[roguetr]

The only problem I can think of with this setup is if you want router 2 to have internet access (for diagnostics to work and updates to flag) you'll need to give it a default gateway (192.168.1.1).

In OpenWRT there is a field in the LAN network settings for adding a default gateway and of course you can set it via the cli using uci. I'm not 100% sure how you would do this in AsusWRT/Merlin but I imagine you could put a dummy entry in WAN and set the default gateway to 192.168.1.1.

None of this should affect connecting clients. It's almost cosmetic. I'd be tempted to just disable the WAN interface in the WAN settings.

If you wanted to get really fancy ... and router 1 supports 802.3ad link aggregation, you could run two network cables from LAN ports 1 and 2 and enable bonding in the switch control section, boosting your throughput between the two routers. This way clients on router 1 can access the hosted disk on router 2 much more effectively. This is what I'm currently doing.

Sent from my MI 5 using Tapatalk

 

[Bob Wu]

In LAN, configure the LAN address to 192.168.1.2 and disable the DHCP server.

The LAN ports act as a switch and aren't subject to firewalling or NAT, connect a LAN port from router 2 to a LAN port on router 1 and you should be good to go.

Sent from my MI 5 using Tapatalk

Got back from my trip and resume experiments on this. Unfortunately this method didn't work b/c once DHCP is disabled on router 2 (asus router), the laptop connecting to guest wireless network no longer gets an IP. If connecting to the normal wireless network, the laptop does get an IP assigned by router 1.

I'm experimenting the two subnet method, will report back...

 

[roguetr]

Got back from my trip and resume experiments on this. Unfortunately this method didn't work b/c once DHCP is disabled on router 2 (asus router), the laptop connecting to guest wireless network no longer gets an IP. If connecting to the normal wireless network, the laptop does get an IP assigned by router 1.

I'm experimenting the two subnet method, will report back...

Damn ... The guest wireless restrictions did dawn on me after posting ... I had my finger crossed!

Unfortunately I doubt there's a simple way to relay DHCP. The routing method should work fine once you get everything 'just right'

Good luck!

Sent from my MI 5 using Tapatalk