
accessing second router behind first router

EDIT

I am no expert here, but if you can ping the first router OK, but none of the LAN clients on that router, then I'd say you still have a firewall issue on the first router or a firewall issue on the clients on the first router.

Looking at my iptables print out, I remember seeing a rule in my router that is allowing lan communications only within the same subnet. I am thinking that, besides the static route on the second router, you are going to need an iptables rule on the first router to forward traffic from the second router's clients to the clients on the first router.

It is just a thought. I am not home to test that theory, but you got me interested now. I have an AC68U in storage. I am going to get it out this weekend and try to simulate your environment and play.
 
I really need to stop posting first thing in the morning, ha. My comments about iptables and firewall enabled/disabled were wrong, you must have mistyped that command originally, my morning mind thought it disabled iptables, I swear I'll wait till I'm 2 coffees in from now on before commenting with noob knowledge! I have the firewall disabled on mine and still use a plethora of iptables rules to control access.

Have you tried rebooting R2 after setting NAT/firewall disabled? That 169.254.39.0 route on R2 is an automatic private IP of a client connected to R2 and could be causing issues.
 
Looking at my iptables print out, I remember seeing a rule in my router that is allowing lan communications only within the same subnet. I am thinking that, besides the static route on the second router, you are going to need an iptables rule on the first router to forward traffic from the second router's clients to the clients on the first router.
I run 2 cascaded subnets (2 routers) behind my main and all clients across all subnets have lan/wan access across all networks except where blocked by my own iptables rules between subnets in firewall-start.
 
I run 2 cascaded subnets (2 routers) behind my main and all clients across all subnets have lan/wan access across all networks except where blocked by my own iptables rules between subnets in firewall-start.

That is good to know. I won't be home until later in the week to check. From your experience, something else is amiss.

It has been a while, so I don't remember where I saw the rule that I am thinking of.
 
Thanks @Maverickcdn and @Jeffrey Young for your last messages.
Indeed, things have evolved here after a reboot of both routers ...

Here is a recap of the situation and I made a short drawing to make it as clear as possible:
[Image: Capture d’écran 2021-03-03 080231.png]

So, after the reboot I did not issue any iptables command anywhere and confirm that static route on main router is correct (see previous post).

PC2 can now access any devices on main network and access internet as long as nat is enabled. As soon as nat is disabled internet connect is lost ! This behavior is confirmed by @KAMyers1 in another post (btw, it seems we have the same config and trying to achieve the same results)

PC1 cannot access any devices on second router, regardless of firewall state on second router. This is the last thing to be resolved now ... any further ideas/explanation/suggestion welcome !

Rgds,
GS

PS: for those who would be wondering the purpose of all this: provide an on-demand OpenVPN Server on second router that will be plugged to a remotely activatable AC/DC homeplug ...
 
That 169.254.39.0 route on R2 is an automatic private IP of a client connected to R2 and could be causing issues.
I wonder if this ip is not related to the 5GHz Wifi specific to this AC87U ... and it is still there after the reboot ... :oops:
 
Your static route from the main router to the downstream router is likely not going to work with NAT enabled on the second router.

You are looking for bi-directional communications between the two subnets right? Something to test and play with this weekend.
 
Your static route from the main router to the downstream router is likely not going to work with NAT enabled on the second router.

You are looking for bi-directional communications between the two subnets right? Something to test and play with this weekend.
Yes, correct bi-directional is the goal. As mentioned, turning nat off on second router implies no internet access ..... not the desired behavior.
Thanks,
GS
 
You mentioned that your downstream router has its IP set via static IP. Is this done via DHCP assignment or truly static? If static, what do you have for your gateway and DNS servers set to on the WAN?
 
PC2 can now access any devices on main network and access internet as long as nat is enabled. As soon as nat is disabled internet connect is lost ! This behavior is confirmed by @KAMyers1 in another post (btw, it seems we have the same config and trying to achieve the same results)
Yes, correct bi-directional is the goal. As mentioned, turning nat off on second router implies no internet access ..... not the desired behavior.
This same problem was also discovered here. This setup has always worked in the past but something has now changed. I suspect there are now some additional firewall rules or routing changes in the newer firmwares. I can't guess what they are because I don't run Merlin's firmware. If you show us the output of iptables-save from each router it might give us a clue.
 
This same problem was also discovered here. This setup has always worked in the past but something has now changed. I suspect there are now some additional firewall rules or routing changes in the newer firmwares. I can't guess what they are because I don't run Merlin's firmware. If you show us the output of iptables-save from each router it might give us a clue.

Thanks, here below the result of iptables-save on both router.
For completeness, note that main router (AX86) is connected to ISP modem/router via PPPoE and gets its own public IP. Its WAN-IP is 192.168.99.2 coming from ISP (it also gets a private 10.24.97.178).
I also put some "xxx" in the public IP.
Rgds,
GS
 

Attachments

  • ax86-main-router.txt
  • ac87u-router-2.txt
You mentioned that your downstream router has its IP set via static IP. Is this done via DHCP assignment or truly static? If static, what do you have for your gateway and DNS servers set to on the WAN?
Truly static as defined on main router as 192.168.1.98.
[Image]

DNS servers:
[Image]

and here:
[Image]


but I guess all these DNS settings were automatically defined.
 
Thanks, here below the result of iptables-save on both router.
For completeness, note that main router (AX86) is connected to ISP modem/router via PPPoE and gets its own public IP. Its WAN-IP is 192.168.99.2 coming from ISP (it also gets a private 10.24.97.178).
I also put some "xxx" in the public IP.
Rgds,
GS
Can you also give the iptables-save output when the second router is not in NAT mode with the firewall turned off?
 

Attachments

  • ac87u-router-2-nat-fw-disabled.txt
FYI that's not "truly static", it's a DHCP reservation, as shown by the 87U's WAN connection type.
What difference does it make, if any?
 
I guess if anything the difference here to my setup is I run a modem in bridge mode and my R1 router is the Internet gateway.... your setup, your modem is the Internet gateway. I've been running static routes this way since 384.14ish. That and I run different models of routers.

Maybe give the solution from this static routes thread by removing/altering the iptables INVALID rule a try
 
Truly static as defined on main router as 192.168.1.98.
View attachment 31492

DNS servers :
View attachment 31490
and here:
View attachment 31491

but I guess all these DNS settings were automatically defined.

I have always used a Reserved IP on the main router for downstream Routers when building them for family and friends.

[Image]

and on the downstream router

WAN Connection Type
Automatic IP Static IP​


I also have

[Image]

Do you have similar Static routes defined on the main router?
 
I have always used a Reserved IP on the main router for downstream Routers when building them for family and friends.

View attachment 31500

and on the downstream router

WAN Connection Type
Automatic IP Static IP​



I also have

View attachment 31501

Do you have similar Static routes defined on the main router?

Thanks @Martineau .
Yes, this is the static route on my main router (AX86)
[Image]

Yes, there is a reserved IP (192.168.1.98 as shown in one of the previous posts) for AC87U which is the downstream router, and yes it gets an automatic WAN-IP (192.168.1.98) from the main router (BTW, just for testing I changed that to static IP but it does not change anything).
So my conclusion is that it is a yes on all your 3 points.

There is definitely something that prevents/blocks traffic from 192.168.1.x devices to 192.168.98.x devices.

Rgds,
GS
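
One way to read the iptables-save dumps requested in this thread, as an added illustration that is not code from any poster or from the router firmware: the sketch walks the filter FORWARD chain first-match for a new connection in each direction between 192.168.1.x and 192.168.98.x. The ruleset, the interface names eth0/br0 and the host addresses are constructed assumptions; negated matches and jumps to user-defined chains are not evaluated.

```python
import ipaddress

# Constructed ruleset for illustration; NOT taken from the attachments in this thread.
# Assumed interface names: eth0 = WAN side of the second router, br0 = its LAN bridge.
SAMPLE = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i br0 -j ACCEPT
COMMIT
"""
FLAGS = {"-i": "in", "-o": "out", "-s": "src", "-d": "dst",
         "--state": "state", "--ctstate": "state", "-j": "target"}

def parse_forward(text):
    """Return (default policy, rule dicts) for the filter table's FORWARD chain."""
    table, policy, rules = None, "ACCEPT", []
    for line in text.splitlines():
        tok = line.split()
        if line.startswith("*"):
            table = line[1:]          # iptables-save prints one "*table" header per table
        elif table == "filter" and line.startswith(":FORWARD"):
            policy = tok[1]
        elif table == "filter" and tok[:2] == ["-A", "FORWARD"]:
            rules.append({"raw": line, **{k: tok[tok.index(f) + 1] for f, k in FLAGS.items() if f in tok}})
    return policy, rules

def verdict(text, pkt):
    """First-match walk; only ACCEPT/DROP/REJECT end it. No '!' or user-chain support."""
    policy, rules = parse_forward(text)
    for r in rules:
        if any(k in r and r[k] != pkt[k] for k in ("in", "out")):
            continue
        if any(k in r and ipaddress.ip_address(pkt[k]) not in ipaddress.ip_network(r[k], strict=False)
               for k in ("src", "dst")):
            continue
        if "state" in r and pkt["state"] not in r["state"].split(","):
            continue
        if r.get("target") in ("ACCEPT", "DROP", "REJECT"):
            return r["target"], r["raw"]
    return policy, "chain policy"

# Constructed hosts inside the two subnets discussed in the thread.
PC1_TO_PC2 = {"in": "eth0", "out": "br0", "src": "192.168.1.10", "dst": "192.168.98.20", "state": "NEW"}
PC2_TO_PC1 = {"in": "br0", "out": "eth0", "src": "192.168.98.20", "dst": "192.168.1.10", "state": "NEW"}
ALLOW = "-A FORWARD -i eth0 -o br0 -s 192.168.1.0/24 -d 192.168.98.0/24 -j ACCEPT"
PATCHED = SAMPLE.replace("COMMIT", ALLOW + "\nCOMMIT")
```

Calling `verdict(SAMPLE, PC1_TO_PC2)` against the constructed ruleset shows the asymmetry the chain policy produces, and `verdict(PATCHED, PC1_TO_PC2)` shows the effect of a narrowly scoped allow rule for just the two subnets.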
 
