accessing second router behind first router


Martineau

Part of the Furniture
Thanks @Martineau.
Yes, this is the static route on my main router (AX86)
[screenshot attachment]

Yes, there is a reserved IP (192.168.1.98, as shown in one of my previous posts) for the AC87U, which is the downstream router, and yes, it gets an automatic WAN IP (192.168.1.98) from the main router (BTW, just for testing I changed that to a static IP but it does not change anything).
So my conclusion is that it is a yes on all your 3 points.

There is definitely something that prevents/blocks traffic from 192.168.1.x devices to 192.168.98.x devices.

Rgds,
GS
Can you try setting the metric (hop value) to 1 on the main router.

Hopefully it will then show the static route(s) for the downstream router(s)...in my case
Code:
ip route | grep metric

192.168.50.0/24 via 10.88.8.251 dev br0  metric 2 
192.168.1.0/24 via 10.88.8.251 dev br0  metric 2

then query on the main router the route to a device attached to the downstream router...in my case
Code:
ip route get 192.168.1.111

192.168.1.111 via 10.88.8.251 dev br0  src 10.88.8.1 
    cache  mtu 1500 advmss 1460 hoplimit 64
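The two checks above (a static route on the main router pointing at the downstream router's WAN address, then `ip route get` for a host behind it) can be reproduced offline. The following is an added example, not code from the thread or from Asuswrt-Merlin: it parses `ip route`-style lines, reproduces the longest-prefix-match lookup that `ip route get` performs, verifies that the static route's gateway is on-link, and walks a destination through both routers' tables so the "bi-directional" requirement (main router needs the static route; the downstream router reaches the main LAN through its own default/connected routes) is visible. The route tables are constructed: the default and static routes on `MAIN` are the ones posted later in the thread for the 192.168.1.0/24 / 192.168.98.0/24 setup; the connected `proto kernel` routes are the usual kernel entries and are assumed here.

```python
"""Model of the cascaded-router routing tables: parse `ip route` output,
reproduce `ip route get`, and walk a packet's path through both routers."""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    via: Optional[ipaddress.IPv4Address]  # None = directly connected (on-link)
    dev: str
    metric: int


# "dst [via gw] dev ifname ... [metric N]"; other `ip route` attributes are ignored.
ROUTE_RE = re.compile(
    r"^(?P<dst>default|\d+(?:\.\d+){3}(?:/\d+)?)"
    r"(?:\s+via\s+(?P<via>\d+(?:\.\d+){3}))?"
    r"\s+dev\s+(?P<dev>\S+)"
    r"(?:.*?\bmetric\s+(?P<metric>\d+))?"
)

# Constructed tables. The static route and default route on MAIN match the ones
# posted in the thread; the connected (proto kernel) routes are what the kernel
# adds for each interface address and are assumed here.
MAIN = """\
default via 192.168.99.1 dev eth0 metric 1
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
192.168.98.0/24 via 192.168.1.98 dev br0 metric 1
"""
DOWNSTREAM = """\
default via 192.168.1.1 dev eth0 metric 1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.98
192.168.98.0/24 dev br0 proto kernel scope link src 192.168.98.1
"""
# Same main router with the static route missing (the "before" state).
MAIN_NO_STATIC = "\n".join(l for l in MAIN.splitlines() if "via 192.168.1.98" not in l)


def parse_routes(text: str) -> List[Route]:
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # blank lines and shapes we do not model (e.g. the 'cache' line)
        dst = m.group("dst")
        prefix = (ipaddress.IPv4Network("0.0.0.0/0") if dst == "default"
                  else ipaddress.IPv4Network(dst, strict=False))
        via = ipaddress.IPv4Address(m.group("via")) if m.group("via") else None
        routes.append(Route(prefix, via, m.group("dev"), int(m.group("metric") or 0)))
    return routes


def route_get(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, ties broken by lowest metric (what `ip route get` reports)."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric)) if matches else None


def check_static_route(routes: List[Route], downstream_lan: str, downstream_wan_ip: str) -> List[str]:
    """Problems with the main router's route to the downstream LAN (empty list = OK)."""
    lan, gw = ipaddress.IPv4Network(downstream_lan), ipaddress.IPv4Address(downstream_wan_ip)
    static = [r for r in routes if r.prefix == lan]
    if not static:
        return [f"no route for {lan}: that traffic follows the default route to the ISP"]
    problems = []
    r = static[0]
    if r.via != gw:
        problems.append(f"route for {lan} points at {r.via}, expected {gw}")
    # The gateway must be on-link on the same interface, otherwise the kernel rejects the route.
    if not any(c.via is None and gw in c.prefix and c.dev == r.dev for c in routes):
        problems.append(f"gateway {gw} is not on-link on {r.dev}")
    return problems


def trace(routers: Dict[str, dict], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow dst from router `start` through the tables; the last entry is
    'delivered', 'exit: ...' (left our routers) or an error."""
    owner = {a: name for name, cfg in routers.items() for a in cfg["addrs"]}
    path, here = [], start
    for _ in range(max_hops):
        r = route_get(routers[here]["routes"], dst)
        if r is None:
            return path + [f"{here}: no route to {dst}"]
        if r.via is None:
            return path + [f"{here}: {dst} is on-link via {r.dev}", "delivered"]
        path.append(f"{here}: {dst} via {r.via} dev {r.dev}")
        here = owner.get(str(r.via))
        if here is None:
            return path + [f"exit: {r.via} is not one of our routers"]
    return path + ["loop: hop limit exceeded"]


ROUTERS = {
    "main": {"routes": parse_routes(MAIN), "addrs": {"192.168.1.1"}},
    "downstream": {"routes": parse_routes(DOWNSTREAM), "addrs": {"192.168.1.98", "192.168.98.1"}},
}
ROUTERS_NO_STATIC = {**ROUTERS, "main": {"routes": parse_routes(MAIN_NO_STATIC), "addrs": {"192.168.1.1"}}}

if __name__ == "__main__":
    print(check_static_route(parse_routes(MAIN), "192.168.98.0/24", "192.168.1.98"))
    print(trace(ROUTERS, "main", "192.168.98.4"))
    print(trace(ROUTERS_NO_STATIC, "main", "192.168.98.4"))
```

With the static route present the walk from the main router ends at "delivered" on the downstream router's br0; without it the same packet exits through the default route towards the ISP gateway, which is why a missing or mis-pointed static route looks like "something blocks traffic" from the main LAN. Interface firewalls and NAT on the downstream router are outside this model, so a clean trace here only proves the routing half of the setup.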
 

Jeffrey Young

Senior Member
@GSpock

So after getting home sooner than I thought this week, I set about hauling my AC68U out of the closet and set up a test network. My setup differs from yours in that my upstream (main) router is an AC86U with Asus-Merlin 386.1 and my downstream (secondary) router is an AC68U with Asus-Merlin 384.18.

I hooked up the downstream 68U (cable from LAN port on upstream to WAN on downstream), turned off the NAT and Firewall. Set up a static route on the upstream router to point to the downstream router. So, my setup is:

Main: 192.168.189.0/24 (Router is 192.168.189.2). Router is also my DNS (running Diversion)
Secondary: 192.168.1.0/24 (Unit is 192.168.1.2)

The WAN port on the secondary unit is set up as automatic like yours (DHCP Reservation from the main). Assigned address is 192.168.189.18.

Like yourself, first crack - no internet connection when connected to the secondary unit (68U) until I manually assigned my upstream router as the DNS on the LAN page. See attached:

[screenshot attachment]

Once I made the manual DNS assignment and rebooted, I now have an internet connection.

With a static route defined on the main router as below, everything works. I have bi-directional access to LAN devices on either subnet from either device (both LAN and WiFi).

Maybe set up the DNS assignment on your downstream router first (found under LAN->DHCP page) and let's see if we can get internet access first. Then we can tackle the next issue.

[screenshot attachment]


Cheers
 

ColinTaylor

Part of the Furniture
@Jeffrey Young's reply regarding DNS got me looking back at the original ping test because that shouldn't be affected by DNS issues:
Yes, nat/firewall are disabled and yes the static route is correct and yes things "should be good" .... but they are not (at least the way I want):

From the PC connected to the second router with IP 192.168.98.4, if I issue a ping to 192.168.1.13 ("main" PC) I get a timeout (100% packet loss), while a ping to 192.168.1.1 is 100% OK, but I cannot access the router page with a browser ... This PC cannot access the internet !!!

From the "main" PC (connected with IP 192.168.1.13), a ping to 192.168.98.4 gives a timeout (100% packet loss), and a ping to 192.168.98.1 (second router) gives 100% OK and I can access the router's main page via browser !
In the tests that were done it looks like it might have actually been working! The issue was that there was no reply when pinging LAN clients on each network. If those clients were Windows PCs then this is expected because the Windows Firewall will block incoming requests from another subnet. The test would need to be redone with the Windows Firewall temporarily disabled.

EDIT: I've just noticed that @Jeffrey Young made exactly the same observation in post #21 :rolleyes:. But it looks like the OP never tested that theory and was getting confused between the firewalls on the routers and the firewalls on the PCs.
 

Jeffrey Young

Senior Member
Windows PCs then this is expected because the Windows Firewall will block incoming requests from another subnet. The test would need to be redone with the Windows Firewall temporarily disabled.

That is where I was going in post 21. Maybe I missed something along the way after that post. For some reason, I thought it was ruled out. Thanks @ColinTaylor for bringing that blackout to the forefront. Cheers
 

Maverickcdn

Senior Member
Can you try setting the metric (hop value) to 1 on the main router.
FWIW I leave the metric blank in the GUI and the router auto defaults to a metric of 1

@Jeffrey Young's reply regarding DNS got me looking back at the original ping test because that shouldn't be affected by DNS issues:

In the tests that were done it looks like it might have actually been working! The issue was that there was no reply when pinging LAN clients on each network. If those clients were Windows PCs then this is expected because the Windows Firewall will block incoming requests from another subnet. The test would need to be redone with the Windows Firewall temporarily disabled.

EDIT: I've just noticed that @Jeffrey Young made exactly the same observation in post #21 :rolleyes:. But it looks like the OP never tested that theory and was getting confused between the firewalls on the routers and the firewalls on the PCs.

I suspected the same but I hadn't had my coffee yet ;) I was also under the impression there wasn't a reliance on ping testing only; I made the assumption there was RDP or FTP or some other connection testing that was also failing, as the end goal was to have a connection between clients on different subnets... I guess we'll know soon enough

For my setup up on the cascaded routers I leave WAN DNS (assuming Main router is advertising a DNS to DHCP clients) on auto and LAN DNS to advertise router IP
 

Martineau

Part of the Furniture
FWIW I leave the metric blank in the GUI and the router auto defaults to a metric of 1
Indeed, but for diagnostic purposes, it can be useful to visually confirm that the default metric has been explicitly overridden i.e. has the GUI tweak been applied to the routes for the selected device(s).
 

GSpock

Senior Member
Can you try setting the metric (hop value) to 1 on the main router.

Hopefully it will then show the static route(s) for the downstream router(s)...in my case
Code:
ip route | grep metric

192.168.50.0/24 via 10.88.8.251 dev br0  metric 2
192.168.1.0/24 via 10.88.8.251 dev br0  metric 2

then query on the main router the route to a device attached to the downstream router...in my case
Code:
ip route get 192.168.1.111

192.168.1.111 via 10.88.8.251 dev br0  src 10.88.8.1
    cache  mtu 1500 advmss 1460 hoplimit 64

On the main router:
Code:
ip route | grep metric

default via 192.168.99.1 dev eth0 metric 1
192.168.98.0/24 via 192.168.1.98 dev br0 metric 1

Then
Code:
ip route get 192.168.98.4

192.168.98.4 via 192.168.1.98 dev br0 src 192.168.1.1
    cache
 

GSpock

Senior Member
@GSpock

So after getting home sooner than I thought this week, I set about hauling my AC68U out of the closet and set up a test network. My setup differs from yours in that my upstream (main) router is an AC86U with Asus-Merlin 386.1 and my downstream (secondary) router is an AC68U with Asus-Merlin 384.18.

I hooked up the downstream 68U (cable from LAN port on upstream to WAN on downstream), turned off the NAT and Firewall. Set up a static route on the upstream router to point to the downstream router. So, my setup is:

Main: 192.168.189.0/24 (Router is 192.168.189.2). Router is also my DNS (running Diversion)
Secondary: 192.168.1.0/24 (Unit is 192.168.1.2)

The WAN port on the secondary unit is set up as automatic like yours (DHCP Reservation from the main). Assigned address is 192.168.189.18.

Like yourself, first crack - no internet connection when connected to the secondary unit (68U) until I manually assigned my upstream router as the DNS on the LAN page. See attached:

[screenshot attachment]

Once I made the manual DNS assignment and rebooted, I now have an internet connection.

With a static route defined on the main router as below, everything works. I have bi-directional access to LAN devices on either subnet from either device (both LAN and WiFi).

Maybe set up the DNS assignment on your downstream router first (found under LAN->DHCP page) and let's see if we can get internet access first. Then we can tackle the next issue.

[screenshot attachment]

Cheers

Thanks. I have changed the DNS on the second router:
[screenshot attachment]

rebooted, but still cannot access PC2 from PC1; ping gives 100% packet loss even if the Windows firewall is disabled on PC2 .... (anyway, leaving the firewall disabled on PC2 is not really an option, but I understand it is OK for test purposes).

Rgds,
GS

EDIT: last update :
I disabled the firewall on the second router AND on Windows PC2 and then .... ping is now OK, but I still cannot "browse" PC2 from PC1 with Explorer or RDP.
So, the question now is how to make this work without completely disabling the Windows firewall ...

Anyway, many thanks to all who have already participated in helping me so far.
 

GSpock

Senior Member
@GSpock

So after getting home sooner than I thought this week, I set about hauling my AC68U out of the closet and set up a test network. My setup differs from yours in that my upstream (main) router is an AC86U with Asus-Merlin 386.1 and my downstream (secondary) router is an AC68U with Asus-Merlin 384.18.

I hooked up the downstream 68U (cable from LAN port on upstream to WAN on downstream), turned off the NAT and Firewall. Set up a static route on the upstream router to point to the downstream router. So, my setup is:

Main: 192.168.189.0/24 (Router is 192.168.189.2). Router is also my DNS (running Diversion)
Secondary: 192.168.1.0/24 (Unit is 192.168.1.2)

The WAN port on the secondary unit is set up as automatic like yours (DHCP Reservation from the main). Assigned address is 192.168.189.18.

Like yourself, first crack - no internet connection when connected to the secondary unit (68U) until I manually assigned my upstream router as the DNS on the LAN page. See attached:

[screenshot attachment]

Once I made the manual DNS assignment and rebooted, I now have an internet connection.

With a static route defined on the main router as below, everything works. I have bi-directional access to LAN devices on either subnet from either device (both LAN and WiFi).

Maybe set up the DNS assignment on your downstream router first (found under LAN->DHCP page) and let's see if we can get internet access first. Then we can tackle the next issue.

[screenshot attachment]

Cheers

Hi,
I confirm that when NAT is disabled on the downstream router, the internet connection is lost despite the manual DNS setting. So there might/could be a difference due to the firmware version.
cheers.
 

Jeffrey Young

Senior Member
Well, I am tapped. Have not looked at your iptables yet (although I am no expert at iptables).

Question though. When you say "disabled firewall on second router", is the second router your downstream router (the 87U)? If so, and you want bi-directional comms then that firewall should be disabled (or a rule added to allow comms in the desired subnets).
 

GSpock

Senior Member
Well, I am tapped. Have not looked at your iptables yet (although I am no expert at iptables).

Question though. When you say "disabled firewall on second router", is the second router your downstream router (the 87U)? If so, and you want bi-directional comms then that firewall should be disabled (or a rule added to allow comms in the desired subnets).
Yes, second router = 87U = downstream router, in all my messages.
cheers
Edit: concerning iptables, I have not done anything since it was mentioned that static route on one side and correct wan-ip on the other side would make it.
 

Maverickcdn

Senior Member
Noob observation.... I see DNSFILTER in the iptables of R2.... are you using the DNS filter in parental controls?

Code:
-A PREROUTING -s 192.168.98.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.98.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER

Is there any other custom configuration like this that hasn't been mentioned? Looks like DoS protection might also be enabled?

Maybe a reset of at least router 2 is in order to rule out any persistent changes that were made that have been overlooked/forgotten about
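Spotting the DNSFILTER jump in the posted `iptables` dump is the kind of thing a quick audit script can do for every chain at once. The following is an added example, not code from the thread or from the router firmware: it parses `iptables-save`-style text, reports the FORWARD chain policy, lists every rule whose source or destination overlaps either of the two LANs, and lists jumps into user-defined chains (those saved with policy `-`), which is how leftover parental-control, DNS-filter or scheduling rules show up. The dump is constructed for the example: only the two DNSFILTER PREROUTING lines are taken from the post above; the DNAT line, chain policies and FORWARD rules are assumed. Negated matches (`! -s`), interface flags and connection-state matches are parsed past but not evaluated.

```python
"""Audit an iptables-save dump for rules that touch the two cascaded LANs."""
import ipaddress
import shlex
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample of what `iptables-save` on the downstream router (R2)
# might contain. Only the two DNSFILTER PREROUTING lines come from the thread;
# the DNAT line, chain policies and FORWARD rules are invented for the example.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DNSFILTER - [0:0]
-A PREROUTING -s 192.168.98.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.98.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
-A DNSFILTER -j DNAT --to-destination 192.168.98.1
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.98.0/24 -d 192.168.1.0/24 -j ACCEPT
COMMIT
"""


class Rule(NamedTuple):
    table: str
    chain: str
    src: Optional[ipaddress.IPv4Network]
    dst: Optional[ipaddress.IPv4Network]
    target: Optional[str]
    raw: str


Policies = Dict[Tuple[str, str], str]  # (table, chain) -> policy; "-" marks a user chain


def parse_iptables_save(text: str) -> Tuple[List[Rule], Policies]:
    rules: List[Rule] = []
    policies: Policies = {}
    table = ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. *nat
            table = line[1:]
        elif line.startswith(":"):          # chain declaration, e.g. :FORWARD DROP [0:0]
            name, policy = line[1:].split()[:2]
            policies[(table, name)] = policy
        elif line.startswith("-A "):        # rule appended to a chain
            args = shlex.split(line)
            src = dst = target = None
            i = 2
            while i + 1 < len(args):
                flag, val = args[i], args[i + 1]
                if flag == "-s":
                    src = ipaddress.IPv4Network(val, strict=False)
                elif flag == "-d":
                    dst = ipaddress.IPv4Network(val, strict=False)
                elif flag == "-j":
                    target = val
                # a flag followed by a non-flag token consumes its value; bare tokens ("!") do not
                i += 2 if flag.startswith("-") and not val.startswith("-") else 1
            rules.append(Rule(table, args[1], src, dst, target, line))
    return rules, policies


def rules_touching(rules: List[Rule], subnets: List[str]) -> List[Rule]:
    """Rules whose -s or -d overlaps any of the given subnets."""
    nets = [ipaddress.IPv4Network(s) for s in subnets]
    return [r for r in rules
            if any((r.src and r.src.overlaps(n)) or (r.dst and r.dst.overlaps(n)) for n in nets)]


def user_chain_jumps(rules: List[Rule], policies: Policies) -> List[str]:
    """Targets that are user-defined chains (policy '-' in iptables-save), e.g. DNSFILTER."""
    user = {name for (_table, name), pol in policies.items() if pol == "-"}
    return sorted({r.target for r in rules if r.target in user})


def audit(text: str, subnets: List[str]) -> dict:
    rules, policies = parse_iptables_save(text)
    return {
        "forward_policy": policies.get(("filter", "FORWARD")),
        "touching": [f"{r.table}: {r.raw}" for r in rules_touching(rules, subnets)],
        "user_chain_jumps": user_chain_jumps(rules, policies),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE, ["192.168.1.0/24", "192.168.98.0/24"]).items():
        print(key, value)
```

Run against a real dump (`iptables-save > dump.txt` on the router, then `audit(open("dump.txt").read(), [...])`) the "touching" list is the set of rules worth reading before assuming the static route is at fault, and a FORWARD policy of DROP with only one direction explicitly accepted is exactly the shape that produces one-way ping results.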
 

GSpock

Senior Member
Noob observation.... I see DNSFILTER in the iptables of R2.... are you using the DNS filter in parental controls?

Code:
-A PREROUTING -s 192.168.98.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.98.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER

Is there any other custom configuration like this that hasn't been mentioned? Looks like DoS protection might also be enabled?

Maybe a reset of at least router 2 is in order to rule out any persistent changes that were made that have been overlooked/forgotten about

Hi,
some "time scheduling" rules were defined to block access for some systems. I have removed them. I also installed unbound out of the box, and I know there was some requirement to set the DNS filter, but I have not customized anything in this area.

Thanks.
GS
 

GSpock

Senior Member
Bingo !

Now everything works OK by changing the NAT acceleration parameter, which used to be on auto on the downstream router. Setting it to disabled allows me bi-directional comms.

[screenshot attachments]


Thanks ALL for your contributions,
GS
 

Maverickcdn

Senior Member
So is @L&LD on vacation? I thought for sure I'd see a post about doing a M&M config in here :cool:

Just goes to show, sometimes if it's working for others it's generally your config that's broken, and starting from scratch can help rule out issues.... after all my sketchy advice given, I'm glad you eventually tracked it down and got it working

and thanks to @Jeffrey Young @ColinTaylor @Martineau for pitching in

Enjoy the weekend everyone.
 
