Allow LAN traffic between T-mobile gateway and Asus AX88 in router mode

[craigeryjohn]

I have T-Mobile home internet. Their gateway allows ZERO configuration for firewall, DNS, DHCP, etc. I'm stuck with 192.168.12.xxx and whatever random IPs it gives out. I let the T-Mobile gateway service iot devices, and some upstairs wired devices. Again, it has ZERO configurability, but serves a good purpose for keeping my smart switches and chatty iot devices connected and off my main wifi channels.

Downstream from that I use an AX-88U in router mode to handle the bulk of our home devices, for DHCP, nextdns CLI, etc. This is on 192.168.0.xxx. On occasion, a devices between the two networks will need to communication, e.g. for printing, networked USB drive, gateway management, etc.

But I just cannot figure out how to configure the Asus to allow traffic to pass between these two devices! Pings pass through, internet traffic is great, but it's like inbound traffic from any 12.xxx device is blocked. Any suggestions how to set a port trigger or custom firewall script to allow this?

 

[ColinTaylor]

Outbound traffic from 92.168.0.x should work without any problem. The issue is going the other way. To have complete connectivity between both subnets you would have to disable NAT and the firewall on the Asus and create a static route on the T-mobile gateway.

As you say you don't have any control over the T-mobile gateway the above won't work. The only alternative is to create port forwarding rules on the Asus for each device you want to access from the 192.168.12.x network. So if you had a printer on 192.168.0.10:9100 you could create a forwarding rule for port 9100. So it would accessed as 192.168.12.zzz:9100. Where 192.168.12.zzz is the WAN IP address of the Asus.

 

[Tech Junky]

First off there's a bit more you can do with the phone app as it seems they shutdown the web option through a browser.

Anyway, if you want to permit access between the 2 networks either change the Asus to 192.168.12.x and exclude your IP. Or permit the same subnet through the firewall.

I have a DIY setup but, don't permit the 12.x inside beyond the firewall rules I have in place. Then again I don't have anything connecting to the GW WIFI as it's just a backup at this point or when trying to troubleshoot a website issue to bypass all of my filtering.

 

[craigeryjohn]

Outbound traffic from 92.168.0.x should work without any problem. The issue is going the other way. To have complete connectivity between both subnets you would have to disable NAT and the firewall on the Asus and create a static route on the T-mobile gateway.

As you say you don't have any control over the T-mobile gateway the above won't work. The only alternative is to create port forwarding rules on the Asus for each device you want to access from the 192.168.12.x network. So if you had a printer on 192.168.0.10:9100 you could create a forwarding rule for port 9100. So it would accessed as 192.168.12.zzz:9100. Where 192.168.12.zzz is the WAN IP address of the Asus.

This worked! At least for printing between the two! Any idea if there is a way to create a custom firewall rule/script that would accomplish something similar for a range of IPs?

 

[craigeryjohn]

First off there's a bit more you can do with the phone app as it seems they shutdown the web option through a browser.

The phone app is even more restrictive than the web interface.

Anyway, if you want to permit access between the 2 networks either change the Asus to 192.168.12.x and exclude your IP. Or permit the same subnet through the firewall.

By changing the Asus to 12.x, don't I introduce a whole mess of IP conflicts, depending on which device hands out the IP address?

 

[Tech Junky]

The phone app seems to be the only way to make changes at this point. Then again it might depend on which gateway you're using. With the KVD21 most of the web stuff was gimped and forced to the phone app.

Disable DHCP on the Asus and let the gateway handle it. If you don't have a ton of devices on the Asus then you could limit the DHCP scope to what's not used by the gateway, From what I've seen with it it hands out IPs over 12.100 in general so the Asus supplying say 50-99 shouldn't be an issue.

 

[ColinTaylor]

By changing the Asus to 12.x, don't I introduce a whole mess of IP conflicts, depending on which device hands out the IP address?

Yes, that won't work. You can't have the same subnet on both sides of a router. It's not a valid setup and the Asus will refuse to allow you to configure it that way. To have all devices part of a single subnet (192.168.12.x) you would have to change the Asus from router mode to access point mode. You then loose a lot of the functionality of the Asus as well as the separation of IoT devices from the rest of the network.

 

[ColinTaylor]

This worked! At least for printing between the two! Any idea if there is a way to create a custom firewall rule/script that would accomplish something similar for a range of IPs?

Can you give an example of what you're trying to achieve?

 

[craigeryjohn]

Can you give an example of what you're trying to achieve?

examples: Use my printer, log into esp8266s, access a network share, access both router web interfaces, etc when I'm on the 'wrong' wired device or WITHOUT switching SSIDs.

 

[ColinTaylor]

examples: Use my printer, log into esp8266s, access a network share, access both router web interfaces, etc when I'm on the 'wrong' wired device or WITHOUT switching SSIDs.

You could probably do most of that but you still need to forward specific ports to specific devices. The main complication comes when you want to access two or more devices on the 192.168.0.x network that use the same port, e.g. two printers. You then have to map a different external port number to the internal port number (e.g. 9101 -> 9100). There's always going to have to be compromises given the limitation of the T-Mobile device. If there were some way of setting a static route on the T-Mobile it would be a lot simpler.