Asus Router as an access point with DHCP

MakIA

New Around Here
I have been using Asuswrt-Merlin (v 380.65) for some time now (moved over from Tomato after using for 3 years) on RT-N66. The features I am using are DHCP/DNS Filtering (custom dns for some devices and others have opendns) and time scheduling for devices (under parental controls) which has been working nicely.

I had a requirement recently come up to change some of the configuration and wanted to use the Asus router as an access point only, but when trying that I see DHCP is not available anymore. So I searched on the forums and found some talk from RMerlin about, instead of using AP mode, just disabling NAT and firewall and using it that way so that DHCP is still available. Trying that, I ended up losing 3 days with lots of problems.

My setup now is like this.

<LocalNetwork> -- AsusRouter (as DHCP, time restrictions, DNS filtering etc) -- SecondRouter with CableModem(NAT)--Internet

I disabled NAT and tried it first and noticed that DNS filtering stops working. The devices that had a custom DNS defined before now have no DNS working at all and can't access the internet. If I revert it back to using router DNS (which is OpenDNS defined on WAN DNS Server1 and Server 2 and has been set that way for some time and working ok) now they can access the internet again but DNS filtering to custom Google DNS stops working for devices that I have it defined on. Does this have something to do with NAT being turned off?

I disabled Firewall but that didn't make any difference for the above problem. However, with Firewall disabled I noticed time restrictions for clients stopped working? I am not sure if this is exactly due to firewall disable or a combination of something else, but time restrictions also stopped. At the time the devices were supposed to be working, they remain disabled? Time/Date on router is correct.

Since the WAN side is a private IP now (a different subnet than localnetwork) with SecondRouter as a gateway, having a private IP it gave me a message that DDNS can't work. That is ok as SecondRouter is doing that now. But does having a private subnet IP on WAN cause any problem, or is it NAT/Firewall?

I had to enable the WAN interface because dnsmasq stopped working and every device would get a 10.x.x.x IP for any domain they requested, so I had to enable it. First I disabled it and just used local ethernet for sending over all traffic (wireless or otherwise) to SecondRouter, but that caused huge problems with dnsmasq stopped working?

It's a mess now. I don't want NAT enabled on this. Do I still need one or two rules or some custom NAT rules for DNS filtering to work again but keep overall NAT off? I also don't need the WAN side active but dnsmasq doesn't seem to work when that is disabled.

Any help with this and insight into what config changes are causing this and what I need to add back to make it work. I would appreciate it


Thanks
 
What you are trying to operate in is a double NAT setup. It works fine if you can live with a few limitations. Using DNS on the router not facing the Internet doesn't work using a standard setup under ASUS or Merlin at least trying to configure it using the GUI. I have been able to make it function using Tomato.

What you need to do is restore the ASUS router to the settings you had before messing around with it. Then:

1. Be sure the two routers are set up to assign DHCP in different subnets.
2. Run a cable from a LAN port on the first router to the WAN port on the ASUS router.
3. Check that the ASUS router is set to get a WAN IP from the first router. You can assign the second router a static IP, but remember it needs to be from the first router's subnet.

Now see if the ASUS router double NATed behind the first router works as you want. If you need ports forwarded to devices connected to the ASUS router you will have to first forward them from the first router to the WAN IP of the ASUS router and then from the ASUS router to the device.

Also remember that devices on the ASUS can see devices connected to the first router's LAN but not vice versa. This can be a beneficial feature or a royal pain depending on your needs.
 
Thanks for your reply. I did mention that I turned off NAT on AsusRouter and that's when all hell broke loose :)

So I have NAT off on AsusRouter (let's call this AsusRouter1) and NAT is ON on SecondRouter (let's call this Router2).

<LocalNetwork> ---> AsusRouter1 - NAT OFF (Subnet 192.168.2.0, DHCP, time restrict, DNS filtering) ---> Router2 with CableModem - NAT ON (Subnet 192.168.3.0) ---> INTERNET

The above NAT setup was specifically to avoid double NAT and hence all the royal pain. I just want to use AsusRouter1 for wifi (has better performance), DHCP, DNS filtering, time restrictions.. that's all I need AsusRouter1 to function as at this point.

From Router2 LAN I have cable going to AsusRouter1 WAN but I gave AsusRouter1 static IP on WAN and gateway of 192.168.3.1 (Router2 IP). I can give it DHCP IP from Router2 subnet if that makes any difference. Do I need to specify default gateway in static routes on AsusRouter1 as well ? I believe anything that comes over LAN/Ethernet on AsusRouter1 would be sent over to WAN and hence go out to 192.168.3.1 and there is no need to define 0.0.0.0 0.0.0.0 static route. Am I correct in this assumption ?

Having NAT off is causing the problems on Asus it seems but then why dnsmasq stops working with no WAN is beyond me. To me this is a bug, why have the option to turn NAT off on Asuswrt-merlin firmware when it breaks things ? And what issues Firewall OFF would cause (time restrictions ?). Again why is that option there on the GUI ?

Can I add manual NAT configuration on telnet/ssh on AsusRouter1 for couple of rules of NAT for dns filtering to work? Something like dnsmasq settings that you can do on Tomato for custom assigned DNS on some devices? Do you or anyone have any NAT rules that can be added to make dns filtering work ?
 
3. Check that the ASUS router is set to get a WAN IP from the first router. You can assign the second router a static IP, but remember it needs to be from the first router's subnet.

Also can you explain the above a little bit ?

I have two different subnets defined. 192.168.2.0 for AsusRouter1 LAN and 192.168.3.0 for Router2 LAN and AsusRouter1 WAN. Is this not correct ?
 
That is correct as far as setting them on different subnets.
 
Ok, good. On Tomato did you have to do anything special like add NAT rules manually to get it working there?

I just noticed on AsusMerlin turning off NAT also stops time restrictions and DNS filter stops working. I thought turning off firewall is causing that but no, it's NAT that causes that problem too.

Any rules I can add to it in dnsmasq or other config files in jfs to make the time restrictions/parental controls work again ? I have NAT OFF, Firewall is ON on Asus.
 
anyone ?

so this cannot be done with AsusMerlin. Do I have to get some other firewall device or look into tomato or dd-wrt to do this kind of setup ?
 
I think you are making this more complex than it needs to be. I have almost the same setup as you because I have to use the ISP modem/router as it controls internet and TV. The ISP router is set as 192.168.0.1. I set the DHCP range on the ISP modem as 192.168.0.100 to 192.168.0.200. Then on my Asus RT-AC68U I assigned a static WAN address of 192.168.0.2, and the gateway of 192.168.0.1. Since I do access my NAS from outside the network I did one more thing to the ISP modem...I assigned the DMZ port to 192.168.0.2 once the Asus router was registered with the ISP router. Yes, I have double NAT...on the Asus (router is 192.168.1.1 and it has a DHCP range of 192.168.1.2 to 192.168.1.210), configure it normally...NAT ON, Firewall ON. This works great...I have gigabit WAN and I routinely get ~920 down in this configuration.

The Asus router does all the network Wi-Fi and network transfers...the ISP router just acts as a gateway to the internet. I have full NAS access from external to my network...don't make it too complicated.
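
An added example, not part of any post in this thread: a Python check of the addressing rules from the numbered steps earlier in the thread and the static-WAN setup in the post above. The /24 netmasks, the function name and the "broken" plan are assumptions; the thread gives addresses but no netmasks.

```python
import ipaddress

def check_double_nat_plan(outer_lan, outer_gw, outer_dhcp,
                          inner_wan_ip, inner_wan_gw, inner_lan):
    """Return a list of problems in a two-router (double NAT) address plan."""
    outer = ipaddress.ip_network(outer_lan)
    inner = ipaddress.ip_network(inner_lan)
    wan_ip = ipaddress.ip_address(inner_wan_ip)
    wan_gw = ipaddress.ip_address(inner_wan_gw)
    pool_lo, pool_hi = (ipaddress.ip_address(a) for a in outer_dhcp)
    problems = []
    # Step 1: the two routers must hand out DHCP in different subnets.
    if outer.overlaps(inner):
        problems.append("LAN subnets overlap")
    # Step 3: the inner router's WAN IP must come from the outer router's subnet.
    if wan_ip not in outer:
        problems.append("inner WAN IP is outside the outer subnet")
    if wan_gw != ipaddress.ip_address(outer_gw):
        problems.append("inner WAN gateway is not the outer router")
    # A static WAN IP inside the outer DHCP pool can be leased to another device.
    if pool_lo <= wan_ip <= pool_hi:
        problems.append("static WAN IP is inside the outer DHCP pool")
    if wan_ip in (outer.network_address, outer.broadcast_address, wan_gw):
        problems.append("static WAN IP is not a usable host address")
    return problems

# Addresses from the post above; /24 masks are assumed.
POSTED_PLAN = dict(
    outer_lan="192.168.0.0/24", outer_gw="192.168.0.1",
    outer_dhcp=("192.168.0.100", "192.168.0.200"),
    inner_wan_ip="192.168.0.2", inner_wan_gw="192.168.0.1",
    inner_lan="192.168.1.0/24",
)

# Constructed counter-example: same LAN subnet on both routers and a
# static WAN IP taken from the middle of the outer DHCP range.
BROKEN_PLAN = dict(POSTED_PLAN, inner_wan_ip="192.168.0.150",
                   inner_lan="192.168.0.0/24")

if __name__ == "__main__":
    for name, plan in (("posted", POSTED_PLAN), ("broken", BROKEN_PLAN)):
        print(name, check_double_nat_plan(**plan) or "ok")
```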
 
Yep, that is a similar setup to mine. One thing though, why do you have to assign the DMZ port to the Asus router? Wouldn't that be a security concern?

For me, I also have VOIP phones and I start getting problems with those. That's why I wanted to keep them on the localnetwork subnet but wanted to avoid a double NAT situation. It seems the firmware is not able to do this. Run with NAT ON (or do selective NATs) but just forward packets over to the WAN port? Turning NAT off breaks everything on the Asus router.

Perhaps some other kind of configuration/setup would allow avoiding double NAT (similar to IPTV VLANs? Not too familiar with them but can test).
 
I use DMZ to make it easy to access the Asus router from outside my network. This is not insecure as it is the same as if the Asus router was connected to a cable modem/internet...NAT is still being used in the Asus router so the firewall is active and I do not expose Asus GUI to the WAN or leave SSH or Telnet on. Again, exactly like connecting to a cable modem and I can get to the Asus from anywhere in the world without having to forward ports in the ISP router. DMZ basically bypasses the ISP router firewall but only for the one IP address.

If the VOIP phones are a problem when double NATed then I would either just connect them to the ISP modem directly or DMZ the IP address from the ISP router to the ASUS router so the ISP router is not blocking any traffic...those decisions are done only by the Asus router.
 
