AX86U and Netgear R7500 in cascade mode

[clvk07]

I connected a netgear r7500 router in cascade mode to isolate IOT devices to my AX86U (latest merlin)

Gave IP of 192.168.200.1. Can not ping the netgear router or any other device from the main Asus network. All good.

However in device manager in asus I see 192.168.1.41 and says R7500. It is the NVR Camera which is connected to the R7500.

I can login to 192.168.1.41 from the main asus network. However when I log in it says that the IP address of the NVR is 192.168.200.4

strange thing is that I can not ping it but can connect via webui

Pinging 192.168.1.41 with 32 bytes of data:
Request timed out.

Also the Mac address on device manager of 192.168.1.41 is not the one of the NVR but the one of the Netgear router.

How can this happen?

 

[bbunge]

Regardless of your findings that is not the way to isolate your IoT devices. All the devices connected to the Netgear router will have access to all the devices connected to the Asus. Would be better to do modem - Netgear - Asus. You will have double NAT but that is not bad. The firewall in the Asus will block connections from the Netgear IoT network and you should be able to access the IoT devices from the Asus network. You can also give the Asus router WAN IP address DMZ access on the netgear.
Or, you can dump the Netgear and use the Asus Guest network 1 which works very well!

 

[ColinTaylor]

How can this happen?

192.168.1.41 is the "WAN" address of the Netgear router. The NVR has created a port forwarding rule to itself in the Netgear's firewall (using UPnP), i.e. 192.168.1.41 -> 192.168.200.4

 

[clvk07]

Regardless of your findings that is not the way to isolate your IoT devices. All the devices connected to the Netgear router will have access to all the devices connected to the Asus. Would be better to do modem - Netgear - Asus. You will have double NAT but that is not bad. The firewall in the Asus will block connections from the Netgear IoT network and you should be able to access the IoT devices from the Asus network. You can also give the Asus router WAN IP address DMZ access on the netgear.
Or, you can dump the Netgear and use the Asus Guest network 1 which works very well!

They are wired IOT, can not use the wifi guest... It is a different IP range I gave to the netgear can not access any device in the netgear network from the asus router and vice versa. The nvr was an exception.. So they are not isolated this way?

 

[clvk07]

192.168.1.41 is the "WAN" address of the Netgear router. The NVR has created a port forwarding rule to itself in the Netgear's firewall (using UPnP), i.e. 192.168.1.41 -> 192.168.200.4

You right, the NVR had UPNP on, I turned it off and now can not access the webui anymore from the asus, everything seems isolated now

 

[ColinTaylor]

It is a different IP range I gave to the netgear can not access any device in the netgear network from the asus router and vice versa. The nvr was an exception.. So they are not isolated this way?

No, because all devices upstream from the Netgear (including the Asus' LAN) are potentially accessible. From the perspective of a client on the Netgear's LAN everything upstream is part of "the internet". Whether they are actually accessible will be down to any restrictions each target device has imposed. So a Windows PC's shared drive would probably be blocked by Windows Firewall but the GUI of a network printer would probably be accessible.

 

[clvk07]

No, because all devices upstream from the Netgear (including the Asus' LAN) are potentially accessible. From the perspective of a client on the Netgear's LAN everything upstream is part of "the internet". Whether they are actually accessible will be down to any restrictions each target device has imposed. So a Windows PC's shared drive would probably be blocked by Windows Firewall but the GUI of a network printer would probably be accessible.

So there is no way to isolate wired IOT with a second router? (as Asus doesn't support VLANS) I thought because can't ping them that they would be isolated

 

[ColinTaylor]

So there is no way to isolate wired IOT with a second router? (as Asus doesn't support VLANS) I thought because can't ping them that they would be isolated

I don't know what advanced features the Netgear router has. If it were another Asus you could use its Network Services Filter to block access to the 192.168.1.x network. But the best solution would be to do as @bbunge suggested, or use three routers in a "V" configuration.

 

[clvk07]

I don't know what advanced features the Netgear router has. If it were another Asus you could use its Network Services Filter to block access to the 192.168.1.x network. But the best solution would be to do as @bbunge suggested, or use three routers in a "V" configuration.

sorry I thought I did double NAT, my asus is the main router, so I have Modem to AX86U, to Netgear on Internet port. Gave different addressing to Netgear. Is this not a V config?

 

[ColinTaylor]

Is this not a V config?

No. A "V" config uses three routers. One connected to the modem serving as the primary gateway device and two secondary routers connected directly to the primary.