Basic question about LAN ip address recognition

brec

Regular Contributor
My AC86U is currently a DHCP server to all LAN devices. The LAN address is 192.168.50.1, subnet mask 255.255.255.0. The DHCP IP pool is 192.168.50.3 through 192.168.50.254. I have added some manually assigned addresses within that pool.

Suppose I want a LAN device not to use DHCP but rather to use an IP address that I specify in the device's configuration. Can I reduce the 86U's DHCP IP pool width and assign the device an IP within the LAN address subnet 192.168.50.0/24 but outside the DHCP IP pool? Or will the 86U drop packets from that address? The same question applies where I assign the device an address from another subnet, such as from 10.0.0.0/8. What does the 86U do with packets from a LAN connection with a source subnet unknown to it?
 

eibgrad

Part of the Furniture
Suppose I want a LAN device not to use DHCP but rather to use an IP address that I specify in the device's configuration. Can I reduce the 86U's DHCP IP pool width and assign the device an IP within the LAN address subnet 192.168.50.0/24 but outside the DHCP IP pool? Or will the 86U drop packets from that address?

It will work just fine. Nothing requires your LAN clients to use DHCP for their TCP/IP configuration. DHCP is just a convenience. You just have to make sure when manually configuring devices that the IPs assigned are NOT within the scope of the DHCP server, to prevent conflicts.

The same question applies where I assign the device an address from another subnet, such as from 10.0.0.0/8. What does the 86U do with packets from a LAN connection with a source subnet unknown to it?

It will route it out its default gateway, just like any other unknown IP address. In order for the router to handle an additional IP network on the same ethernet segment as the current LAN, the router itself has to be bound to that same IP network too.
 

brec

Regular Contributor
Thanks! As to your first point, that's what I assumed so I'm reassured. As to your second, I'm afraid I don't know about binding or how to bind my 86U to an additional subnet.
 

eibgrad

Part of the Furniture
Thanks! As to your first point, that's what I assumed so I'm reassured. As to your second, I'm afraid I don't know about binding or how to bind my 86U to an additional subnet.

If you're using OEM/stock firmware, it may NOT be possible.

But assuming it is possible (e.g., using Merlin), you can use ifconfig to bind the router itself to the same IP network as the other device(s) on that same IP network.

Code:
ifconfig br0:1 192.168.10.1 netmask 255.255.255.0

This is something you could execute as part of the services-start script, for example.

Now the router and those devices could communicate. And those devices could now make the router's IP address on that network their default gateway, assuming you wanted to give those devices internet access. However, if the devices are only communicating amongst themselves, there's no need to involve the router at all.
 

brec

Regular Contributor
If you're using OEM/stock firmware, it may NOT be possible.

But assuming it is possible (e.g., using Merlin), you can use ifconfig to bind the router itself to the same IP network as the other device(s) on that same IP network.

Code:
ifconfig br0:1 192.168.10.1 netmask 255.255.255.0

This is something you could execute as part of the services-start script, for example.

Now the router and those devices could communicate. And those devices could now make the router's IP address on that network their default gateway, assuming you wanted to give those devices internet access. However, if the devices are only communicating amongst themselves, there's no need to involve the router at all.
1. Given that I can just use an address in my current subnet but that doesn't conflict with the DHCP pool, I think I'm OK without worrying about introducing another subnet.

2. But I'm technically curious. I am running Merlin. Where would I find the services-start script? I ssh'd into the 86U and looked around without success.
 

eibgrad

Part of the Furniture
1. Given that I can just use an address in my current subnet but that doesn't conflict with the DHCP pool, I think I'm OK without worrying about introducing another subnet.

I didn't realize you were considering a different subnet because of your concern in manually configuring devices. Yeah, the whole issue is therefore moot.

2. But I'm technically curious. I am running Merlin. Where would I find the services-start script? I ssh'd into the 86U and looked around without success.

YOU have to create the script.

 

brec

Regular Contributor
Got it. Were I to do this, could I change your example 192.168.10.1 to a non-192.168.0.0/16 ip such as an address in 10.0.0.0/8?
 

brec

Regular Contributor
Annnnnd... lastly (?) does ipconfig br0:1 ... create the br0 "device" or refer to a preexisting one?
 

ColinTaylor

Part of the Furniture
Annnnnd... lastly (?) does ipconfig br0:1 ... create the br0 "device" or refer to a preexisting one?
It's ifconfig, not ipconfig (that's a Windows command). The br0 device must already exist (which it does).
 

brec

Regular Contributor
Thanks for your patience -- take the rest of the day off!
 

sfx2000

Part of the Furniture
Suppose I want a LAN device not to use DHCP but rather to use an IP address that I specify in the device's configuration. Can I reduce the 86U's DHCP IP pool width and assign the device an IP within the LAN address subnet 192.168.50.0/24 but outside the DHCP IP pool? Or will the 86U drop packets from that address

If you're on the same subnet you're fine.

I would have the DHCP scope from 192.168.50.100 to 150 - don't need much more than that for DHCP, and this allows some flexibility for static IPs set locally on the LAN clients for servers, etc...
 

brec

Regular Contributor
In reply to my question as to assigning a LAN device an address, such as 10.0.0.0/8, other than the router's 192.168.0.0/16. What does the 86U do with packets from a LAN connection with a source subnet unknown to it? --
It will route it out its default gateway, just like any other unknown IP address. In order for the router to handle an additional IP network on the same ethernet segment as the current LAN, the router itself has to be bound to that same IP network too.
Does "route it out its default gateway" mean out its WAN interface? Does "handle" mean provide NAT?

Suppose I assign an ip of 10.0.0.123 and a gateway of 192.168.1.1 (the router) to a LAN device and I plug that device into the LAN side of the router (possibly via a passive switch, but I don't think that's relevant). What will happen to WAN traffic from that LAN device if I don't configure bridging (binding) to the 10.0.0.0/8 network?
 

eibgrad

Part of the Furniture
In reply to my question as to assigning a LAN device an address, such as 10.0.0.0/8, other than the router's 192.168.0.0/16. What does the 86U do with packets from a LAN connection with a source subnet unknown to it? --

Does "route it out its default gateway" mean out its WAN interface? Does "handle" mean provide NAT?

It's whatever is acting as the default gateway at the moment on the router, which probably will be the WAN. But if the router, for example, has an active OpenVPN client and has it configured to route ALL traffic over that VPN by changing the default gateway to the VPN, then the traffic will be routed out the VPN.

That's why I didn't specifically say WAN but rather default gateway. I don't know w/ certainty what the default gateway is unless I have more information.

Suppose I assign an ip of 10.0.0.123 and a gateway of 192.168.1.1 (the router) to a LAN device and I plug that device into the LAN side of the router (possibly via a passive switch, but I don't think that's relevant). What will happen to WAN traffic from that LAN device if I don't configure bridging (binding) to the 10.0.0.0/8 network?

In order for any LAN device to be routed outside its own LAN, which could be *any* other LAN, including the internet, it has to have a default gateway on the same IP network. IOW, 10.0.0.123 can NOT access 192.168.1.1 to gain internet access. Not unless the router is also bound to the 10.0.0.x network (e.g., 10.0.0.1) and becomes the 10.0.0.123 device's default gateway. Unless that happens, the 10.0.0.123 device is confined to the *local* ethernet segment w/ other devices in the same IP network 10.0.0.x (or any subnet of 10.x.x.x). IOW, it can NOT be routed. It can only communicate w/ similarly bridged (switched) devices.
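An added example, not from the thread, that puts the two rules from these replies into checkable form using Python's standard ipaddress module: a manually assigned address must fall inside the LAN network but outside the DHCP scope (to avoid conflicts), and a host can only use the router as its default gateway when the gateway address is on the host's own IP network and the router is actually bound to that network (which is what the ifconfig br0:1 alias provides). The function names and the 10.0.0.x sample values are my own constructions.

```python
import ipaddress

# Constructed from the thread: LAN 192.168.50.0/24, router at .1, pool .3-.254.
LAN = ipaddress.ip_network("192.168.50.0/24")
ROUTER_IP = "192.168.50.1"


def in_dhcp_pool(ip, pool_start, pool_end):
    """True if ip lies inside the DHCP server's scope (risk of an address conflict)."""
    a = ipaddress.ip_address(ip)
    return ipaddress.ip_address(pool_start) <= a <= ipaddress.ip_address(pool_end)


def static_ip_ok(ip, pool_start="192.168.50.3", pool_end="192.168.50.254",
                 lan=LAN, router_ip=ROUTER_IP):
    """A manually configured LAN address must be inside the LAN network, must not
    be the network, broadcast or router address, and must be outside the DHCP scope."""
    a = ipaddress.ip_address(ip)
    if a not in lan:
        return False
    if a in (lan.network_address, lan.broadcast_address, ipaddress.ip_address(router_ip)):
        return False
    return not in_dhcp_pool(ip, pool_start, pool_end)


def on_link(host_ip, prefixlen, gateway):
    """A host can send directly to a gateway only if it is inside the host's own network."""
    iface = ipaddress.ip_interface(f"{host_ip}/{prefixlen}")
    return ipaddress.ip_address(gateway) in iface.network


def can_be_routed(host_ip, prefixlen, gateway, router_bindings):
    """True if the host's configured gateway is reachable on-link AND that gateway
    address belongs to the router. router_bindings lists the router's interface
    addresses in CIDR form, e.g. the br0 LAN address plus any br0:N alias."""
    router_addrs = {ipaddress.ip_interface(b).ip for b in router_bindings}
    gw = ipaddress.ip_address(gateway)
    return on_link(host_ip, prefixlen, gateway) and gw in router_addrs


if __name__ == "__main__":
    # 10.0.0.123 with gateway 192.168.50.1: gateway is off-link, so no routing.
    print(can_be_routed("10.0.0.123", 8, "192.168.50.1", ["192.168.50.1/24"]))
    # Same host after "ifconfig br0:1 10.0.0.1 netmask 255.0.0.0" on the router.
    print(can_be_routed("10.0.0.123", 8, "10.0.0.1", ["192.168.50.1/24", "10.0.0.1/8"]))
```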
 

eibgrad

Part of the Furniture
P.S. You seem to be purposely vague about the bigger picture here. I don't understand what's the fundamental issue or problem. Perhaps if you did make it known, we could be more specific in what is or isn't possible.
 

brec

Regular Contributor
In order for any LAN device to be routed outside its own LAN, which could be *any* other LAN, including the internet, it has to have a default gateway on the same IP network. IOW, 10.0.0.123 can NOT access 192.168.1.1 to gain internet access. Not unless the router is also bound to the 10.0.0.x network (e.g., 10.0.0.1) and becomes the 10.0.0.123 device's default gateway. Unless that happens, the 10.0.0.123 device is confined to the *local* ethernet segment w/ other devices in the same IP network 10.0.0.x (or any subnet of 10.x.x.x). IOW, it can NOT be routed. It can only communicate w/ similarly bridged (switched) devices.
Would an alternative to using a command in the router like
ifconfig br0:1 10.0.0.1 netmask 255.0.0.0
be to use the GUI's Advanced Settings::LAN::Route to provide a static route? The brief (as always for ASUS) documentation on that facility is that it's for other routers on the LAN side of the 86U so they can share the 86U's WAN gateway. But would it also work to allow a non-router LAN device to "share" the WAN gateway?
 

eibgrad

Part of the Furniture
Would an alternative to using a command in the router like
ifconfig br0:1 10.0.0.1 netmask 255.0.0.0
be to use the GUI's Advanced Settings::LAN::Route to provide a static route? The brief (as always for ASUS) documentation on that facility is that it's for other routers on the LAN side of the 86U so they can share the 86U's WAN gateway. But would it also work to allow a non-router LAN device to "share" the WAN gateway?

Static routing is only there to allow specific destination IPs/networks (e.g., 199.199.199.0/24) to be routed out a specific gateway rather than the default gateway (0.0.0.0/0). That could be another gateway hosted on the router itself (e.g., an OpenVPN client), or some other device on the same LAN. IOW, minimally, the router has a default gateway (a fall-through for unknown networks) and *possibly* static routes to other gateways for known networks.

But none of this is going to compensate for the lack of having the router bound to the 10.0.0.x network! As I said, the device @ 10.0.0.123 can't even reach the router (or any other gateway on the LAN) for routing purposes if the two devices can't communicate over a common, local IP network!

This is why users turn to third-party firmware like Merlin. It provides much more flexibility to deal w/ odd and unforeseen situations.
 

brec

Regular Contributor
P.S. You seem to be purposely vague about the bigger picture here. I don't understand what's the fundamental issue or problem. Perhaps if you did make it known, we could be more specific in what is or isn't possible.
Indeed! I wanted to avoid undue broadening of the scope. But now that you've asked (yay!) stand by for the project description and network design issues.
 

brec

Regular Contributor
P.S. You seem to be purposely vague about the bigger picture here. I don't understand what's the fundamental issue or problem. Perhaps if you did make it known, we could be more specific in what is or isn't possible.
The project is to add a WireGuard VPN box to my LAN -- a headless Ubuntu system that will peer with a WireGuard server on a cloud VPS. Let's call this new LAN box "WGbox." It has multiple ethernet connectors. I'd like it to provide VPN tunneling to two other LAN clients: a headless data server ("DS"), and a Mac. To reiterate, both WGbox and DS are headless so I need SSH access to them from the Mac.

WGBox would use three of its RJ45 connectors as follows:

ETH1: AC86U -- VPN WAN access, WGBox OS WAN access, and Mac SSH access to WGBox;
ETH2: Mac -- VPN tunnel access (occasional) ;
ETH3: DS -- VPN tunnel access (full time), DS OS WAN access, and Mac SSH access to DS.

Right now there's only one subnet, 192.168..../16. There are many boxes/hosts/devices on it -- phones, thermostats, computers, home theater components, etc. -- in addition to DS and WGbox. I'm pretty sure that having each device to be tunneled on its own subnet is needed for WireGuard configuration.

Let's say the Mac will become 172.16.0.6 and DS will be 172.17.0.7. The WGbox's ETH1 connector will remain on 192.168..../16. Its ETH2 connector becomes 172.16.0.2 (Mac's subnet), and its ETH3 connector becomes 172.17.0.1 (gateway on DS's subnet).

I don't want the Mac on the VPN all the time but only occasionally as a web client. I was planning to turn on the browser's proxy server feature, with WGBox (172.16.0.2) as the proxy, only when I want to use the VPN.

I haven't figured out yet how to avoid tunneling SSH access to DS and DS OS WAN access. The former must be avoided, and the latter should be avoided.
 

eibgrad

Part of the Furniture
I'm pretty sure that having each device to be tunneled on its own subnet is needed for WireGuard configuration.

Why? Seems to me all you need to do is configure the WGBox w/ *one* ethernet port on the 192.168.x.x network and configure it as a router, so it can route traffic from any other device on the 192.168.x.x network through the WG connection, which itself is being managed over the 192.168.x.x network and through the WAN of the primary router.

This is exactly what I do w/ my own OpenVPN client running on a standalone PC dedicated for this purpose (I didn't like the poor performance of my OpenVPN client on my ASUS router). It's actually running the x86 version of DD-WRT, so I could have chosen WireGuard as an alternative VPN. But the basic concepts are the same. By definition, DD-WRT *is* a router (and Ubuntu could likewise be configured as a router), where traffic into its ethernet port is routed over the VPN. And any device I want to use the VPN I simply change its default gateway to the IP of the standalone PC.

It seems to me you're making this unnecessarily complicated. Or else I'm missing some important detail that would make my proposal unpalatable.
 
