Can't access LAN of the inner router from the outer router

ggbal

Occasional Visitor
I have one router serving as the gateway to the internet. Let's call it routerF. And I have another router (routerB) connected to routerF but with all LAN devices connecting to it.

The problem is that from routerF network 192.168.10.0/24, I want to access the machine in routerB, for example the router web page at 192.168.100.1. But I can't. I can see in the log files that the packets were dropped. But I can't figure out where it was dropped since I accept all in its prerouting chain. Looking for your help and suggestion.


The connection looks like this:

routerF (192.168.10.0/24)-LAN port 1 (192.168.10.2) ----> routerB (192.168.100.0/24) -WAN port (192.168.100.1)

Here is the routing table in routerF
Code:
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
66.192.23.1    *               255.255.255.255 UH        0 0          0 vlan2
192.168.100.0   192.168.10.2            255.255.255.0   UG        0 0          0 br0
192.168.10.0    *               255.255.255.0   U         0 0          0 br0
66.192.23.0    *               255.255.248.0   U         0 0          0 vlan2
127.0.0.0       *               255.0.0.0       U         0 0          0 lo
default         66.192.23.1 0.0.0.0         UG        0 0          0 vlan2

iptables -L -t nat is
Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
WANPREROUTING  all  --  anywhere             wan1-ip             

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere           
SNAT       all  --  192.168.10.0/24      192.168.10.0/24     to:192.168.10.1

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain WANPREROUTING (1 references)
target     prot opt source               destination         
DNAT       icmp --  anywhere             anywhere            to:192.168.10.1
DNAT       all  --  anywhere             anywhere            to:192.168.10.2

Here is the routing table for routerB
Code:
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.10.1   *               255.255.255.255 UH        0 0          0 vlan2
192.168.100.0   *               255.255.255.0   U         0 0          0 br0
192.168.10.0    *               255.255.255.0   U         0 0          0 vlan2
127.0.0.0       *               255.0.0.0       U         0 0          0 lo
default         unknown         0.0.0.0         UG        0 0          0 vlan2

iptables -L -t nat
Code:
target     prot opt source               destination         
DNAT       tcp  --  anywhere             wan1-ip             tcp dpt:www to:192.168.100.1:80
ACCEPT     all  --  anywhere             192.168.100.0/24   

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere           
SNAT       all  --  192.168.100.0/24     192.168.100.0/24    to:192.168.100.1

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain WANPREROUTING (0 references)
target     prot opt source               destination         
DNAT       icmp --  anywhere             anywhere            to:192.168.100.1

The drop message in the log files in routerB
Code:
Nov 24 18:01:08 unknown user.warn kernel: DROP IN=vlan2 OUT= MACSRC=e0:91:e6:ea:a1:28 MACDST=e0:91:e6:ea:a2:67 MACPROTO=0800 SRC=192.168.10.15 DST=192.168.100.1 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=54713 DPT=80 SEQ=3453556736 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303050101080A1345ACAD0000000004020000) 
Nov 24 18:01:10 unknown user.warn kernel: DROP IN=vlan2 OUT= MACSRC=e0:91:e6:ea:a1:28 MACDST=e0:91:e6:ea:a2:67 MACPROTO=0800 SRC=192.168.10.15 DST=192.168.100.1 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=54712 DPT=80 SEQ=597615546 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303050101080A1345B3840000000004020000)
 
You don't state the router models or firmware used, but there was a similar post here which appears to be specific to Merlin's 382.1.

If you add the "-v" option to your iptables commands you can see what rules are being hit.

I suggest that you try accessing something other than the router at 192.168.100.1 because it's having to do a loopback for that. Keep it simple.

I can see in the log files that the packets were dropped. But I can't figure out where it was dropped since I accept all in its prerouting chain.
Just because the packet is accepted by the nat table doesn't mean it doesn't traverse the other tables. Have a look at the filter table. That's where it will be dropped.
 
Thanks, @ColinTaylor, I have found out the problem. In the filter table, there are more drops in the INPUT and FORWARD chains. I added new rules to allow RouterF to access RouterB there. And now everything works fine. Thanks for the help.
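
Added example, not part of any post in this thread: the `IN=` and `OUT=` fields of the DROP lines above already say which filter-table chain to inspect, and this sketch classifies log lines that way. It assumes the firmware's ` DROP ` log prefix as shown in the routerB log; the sample lines are constructed, and 192.168.100.20 is a hypothetical LAN host.

```shell
#!/bin/sh
# The kernel LOG format fills IN= and OUT= according to the netfilter hook:
#   IN set, OUT empty -> addressed to the router itself (INPUT, or a PREROUTING rule)
#   IN set, OUT set   -> being routed through the router (FORWARD)
#   IN empty, OUT set -> generated by the router (OUTPUT)

# Print the value of KEY= in a log line. Whole-token match, so SRC never
# matches MACSRC. Runs in a subshell so "set -f" does not leak to the caller.
field() (
    set -f
    for tok in $2; do
        case $tok in "$1"=*) printf '%s\n' "${tok#*=}"; exit 0 ;; esac
    done
)

# Map one log line to the chain that most likely logged it.
classify_drop() {
    in_if=$(field IN "$1")
    out_if=$(field OUT "$1")
    if [ -n "$in_if" ] && [ -n "$out_if" ]; then echo FORWARD
    elif [ -n "$in_if" ]; then echo INPUT
    elif [ -n "$out_if" ]; then echo OUTPUT
    else echo UNKNOWN
    fi
}

# Read syslog on stdin, print one line per distinct dropped flow with a count.
summarize_drops() {
    while IFS= read -r line; do
        case $line in *" DROP "*) ;; *) continue ;; esac
        printf '%s in=%s src=%s dst=%s dpt=%s\n' \
            "$(classify_drop "$line")" "$(field IN "$line")" \
            "$(field SRC "$line")" "$(field DST "$line")" "$(field DPT "$line")"
    done | sort | uniq -c | sed 's/^ *//'
}

# Constructed sample: two lines shortened from the routerB log above, plus a
# made-up forwarded packet to the hypothetical host 192.168.100.20.
sample_log() {
    cat <<'EOF'
Nov 24 18:01:08 unknown user.warn kernel: DROP IN=vlan2 OUT= MACSRC=e0:91:e6:ea:a1:28 SRC=192.168.10.15 DST=192.168.100.1 TTL=63 PROTO=TCP SPT=54713 DPT=80 SYN
Nov 24 18:01:10 unknown user.warn kernel: DROP IN=vlan2 OUT= MACSRC=e0:91:e6:ea:a1:28 SRC=192.168.10.15 DST=192.168.100.1 TTL=63 PROTO=TCP SPT=54712 DPT=80 SYN
Nov 24 18:01:12 unknown user.warn kernel: DROP IN=vlan2 OUT=br0 SRC=192.168.10.15 DST=192.168.100.20 TTL=62 PROTO=TCP SPT=54720 DPT=80 SYN
EOF
}

sample_log | summarize_drops
```

On the router, the chain it names is the one to list with `iptables -L INPUT -v -n` or `iptables -L FORWARD -v -n`, where the packet counters show which rule is matching.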
 
