
Cascaded Routers, VLAN's


Matt84

Occasional Visitor
Hi all. My head hurts. Oy. So... I have an Asus AC3100, Asus BRT 828 and TP link T1600G-28TS... Layout as follows.

AC3100 - Main Router to internet. 192.168.2.1 (Not VLAN capable) Uses AI Mesh for wireless.
BRT 828 - VLAN router. 192.168.1.1 Wan port of 828 connects to LAN port on AC3100. Wireless turned off on 828.

I have multiple VLANs to separate some smart home stuff from my NAS, server, PCs on the 828...
VLAN 40 - 192.168.40.0 -> PC's
VLAN 60 - 192.168.60.0 -> Server

Routes on 3100
192.168.1.0 255.255.255.0 192.168.2.2 (WAN port on 828 is 2.2)
192.168.60.0 255.255.255.0 192.168.2.2
192.168.40.0 255.255.255.0 168.168.2.2

I can communicate with everything on the BRT828 (inter vlan routing works, can connect to internet (NAT and firewall are off on BRT 828 letting the 3100 do all of that)).

The issue is, wireless clients on the 192.168.2.1 network cannot talk to anything on any of the vlans. I can ping the VLAN interfaces no issue as I have routers set up on the 3100, just no devices. I can ping anything on the 192.168.2.0 network from any of the VLANs.... I *think* the issue is on the 828... I cannot give a LAN to LAN route to the 192.168.2.0 network as it's not on that router.

The reason I set it up this way is because I have the 3100 configured for DDNS, LetsEncrypt Certificate (828 cannot do this) and it has the mesh setup which the 828 cannot do either.

I have been setting this up for hours now and my brain is mush so any insight anyone can offer would be appreciated. I am thinking it may just not work because of the AC3100 and then I will have to move the 828 up as the main router, put the 3100 off of it as a DHCP client on the same LAN and not use mesh just set them up as AP's but they then do not roam well :(
 
So I ended up sorting all of this out with some Google fu, Linux fu, Windows Task Scheduler, etc. Basically, because the 828 is below my main router, I disabled the firewall entirely. Just because you disable it in the GUI, it is not entirely disabled as far as the WAN port is concerned. I have a Windows scheduled task set up to run weekly after my network reboots with the following commands in a .bat file:

c:\plink.exe -ssh 192.168.x.x -l username -pw password -m c:\commandstopass.txt

In the text file referenced I have:

cd /usr/sbin/
/usr/sbin/iptables -P INPUT ACCEPT
/usr/sbin/iptables -P FORWARD ACCEPT
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -t nat -F
/usr/sbin/iptables -t mangle -F
/usr/sbin/iptables -F
/usr/sbin/iptables -X

You can also run the above commands from putty if you reboot the router:

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

Those wipe out the firewall entirely. Do NOT do that if this is your gateway to the internet or it's going to allow everything in and out of your router.

Everything now works exactly as I had wanted. Now I just need to figure out a way to pass WOL packets from my wireless LAN to a VLAN. The fun never ends. :D
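
A narrower alternative to the flush-everything commands in the post above, added here as an example and not part of the original post: it leaves the 828's policies and other rules in place and only inserts FORWARD accepts from 192.168.2.0/24 to the three networks the post routes to the 828. It assumes the blocking happens in the filter table's FORWARD chain and that the router's iptables supports -C; DRY_RUN and the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Subnets are the ones quoted in the post.
# Assumptions: the drop happens in the filter table's FORWARD chain, and the
# router's iptables supports -C (if it does not, the rule is simply re-inserted).
UPSTREAM_NET="192.168.2.0/24"      # AC3100 LAN, where the wireless clients live
VLAN_NETS="192.168.1.0/24 192.168.40.0/24 192.168.60.0/24"   # behind the 828
IPT="${IPT:-/usr/sbin/iptables}"   # path used in the post
DRY_RUN="${DRY_RUN:-1}"            # 1 = only print the commands (hypothetical switch)

# Insert a rule at the top of a chain unless an identical one already exists.
add_rule() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT -I $*"
    elif ! "$IPT" -C "$@" 2>/dev/null; then
        "$IPT" -I "$@"
    fi
}

# Let the upstream LAN open connections to each network behind the 828.
# Policies, NAT and mangle tables, and every other rule are left untouched.
allow_upstream_to_vlans() {
    for net in $VLAN_NETS; do
        add_rule FORWARD -s "$UPSTREAM_NET" -d "$net" -j ACCEPT
    done
}

allow_upstream_to_vlans
```

Run with DRY_RUN=0 on the 828 to apply the rules instead of printing them. Replies from the VLANs travel in the direction the post reports as already working.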
 
