
How can I link 2 nets behind 1 modem/router?


Crock

Hope someone can help. I’m trying to set up two LANs behind my Telstra Cable Modem (& router) but allow them to access devices on each other’s net. Picture of the current configuration is below. I should note that net 192.168.2.x is via a 5-port switch. I’m trying to avoid running additional cabling as the two routers and modem are in separate rooms.
[Image: HomeNetworkDiagram 20200619.png]


Network A is mainly used for home business. I occasionally run a VPN client on my router or on the NAS for P2P.

Network B is mainly used for media and I usually have the router’s VPN client activated for a US presence to be able to get US Netflix. I’d like devices on Net B to be able to access devices on Net A, primarily the Plex media server and printer. I’d also like devices on Net A to be able to access devices on Net B, but really only for administration, so it’s a nice-to-have. I also recently put an Xbox onto this net.

Both routers have ASUS firmware, NAT & DHCP running, and have a combination of wired and wireless devices. The cable modem also has NAT running.

Cable modem is in router mode (not bridging), but I can put it into bridging and add a switch behind it if that would be helpful.

Currently, devices on Net B are not able to access the plex media server or NAS file server on Net A. Of course I want minimal lag for streaming from my Plex and Netflix. I *Think* I need some static routing rules to achieve this, but I’m unsure if they should be on the Cable modem, or one or both of the routers.

I also want to configure it so the Xbox has minimal lag for gaming.

Can someone advise what configuration settings I need on the modem & two routers to achieve this? Should I turn off the NAT on my modem? The routers?

I have tried setting up 2 static routes on the Cable modem:

Route 1: 192.168.3.0 / 255.255.255.0 -> 192.168.2.3

Route 2: 192.168.1.0 / 255.255.255.0 -> 192.168.2.2

But this did not appear to work. Not sure if it is a fault of the modem/router, though, as I have read it can be dodgy in applying static routes.

Separately, I have also tried setting up a static routes on each of the two routers:

Router A: 192.168.3.0 / 255.255.255.0 -> 192.168.2.3 WAN port, Metric = 1

Router B: 192.168.1.0 / 255.255.255.0 -> 192.168.2.2 WAN port, Metric = 1

Would it be an option to set the gateway on router B to point to router A, and turn off NAT?

I know I could place Router B behind Router A (LAN->WAN), but cabling is an issue.
Thanks!
 
I have tried setting up 2 static routes on the Cable modem:

Route 1: 192.168.3.0 / 255.255.255.0 -> 192.168.2.3

Route 2: 192.168.1.0 / 255.255.255.0 -> 192.168.2.2
This looks correct but you also need to turn off the firewall and NAT on Router A and Router B.

You don't need any static routes on Router A or Router B as all the traffic is going through their default gateways.

EDIT: I note that in your picture you have the two routers' "LAN" addresses as 192.168.x.255. I guess this is just representative of the whole subnet as that would not be valid as an address for the routers themselves.
 
If the routers are relatively close to each other I would simplify the network. Router A has mostly low bandwidth wireless clients, some on 2.4GHz. Router B has high bandwidth clients all wired. Router A as main router and Router B as AiMesh node. All devices on one subnet. AiMesh 2.0 is coming to both routers. Some speed loss to wireless clients, but central management and more control.
 
Thanks.
This looks correct but you also need to turn off the firewall and NAT on Router A and Router B.
When I do this ^^, I lose connection to the internet. I note that the modem is still connected to the internet, but the router and my PC lose connection to the internet.

The cable modem is pretty mickey mouse. While it says it has a firewall, it seems to filter only outbound traffic. The settings page says: "Control outbound traffic initiated from within the local network. Inbound traffic may be controlled by configuring Port Forwarding." It has settings High, Medium, Low and None, along with options for "Enable Port Scan" and "Enable DOS Protection". Is this still protecting my network?
Is it an option to leave the firewalls ON on routers A & B, and open selected ports?


Yes, the x.255 is representative. They are 253 and 251, respectively.
 
If the routers are relatively close to each other I would simplify the network. Router A has mostly low bandwidth wireless clients, some on 2.4GHz. Router B has high bandwidth clients all wired. Router A as main router and Router B as AiMesh node. All devices on one subnet. AiMesh 2.0 is coming to both routers. Some speed loss to wireless clients, but central management and more control.
I haven't used AiMesh.
Will that still allow me to use the VPN client on router B only?
 
Will that still allow me to use the VPN client on router B only?

There will be one router only - Router A. Router B turns into AP with wireless backhaul. The VPN should run on Router A. If you install Merlin firmware on it you will get multiple client/server instances option with policy based routing. Then you can choose what devices on your network go through VPN and what through WAN. See the example below. RT-AC88U has a faster CPU and allows higher speeds through VPN.
 
In most cases it would be better to have a single network and just distribute your APs. It's certainly my preferred configuration whenever possible. But I'm going to assume you have your reasons for keeping these two networks separated.

You don't need any static routes on the cable modem+router. This is a simple case of the local networks behind routers A and B needing static routes to the other's network on their respective default gateways.

Code:
# Router A
Destination: 192.168.3.0/24
Gateway: 192.168.2.3

# Router B
Destination: 192.168.1.0/24
Gateway:  192.168.2.2

Since each router is bound to the 192.168.2.x network, they know how to reach each other from that point. And you don't need to disable NAT for this to function correctly either. With the 192.168.2.x network being bound to the WAN of each router, no NAT'ing will take place.

The only remaining issue is to configure the routers' firewalls to allow entry by the other's network.

Code:
# Router A (LAN 192.168.1.0/24): accept traffic from Net B arriving on the WAN interface
iptables -I INPUT -i vlan2 -s 192.168.3.0/24 -j ACCEPT
iptables -I FORWARD -i vlan2 -s 192.168.3.0/24 -j ACCEPT

# Router B (LAN 192.168.3.0/24): accept traffic from Net A arriving on the WAN interface
iptables -I INPUT -i vlan2 -s 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -i vlan2 -s 192.168.1.0/24 -j ACCEPT

I'm only guessing the input network interface (-i) is vlan2 (usually is). Adjust accordingly. You could even eliminate that option and it should still work. But I like to restrict firewall rules as much as possible when I can.
 
With the 192.168.2.x network being bound to the WAN of each router, no NAT'ing will take place.
This is not quite correct. NAT'ing of Router A and B's LAN clients will always take place unless it is turned off on the router. Which subnet each router's WAN is part of makes no difference to that.

So your setup will work even without any static routes because everything on LAN A is NAT'ed to 192.168.2.2 and everything on LAN B is NAT'ed to 192.168.2.3. The only change required would be to change the firewall policies to ACCEPT which can either be done with your iptables rules or by turning off the firewall. Without the blanket firewall change you would need to setup individual forwarding rules.

I tend to not like this kind of setup when using private subnets because you can't identify individual clients on "the other" network because their IP addresses are masqueraded to their respective router's WAN IP address.
 
This is not quite correct. NAT'ing of Router A and B's LAN clients will always take place unless it is turned off on the router. Which subnet each router's WAN is part of makes no difference to that.


Yeah, you're right about that. For some reason, I was only thinking about the routers themselves when I made that statement, and not the networks behind them. Duh.


So your setup will work even without any static routes because everything on LAN A is NAT'ed to 192.168.2.2 and everything on LAN B is NAT'ed to 192.168.2.3. The only change required would be to change the firewall policies to ACCEPT which can either be done with your iptables rules or by turning off the firewall. Without the blanket firewall change you would need to setup individual forwarding rules.

Given the OP's doubts about the firewall of the cable modem+router, I would be reluctant to disable the firewall on routers A and B. I purposely didn't offer that recommendation because of the security concerns.

I tend to not like this kind of setup when using private subnets because you can't identify individual clients on "the other" network because their IP addresses are masqueraded to their respective router's WAN IP address.

Agreed. What the OP could do instead is keep the static routes on the cable modem+router, and just disable NAT for those particular connections.

Code:
# Router A
iptables -t nat -I POSTROUTING -d 192.168.3.0/24 -j ACCEPT

# Router B
iptables -t nat -I POSTROUTING -d 192.168.1.0/24 -j ACCEPT
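The two replies above disagree about what the far side sees and whether static routes are needed, and the answer depends on the order in which routing, masquerading and the WAN-side firewall are applied. The following is an added example, not code from the thread: a small packet-path model of the OP's topology (modem 192.168.2.1; Router A WAN 192.168.2.2, LAN 192.168.1.0/24, LAN address .253; Router B WAN 192.168.2.3, LAN 192.168.3.0/24, LAN address .251) that runs a Net B client to a Net A Plex host, the reply, and a Net B client to the internet under each of the configurations discussed. The host addresses (192.168.3.10, 192.168.1.50, 198.51.100.7), the modem's public address (203.0.113.10) and the "modem drops sources outside its own LAN instead of NATing them" switch (one reply's guess at the Netgear behaviour) are constructed assumptions.

```python
"""Added example, not code from the thread: a toy packet-path model of the OP's topology (modem
192.168.2.1; Router A WAN 192.168.2.2, LAN 192.168.1.0/24; Router B WAN 192.168.2.3, LAN 192.168.3.0/24).
Host addresses, the modem's public address and the "modem drops foreign sources" switch are assumptions."""
from ipaddress import ip_address, ip_network

INTERNET = "internet"

class Router:
    def __init__(self, name, lan, lan_ip, wan_ip, wan_net, gw, nat=True, fw=True,
                 routes=(), fw_allow=(), nat_bypass=(), nat_only_own_lan=False):
        self.name, self.lan, self.lan_ip, self.wan_ip = name, ip_network(lan), ip_address(lan_ip), ip_address(wan_ip)
        self.wan_net = ip_network(wan_net) if wan_net else None  # None: the WAN faces the ISP
        self.gw = ip_address(gw) if gw else INTERNET             # default route
        self.nat, self.fw = nat, fw      # masquerade on WAN egress / drop unsolicited WAN input
        self.routes = {ip_network(n): ip_address(h) for n, h in routes}  # static routes
        self.fw_allow = [ip_network(n) for n in fw_allow]      # iptables -I INPUT/FORWARD -i <wan> -s n -j ACCEPT
        self.nat_bypass = [ip_network(n) for n in nat_bypass]  # iptables -t nat -I POSTROUTING -d n -j ACCEPT
        self.nat_only_own_lan = nat_only_own_lan  # assumed modem quirk: drop, rather than NAT, foreign sources
        self.conntrack = {}  # (reply src, reply dst) -> address the reply is delivered to

    def next_hop(self, dst):
        if dst in self.lan or (self.wan_net is not None and dst in self.wan_net):
            return dst                                   # directly connected
        for net, hop in self.routes.items():
            if dst in net:
                return hop
        return self.gw

    def forward(self, src, dst, side):
        """Return (next hop, src, dst) as the packet leaves this router, or None if it is dropped."""
        if side == "wan":
            if (src, dst) in self.conntrack:             # reply to a flow our LAN started (ESTABLISHED)
                real = self.conntrack.pop((src, dst))
                return real, src, real                   # dst un-NATed if the flow was masqueraded
            if dst not in self.lan or (self.fw and not any(src in n for n in self.fw_allow)):
                return None                              # unsolicited inbound: dropped
            self.conntrack[(dst, src)] = src             # inbound flow: its reply must not be masqueraded
            return dst, src, dst
        hop = self.next_hop(dst)                         # packet from our own LAN
        is_reply = self.conntrack.pop((src, dst), None) is not None
        egress_wan = hop is INTERNET or (self.wan_net is not None and hop in self.wan_net)
        masq = self.nat and egress_wan and not is_reply and not any(dst in n for n in self.nat_bypass)
        if masq and self.nat_only_own_lan and src not in self.lan:
            return None
        if masq:
            self.conntrack[(dst, self.wan_ip)] = src     # remember how to un-NAT the reply
            src = self.wan_ip
        elif not is_reply:
            self.conntrack[(dst, src)] = src
        return hop, src, dst

def trace(devs, src, dst, max_hops=8):
    """Walk one packet from host src to host dst: (delivered?, src as seen at dst, path)."""
    by_addr = {ip: (d, s) for d in devs for ip, s in ((d.wan_ip, "wan"), (d.lan_ip, "lan"))}
    cur, side = next(d for d in devs if src in d.lan), "lan"
    path = [cur.name]
    for _ in range(max_hops):
        step = cur.forward(src, dst, side)
        if step is None:
            return False, None, path + ["DROP"]
        hop, src, dst = step
        if hop is INTERNET:
            return True, src, path + [INTERNET]
        if hop not in by_addr:                           # handed to the end host
            return True, src, path + [str(hop)]
        cur, side = by_addr[hop]
        path.append(cur.name)
    return False, None, path + ["LOOP"]

def scenario(modem_routes=(), modem_strict=False, **r):
    """Build the topology with the given tweaks; run Net B -> Net A, its reply, and Net B -> internet."""
    def edge(tag, lan, lan_ip, wan_ip):               # Router A or B, WAN on the modem's 192.168.2.0/24
        k = tag.lower()
        return Router(tag, lan, lan_ip, wan_ip, "192.168.2.0/24", "192.168.2.1",
                      nat=r.get(k + "_nat", True), fw=r.get(k + "_fw", True), routes=r.get(k + "_routes", ()),
                      fw_allow=r.get(k + "_allow", ()), nat_bypass=r.get(k + "_bypass", ()))
    devs = [Router("modem", "192.168.2.0/24", "192.168.2.1", "203.0.113.10", None, None,
                   routes=modem_routes, nat_only_own_lan=modem_strict),
            edge("A", "192.168.1.0/24", "192.168.1.253", "192.168.2.2"),
            edge("B", "192.168.3.0/24", "192.168.3.251", "192.168.2.3")]
    client, plex, web = map(ip_address, ("192.168.3.10", "192.168.1.50", "198.51.100.7"))
    ok, seen, path = trace(devs, client, plex)
    return {"lan_ok": ok, "seen_src": None if seen is None else str(seen), "path": " > ".join(path),
            "reply_ok": ok and trace(devs, plex, seen)[0], "internet_ok": trace(devs, client, web)[0]}

MODEM_ROUTES = (("192.168.1.0/24", "192.168.2.2"), ("192.168.3.0/24", "192.168.2.3"))
ROUTER_RULES = dict(a_routes=(("192.168.3.0/24", "192.168.2.3"),), a_allow=("192.168.3.0/24",),
                    b_routes=(("192.168.1.0/24", "192.168.2.2"),), b_allow=("192.168.1.0/24",))
SCENARIOS = {
    "modem routes, NAT+firewall on A/B (OP's first attempt)": dict(modem_routes=MODEM_ROUTES),
    "modem routes, firewall off on A": dict(modem_routes=MODEM_ROUTES, a_fw=False),
    "modem routes, NAT+firewall off on A/B, modem drops foreign sources": dict(
        modem_routes=MODEM_ROUTES, modem_strict=True, a_nat=False, a_fw=False, b_nat=False, b_fw=False),
    "routes + allow rules on A/B, NAT on": ROUTER_RULES,
    "routes + allow rules + NAT bypass on A/B": dict(ROUTER_RULES, a_bypass=("192.168.3.0/24",),
                                                     b_bypass=("192.168.1.0/24",)),
}

if __name__ == "__main__":
    for name, opts in SCENARIOS.items():
        print(f"{name}: {scenario(**opts)}")
```

Running the scenarios shows the point each reply is making, plus one catch. With routes only on the modem and NAT left on, Router A's firewall drops the connection until it is opened, and once opened Router A sees every Net B client as 192.168.2.3; the reply goes straight back across the 192.168.2.x segment rather than through the modem. Turning NAT off on both routers exposes the real client address, but if the modem refuses to forward sources outside its own subnet (the assumption modelled here), Net B loses internet access, which matches what the OP reported. The catch: an allow rule written as "-s 192.168.3.0/24" on Router A can only match when Router B is not masquerading that traffic, so the static routes plus allow rules on the two routers work only together with the POSTROUTING bypass above; with the bypass in place, internet-bound traffic is still masqueraded as before.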
 
When I do this ^^, I lose connection to the internet. I note that the modem is still connected to the internet, but the router and my PC lose connection to the internet.
Putting aside the LAN to LAN issue for the moment I can't think why this would stop you connecting to the internet. I have set up two Asus routers like this (one behind the other with NAT disabled) and it works without any problems. I can only think that there's something about the Netgear that is dropping any packets that are not part of 192.168.2.x. (I experienced this problem once with a Netgear router I had many years ago.) You can test this theory by re-enabling NAT but leaving the firewall off and seeing if internet access returns.

The cable modem is pretty mickey mouse. While it says it has a firewall, it seems to filter only outbound traffic. The settings page says: "Control outbound traffic initiated from within the local network. Inbound traffic may be controlled by configuring Port Forwarding." It has settings High, Medium, Low and None, along with options for "Enable Port Scan" and "Enable DOS Protection". Is this still protecting my network?
I couldn't find a manual for the Netgear so I don't know what difference the firewall "levels" make. The options sound normal for a home router though. Outbound traffic is allowed by default so it gives you the option to block some or all of that. Inbound traffic is usually blocked by default so you would have to use port forwarding rules to allow exceptions.

Is it an option to leave the firewalls ON on routers A & B, and open selected ports?
Yes you could do that. You could leave both routers as they were and setup port forwarding rules on each to allow access to specific hosts.
 
OK. After a LOT of rebooting, I got it to work with static routes on the modem/router. Thanks, Colin! I think some of the internet connection issues were due to the DNS settings. (Others due to all the f-ing cables looking alike. We'll leave it at that.)
Is it normal for DHCP clients to take the gateway as their DNS server??
Should I also turn off UPnP?

That said, I suspect that this is seriously degrading my up/down speeds. Need to test that theory a bit more.

Regarding the option eibgrad suggested: (Thanks eibgrad)
After thinking long and hard (while waiting for things to reboot over & over), I guess my main objective is to have router B be in the "US" and A local, and the ability for most any device to connect to either via Wifi. This is achievable as standalone nets and doesn't require the modem routing rules.
The second objective is to get router B to be able to access the NAS fileserver & plex server on net A, preferably on ethernet for better bandwidth. The Plex server seems to advertise itself - not sure exactly how - for smart TV clients.
I have opened the port on Router A for the Plex, so devices on Net B should be able to access it. If I turned back on the NATs & FWs for both routers and dropped the routing table on the modem, would the Plex advertisements still get to Net B? Would I then put a static route on Router B to point to the Plex server on Net A (ie to router A 2.3)?

Also, getting into Merlin for a moment, does the ASUS mobile app still work with it, or does it have its own mobile app? I find it very convenient to turn off my kids' internet access easily!!
 
Is it normal for DHCP clients to take the gateway as their DNS server??
Normally yes, but that's because the gateway device is usually also the local DHCP and DNS server. So devices connected to Router A should get that as their DNS server and devices connected to Router B should get that as their DNS server.

Should I also turn off uPNP?
UPnP won't work properly in this double NAT setup so you might as well turn it off.

That said, I suspect that this is seriously degrading my up/down speeds. Need to test that theory a bit more.
It should have no impact on your speeds.

I have opened the port on Router A for the Plex, so devices on Net B should be able to access it.
How have you opened the port? The reason you turned off NAT and the firewall was so that you don't have to do this sort of thing. Or are you suggesting this as an alternative?
 
Why not put router A and B on the same subnet and use the LAN port instead of the WAN port? 192.168.2.x No routing rules or anything else required.

That's essentially how I have mine set up currently.
 
@dosborne
You mean using router B as an AP behind router A by connecting its LAN port to the switch at the modem? I didn't think router B's VPN client would work - doesn't it only work via the WAN port? So wouldn't I have to use Router A as the VPN client, putting the whole net into VPN?

I also considered connecting B's WAN port to the switch at the modem configured as a client to A (e.g. 192.168.1.254) (not sure if this was the option you were describing). But I didn't think that router A would recognise it (since A's WAN port is connected to the same switch. The WAN and LAN ports can't have the same subnet, can they?)

Cabling is the issue. My modem is physically between the routers. I have *1* cable from each router to the modem/switch. More cabling = PITA. Moving either router to the modem would mean buying more switches & losing some Wifi distribution. Also, I'm about to change ISPs and hoping to talk them into relocating the modem access point.
 
Also, getting into Merlin for a moment, does the ASUS mobile app still work with it, or does it have its own mobile app? I find it very convenient to turn off my kids' internet access easily!!

This mobile app opens access from WAN to your router. Convenient, but a security risk. Yes, it works with Merlin too.
 
This mobile app opens access from WAN to your router. Convenient, but a security risk. Yes, it works with Merlin too.

Only if you allow it to. It will prompt you to turn on WAN access but it is not required if using the app on your local network only. Simply decline the request when prompted.


 
Firstly, I want to thank everyone for their help.
I hate networks.
I have a degree in Electrical Engineering and Computer Science and have been working in IT for over 20 years. I understand the basics.
But, as one network engineer told me many years ago, diagnosing network issues is like trying to drain a swamp with a stick.
Don't know how you guys keep your hair.
OK. Rant over.

My only conclusion is that my RT68AC (router B) may be dodgy.
The settings worked for a while, and even VPN client was good.
Then I tried to set it into Access Point mode, to try an alternate configuration.
Ugh.
I had to completely reset the router and re-enter all the config. I made sure that all the settings were identical to Router A.
After that, router B would connect to the modem via WAN, and accept clients on the WLAN and LAN.
BUT, it refused to give internet access to the clients! (VPN was off) Clients couldn't even ping the modem or get a traceroute. The modem showed it was connected.
I could log into Router B from net A via its WAN port, but that's it.
Once I turned back on NAT on router B, voila! Its clients can access the internet. WTF??
They can also ping both routers

The only difference between router A & B that I can see is that the firmware is 305.0.0.4.385_20633 on B and ...385_20631 on A. However, both report that they are "the latest version".

I note that every time I changed a LAN setting on router B, it dropped its WAN connection, and wouldn't reconnect until I re-"applied" the WAN settings (no actual changes). That reconnected the WAN, but clients still couldn't access beyond router B's LAN.

I should note that my modem is also being weird in that it keeps kicking off my PC I'm using to test stuff & resetting the WLAN adapter when I connect.

Any fuir
 
