How to access 2nd router (ASUS RT-AC68U) login page while on main router (Fios G1100) WiFi network?

[techguy12]

Hello!

I'm wondering if this is possible, please let me know.

My setup is currently:
Summary: ASUS router is behind the Fios Router

1.Verizon Fios Quantum Gateway G1100
(connection shared via Ethernet cord Fios LAN to ASUS WAN)
2. ASUS RT-AC68U running asuswrt-merlin 384.7.2

Issue:

I noticed that while on my ASUS WiFi/Router, I CAN ACCESS the Fios Router login page and the ASUS Router login page both with no issue.

But when I'm on the Fios WiFi/Router, I can only access the Fios Router login page. I CAN'T ACCESS the ASUS Router login page.

My Fios Router LAN = 192.168.1.1 / default gateway is 192.168.1.1

My ASUS Router LAN = 192.168.2.1 (How do I change this to 192.168.1.2 instead?) / default gateway is 192.168.1.1

I tried changing my ASUS Router LAN to = 192.168.1.2 but for some reason I'm unable too via ASUSwrt-Merlin firmware. I've disabled the DHCP on the ASUS router but no luck. I've also tried connecting Fios LAN to ASUS LAN but no luck either.

What am I doing wrong here? Is it even possible to do what I'm asking? Do I need to set a firewall rule some where?
Do I need to change my ASUS Router LAN to 192.168.1.2 to make this happen? If so, please let me know what needs to be done!

Thank you in advance!

Summary:
I want to be able to access my second router login page (ASUS RT AC68U) while I'm on my Fios WiFi network.

 

[ColinTaylor]

You have two routers and therefore you must have two different subnets. (Because of that you also have a double-NAT situation for any clients connecting to the second router.)

As I understand it your primary router and subnet is the Fios which creates subnet 192.168.1.x. Connected to this is a second router (Asus) which creates a second (LAN) subnet 192.168.2.x. The Asus's WAN interface will have an address somewhere in the 192.168.1.2 to 192.168.1.254 range.

You cannot change the Asus' LAN-side IP address to something within the WAN-side subnet. That's not a valid network configuration.

If you're only interested in being able to access the Asus' web interface and don't care about being able to access other devices on the Asus LAN then there's a simple solution.

Log into the Asus and enable "Enable Web Access from WAN". You can then access it from the Fios subnet using the Asus' WAN IP address.

---------------------------------------------------------------------------

Alternatively....

For devices connected to the Fios subnet (192.168.1.x) to be able to freely connect to all devices on the Asus subnet (192.168.2.x) you would need to do three things;

1. Determine what the Asus' WAN IP address is and make sure it is fixed and doesn't change. You can fix it either by creating a DHCP reservation for it on the Fios or by entering the settings manually on the Asus (WAN > Internet Connection > Static IP).

2. Turn off the firewall on the Asus. Turn off NAT on the Asus.

3. Create a static route on the Fios that says network 192.168.2.0 is accessible via host 192.168.1.*** (where 192.168.1.*** is the Asus' fixed WAN IP address).

 

[MichaelCG]

Or better yet, just change your ASUS to be in AP mode and let the FIOS be the only router and the ASUS just does WiFi duties.

 

[techguy12]

You have two routers and therefore you must have two different subnets. (Because of that you also have a double-NAT situation for any clients connecting to the second router.)

As I understand it your primary router and subnet is the Fios which creates subnet 192.168.1.x. Connected to this is a second router (Asus) which creates a second (LAN) subnet 192.168.2.x. The Asus's WAN interface will have an address somewhere in the 192.168.1.2 to 192.168.1.254 range.

You cannot change the Asus' LAN-side IP address to something within the WAN-side subnet. That's not a valid network configuration.

If you're only interested in being able to access the Asus' web interface and don't care about being able to access other devices on the Asus LAN then there's a simple solution.

Log into the Asus and enable "Enable Web Access from WAN". You can then access it from the Fios subnet using the Asus' WAN IP address.

---------------------------------------------------------------------------

Alternatively....

For devices connected to the Fios subnet (192.168.1.x) to be able to freely connect to all devices on the Asus subnet (192.168.2.x) you would need to do three things;

1. Determine what the Asus' WAN IP address is and make sure it is fixed and doesn't change. You can fix it either by creating a DHCP reservation for it on the Fios or by entering the settings manually on the Asus (WAN > Internet Connection > Static IP).

2. Turn off the firewall on the Asus. Optionally you can also turn off NAT on the Asus.

3. Create a static route on the Fios that says network 192.168.2.0 is accessible via host 192.168.1.*** (where 192.168.1.*** is the Asus' fixed WAN IP address).

I use my ASUS router because it has the ability to attach a External Hard Drive and OpenVPN Server. Would that cause an issue?

 

[techguy12]

Or better yet, just change your ASUS to be in AP mode and let the FIOS be the only router and the ASUS just does WiFi duties.

Or better yet, just change your ASUS to be in AP mode and let the FIOS be the only router and the ASUS just does WiFi duties.

I use my ASUS router because it has the ability to attach a External Hard Drive and OpenVPN Server. Would that cause an issue?

 

[ColinTaylor]

Is it an OpenVPN server or client that is setup on the router? I see you have numerous other posts about OpenVPN, is that part working now?

 

[techguy12]

Is it an OpenVPN server or client that is setup on the router? I see you have numerous other posts about OpenVPN, is that part working now?

I was able to configure it for both. The VPN client is what I was having the issue with. I forgot to post my solution.

 

[CaptainSTX]

If you want to use the functions of the ASUS in a dual router setup you will need to double NAT the ASUS behind the FIOS router. The two basic things you need to do when running in double NAT.

1. Ethernet cable from LAN port on FIOS router to WAN port on ASUS.

2. For the LAN on the ASUS you must use a different subnet than the FIOS is using. The LAN can be 192.168.2.0/24.

If you want to be able to access the GUI user interface on the ASUS from a device connected to the FIOS you need to able remotes access from the WAN on the ASUS. Not a great idea from a security stand point but probably less risky since the router is double NATed.

Running a VPN client on the ASUS will be straight forward and work just fine. Running a VPN server is possible and according to Merlin it can be made to work.

 

[ColinTaylor]

I was able to configure it for both. The VPN client is what I was having the issue with. I forgot to post my solution.

I don't believe you will be able to use your OpenVPN setup if you change the Asus from router mode to AP mode. Therefore you might as well use the "Enable Web Access from WAN" option I mentioned in post #2. Simple.

 

[techguy12]

I don't believe you will be able to use your OpenVPN setup if you change the Asus from router mode to AP mode. Therefore you might as well use the "Enable Web Access from WAN" option I mentioned in post #2. Simple.

Would it be this?

 

[ColinTaylor]

Would it be this?

Correct.

 

[CaptainSTX]

Would it be this?

To give yourself a little bit more security select to only allow certain IPs access.

 

[techguy12]

To give yourself a little bit more security select to only allow certain IPs access.

So it would have to be a static ip right not one from a vpn that is always changing?

 

[ColinTaylor]

To give yourself a little bit more security select to only allow certain IPs access.

There's probably very little security to be gained. We would only be talking about restricting the access of devices that are already part of the LAN. Just because cause it's called the "WAN" interface doesn't mean it's connected to the internet.

 

[CaptainSTX]

There's probably very little security to be gained. We would only be talking about restricting the access of devices that are already part of the LAN. Just because cause it's called the "WAN" interface doesn't mean it's connected to the internet.

The WAN port on the double NATed router does have full access to the WWW even if the WAN IP is a LAN IP on the FIOS router. I'm also not sure if full acccess means full exposure or how that exposure changes if for some reason you put the ASUS router in the DMZ or are running VPN clients on the ASUS router.

I have never wanted to find out what happens the hard way so I never have allowed access to a router from the WAN if it is double NATed.

 

[ColinTaylor]

The WAN port on the double NATed router does have full access to the WWW even if the WAN IP is a LAN IP on the FIOS router.

Indeed, but the reverse is not true. The Asus is exactly the same as any regular LAN client in that respect.

From what he's said I'd have to assume that the Fois LAN setup is fairy normal and therefore a "trusted network". Of course, as you say, if he starts putting devices in a DMZ or something then on his own head be it.

 

[MilkyTech]

@ColinTaylor I have a similar situation and my setup is not working as you logically described. It seems reasonable that I should be able to access the asus router gui through it WAN ip with WAN remote access enabled but I cannot. I was successful accessing the gui from the other subnet, however, I needed to first set up a static route in the first router, then turn off the firewall in the asus router, then access the gui using the asus LAN ip address.

 

[MilkyTech]

What I am really looking to do though is access the asus gui from the internet! Is this even possible? If I could get to it with the WAN ip like you said I should, then I could simply forward a port to that ip on the primary router since its on the same subnet. The primary router won't let me forward a port to an ip on the other subnet even though the static route is set up giving access to that subnet.

 

[MichaelCG]

DO NOT ENABLE ACCESS TO THE GUI FROM THE INTERNET!

If you must have the ability to remotely admin the router, use OpenVPN or some other function that is more secure. Direct exposure of the admin interface is just a matter of time before your router is compromised.

 

[ColinTaylor]

@MilkyTech What router do you have? What firmware version are you running?

Enabling remote WAN access to the router is regarded as a very bad idea and strongly discouraged by this forum. It has had numerous security issues in the past which were actively exploited.

If you need remote access to the router it is advisable to use the VPN server.