
N66U Router and WAN subnet masks - my understanding of subnetting is clearly very flawed?!?!


marta322

Hello, I'm currently playing with an RT-N66U I had lying around with a view to using it to create a separate network segment within my existing network.

I'm currently going crazy as it seems some fundamental assumptions I have regarding basic routing and subnetting are plain incorrect!!

  • I have the N66U WAN plugged into a class C subnet with the address 192.168.93.253 and mask of 255.255.255.252
  • My main Internet gateway router on that network is 192.168.93.254, which is configured as the WAN gateway on the N66U WAN config
  • The N66U LAN is configured as 192.168.53.254 with a mask of 255.255.255.0
  • I have a laptop plugged into the LAN on 192.168.53.10 with a mask of 255.255.255.0 and a gateway of 192.168.53.254

From my 'understanding' I should be able to access the Internet from the laptop (which I can) via the WAN gateway, and I should be able to ping and traceroute to 192.168.93.254 (which I also can).

However, I also believed that I should not be able to ping or route to any other addresses on the 192.168.193.x subnet as the mask on the N66U WAN interface is set to 255.255.255.252 which only permits 2 addresses on the 192.168.193.x network to be addressable / reachable??

It seems not, as from the laptop I can happily ping everything on the 192.168.193.x class C network !?!

OK, I'm guessing my understanding was / is completely wrong - but I'd appreciate it if anyone can confirm that at least, and perhaps also offer some explanation of where I'm wrong?

Secondly, my objective was to make it so that anything on the LAN side of the N66U (wireless or off the internal 4 port LAN switch) could access the Internet, the local 192.168.53.x class C network, but NOT devices other than the gateway on the 192.168.93.x network. Is this possible with a RT-N66U and if so how / where do I need to look?

Many thanks, and apologies if the above is a really daft / dumb question...
 
As long as something is routing your 192.168.93.0/24 class C then you should be able to ping all IPs. Just like when you ping 8.8.8.8 on the internet. There are other networks routing the network that makes up 8.8.8.8.

How is your 192.168.93.0 class C defined and set up? Where is the 192.168.193.0 class C defined?

Are 193 and 93 the same network? Still, it does not matter. You can define a class C network and then take part of the class C and define a point to point over it or a 248 mask over it, as it does not matter, it's just subnetting. The mask defines how much of the network the device sees. Remember all network definitions have a network IP address and an IP broadcast network address.
 
The 192.168.93.0/24 network has a Ubiquiti Edgerouter on .254 (which is my actual Internet gateway router). I kind of understand that the requests are routed to the Edgerouter internal interface as it's the gateway, and as the Edgerouter knows about the rest of the 192.168.93.0 subnet it routes the traffic accordingly.

For some reason though I had it in my head that by setting a /30 mask on its WAN address the N66U would only be able to address itself on .253 and the Edgerouter on .254 as /32 is a 2 IP subnet.

Clearly to accomplish my objective I need to find a way of using static routes or some other feature to restrict routing on the 192.168.193.0 subnet to just the .254 gateway (I clearly also need to go back and refresh myself on the very basics of subnetting and routing!!!). In regards to the former (restricting routing to the .254 gateway on the WAN interface) - any ideas anyone??
 
The N66U is just forwarding to the higher level router which is doing the routing so it does not matter if your N66U does not know where the other IPs are.

If you have an Edgerouter you should be able to do ACLs, access control lists to deny traffic.
 
Great - I at least get that. I'll go look at ACLs (used them in the distant past) as I'd need to deny only the traffic originating from the 192.168.53.0 subnet and not the 192.168.93.0 clients.

I'm wondering if I could set the route of last resort (0.0.0.0) on the N66U to the public gateway address of the Edgerouter, and then add a static route to that IP on the N66U to go via the Edgerouter LAN address (192.168.53.254)?

I'll look at ACLs on the Edgerouter anyway! Thanks again for the help.
 
I kind of doubt it. On Cisco PRO gear you can have multiple IPs on interfaces and you may be able to set that up on Cisco PRO gear. You know 0.0.0.0 0.0.0.0 represents all unknown IP addresses and masks.

Your Edgerouter is in control of the WAN network not the N66U router. The limiting has to be done by the Edgerouter.
 
That makes sense - the emphasis obviously being 'unknown'. Looks like the Edgerouter ACLs will do the trick though - just reading an article on setting up a guest network using settings in the Firewall / Rulesets section of the GUI and it looks like it will do what I am looking for and seems like a better approach. Thanks again.
 
Based on the netmask of the N66, it can only ARP and talk directly to the hosts that fall into that subnet. Anything else it can talk to if the next hop router will route it for them.

As already stated, you either need to put an ACL in place on the EdgeRouter or on the N66 itself to drop the packets.
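
An added example, not part of any post in this thread: a small Python model of the N66U's forwarding decision using the addresses from the thread, showing that the /30 mask only decides which hosts the router ARPs for directly, and that a filter is what actually blocks the rest of 192.168.93.0/24. The route table layout and the first-match rule list are a constructed model, not ASUS or EdgeOS configuration syntax.

```python
import ipaddress as ip

# Addresses are from the thread; the data structures are a constructed model.
WAN_IF = ip.ip_interface("192.168.93.253/30")   # N66U WAN address and mask
LAN_IF = ip.ip_interface("192.168.53.254/24")   # N66U LAN address and mask
GATEWAY = ip.ip_address("192.168.93.254")       # Edgerouter, the WAN gateway
UPSTREAM = ip.ip_network("192.168.93.0/24")     # network the Edgerouter routes
ANY = ip.ip_network("0.0.0.0/0")

# Connected routes come from the interface masks; the default route covers the rest.
ROUTES = [
    (WAN_IF.network, "wan", None),
    (LAN_IF.network, "lan", None),
    (ANY, "wan", GATEWAY),
]

def next_hop(dst):
    """Longest-prefix match: returns (interface, address the router ARPs for)."""
    dst = ip.ip_address(dst)
    matches = [r for r in ROUTES if dst in r[0]]
    _net, iface, via = max(matches, key=lambda r: r[0].prefixlen)
    return iface, str(via or dst)

# Ordered forward filter, first match wins (hypothetical rule model).
RULES = [
    ("accept", LAN_IF.network, ip.ip_network(f"{GATEWAY}/32")),  # gateway only
    ("drop", LAN_IF.network, UPSTREAM),                          # rest of the /24
    ("accept", ANY, ANY),                                        # Internet, LAN
]

def filter_verdict(src, dst):
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for action, src_net, dst_net in RULES:
        if src in src_net and dst in dst_net:
            return action
    return "drop"

def forward(src, dst):
    """Apply the filter, then route, as the router would for a LAN packet."""
    if filter_verdict(src, dst) == "drop":
        return "dropped"
    iface, arp_target = next_hop(dst)
    return f"{iface} -> {arp_target}"

if __name__ == "__main__":
    for dst in ("192.168.93.254", "192.168.93.10", "8.8.8.8", "192.168.53.20"):
        print(f"{dst:15} route={next_hop(dst)} filtered={forward('192.168.53.10', dst)}")
```

Routing alone sends 192.168.93.10 to the gateway exactly as it does 8.8.8.8; only the `drop` rule changes the outcome.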
 
