Pulling my hair out!!


JaimeZX

Senior Member
Guys, see the attached network diagram. I foolishly changed some settings trying to solve one issue and created another.

As you can see, I have a Linksys running DD-WRT "inside" of my Asus 3200 running Merlin. (Linksys on static IP: 192.168.1.254)

So originally I had the Linksys running as "Gateway" and using access restrictions in DD-WRT to keep some clients from the internet. ALL WAS WELL, except for one problem: one of the clients (a camera) needed daily NTP updates or it would stop putting a DTG stamp on the recorded video. Well, and my main computer (on Asus) couldn't directly access my RPi (on the Linksys).

So my original goal for today was "let port 123 through the no-internet."

On the DD-WRT/Linksys I've set up [ Setup ] -> [ Advanced Routing ] for Static Routing to send traffic bound for 192.168.1.0/24 through 192.168.1.254 as gateway.
On the Asus I've set up [ LAN ] -> [ Route ] for a static route to send traffic bound for 192.168.2.0/24 through 192.168.1.254 as gateway.

After MUCH fiddling I switched the Linksys from Gateway to Router mode and futzed with iptables some in DD-WRT.

Code:
# Allow forwarded NTP (UDP 123) and TCP 8123 through the DD-WRT FORWARD chain;
# -A appends these after whatever rules are already in the chain
iptables -A FORWARD -p udp --dport 123 -j ACCEPT
iptables -A FORWARD -p tcp --dport 8123 -j ACCEPT

I also made some edits to the Asus settings.

At THIS POINT clients on either network can access each other as required. WIN!!

UNFORTUNATELY now NONE of the clients on the Linksys have internet access.
Everyone on 192.168.2.0/24 can ping the Asus, but nothing beyond.

I assume Asus/Unbound is providing DNS to the Linksys, because when I (on Linksys) tcpdump -i eth1 icmp and ping 8.8.8.8 from my RPi on Linksys, I see:

Code:
IP raspberrypi > dns.google: ICMP echo request, id 5378, seq 96, length 64
IP Netgear-DD-WRT > raspberrypi: ICMP host dns.google unreachable, length 92

I'd like to tcpdump on the Asus now to see if I can figure out where it's going but that's not part of Asus/Merlin.

So my brain is dead. Seems like (obviously) the Linksys traffic is hitting the Asus network, but it also seems like I have some kind of access restrictions. But if I go to (Asus) [ AiProtection ] -> [ Parental Controls ] I certainly don't have the Linksys in there. Is there anywhere ELSE that would turn off the Internet for a client? AAAAAAAAARRRRRGH
 

Attachments: Network.jpg (network diagram referenced above)
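The tcpdump lines quoted in the post contain one useful detail: the "host unreachable" error is emitted by the device that could not forward the packet, so the sender of that ICMP error is the hop to look at. Below is an added example (not from the thread or from any router firmware) that parses a few constructed tcpdump-style lines modelled on the ones above and reports, per destination, whether requests got replies, got an unreachable from a specific device, or vanished silently. The extra lines for 192.168.1.1 are constructed for contrast.

```python
import re
from collections import Counter

# Constructed sample capture, modelled on the two tcpdump -i eth1 icmp lines
# quoted in the post; the 192.168.1.1 lines are added for contrast.
SAMPLE_CAPTURE = """\
IP raspberrypi > dns.google: ICMP echo request, id 5378, seq 96, length 64
IP Netgear-DD-WRT > raspberrypi: ICMP host dns.google unreachable, length 92
IP raspberrypi > dns.google: ICMP echo request, id 5378, seq 97, length 64
IP Netgear-DD-WRT > raspberrypi: ICMP host dns.google unreachable, length 92
IP raspberrypi > 192.168.1.1: ICMP echo request, id 5379, seq 1, length 64
IP 192.168.1.1 > raspberrypi: ICMP echo reply, id 5379, seq 1, length 64
"""

ECHO_REQ = re.compile(r"^IP (\S+) > (\S+): ICMP echo request")
ECHO_REPLY = re.compile(r"^IP (\S+) > (\S+): ICMP echo reply")
# Matches "host X unreachable" and "net X unreachable", with or without a
# trailing reason such as "- admin prohibited".
UNREACH = re.compile(r"^IP (\S+) > (\S+): ICMP (?:host|net) (\S+) unreachable")


def summarize_icmp(capture):
    """Count echo requests per destination, echo replies per responder, and
    record which device answered each destination with an ICMP unreachable."""
    requests = Counter()
    replies = Counter()
    unreachable_from = {}  # destination -> set of devices that emitted the error
    for line in capture.splitlines():
        m = ECHO_REQ.match(line)
        if m:
            requests[m.group(2)] += 1
            continue
        m = ECHO_REPLY.match(line)
        if m:
            replies[m.group(1)] += 1
            continue
        m = UNREACH.match(line)
        if m:
            emitter, _, dest = m.groups()
            unreachable_from.setdefault(dest, set()).add(emitter)
    return requests, replies, unreachable_from


def diagnose(capture):
    """One finding per pinged destination, naming the hop that refused to forward."""
    requests, replies, unreachable_from = summarize_icmp(capture)
    findings = []
    for dest, n in requests.items():
        if dest in unreachable_from:
            hops = ", ".join(sorted(unreachable_from[dest]))
            findings.append(f"{dest}: {n} request(s); unreachable reported by {hops}"
                            " (that device could not forward the packet)")
        elif replies[dest] == 0:
            findings.append(f"{dest}: {n} request(s); no reply and no error"
                            " (dropped somewhere beyond this capture point)")
        else:
            findings.append(f"{dest}: {n} request(s); {replies[dest]} reply/replies")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_CAPTURE):
        print(line)
```

Run against a real capture by piping `tcpdump -n -i eth1 icmp` output into `diagnose`; with `-n` the names become addresses, which the regexes accept unchanged. In the sample, the error for dns.google comes from Netgear-DD-WRT itself rather than from the upstream router, which points the investigation at that box's routing or FORWARD rules before anything upstream.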

ColinTaylor

Part of the Furniture
Why are you routing traffic through a nonexistent gateway at 192.168.14.254?
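A static route whose next hop is not on any directly connected subnet can never be used, which is exactly what the 192.168.14.254 typo would have produced. As an added example (not from the thread or either router's firmware), here is a small check over a constructed inventory modelled on the diagram: the Asus LAN 192.168.1.0/24, the Linksys WAN side at 192.168.1.254, and the Linksys LAN 192.168.2.0/24. The interface names, the Asus address 192.168.1.1 and the Linksys LAN address 192.168.2.1 are assumptions.

```python
import copy
import ipaddress

# Constructed inventory modelled on the thread. Interface names, the Asus
# address 192.168.1.1 and the Linksys LAN address 192.168.2.1 are assumptions;
# the prefixes and the 192.168.14.254 gateway are as posted.
ROUTERS_AS_POSTED = {
    "asus": {
        "interfaces": {"br0": "192.168.1.1/24"},
        "static_routes": [("192.168.2.0/24", "192.168.14.254")],  # gateway as first posted
    },
    "linksys": {
        "interfaces": {"wan": "192.168.1.254/24", "br0": "192.168.2.1/24"},
        "static_routes": [],
    },
}


def check_static_routes(routers):
    """Flag every static route whose next hop is not inside a subnet that the
    same router is directly connected to; such a route is unusable."""
    problems = []
    for name, cfg in routers.items():
        connected = [ipaddress.ip_interface(a).network
                     for a in cfg["interfaces"].values()]
        for dest, gw in cfg["static_routes"]:
            gw_addr = ipaddress.ip_address(gw)
            if not any(gw_addr in net for net in connected):
                problems.append((name, dest, gw,
                                 "next hop is not on any directly connected subnet"))
    return problems


def with_gateway(routers, router, dest, new_gw):
    """Return a copy of the inventory with one route's gateway replaced."""
    fixed = copy.deepcopy(routers)
    fixed[router]["static_routes"] = [
        (d, new_gw if d == dest else g) for d, g in fixed[router]["static_routes"]
    ]
    return fixed


if __name__ == "__main__":
    print(check_static_routes(ROUTERS_AS_POSTED))
    corrected = with_gateway(ROUTERS_AS_POSTED, "asus", "192.168.2.0/24", "192.168.1.254")
    print(check_static_routes(corrected))
```

The check only covers next-hop reachability; it says nothing about whether the far router will actually forward for that prefix, which the FORWARD rules on the DD-WRT box decide.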
 

JaimeZX

Senior Member
Oop! Ha - typo! Should be 192.168.1.254. Good catch. Will fix the original post. :)
 

sfx2000

Part of the Furniture
this might help... adjust as needed

Code:
# Redirect NTP requests to go through router
iptables -t nat -A PREROUTING -i br-lan -p udp --dport 123 -j DNAT --to 192.168.1.1
iptables -t nat -A PREROUTING -i br-guest -p udp --dport 123 -j DNAT --to 192.168.1.1
 

JaimeZX

Senior Member
Thanks! I'll mess with it. :)
 

JaimeZX

Senior Member
this might help... adjust as needed

Code:
# Redirect NTP requests to go through router
iptables -t nat -A PREROUTING -i br-lan -p udp --dport 123 -j DNAT --to 192.168.1.1
iptables -t nat -A PREROUTING -i br-guest -p udp --dport 123 -j DNAT --to 192.168.1.1
Unfortunately I think that winds up being trumped by the DROP lines since I have internet access off for the camera. :confused:
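The worry in the last reply comes down to rule order: iptables chains are first-match, `-A` appends after the existing DROP lines, and the nat PREROUTING DNAT happens before filter FORWARD, so the redirected packet is still judged by FORWARD with its new destination. Below is an added example (not from the thread, DD-WRT or iptables itself) that models a FORWARD chain with a per-client DROP and shows what the NTP ACCEPT rule does when appended with `-A` versus inserted with `-I`. The camera's address 192.168.2.50 is a constructed placeholder.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    """One FORWARD rule: match fields (None means wildcard) and a verdict."""
    target: str
    src: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt):
        return ((self.src is None or pkt["src"] == self.src)
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt["dport"] == self.dport))


@dataclass
class Chain:
    """First-match chain with a default policy, like iptables' filter/FORWARD."""
    policy: str = "ACCEPT"
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule):           # iptables -A FORWARD ...
        self.rules.append(rule)

    def insert(self, rule, pos=1):    # iptables -I FORWARD [pos] ... (1-based)
        self.rules.insert(pos - 1, rule)

    def verdict(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target    # first match wins
        return self.policy


# Constructed: the camera's address is an assumption; the thread only says the
# camera has internet access turned off.
CAMERA = "192.168.2.50"
NTP_FROM_CAMERA = {"src": CAMERA, "proto": "udp", "dport": 123}
HTTP_FROM_CAMERA = {"src": CAMERA, "proto": "tcp", "dport": 80}


def build_chain(ntp_rule_first):
    """Existing no-internet DROP for the camera, then the NTP ACCEPT added
    either above it (-I) or below it (-A)."""
    chain = Chain(policy="ACCEPT")
    chain.append(Rule("DROP", src=CAMERA))
    ntp_ok = Rule("ACCEPT", proto="udp", dport=123)
    if ntp_rule_first:
        chain.insert(ntp_ok)          # lands above the DROP
    else:
        chain.append(ntp_ok)          # lands below the DROP, never reached for the camera
    return chain


def appended_verdicts():
    c = build_chain(ntp_rule_first=False)
    return c.verdict(NTP_FROM_CAMERA), c.verdict(HTTP_FROM_CAMERA)


def inserted_verdicts():
    c = build_chain(ntp_rule_first=True)
    return c.verdict(NTP_FROM_CAMERA), c.verdict(HTTP_FROM_CAMERA)


if __name__ == "__main__":
    print("appended (-A):", appended_verdicts())
    print("inserted (-I):", inserted_verdicts())
```

With `-A` the camera's NTP is still dropped; with `-I` only UDP 123 gets through while everything else from the camera stays blocked, which is the narrow exception the thread is after. On a live box, `iptables -L FORWARD -n --line-numbers` shows the actual order.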
 
