Routing from WAN to LAN on Asus Router

  • ATTENTION! As of November 1, 2020, you will not be able to reply to threads 6 months after the thread is opened. Threads will not be locked, so posts may still be edited by their authors.

Mike S

Regular Contributor
I have a cabin with a Fiber Optic Modem / Router supplied by my local telco (LAN Address 192.168.200.1). I have a bunkhouse with an Asus RT-AC68R router (LAN Address 192.168.201.1; WAN Address 192.168.200.2) running Asuswrt Merlin 384.18. The bunkhouse router has a hardwire connection from the WAN port to a LAN port on the main cabin router.

I want to be able to access devices on the bunkhouse LAN from my laptop when I am connected to the main cabin LAN. I have configured a static route on the main cabin router to route all 192.168.201.0/24 traffic to 192.168.200.2. I can ping 192.168.201.1 from the cabin LAN, but I can't ping anything connected to the LAN port on the Asus router.

When I run a Tracert, from the main cabin LAN to 192.168.201.50 (a device on my bunkhouse LAN), the 1st hop goes to 192.168.200.1 (my cabin modem/router) and the second hop goes to 192.168.200.2 (the WAN port on the Asus Router), and then stops. I can successfully ping 192.168.201.50 form the ASUS router, so the problem seems to be that the ASUS router is not forwarding the traffic to its LAN.

How can I configure the Asus router to make this work?
 

Yo_2T

Occasional Visitor
Set the Asus router to AP Mode. Right now you're having 2 separate LANs running. The Asus in AP Mode will essentially put everything on the same 192.168.200.x LAN.
 

brummygit

Senior Member
I have a cabin with a Fiber Optic Modem / Router supplied by my local telco (LAN Address 192.168.200.1). I have a bunkhouse with an Asus RT-AC68R router (LAN Address 192.168.201.1; WAN Address 192.168.200.2) running Asuswrt Merlin 384.18. The bunkhouse router has a hardwire connection from the WAN port to a LAN port on the main cabin router.

I want to be able to access devices on the bunkhouse LAN from my laptop when I am connected to the main cabin LAN. I have configured a static route on the main cabin router to route all 192.168.201.0/24 traffic to 192.168.200.2. I can ping 192.168.201.1 from the cabin LAN, but I can't ping anything connected to the LAN port on the Asus router.

When I run a Tracert, from the main cabin LAN to 192.168.201.50 (a device on my bunkhouse LAN), the 1st hop goes to 192.168.200.1 (my cabin modem/router) and the second hop goes to 192.168.200.2 (the WAN port on the Asus Router), and then stops. I can successfully ping 192.168.201.50 form the ASUS router, so the problem seems to be that the ASUS router is not forwarding the traffic to its LAN.

How can I configure the Asus router to make this work?
I have this type of configuration on my network.

  • Turn off NAT in the WAN settings on your bunkhouse router
  • Turn off the firewall on the bunkhouse router
  • This is important for it to work - set a static route on your ISP router that sets network 192.168.201.0 (subnet mask 255.255.255.0) to next hop 192.168.200.2 with Metric=1. My example:
    1597357266101.png
  • If your ISP router doesn't allow you to set a static route you have 3 options
    1. replace the ISP router (or put a second in the cabin with Dual NAT) which is capable of static routes (I have an RT-AX88U as I must use my ISP router which doesn't support static routes)
    2. use NAT and not be able to access the devices in the bunkhouse
    3. use the RT-AC68U in the bunkhouse as an AP on the same LAN segment
I've assumed you have a reason for segmenting your network into different subnets, but if not, option 3 is simplest unless you are happy adding static routes
 
Last edited:

Mike S

Regular Contributor
Set the Asus router to AP Mode. Right now you're having 2 separate LANs running. The Asus in AP Mode will essentially put everything on the same 192.168.200.x LAN.
I am using the Asus Router as an OpenVPN Server so I can access my cabin from home, which is not possible if I switch to AP mode.
 

Mike S

Regular Contributor
I have this type of configuration on my network.

  • Turn off NAT in the WAN settings on your bunkhouse router
  • Turn off the firewall on the bunkhouse router
  • This is important for it to work - set a static route on your ISP router that sets network 192.168.201.0 (subnet mask 255.255.255.0) to next hop 192.168.200.2 with Metric=1. My example:
    View attachment 25406
  • If your ISP router doesn't allow you to set a static route you have 3 options
    1. replace the ISP router (or put a second in the cabin with Dual NAT) which is capable of static routes (I have an RT-AX88U as I must use my ISP router which doesn't support static routes)
    2. use NAT and not be able to access the devices in the bunkhouse
    3. use the RT-AC68U in the bunkhouse as an AP on the same LAN segment
I've assumed you have a reason for segmenting your network into different subnets, but if not, option 3 is simplest unless you are happy adding static routes
Turning off NAT and the Firewall in the bunkhouse router solves the problem of accessing devices on the bunkhouse LAN from the main cabin LAN. I can ping everything in both directions. However, now I can't access anything from the bunkhouse LAN on the internet. If I do a Tracert from the bunkhouse LAN to 8.8.8.8, it shows hop 1 being the bunkhouse router, hop 2 is the main cabin modem/router, and then nothing. Very perplexing!!!
 

eibgrad

Senior Member
I am using the Asus Router as an OpenVPN Server so I can access my cabin from home, which is not possible if I switch to AP mode.
If this is the only reason for NOT using an AP config, it doesn't make sense. AFAIK, the OpenVPN server should be bound to both the WAN *and* LAN (unless someone knows for sure that RMerlin only binds it to the WAN, which seems unlikely). And thus should be accessible via port forwarding on the main router. Only thing you need to do is NAT the incoming traffic from the OpenVPN server's tunnel network into the LAN (br0) so all the traffic appears to be coming from the LAN ip of the AP, and thus clients will reply back to that AP. Or else add a static route the primary router (which isn't always possible w/ OEM devices) that points to the AP as the gateway to the OpenVPN server's tunnel network.
 
Last edited:

Mike S

Regular Contributor
If this is the only reason for NOT using an AP config, it doesn't make sense. AFAIK, the OpenVPN server should be bound to both the WAN *and* LAN (unless someone knows for sure that RMerlin only binds it to the WAN, which seems unlikely). And thus should be accessible via port forwarding on the main router. Only thing you need to do is NAT the incoming traffic from the OpenVPN server's tunnel network into the LAN (br0) so all the traffic appears to be coming from the LAN ip of the AP, and thus clients will reply back to that AP. Or else add a static route the primary router (which isn't always possible w/ OEM devices) that points to the AP as the gateway to the OpenVPN server's tunnel network.
If you configure an Asus Router as an AP, none of the OpenVPN functionality is available. Unfortunately, the Fiber Optic Modem/Router that is provided by my Telco does not support any VPN functionality.
 

eibgrad

Senior Member
If you configure an Asus Router as an AP, none of the OpenVPN functionality is available. Unfortunately, the Fiber Optic Modem/Router that is provided by my Telco does not support any VPN functionality.
Ugg. That's too bad. I don't see why it was designed that way. Because there's no obvious reason for the restriction. Maybe you should try FreshTomato or dd-wrt instead, esp. if it only needs to be an AP. I know dd-wrt has no such restriction, and IIRC, neither does tomato.
 

dosborne

Very Senior Member
Put the Asus router on the same subnet as your other router (200.x) and use the lan port instead of the wan port.
 

eibgrad

Senior Member
Put the Asus router on the same subnet as your other router (200.x) and use the lan port instead of the wan port.
But he wants to use the OpenVPN server on that AP, and can't in that configuration (at least according to the OP). Unless you're suggesting he NOT specifically change the router mode to AP in the GUI, but just treat it as an AP the old fashioned way (disabling the DHCP server manually, assigning an IP on the LAN side in the same network as the primary router, etc.). But I assume the OpenVPN server will still not be bound to the LAN.
 

brummygit

Senior Member
Turning off NAT and the Firewall in the bunkhouse router solves the problem of accessing devices on the bunkhouse LAN from the main cabin LAN. I can ping everything in both directions. However, now I can't access anything from the bunkhouse LAN on the internet. If I do a Tracert from the bunkhouse LAN to 8.8.8.8, it shows hop 1 being the bunkhouse router, hop 2 is the main cabin modem/router, and then nothing. Very perplexing!!!
Did you add the static route? Without it the internet traffic doesn’t know how to get back to the bunkhouse LAN
 

Mike S

Regular Contributor
Did you add the static route? Without it the internet traffic doesn’t know how to get back to the bunkhouse LAN
I have a static route for the bunkhouse LAN in the main cabin modem/router. This works, as I can ping from my laptop in the main cabin to other devices in the bunkhouse. Why this doesn't work for internet traffic has me baffled. I have a tech support call in to my Telco to see if they can figure this out.
 

brummygit

Senior Member
I can only imagine it's the ISP router not NATing from a downstream subnet properly, but that would be very poor.
 

Mike S

Regular Contributor
I have a static route for the bunkhouse LAN in the main cabin modem/router. This works, as I can ping from my laptop in the main cabin to other devices in the bunkhouse. Why this doesn't work for internet traffic has me baffled. I have a tech support call in to my Telco to see if they can figure this out.
My Telco is just as baffled about this as I am. We suspect that the Telco modem/router either isn't handling NAT properly, when the traffic is coming from the Asus router subnet, or the Telco router is not properly handling the static route for traffic coming from the fiber WAN port.

In the mean time, I have enabled NAT on the Asus Router. With the firewall on the ASUS router disabled, things are working. I can access the internet from the bunkhouse, and still ping devices in the bunkhouse from the main cabin LAN. Not elegant, but a serviceable workaround until we figure out what the problem is.
 

dosborne

Very Senior Member
Unless you're suggesting he NOT specifically change the router mode to AP in the GUI
Exactly. Everything on 1 subnet should work fine.
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top