Two Asus Routers Chained Together (LAN -> WAN) [one dedicated VPN router]

[in0verMyHead]

Here is my setup

Router 1: 192.168.1.1 subnet: 255.255.255.0
FW version: 3.0.0.4.380_7266

Router 2: IP leased from Router 1: 192.168.1.11. Own IP is 10.0.0.1 subnet: 255.0.0.0
Asuswrt-merlin: FW version:380.65

Computer A: plugged into Router 1 with IP 192.168.1.189

Computer B: plugged into Router 2 with IP 10.0.0.79

I have a static route added to Router 1: 10.0.0.0, subnet 255.0.0.0 to gateway 192.168.1.11

I also put 10.0.0.79 in Router 2's DMZ

I can't ping from Computer A to Computer B, nor SMB to it.

Any ideas?

Router 2 is always configured to connect via OpenVPN as external Computer B traffic should always go through OpenVPN.

 

[ColinTaylor]

Normally I would say,
1) Remove the DMZ entry
2) Turn off the firewall on Router 2
3) Turn off NAT on Router 2
It should now work.

However it's not clear how you've got your OpenVPN setup. Presumably you've got some policy rules for 10.0.0.79.

 

[in0verMyHead]

Normally I would say,
1) Remove the DMZ entry
2) Turn off the firewall on Router 2
3) Turn off NAT on Router 2
It should now work.

However it's not clear how you've got your OpenVPN setup. Presumably you've got some policy rules for 10.0.0.79.

Wow! You nailed it. I can ping computer B from computer A.

However, I can't SMB into it. Any ideas?

Computer A is a Mac and Computer B is a Windows machine.

I'm trying to network attach via Finder with smb://10.0.0.79 and it times out.

Computer B has the firewall turned off.

Note if Computer A is connected to Router B, I can mount the share.

Here are the policy rules I have on the OpenVPN and settings — note toggling VPN on / off doesn't make a difference so I doubt it's the policy rules.

source_ip --- dest_ip iface notes
10.0.0.24 --- 0.0.0.0 VPN all traffic from machine goes to vpn
10.0.0.91 --- 0.0.0.0 VPN all traffic from machine goes to vpn
10.0.0.0/24 --- 0.0.0.0 VPN all traffic goes to vpn
10.0.0.79 --- 0.0.0.0 VPN all traffic from computer b to vpn
192.168.1.0/24 --- 10.0.0.79 WAN all traffic from router a lan to computer b to wan
10.0.0.79 --- 192.168.1.0/24 WAN all traffic from computer b to router a lan to wan

 

[ColinTaylor]

Sorry. I don't know why that's not working. But then I don't use Mac's or the VPN client.

But for testing I would definitely disable the VPN on Router 2. You seem to have multiple redundant and conflicting rules. I suggest you carefully review the wiki. I suspect you only need to have two rules. Also leave the firewall off on Computer B, at least for the time being, because the default action is usually to block incoming connection attempts from another subnet.

Can you try connecting to Computer B using something other than SMB? Just trying to determine whether it's just an SMB issue or something larger. Try using RDP (if it's enabled on Computer B). Have you got any devices on 10.0.0.x that run a web server, like a printer? Try connecting to them.

 

[in0verMyHead]

Tried all your suggestions.

RDP from Computer A to Computer B can't get initiated either. I get a "connection to the server was was lost" error.

In trying to reach my printer, now connected to Router 2, the web connection times out.

Any other tests to run? Thanks for the help to this point! Almost there ...

As a last note, pinging from Computer A to Computer B is very unreliable initially. Ping results below. It has me wondering if I have a faulty configuration.

ping 10.0.0.79
PING 10.0.0.79 (10.0.0.79): 56 data bytes

Request timeout for icmp_seq 0
92 bytes from router.asus.com (192.168.1.1): Redirect Host(New addr: 192.168.1.11)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 db69 0 0000 3f 01 d416 192.168.1.50 10.0.0.79

Request timeout for icmp_seq 1
92 bytes from router.asus.com (192.168.1.1): Redirect Host(New addr: 192.168.1.11)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 1d76 0 0000 3f 01 920a 192.168.1.50 10.0.0.79

Request timeout for icmp_seq 2
92 bytes from router.asus.com (192.168.1.1): Redirect Host(New addr: 192.168.1.11)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 ef61 0 0000 3f 01 c01e 192.168.1.50 10.0.0.79

Request timeout for icmp_seq 3
92 bytes from router.asus.com (192.168.1.1): Redirect Host(New addr: 192.168.1.11)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 1483 0 0000 3f 01 9afd 192.168.1.50 10.0.0.79

Request timeout for icmp_seq 4
92 bytes from router.asus.com (192.168.1.1): Redirect Host(New addr: 192.168.1.11)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 30e4 0 0000 3f 01 7e9c 192.168.1.50 10.0.0.79

64 bytes from 10.0.0.79: icmp_seq=3 ttl=127 time=2116.118 ms
64 bytes from 10.0.0.79: icmp_seq=4 ttl=127 time=1110.938 ms
64 bytes from 10.0.0.79: icmp_seq=5 ttl=127 time=109.926 ms
64 bytes from 10.0.0.79: icmp_seq=6 ttl=127 time=3.189 ms
92 bytes from router.asus.com (192.168.1.1): Redirect Host(New addr: 192.168.1.11)

Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 26e0 0 0000 3f 01 88a0 192.168.1.50 10.0.0.79
64 bytes from 10.0.0.79: icmp_seq=7 ttl=127 time=2.236 ms
​

 

[ColinTaylor]

How are routers connected together? Do you have any other switches, AP's, etc. in your setup that you've not told us about?

Are the clients wired or wireless? Try to only used wired devices for your testing.

 

[in0verMyHead]

How are routers connected together? Do you have any other switches, AP's, etc. in your setup that you've not told us about?

Are the clients wired or wireless? Try to only used wired devices for your testing.

Good call. I have a bunch of other gear. Namely, I had Router 2 plugged into another router in bridge mode. I've since cleaned everything up.

All testing is done on wired connections.

I'm still getting the same timeout to the printer and "connection to the server was was lost" for RDP.

What do you recommend next?

 

[Grisu]

Are the bridge mode routers from Asus too? They have some problems as bridge since long time now (you could use them in repeater mode instead) or try them with Johns fork firmware if available for your devices.

 

[ColinTaylor]

I'm assuming the connection between Router 1 and Router 2 is by Ethernet cable?

What do you recommend next?

Power off Router's 3 and 4.
Disconnect the unmanged switch.
Ping computer B from computer A.
If you still have a poor connection, SSH onto Router 1 (192.168.1.1) and ping Router 2 (192.168.1.11).

 

[in0verMyHead]

Router 1 and Router 2 connected by ethernet. Router 1 LAN <-> Router 2 WAN.

Powered off Router's 3 and 4 and unplugged the switch.

Ping Computer A -> Computer B is solid now.

Still can't RDP into Computer B

Connection to my printer on Router 2 times out still.

What's next?

 

[in0verMyHead]

Are the bridge mode routers from Asus too? They have some problems as bridge since long time now (you could use them in repeater mode instead) or try them with Johns fork firmware if available for your devices.

I have a really old Apple Airport Extreme and Express that are the repeaters.

 

[ColinTaylor]

Still can't RDP into Computer B

Do you still have the firewall turned off on that PC?

Are you sure RDP is enabled? Don't confuse RDP with Remote Assistance.


What about smb://10.0.0.79 ?

Connection to my printer on Router 2 times out still.

Can you ping it reliably? What model is it?

 

[in0verMyHead]

Do you still have the firewall turned off on that PC?

Yes I do:

Are you sure RDP is enabled? Don't confuse RDP with Remote Assistance.

Yes I do:

What about smb://10.0.0.79 ?

Times out still.

Can you ping it reliably? What model is it?

I didn't hard connect it to my router, so it's the only wireless connection. Packet loss at 7% for over 100 pings. Seems reliable.

HP 8715. Just got it at Costco.

I'm confounded ...

 

[ColinTaylor]

I'm confounded ...

Me too.

Can you try telnet to the IP address of the printer.

 

[in0verMyHead]

I get a connection refused and don't believe my model has telnet support (doesn't exist in the options) and did some googling.

Perhaps I've incorrectly set a gateway so I took screenshots of the router configuration pages.

Anything stand out as wrong?

Router 1:

Router 2:

 

[in0verMyHead]

Here are the WAN-NAT pass through pages:

Router 1

Router 2

 

[ColinTaylor]

I can't see anything wrong with that.

I notice that the subnet mask for Router 2 is actually different now from what you originally posted. Post #1 has it at 255.0.0.0 but now it's 255.255.255.0. Either would work but what you have now is better.

Maybe double-check the routing on each router at System Log > Routing Table. But TBH that seems to be working OK.

Also might be worth doing an "ipconfig /all" on the Windows PC.

 

[in0verMyHead]

OK, here it is. I wonder if there's weirdness in the routing table for 1 ...

Router 1 Router Table:

Router 2 Router Table:

"ipconfig /all"

Windows IP Configuration

Host Name . . . . . . . . . . . . : Xmen
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Marvell Yukon 88E8056 PCI-E Gigabit Ether
net Controller
Physical Address. . . . . . . . . : 00-1A-92-8*-**-**
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::b59f:cc0:****:*******(Preferred)
IPv4 Address. . . . . . . . . . . : 10.0.0.79(Preferred)
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Default Gateway . . . . . . . . . : 10.0.0.1
DHCPv6 IAID . . . . . . . . . . . : 30199****
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-03-C3-39-5A-00-1A-**-**-**-**

DNS Servers . . . . . . . . . . . : 10.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Marvell Yukon 88E8001/8003/8010 PCI Gigab
it Ethernet Controller
Physical Address. . . . . . . . . : 00-1A-92-**-**-**
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{70151B4F-51EE-415D-8F5D-************}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{AB8E0098-5262-48D2-BA2F-************}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

 

[ColinTaylor]

OK, here it is. I wonder if there's weirdness in the routing table for 1 ...

There seems to be some sort of VPN running on Router 1, which you've not mentioned before. Try turning that off, check the routing table and test again.

Your PC at 10.0.0.79 has been manually configured and you haven't corrected the netmask on it.

 

[in0verMyHead]

Fixed both ... still no luck ... anything else to diagnose or look into?