DDE12 (DD-WRT Novice, Joined: 09 May 2021, Posts: 9)
Posted: Sun May 09, 2021 2:48
Post subject: Gateway and Router mode setup to create multiple networks

I have an ISP modem connected to the WAN port of Router 1 with an IP address of 192.168.2.1. The WAN ports of Routers A, B, C are connected to LAN ports of Router 1. The IPs of these routers are 192.168.10.1, 192.168.11.1, 192.168.12. I'm trying to set this up so I can have 3 separate networks that can't see each other, so I can experiment with 2 of them and not affect the third network and inconvenience the family. To avoid double NAT and other issues, should I set Router 1 to Gateway mode and the rest to Router mode in advanced setup, or vice versa? Or am I off course and should be doing something different altogether? Thank you for taking a look at this.

eibgrad (DD-WRT Guru, Joined: 18 Sep 2010, Posts: 9179)
Posted: Sun May 09, 2021 3:44

IMO, the concern over being double NAT'd is usually overrated. In some specific cases, it can be a problem, mostly involving the need for NAT traversal (e.g., VOIP). Router mode does disable NAT, but it also disables connection tracking. And that can cause other problems, esp. given the router is typically used as an applications platform, and NOT just as a pure router. It also assumes you can add static routes to the primary router to establish the routing back to the local network behind the secondary router. Many ISP provided devices do NOT offer that option. So in general, you're usually better off to leave any secondary routers in Gateway mode unless you have a specific, known issue that makes that unworkable. And in some cases (as I described above), you may have no choice anyway.

Per Yngve Berg (DD-WRT Guru, Joined: 13 Aug 2013, Posts: 6904, Location: Romerike, Norway)
Posted: Sun May 09, 2021 7:48

Entering static routes here will be no issue as they are put in Router 1 which is dd-wrt, not the ISP Modem.

DDE12 (DD-WRT Novice, Joined: 09 May 2021, Posts: 9)
Posted: Sun May 09, 2021 15:08

I do have VOIP, Plex does not like the double NAT and some of my Echo and smart home devices are not working either. Why some of them and why they were working fine for several days, I don't know. So if I'm understanding correctly, I should put Router 1 in Router mode and routers A-C in Gateway while setting static routes on Router 1 to routers A-C?

Per Yngve Berg (DD-WRT Guru, Joined: 13 Aug 2013, Posts: 6904, Location: Romerike, Norway)
Posted: Sun May 09, 2021 15:32

No, Router 1 in Gateway mode and routers A-C in Router mode. Does Router 1 have the Public IP?

DDE12 (DD-WRT Novice, Joined: 09 May 2021, Posts: 9)
Posted: Sat May 15, 2021 22:15

I have the following settings but can't get an internet connection on Router A:

Router 1 (Buffalo WZR-600DHP2 DD-WRT v3.0-r44715 std (11/03/20)) (Public IP)
Advanced Routing
  Operation Mode: Gateway
  Static Routing
    Masquerade Route: unchecked
    Destination LAN NET: 192.168.11.0
    Subnet Mask: 255.255.255.0
    Gateway: 192.168.1.111
    Interface: Any
Administration > Commands > Firewall
  iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT

Router A (Buffalo WZR-600DHP 22084 Idexx v1.0 (02/13/14))
Basic Setup > WAN Connection Type
  Connection Type: Static IP
  WAN IP Address: 192.168.1.111
  Subnet Mask: 255.255.255.0
  Gateway: 192.168.1.1
  Static DNS 1-3 are all blank.

What am I missing or have wrong?

Per Yngve Berg (DD-WRT Guru, Joined: 13 Aug 2013, Posts: 6904, Location: Romerike, Norway)
Posted: Sat May 15, 2021 22:50

Masquerade Route (NAT) must be ticked.

DDE12 (DD-WRT Novice, Joined: 09 May 2021, Posts: 9)
Posted: Sat May 15, 2021 23:28

I ticked it but that still did not allow me to connect to the internet.

Per Yngve Berg (DD-WRT Guru, Joined: 13 Aug 2013, Posts: 6904, Location: Romerike, Norway)
Posted: Sun May 16, 2021 7:27

Put this in the Firewall of Router 1 to make sure everything is NAT'ed out the WAN.
iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE

Begin with the basics. Can you ping Router 1 from Router A? Can you ping Router 1 from a client behind Router A?

egc (DD-WRT Guru, Joined: 18 Mar 2014, Posts: 13064, Location: Netherlands)
Posted: Sun May 16, 2021 8:07

If there is no DNS set, maybe a DNS problem? Try 9.9.9.9 for static DNS 1.
If possible I would not use static IP for WAN but use a static lease from the primary router. That way you know what IP addresses are handed out.
But that is just me.

DDE12 (DD-WRT Novice, Joined: 09 May 2021, Posts: 9)
Posted: Fri May 21, 2021 16:27

I added the following to the firewall of Router 1.
iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE

Ping testing:

Client on Router A
  can ping: 192.168.11.1, 192.168.1.111
  cannot ping: 192.168.1.1 or a client on Router 1
Router A
  can ping: 192.168.1.1, 192.168.11.1, 192.168.1.111, 1.1.1.1, the WAN IP of Router 1, a client on Router 1
Client on Router 1
  can ping: 192.168.11.1, 192.168.1.111
  cannot ping: a client on Router A
Router 1
  can ping: 192.168.11.1, 192.168.1.111
  cannot ping: client on Router A

I tried a static DNS on Router A (9.9.9.9) but that did not help.

Per Yngve Berg (DD-WRT Guru, Joined: 13 Aug 2013, Posts: 6904, Location: Romerike, Norway)
Posted: Fri May 21, 2021 17:28

Quote:
  Client on Router 1 can ping 192.168.11.1 192.168.1.111 Cannot ping a client on Router A

Change the default gateway on the Client on Router 1 from 192.1.1 to 192.1.111 and redo the test. If it goes through, check the routes on router 1.
route 192.168.11.0/24 via 192.168.1.111
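
The route check suggested in the post above, as an added example that is not part of any post in this thread: a longest-prefix-match trace over the routing tables the thread describes, showing which hops a ping takes with and without the static route on Router 1. It models routing only (no firewall, NAT or connection tracking), so a path here is necessary for the ping to work but not sufficient. The two client addresses and the ISP gateway 203.0.113.1 are constructed.

```python
import ipaddress

# Routing tables as (destination, next hop); None means directly connected.
# Router addresses and the static route are from the thread. The two client
# addresses and the ISP gateway 203.0.113.1 are constructed for illustration.
ROUTER_1 = [("192.168.1.0/24", None), ("192.168.11.0/24", "192.168.1.111"),
            ("0.0.0.0/0", "203.0.113.1")]
ROUTER_A = [("192.168.11.0/24", None), ("192.168.1.0/24", None),
            ("0.0.0.0/0", "192.168.1.1")]
CLIENT_1 = [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]
CLIENT_A = [("192.168.11.0/24", None), ("0.0.0.0/0", "192.168.11.1")]

def build_nodes(router_1=ROUTER_1, client_1=CLIENT_1):
    """Map every address a device owns to that device's routing table."""
    return {"192.168.1.1": router_1, "192.168.1.111": ROUTER_A,
            "192.168.11.1": ROUTER_A, "192.168.1.50": client_1,
            "192.168.11.50": CLIENT_A}

def next_hop(table, dst):
    """Longest-prefix match: next-hop IP, dst itself if on-link, None if no route."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), via) for p, via in table
               if dst_ip in ipaddress.ip_network(p)]
    if not matches:
        return None
    _, via = max(matches, key=lambda m: m[0].prefixlen)
    return via or dst

def trace(src, dst, nodes, max_hops=8):
    """Return the hop list from src to dst, or None if the packet never arrives."""
    path, here = [src], src
    for _ in range(max_hops):
        if nodes[here] is nodes.get(dst):   # dst is an address of this device
            return path
        hop = next_hop(nodes[here], dst)
        if hop not in nodes:                # no route, or it leaves via the ISP
            return None
        path.append(hop)
        here = hop
    return None

if __name__ == "__main__":
    print(trace("192.168.1.50", "192.168.11.50", build_nodes()))
    # Same ping with the static route missing on Router 1:
    no_route = [r for r in ROUTER_1 if r[0] != "192.168.11.0/24"]
    print(trace("192.168.1.50", "192.168.11.50", build_nodes(router_1=no_route)))
```

The reply from the client behind Router A goes straight out Router A's WAN to the Router 1 client without passing through Router 1, so the forward and return paths differ.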

egc (DD-WRT Guru, Joined: 18 Mar 2014, Posts: 13064, Location: Netherlands)
Posted: Fri May 21, 2021 17:50

On what router is the following firewall rule set:

Quote:
  Administration > Commands > Firewall
  iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT

DDE12 (DD-WRT Novice, Joined: 09 May 2021, Posts: 9)
Posted: Mon May 31, 2021 18:38

With the default gateway on the client on Router 1 set to 192.168.1.111, it could not ping the client on Router A, and now the client on Router 1 could no longer connect to the internet. The following firewall command is on both routers.
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT

Alozaros (DD-WRT Guru, Joined: 16 Nov 2015, Posts: 6511, Location: UK, London, just across the river..)
Posted: Mon May 31, 2021 21:13

Just curious, is SPI firewall disabled on those in router mode? Have a look at those links...
https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point
https://wiki.dd-wrt.com/wiki/index.php/Category:Linking_Routers
As well, follow the gurus' guidance!

If I got you correctly... you want 3 separate networks... behind your router 1??? Your best bet is... if your router allows it, do x3 separate VLANs... related to the router 1 LAN ports, and then all those routers will be on a different VLAN, either with net isolation or not, depends what you need them for.... You may need to update to a newer build, as this build you have is old... sadly there is a lot of WIP on the newer builds, especially Broadcom VLANs etc.