View previous topic :: View next topic |
| Author | Message |
|---|
DDE12
DD-WRT NoviceJoined: 09 May 2021
Posts: 9
| | Posted: Sun May 09, 2021 2:48 Post subject: Gateway and Router mode setup to create multiple networks | | | I have ISP modem connected to WAN port of Router 1 with IP address of 192.168.2.1. Routers A, B, C WAN ports are connected to LANs of Router 1. The IPs of these routers are 192.168.10.1, 192.168.11.1, 192.168.12. I'm trying to set this up so I can have 3 separate networks that can't see each other so I can experiment with 2 of them and not affect the third network and inconvenience the family. To avoid double NAT and other issues, should I set Router 1 to Gateway mode and the rest to Router mode in advanced setup or vice versa. Or am I off course and should be doing something different altogether? Thank you for taking a look at this. |
|
| Back to top | |
 |
Sponsor
| |
|
eibgrad
DD-WRT GuruJoined: 18 Sep 2010
Posts: 9179
| | Posted: Sun May 09, 2021 3:44 Post subject: | | | IMO, the concern over being double NAT'd is usually overrated. In some specific cases, it can be a problem, mostly involving the need for NAT traversal (e.g., VOIP). Router mode does disable NAT, but it also disables connection tracking. And that can cause other problems, esp. given the router is typically used as an applications platform, and NOT just as a pure router. It also assumes you can add static routes to the primary router to establish the routing back to the local network behind the secondary router. Many ISP provided devices do NOT offer that option. So in general, you're usually better off to leave any secondary routers in Gateway mode unless you have a specific, known issue that makes that unworkable. And in some cases (as I described above), you made have no choice anyway.
_________________
ddwrt-ovpn-split-basic.sh * ddwrt-ovpn-split-advanced.sh * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh (UPDATED!) * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh |
|
| Back to top | |
|
Per Yngve Berg
DD-WRT GuruJoined: 13 Aug 2013
Posts: 6904
Location: Romerike, Norway
| | Posted: Sun May 09, 2021 7:48 Post subject: | | | Entering static routes here will be no issue as they are put in Router 1 which is dd-wrt, not the ISP Modem. |
|
| Back to top | |
|
DDE12
DD-WRT NoviceJoined: 09 May 2021
Posts: 9
| | Posted: Sun May 09, 2021 15:08 Post subject: | | | I do have VOIP, Plex does not like the double NAT and some of my Echo and smart home devices are not working either. Why some of them and why they were working fine for several days, I don't know. So if I'm understanding correctly, I should put Router 1 in Router mode and routers A-C in Gateway while setting static routes on Router 1 to routers A-C? |
|
| Back to top | |
|
Per Yngve Berg
DD-WRT GuruJoined: 13 Aug 2013
Posts: 6904
Location: Romerike, Norway
| | Posted: Sun May 09, 2021 15:32 Post subject: | | | No, Router 1 in Gateway mode and routers A-C in Router mode. Do Router 1 have the Public IP? |
|
| Back to top | |
|
DDE12
DD-WRT NoviceJoined: 09 May 2021
Posts: 9
| | Posted: Sat May 15, 2021 22:15 Post subject: | | | I have the following settings but can't get an internet connection on Router A: Router 1 (Buffalo WZR-600DHP2 DD-WRT v3.0-r44715 std (11/03/20))(Public IP)
Advanced Routing
Operation Mode Gateway
Static Routing
Masquerade Route unchecked
Destination LAN NET: 192.168.11.0
Subnet Mask: 255.255.255.0
Gateway: 192.168.1.111
Interface: Any Administration > Commands > Firewall
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT Router A (Buffalo WZR-600DHP 22084 Idexx v1.0 (02/13/14))
Basic Setup > WAN Connection Type
Connection Type: Static IP
WAN IP Address 192.168.1.111
Subnet Mask: 255.255.255.0
Gateway: 192.168.1.1
Static DNS 1-3 are all blank. What am I missing or have wrong? |
|
| Back to top | |
|
Per Yngve Berg
DD-WRT GuruJoined: 13 Aug 2013
Posts: 6904
Location: Romerike, Norway
| | Posted: Sat May 15, 2021 22:50 Post subject: | | | Masquerade Route (NAT) must be ticked. |
|
| Back to top | |
|
DDE12
DD-WRT NoviceJoined: 09 May 2021
Posts: 9
| | Posted: Sat May 15, 2021 23:28 Post subject: | | | I ticked it but that still did not allow me to connect to the internet. |
|
| Back to top | |
|
Per Yngve Berg
DD-WRT GuruJoined: 13 Aug 2013
Posts: 6904
Location: Romerike, Norway
| | Posted: Sun May 16, 2021 7:27 Post subject: | | | Put this is Firewall of Router 1 to make sure everything is NAT'ed out the WAN. iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE Begin with the basics. Can you ping Router 1 from Router A?
Can you ping Router 1 from a client behind Router A? |
|
| Back to top | |
|
egc
DD-WRT GuruJoined: 18 Mar 2014
Posts: 13064
Location: Netherlands
| | Posted: Sun May 16, 2021 8:07 Post subject: | | | If there is no DNS set maybe a DNS problem? Try 9.9.9.9 for static DNS 1 If possible I would not use static IP for WAN but use a static lease from the primary router. That way you know what IP addresses are handed out
But that is just me
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087 |
|
| Back to top | |
|
DDE12
DD-WRT NoviceJoined: 09 May 2021
Posts: 9
| | Posted: Fri May 21, 2021 16:27 Post subject: | | I added the following to the firewall of Router 1.
iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADEPing testing:
Client on Router A can ping
192.168.11.1
192.168.1.111
Cannot ping
192.168.1.1
or a client on Router 1 Router A can ping
192.168.1.1
192.168.11.1
192.168.1.111
1.1.1.1
The WAN IP of Router 1
a client on Router 1 Client on Router 1 can ping
192.168.11.1
192.168.1.111
Cannot ping a client on Router A Router 1 can ping
192.168.11.1
192.168.1.111
Cannot ping client on Router A I tried a static DNS on Router A (9.9.9.9) but that did not help. |
|
| Back to top | |
|
Per Yngve Berg
DD-WRT GuruJoined: 13 Aug 2013
Posts: 6904
Location: Romerike, Norway
| | Posted: Fri May 21, 2021 17:28 Post subject: | | | Quote: | Client on Router 1 can ping
192.168.11.1
192.168.1.111
Cannot ping a client on Router A |
Change the default gateway on the Client on Router 1 from 192.1.1 to 192.1.111 and redo the test. If it goes through, check the routes on router 1. route 192.168.11.0/24 via 192.168.1.111 |
|
| Back to top | |
|
egc
DD-WRT GuruJoined: 18 Mar 2014
Posts: 13064
Location: Netherlands
| | Posted: Fri May 21, 2021 17:50 Post subject: | | On what router is the following firewall rule set:
| Quote: | Administration > Commands > Firewall
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT |
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087 |
|
| Back to top | |
|
DDE12
DD-WRT NoviceJoined: 09 May 2021
Posts: 9
| | Posted: Mon May 31, 2021 18:38 Post subject: | | Setting the default gateway on client on Router 1 to 192.168.1.111 could not ping client on Router A and now client on Router 1 could no longer connect to the internet.
The following firewall command is on both routers.
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT |
|
| Back to top | |
|
Alozaros
DD-WRT Guru
Joined: 16 Nov 2015
Posts: 6511
Location: UK, London, just across the river..
| | Posted: Mon May 31, 2021 21:13 Post subject: | | | just curious, is SPI firewall disabled on those in router mode ? have a look on those links... https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point https://wiki.dd-wrt.com/wiki/index.php/Category:Linking_Routers as well, follow the gurus guidance ! If i got you correctly...you want 3 separate networks...behind your router 1 ???
Your best bet is...if your router allows it,do a x3 separate Vlans...related to the router 1 LAN ports and than, all those routers will be on a different Vlan, either with net isolation or not, depends what do you need them for....
You may need to update to a newer build, as this build you have is old...sadly there is a lots of WIP on the newer builds especially Brodacom Vlans and ect.
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 56490 WAP
TP-Link WR1043NDv2 -DD-WRT 56941 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 56941 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 56941 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 56932 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913 |
|
| Back to top | |
|
|
