Multiple routers and subnets - can't access across subnets
jpml
Enthusiast - Level 2

Hey all, I'm having an issue with multiple routers and subnets on my FIOS connection. Here's how everything is set up:

Primary router:

  • ActionTec MI424WR Rev D (from Verizon)
  • WAN IP: From ISP
  • WAN NETMASK: From ISP
  • LAN IP: 192.168.1.1
  • LAN NETMASK: 255.255.255.0

Secondary router (WAN connected to ActionTec LAN):

  • Belkin N750 gigabit w/ 802.11n
  • WAN IP: 192.168.1.2
  • WAN NETMASK: 255.255.255.0
  • LAN IP: 192.168.2.1
  • LAN NETMASK: 255.255.255.0

With this setup, I have the secondary router's WAN port connected to a LAN port on the primary router. Each is broadcasting an SSID and each is running DHCP to assign addresses to its respective subnet. Everything was well and good, except that I could reach 192.168.1.* systems from 192.168.2.*, but not vice versa -- anything connected to the Primary router was blind to systems connected to Secondary. Also, I could not ping anything on .2 from .1.

So, I added the following static route to the primary router:

DESTINATION: 192.168.2.0
NETMASK: 255.255.255.0
GATEWAY: 192.168.1.2

Once this was added to the router, I could ping everything, so that was good. However, even though .1 can now ping .2, I can't access certain things such as the web interface of my NAS (192.168.2.2). I can ping it, but accessing it in the browser from .1 doesn't work; however, accessing from .2 does work.

I think the ActionTec router might be blocking it, but that's just a guess. The firewall on this thing has me thoroughly confused. Currently, I have 192.168.1.2 in the DMZ on the ActionTec, but that didn't make a difference. I've also completely disabled the firewall on the secondary Belkin router, but still nothing.

Any help from the pros here? Much appreciated!


Re: Multiple routers and subnets - can't access across subnets
lasagna
Community Leader

More than likely, the Belkin itself is blocking the traffic. You don't specifically mention that you've done anything to the Belkin to put it into a "routing" mode vs NAT router. If you're still in NAT router mode, then everything on .2 is hidden behind the single interface that the Belkin has assigned to it. You would need to be running this router in "gateway" or "router" mode instead if it supports it. These devices act well as NAT routers, but aren't so great as just a regular router and you often still need to configure the port forwarding / firewall on these devices even in router mode to make them functional.

Anyhow, you can take the ActionTec out of the picture by simply putting a static route on your .1 PC pointed toward the .2 network to see if things work.  If with the static route, it still doesn't work, then the issue is likely as I describe above.

On a Windows  box, open a command window and type the command:

route add 192.168.2.0 mask 255.255.255.0 192.168.1.2

This will send packets for this network directly to the Belkin instead of bouncing them off the ActionTec.

One other thing to note, if you don't employ NAT mode on the Belkin, then you'll have a different problem in that the ActionTec will likely not let you reach the internet from these systems. There is an issue with the ActionTec in that it only recognizes and fires the NAT rule for the locally attached subnet (.1 in your case). So while it will let the packets from .2 exit toward the internet, it won't NAT them and thus the traffic will not know how to return. I've not found a way to fix that although that issue is not unique to the ActionTec as several other consumer grade NAT routers suffer from the same issue.

Is there a reason why you have multiple subnets instead of just using the Belkin as an access point and putting everything on the .1 network?

Re: Multiple routers and subnets - can't access across subnets
jpml
Enthusiast - Level 2

Hey lasagna, thanks for the reply. Yes, I added the 192.168.2.0 route directly to a .1 computer earlier, and everything works fine when I do that. I really do not think it is the Belkin. After playing around in the ActionTec router further, I saw messages like these in the Firewall Settings > Security Log:

Inbound Traffic ........Blocked - Packet invalid in connection.... TCP 192.168.1.12:1292->192.168.2.2:22 on br0

Inbound Traffic ....... Blocked - Default policy ...... TCP 192.168.1.12:1290 -> 192.168.2.2:22 on br0

This occurred when I tried to SSH from a .1 machine to a .2 machine. 

While searching for an answer to this issue, I found a couple places that say to go to Firewall Settings > Advanced Filtering and add inbound and outbound filters to allow subnet .1 to talk to .2 and vice versa. Without these filters, the ActionTec supposedly doesn't recognize the .2 subnet as internal and will treat it as hostile. I tried this and couldn't get it working... admittedly, though, I may have done it wrong as the sites describing this step were extremely lacking in specific detail. Also, my ActionTec firewall is set to Low mode and the 192.168.1.2 WAN IP of the Belkin router is in the ActionTec's DMZ, if that makes a difference.

I dunno, I'm still at a loss. Any further ideas?

Re: Multiple routers and subnets - can't access across subnets
jpml
Enthusiast - Level 2

Ok, I figured it out and everything is now working. The issue appears to be that the ActionTec router doesn't recognize traffic from Subnet 1 to Subnet 2 as internal traffic -- it treats it as external traffic and closes it off. To fix this, it required some Advanced Firewall Filters that were far from intuitive and took a lot of testing to get it just right. If anyone runs into a similar situation in the future, here's a rundown of what I did to make it all work:

Primary Router:

ActionTec, MI424WR Rev D

WAN IP/NETMASK: Assigned by ISP

LAN IP/NETMASK: 192.168.1.1 / 255.255.255.0

Secondary Router:

Belkin N750 Gigabit w/ 802.11n

WAN IP/NETMASK: 192.168.1.2 / 255.255.255.0

LAN IP/NETMASK: 192.168.2.1 / 255.255.255.0


  1. Plug Secondary router's WAN port into a LAN port on the Primary router.
  2. Set up the Secondary router to have a static LAN address (192.168.1.2).
  3. At this point, you should have 2 separate subnets: Subnet 1 (192.168.1.*) and Subnet 2 (192.168.2.*).
  4. Systems on both subnets should be able to reach the internet. Also, Subnet 2 should be able to ping and reach systems on Subnet 1; however, systems on Subnet 1 should not be able to ping or reach systems on Subnet 2. For this, we need to create a static route so Subnet 1 can reach Subnet 2.
  5. Create and apply the following static route in the Primary router:  (Advanced > Routing)

    RULE NAME: Network (Home/Office)
    DESTINATION: 192.168.2.0 (your secondary subnet)
    GATEWAY: 192.168.1.2 (secondary router's WAN IP)
    NETMASK: 255.255.255.0
    METRIC: 1
     
  6. The router now has a route between Subnet 1 (192.168.1.*) and Subnet 2 (192.168.2.*). You should be able to ping systems on Subnet 1 from 2, and ping systems on Subnet 2 from 1. You should not be able to access any systems, though -- the firewall is still blocking all but ping traffic from Subnet 1 to Subnet 2. We need to create some firewall rules to allow this communication.
  7. Make sure Primary firewall is set to at least typical/medium (Firewall Settings > General).
  8. We need to create some network objects to make it easier to manage the rules we'll create. Go to Advanced > Network Objects and do the following:

    1. Click Add. You are now on the Edit Network Object screen.
    2. Set Description to 'Subnet 1'.
    3. In the Items section below, click Add.
    4. Set Network Object Type to 'IP Subnet'.
    5. Set Subnet IP Address to 192.168.1.0.
    6. Set Subnet Mask to 255.255.255.0.
    7. Click Apply. You are now back on the Edit Network Object screen.
    8. Click Apply. You are now back on the Network Objects screen.
    9. Repeat the above steps again, but this time creating a second network object called 'Subnet 2':
    Name: Subnet 2
    IP Subnet: 192.168.2.0
    Subnet Mask: 255.255.255.0

  9. Now we create the firewall rules. Go to Firewall Settings > Advanced Filtering.
  10. In the Inbound/Input rules section, click the Add link next to Network (Home/Office) Rules.
  11. Create the following Advanced Filter:

    SOURCE ADDRESS: Select 'Subnet 1'
    DEST. ADDRESS: Select 'Subnet 2'
    PROTOCOL: 'Any'
    OPERATION: 'Accept Packet'
    OCCUR: 'Always'

  12. Click Apply. You will now be back on the Advanced Filtering page.
  13. In the Outbound rules section, click the Add link next to Network (Home/Office) Rules.
  14. Create the following Advanced Filter:

    SOURCE ADDRESS: Select 'Subnet 1'
    DEST. ADDRESS: Select 'Subnet 2'
    PROTOCOL: 'Any'
    OPERATION: 'Accept Packet'
    OCCUR: 'Always'

  15. Click Apply. You will now be back on the Advanced Filtering page.
  16. Click Apply.

You're all done. You should now have internet access on both subnets, be able to ping across subnets and also be able to access services across subnets (local webservers, SSH, telnet, mail, etc). You will not be able to see network file shares across subnets in Windows, however, as this requires a WINS server (which is well outside the scope of this post). For instance, I have a Western Digital NAS on the 192.168.2.0 subnet that I can access as \\Mybooklive\ from within Subnet 2; on Subnet 1, however, I have to access it by its IP \\192.168.2.10\. 

Re: Multiple routers and subnets - can't access across subnets
pmacdee
Newbie

Thanks for these directions, they definitely helped me. I can ssh across subnets, but I can't run apt-get, the Ubuntu package manager. This is the typical error message I get:

Feb 12 11:38:15 2013Outbound TrafficBlocked - Default policyTCP 192.168.2.65:52188->63.245.217.161:443 on clink1

the 192.168.2.0/24 is the subnet

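As an added example (not code from this thread, from Verizon, or from ActionTec), here is a small Python model of what jpml's walkthrough configures on the primary router: the static route from step 5, the two Advanced Filters from steps 11 and 14, and the network objects they reference. It parses the Security Log lines quoted by jpml and by pmacdee and replays each one through the model so you can see which rule, if any, a given packet hits. It assumes first-match evaluation of the filters in the direction the log reports, the default policy for anything unmatched, and a longest-prefix route lookup; the stateful "Packet invalid in connection" check and any rules built into the router's firmware are not modelled, and the log layout is taken exactly as pasted in the thread.

```python
"""Model of the thread's two-router setup: static route lookup plus the
ActionTec 'Advanced Filtering' rules, replayed over the quoted log lines.
Added example; it is not ActionTec firmware logic and only reproduces the
rules written down in the walkthrough."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Network objects exactly as the walkthrough defines them (step 8).
NETWORK_OBJECTS = {
    "Subnet 1": ipaddress.ip_network("192.168.1.0/24"),
    "Subnet 2": ipaddress.ip_network("192.168.2.0/24"),
}
# The primary router's directly attached LAN (192.168.1.1/24 in the thread).
ATTACHED_LAN = NETWORK_OBJECTS["Subnet 1"]


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    gateway: str            # next hop, here the Belkin's WAN IP
    metric: int = 1


@dataclass(frozen=True)
class Filter:
    direction: str          # "inbound" or "outbound", as in the GUI sections
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"      # "any" or a protocol name such as "tcp"
    action: str = "accept"  # "accept" or "drop"


# Step 5: the static route.  Steps 11 and 14: the two accept filters.
STATIC_ROUTES = [Route(ipaddress.ip_network("192.168.2.0/24"), "192.168.1.2")]
FILTERS = [
    Filter("inbound", "Subnet 1 -> Subnet 2", NETWORK_OBJECTS["Subnet 1"], NETWORK_OBJECTS["Subnet 2"]),
    Filter("outbound", "Subnet 1 -> Subnet 2", NETWORK_OBJECTS["Subnet 1"], NETWORK_OBJECTS["Subnet 2"]),
]

# Log lines as pasted in the thread (dots, spacing and an optional timestamp
# prefix vary, so the pattern is searched for rather than anchored).
THREAD_LOG_LINES = [
    "Inbound Traffic ........Blocked - Packet invalid in connection.... TCP 192.168.1.12:1292->192.168.2.2:22 on br0",
    "Inbound Traffic ....... Blocked - Default policy ...... TCP 192.168.1.12:1290 -> 192.168.2.2:22 on br0",
    "Feb 12 11:38:15 2013Outbound TrafficBlocked - Default policyTCP 192.168.2.65:52188->63.245.217.161:443 on clink1",
]
LOG_RE = re.compile(
    r"(?P<direction>Inbound|Outbound) Traffic[. ]*Blocked - (?P<reason>.+?)[. ]*"
    r"(?P<proto>TCP|UDP|ICMP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+on\s+(?P<iface>\w+)"
)


def parse_log_line(line: str) -> Optional[dict]:
    """Return the fields of an ActionTec 'Blocked' security-log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["direction"] = d["direction"].lower()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def lookup_route(dst: str, routes=STATIC_ROUTES) -> str:
    """Longest-prefix match: attached LAN, then static routes, else the WAN default."""
    addr = ipaddress.ip_address(dst)
    if addr in ATTACHED_LAN:
        return "connected"
    best = max((r for r in routes if addr in r.dest), key=lambda r: r.dest.prefixlen, default=None)
    return best.gateway if best else "WAN"


def evaluate(packet: dict, filters=FILTERS, routes=STATIC_ROUTES, default="drop") -> dict:
    """First matching filter in the packet's direction decides; anything unmatched
    gets the default policy, which is what the 'Default policy' log lines report."""
    src, dst = ipaddress.ip_address(packet["src"]), ipaddress.ip_address(packet["dst"])
    next_hop = lookup_route(packet["dst"], routes)
    for f in filters:
        if f.direction != packet["direction"]:
            continue
        if src in f.src and dst in f.dst and f.proto in ("any", packet["proto"].lower()):
            return {"next_hop": next_hop, "verdict": f.action, "rule": f"{f.direction} {f.name}"}
    return {"next_hop": next_hop, "verdict": default, "rule": "default policy"}


def replay(lines=THREAD_LOG_LINES, filters=FILTERS) -> list:
    """Parse each log line and report the model's decision for it."""
    results = []
    for line in lines:
        p = parse_log_line(line)
        if p is None:
            continue
        r = evaluate(p, filters)
        results.append((p["src"], p["dst"], p["dport"], r["verdict"], r["rule"], r["next_hop"]))
    return results


if __name__ == "__main__":
    print("without the walkthrough's filters:")
    for row in replay(filters=[]):
        print("  ", row)
    print("with the walkthrough's filters:")
    for row in replay():
        print("  ", row)
```

With an empty filter list every quoted packet falls to the default policy, matching the "Blocked - Default policy" entries jpml saw; with the walkthrough's two filters in place the 192.168.1.12 -> 192.168.2.2:22 SSH packet is accepted by the inbound Subnet 1 -> Subnet 2 rule and routed to 192.168.1.2. The 192.168.2.65 -> 63.245.217.161:443 packet from pmacdee's log matches neither rule in this model, since both are written with Subnet 1 as the source, so it is left to the default policy here; whether the real router applies additional built-in rules to traffic from its directly attached subnet is outside what this model can say.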