Hey all, I'm having an issue with multiple routers and subnets on my FIOS connection. Here's how everything is setup:
Primary router:
Secondary router (WAN connected to ActionTec LAN):
With this setup, I have the secondary router's WAN port connected to a LAN port on the primary router. Each is broadcasting an SSID and each is running DHCP to assign addresses to its respective subnet. Everything was well and good, except that I could reach 192.168.1.* systems from 192.168.2.*, but not vice versa -- anything connected to the Primary router was blind to systems connected to Secondary. Also, I could not ping anything on .2 from .1.
So, I added the following static route to the primary router:
DESTINATION: 192.168.2.0
NETMASK: 255.255.255.0
GATEWAY: 192.168.1.2
Once this was added to the router, I could ping everything, so that was good. However, even though .1 can now ping .2, I can't access certain things such as the web interface of my NAS (192.168.2.2). I can ping it, but accessing it in the browser from .1 doesn't work; however, accessing from .2 does work.
I think the ActionTec router might be blocking it, but that's just a guess. The firewall on this thing has me thoroughly confused. Currently, I have 192.168.1.2 in the DMZ on the ActionTec, but that didn't make a difference. I've also completely disabled the firewall on the secondary Belkin router, but still nothing.
Any help from the pros here? Much appreciated!
02-03-2012 05:08 AM
More than likely, the Belkin itself is blocking the traffic. You don't specifically mention that you've done anything to the Belkin to put it into a "routing" mode vs NAT router. If you're still in NAT router mode, then everything on .2 is hidden behind the single interface that the Belkin has assigned to it. You would need to be running this router in "gateway" or "router" mode instead if it supports it. These devices act well as NAT routers, but aren't so great as just a regular router and you often still need to configure the port forwarding / firewall on these devices even in router mode to make them functional.
Anyhow, you can take the ActionTec out of the picture by simply putting a static route on your .1 PC pointed toward the .2 network to see if things work. If with the static route, it still doesn't work, then the issue is likely as I describe above.
On a Windows box, open a command window and type the command:
route add 192.168.2.0 mask 255.255.255.0 192.168.1.2
This will send packets for this network directly to the Belkin instead of bouncing them off the ActionTec.
One other thing to note, if you don't employ NAT mode on the Belkin, then you'll have a different problem in that the ActionTec will likely not let you reach the internet from these systems. There is an issue with the ActionTec in that it only recognizes and fires the NAT rule for the locally attached subnet (.1 in your case). So while it will let the packets from .2 exit toward the internet, it won't NAT them and thus the traffic will not know how to return. I've not found a way to fix that although that issue is not unique to the ActionTec as several other consumer grade NAT routers suffer from the same issue.
Is there a reason why you have multiple subnets instead of just using the Belkin as an access point and putting everything on the .1 network?
02-03-2012 07:09 AM
Hey lasagna, thanks for the reply. Yes, I added the 192.168.2.0 route directly to a .1 computer earlier, and everything works fine when I do that. I really do not think it is the Belkin. After playing around in the ActionTec router further, I saw messages like these in the Firewall Settings > Security Log:
Inbound Traffic ........Blocked - Packet invalid in connection.... TCP 192.168.1.12:1292->192.168.2.2:22 on br0
Inbound Traffic ....... Blocked - Default policy ...... TCP 192.168.1.12:1290 -> 192.168.2.2:22 on br0
This occurred when I tried to SSH from a .1 machine to a .2 machine.
While searching for an answer to this issue, I found a couple places that say to go to Firewall Settings > Advanced Filtering and add inbound and outbound filters to allow subnet .1 to talk to .2 and vice versa. Without these filters, the ActionTec supposedly doesn't recognize the .2 subnet as internal and will treat it as hostile. I tried this and couldn't get it working... admittedly, though, I may have done it wrong as the sites describing this step were extremely lacking in specific detail. Also, my ActionTec firewall is set to Low mode and the 192.168.1.2 WAN IP of the Belkin router is in the ActionTec's DMZ, if that makes a difference.
I dunno, I'm still at a loss. Any further ideas?
Ok, I figured it out and everything is now working. The issue appears to be that the ActionTec router doesn't recognize traffic from Subnet 1 to Subnet 2 as internal traffic -- it treats it as external traffic and closes it off. To fix this, it required some Advanced Firewall Filters that were far from intuitive and took a lot of testing to get it just right. If anyone runs into a similar situation in the future, here's a rundown of what I did to make it all work:
Primary Router:
ActionTec, MI424WR Rev D
WAN IP/NETMASK:Assigned by ISP
LAN IP/NETMASK:192.168.1.1 / 255.255.255.0
Secondary Router:
Belkin N750 Gigabit w/ 802.11n
WAN IP/NETMASK:192.168.1.2 / 255.255.255.0
LAN IP/NETMASK:192.168.2.1 / 255.255.255.0
You're all done. You should now have internet access on both subnets, be able to ping across subnets and also be able to access services across subnets (local webservers, SSH, telnet, mail, etc). You will not be able to see network file shares across subnets in Windows, however, as this requires a WINS server (which is well outside the scope of this post). For instance, I have a Western Digital NAS on the 192.168.2.0 subnet that I can access as \\Mybooklive\ from within Subnet 2; on Subnet 1, however, I have to access it by its IP \\192.168.2.10\.
02-12-2013 08:41 AM
Thanks for these directions, they definitely helped me. I can ssh across subnets, but I can't run apt-get, the Ubuntu package manager. This is the typical error message I get:
Feb 12 11:38:15 2013 | Outbound Traffic | Blocked - Default policy | TCP 192.168.2.65:52188->63.245.217.161:443 on clink1 |
the 192.168.2.0/24 is the subnet
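The Security Log lines quoted in the two posts above (the "Inbound ... on br0" entries from the SSH attempt and the "Outbound ... on clink1" entry from the apt-get attempt) are the quickest way to tell which firewall policy is dropping a given flow. The script below is an added example, not code from this thread or from ActionTec: it parses both line layouts shown on the page, classifies each blocked flow by its relationship to the two LAN subnets (192.168.1.0/24 and 192.168.2.0/24, as configured in the thread), and tallies them per block reason. The sample log is constructed from the quoted lines plus one extra UDP line; the `BlockedFlow` fields and the kind labels are this example's own naming.

```python
"""Classify blocked flows in ActionTec MI424WR security-log lines by subnet relationship."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two line layouts quoted in this thread (dotted filler on
# the first two, pipe-separated with a timestamp on the others) plus one extra UDP
# line added here for illustration.
SAMPLE_LOG = """\
Inbound Traffic ........Blocked - Packet invalid in connection.... TCP 192.168.1.12:1292->192.168.2.2:22 on br0
Inbound Traffic ....... Blocked - Default policy ...... TCP 192.168.1.12:1290 -> 192.168.2.2:22 on br0
Feb 12 11:38:15 2013 | Outbound Traffic | Blocked - Default policy | TCP 192.168.2.65:52188->63.245.217.161:443 on clink1 |
Feb 12 11:40:02 2013 | Outbound Traffic | Blocked - Default policy | UDP 192.168.2.65:41000->8.8.8.8:53 on clink1 |
"""

# The two LAN subnets from the thread: the ActionTec's own LAN and the Belkin's LAN behind it.
INTERNAL_SUBNETS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("192.168.2.0/24"),
]

TIMESTAMP_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d \d{4})\s*\|")
# Only TCP/UDP lines carry src:port->dst:port; ICMP entries are deliberately skipped.
FLOW_RE = re.compile(
    r"(?P<direction>Inbound|Outbound) Traffic"       # direction as labelled by the router
    r".*?Blocked - (?P<reason>[^.|]+?)\s*[.|]+\s*"   # reason text up to the dot/pipe filler
    r"(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
    r"\s+on\s+(?P<iface>\w+)"
)


@dataclass
class BlockedFlow:
    timestamp: Optional[str]
    direction: str
    reason: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str
    kind: str  # relationship of src/dst to INTERNAL_SUBNETS (label chosen for this example)


def classify(src: str, dst: str) -> str:
    """Name the src/dst relationship relative to the configured LAN subnets."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    s_net = next((n for n in INTERNAL_SUBNETS if s in n), None)
    d_net = next((n for n in INTERNAL_SUBNETS if d in n), None)
    if s_net and d_net:
        return "same-subnet" if s_net == d_net else "cross-subnet"
    if s_net:
        return "lan-to-internet"
    if d_net:
        return "internet-to-lan"
    return "transit"


def parse_line(line: str) -> Optional[BlockedFlow]:
    """Return a BlockedFlow for a 'Blocked' TCP/UDP line, or None for anything else."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    ts = TIMESTAMP_RE.match(line)
    return BlockedFlow(
        timestamp=ts.group("ts") if ts else None,
        direction=m.group("direction"),
        reason=m.group("reason").strip(),
        proto=m.group("proto"),
        src=m.group("src"),
        sport=int(m.group("sport")),
        dst=m.group("dst"),
        dport=int(m.group("dport")),
        iface=m.group("iface"),
        kind=classify(m.group("src"), m.group("dst")),
    )


def parse_log(text: str) -> List[BlockedFlow]:
    """Parse every line, keeping only the blocked TCP/UDP flows."""
    parsed = (parse_line(line) for line in text.splitlines())
    return [f for f in parsed if f is not None]


def summarize(flows: List[BlockedFlow]) -> Dict[Tuple[str, str], int]:
    """Count blocked flows per (kind, reason). Cross-subnet hits are the ones an
    explicit inter-subnet allow rule must cover; lan-to-internet hits sourced from
    the secondary subnet are the egress problem described in the thread."""
    counts: Dict[Tuple[str, str], int] = {}
    for f in flows:
        key = (f.kind, f.reason)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    for f in flows:
        print(f"{f.kind:16} {f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport} ({f.reason}) on {f.iface}")
    for (kind, reason), n in sorted(summarize(flows).items()):
        print(f"{n} x {kind} blocked by '{reason}'")
```

Run it against a copy of your own Security Log and look at the `kind` column: a "cross-subnet" entry means the packet reached the ActionTec (so the Belkin is forwarding) and was dropped by the ActionTec's own policy, which is the case the Advanced Filtering rules address; a "lan-to-internet" entry with a 192.168.2.x source is the egress case from the last post, where the secondary subnet is not being treated as local traffic.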