
I am trying to add a "local-only" subnet to my DD-WRT setup to prevent wireless devices from "phoning home". This "local only" subnet should still be able to connect to the main local network, but not to the internet. The main network (ath0, eth0) is bridged on br0 on 192.168.254.0/24 and I have added a VLAN (ath0.2), with the address range 192.168.101.0/24 assigned.
DD-WRT uses dnsmasq as a DHCP server. The setup seems to be OK, since I see IP addresses being assigned in the correct address ranges depending on the WLAN used. The file /tmp/dnsmasq.leases shows IP addresses from both subnets and the associated MAC addresses. Forwarding is enabled for the kernel and all involved interfaces. I have added rules to iptables to allow forwarding between both the interfaces br0 and ath0.2 and between the two IP address ranges.
# allow forwarding between the two interfaces, in both directions
iptables -I FORWARD -i ath0.2 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o ath0.2 -j ACCEPT
# allow forwarding between the two address ranges, in both directions
iptables -I FORWARD -s 192.168.254.0/24 -d 192.168.101.0/24 -j ACCEPT
iptables -I FORWARD -s 192.168.101.0/24 -d 192.168.254.0/24 -j ACCEPT
I have connected PCs to both the main and the "local only" subnet and can ping between both PCs.
The other devices on the "local only" subnet cannot be pinged from the main network, with an error returned from the gateway: Reply from 192.168.254.253: Destination host unreachable. The same devices respond to pings from the PC in the "local only" network. (Other connection types, e.g. HTTP, work and fail just like ping does.)

Here's the working/not working ping overview:

  • Main network PC -> Local only PC YES
  • Local only PC -> Main network PC YES
  • Local only PC -> Local only device YES
  • Main network PC -> Local only device NO

When connecting directly to the gateway via SSH, the same response: The "local only" PC responds to pings, but the other devices don't. How can ping fail when dnsmasq is able to assign IP addresses?

EDIT: 192.168.254.253 is the gateway for the main network. 192.168.101.0 is the gateway for the "local only" network. I understand that DHCP working has nothing to do with the pings not working; it's just that obviously the IP addresses and the MAC addresses of the involved devices are known to the router, but somehow no route is found to only some devices on the "local only" network. I'm not familiar with tcpdump, but I can use Wireshark on the PCs.
ip route get 192.168.101.XXX to both the reachable and unreachable devices results in
192.168.101.XXX dev ath0.2 src 192.168.101.0
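As an added illustration (not from the question or from DD-WRT): a small Python model of the posted FORWARD rules. It shows that `-I` prepends, so the rule inserted last is evaluated first, and that none of the four ACCEPT rules decides traffic from ath0.2 toward the WAN interface (assumed here to be vlan2), so that case falls through to the chain policy and the "no internet" goal needs an explicit rule.

```python
import ipaddress

# Constructed model of the FORWARD chain from the question; not DD-WRT code.
# A rule is (in_iface, out_iface, src_net, dst_net, target); None = wildcard.
def rule(i=None, o=None, s=None, d=None, j="ACCEPT"):
    return (i, o,
            ipaddress.ip_network(s) if s else None,
            ipaddress.ip_network(d) if d else None, j)

def insert(chain, r):
    """Emulate `iptables -I FORWARD ...`: prepend, so newer rules match first."""
    chain.insert(0, r)

def forward_verdict(chain, in_if, out_if, src, dst, policy="ACCEPT"):
    """First matching rule wins; with no match the chain policy (assumed) decides."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, o, s, d, j in chain:
        if i is not None and i != in_if:
            continue
        if o is not None and o != out_if:
            continue
        if s is not None and src not in s:
            continue
        if d is not None and dst not in d:
            continue
        return j
    return policy

def question_chain():
    """The four rules from the question, inserted in the posted order."""
    chain = []
    insert(chain, rule(i="ath0.2", o="br0"))
    insert(chain, rule(i="br0", o="ath0.2"))
    insert(chain, rule(s="192.168.254.0/24", d="192.168.101.0/24"))
    insert(chain, rule(s="192.168.101.0/24", d="192.168.254.0/24"))
    return chain

def local_only_chain(wan_if="vlan2"):
    """Same rules plus an explicit drop from ath0.2 to the WAN (wan_if assumed)."""
    chain = question_chain()
    insert(chain, rule(i="ath0.2", o=wan_if, j="DROP"))
    return chain

if __name__ == "__main__":
    for name, ch in (("as posted", question_chain()), ("with drop", local_only_chain())):
        print(name, "LAN:", forward_verdict(ch, "ath0.2", "br0", "192.168.101.20", "192.168.254.10"))
        print(name, "WAN:", forward_verdict(ch, "ath0.2", "vlan2", "192.168.101.20", "203.0.113.7"))
```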

  • The ping involves routing, so that's something to check. I don't fully understand your setup: Which device is 192.168.254.253? The "local device", or some intermediate device? How are the local devices connected to the network? Can you debug with tcpdump on the main network PC and on the various interfaces to the router, to see how far the ping packets go before they are dropped? Can you test with ip route get 1.2.3.4 that routing is correct on all jumps?
    – dirkt
    Commented Aug 16, 2020 at 5:58
  • I don't even understand the problem. You cannot ping "the other devices" if they are on your "local only" subnet, but you can ping them if they are on your "Main" subnet (both from your "Main" subnet PC), right?
    – Albin
    Commented Aug 16, 2020 at 7:52

1 Answer


DHCP has nothing to do with routing. DHCP works on network layer 2; routing works on layer 3. There's something wrong on layer 3. If you clear up your "question mess" ;) we should be able to help you further.

  • clarified that DHCP was not part of the problem
    – KayBee
    Commented Aug 16, 2020 at 15:08
