
I have three routers. Router0's WAN interface connects to the ISP, and the WAN interface of Router1 and Router2 connect to Router0's LAN interfaces (i.e. hard wired). So this is what it looks like, including the IP space assignments:

(Motorola SBG6580 Cable Modem)
Router0 LAN IP: 192.168.0.1 (also the default route for both WAN connections shown next).

(Linksys E4200)
Router1 WAN IP: 192.168.0.3 
Router1 LAN IP: 192.168.1.1 (also the default route for clients on the 192.168.1.xxx subnet).

(ASUS RT-AC66U)
Router2 WAN IP: 192.168.0.4
Router2 LAN IP: 192.168.2.1 (also the default route for clients on the 192.168.2.xxx subnet).

So in summary, the WAN port of Router1 & Router2 each connect to a LAN port of Router0, and both are NAT enabled (i.e. are NATting).

And here are the routing tables for Router1 and Router2, respectively (i.e. netstat -rn):

Kernel IP routing table (Router1) ... eth0 here is the WAN interface.
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.1     *               255.255.255.255 UH        0 0          0 eth0
192.168.2.0     192.168.0.4     255.255.255.0   UG        0 0          0 eth0 <========== My Static Route Entry
192.168.1.0     *               255.255.255.0   U         0 0          0 br0
192.168.0.0     *               255.255.255.0   U         0 0          0 eth0
127.0.0.0       *               255.0.0.0       U         0 0          0 lo
default         192.168.0.1     0.0.0.0         UG        0 0          0 eth0

Kernel IP routing table (Router2) ... vlan2 here is the WAN interface.
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.1     0.0.0.0         255.255.255.255 UH        0 0          0 vlan2
192.168.2.0     0.0.0.0         255.255.255.0   U         0 0          0 br0
192.168.1.0     192.168.0.3     255.255.255.0   UG        0 0          0 vlan2 <========== My Static Route Entry
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 vlan2
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 vlan2

Notice the static routes (pointed to by the arrowed line) that I have configured on each router (Router1 and Router2). Their intent is to allow clients on Router1 LAN subnet to reach clients on Router2 LAN subnet, and vice versa.

But it doesn't quite work yet because, next, I need to add iptables entries on both Router1 and Router2 to tell each to permit ALL WAN originating traffic to pass on to its LAN side.

So at this point, using two wired PCs (one connected to Router1's LAN subnet and the other connected to Router2's LAN subnet), I can verify that the following pings work:

PC1 -- 192.168.1.4: Can ping 192.168.0.4 (the WAN interface of the opposite router) and can ping 192.168.2.1 (the LAN interface of the opposite router).
PC2 -- 192.168.2.4: Can ping 192.168.0.3 (the WAN interface of the opposite router) and can ping 192.168.1.1 (the LAN interface of the opposite router).

But at this point, neither PC can reach IP-clients inside the opposite router's LAN subnet. As mentioned above, they can ping the WAN IP of the opposite router, and they can ping the default route IP of the opposite LAN subnet, but they cannot ping IP-clients deeper inside the opposite LAN subnet.

This, I believe, is because there also needs to be an IPTABLES entry on Router1 and Router2 that permits ALL traffic originating on the WAN side to enter the LAN side — which is almost never a router's default behavior for security reasons. But in this case it is safe to do since the WAN interface of Router1 and Router2 aren't directly connecting to the ISP internet.

So I have to come up with the iptables(1) (firewall) commands to implement this. I will be re-reading the Unix man page to recall iptables syntax.

But perhaps some folks here who are good with iptables already, can suggest what those commands should be. To help, below is the NAT iptables entry for Router1 and Router2. They each need respective iptables rule(s) to allow all WAN originating traffic to reach the LAN network:

Router1 ... (output of 'iptables -L -t nat'):

admin@RT-AC66U:/tmp/home/root# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
VSERVER    all  --  anywhere             192.168.0.3         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  -- !192.168.0.3          anywhere            
MASQUERADE  all  --  anywhere             anywhere            MARK match 0xd001 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain VSERVER (1 references)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             anywhere            tcp dpt:webcache to:192.168.1.1:80 
DNAT       tcp  --  anywhere             anywhere            tcp dpt:8443 to:192.168.1.1:8443 
VUPNP      all  --  anywhere             anywhere            

Chain VUPNP (1 references)
target     prot opt source               destination

Router2 ... (output of 'iptables -L -t nat'):

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             192.168.2.0/24      
WANPREROUTING  all  --  anywhere         192.168.0.4

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere            
SNAT       all  --  192.168.2.0/24       192.168.2.0/24      to:192.168.2.1 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain WANPREROUTING (1 references)
target     prot opt source               destination         
DNAT       icmp --  anywhere             anywhere            to:192.168.2.1

I appreciate assistance with this (i.e. the iptables commands). If I get to the solution first, I will of course post the iptables commands.

  • As mentioned above, they can ping the WAN IP of the opposite router, and they can ping the default route IP of the opposite LAN subnet, but they cannot ping IP-clients deeper inside the opposite LAN subnet. -- sounds like it is already being permitted through. Run tcpdump on R1 LAN interface and try to connect to a host on R1's LAN from one on R2's LAN.
    – emynd
    Commented Jul 30, 2013 at 18:23

1 Answer


Everything is doing NAT. Thus, 192.168.1.0 and 192.168.2.0 don't exist outside their local LANs. Set the two internal routers to "routed" (non-NAT) mode. Good luck getting the cable modem to NAT "foreign" addresses.

  • "@Picky Beam" You make a good point. And let me adapt that point slightly as to a possible issue: Router0's LAN network of "192.168.0.xxx" is non-routable address space. So I wonder out loud if (without changing the internal routers to "routed" mode as you suggest)... if I can simply change the 192.168.0.xxx to a routable network. Hmmm.
    – NYCeyes
    Commented Jul 31, 2013 at 0:12
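The rules the question asks for, as an added example that is not part of the original question, answer or comments. It takes the answer's suggestion part way: instead of switching the internal routers fully to routed mode, it exempts only LAN-to-peer-LAN traffic from MASQUERADE, so the real 192.168.1.x / 192.168.2.x addresses cross the 192.168.0.0/24 segment between the two WAN ports (where the static routes already point at each other, without Router0 in the path), keeps NAT for Internet traffic, and opens FORWARD from the peer subnet only rather than from everything on the WAN side. The interface names, subnets and the DRY_RUN switch are assumptions for this example; both firmwares ship their own FORWARD chains, so the rules are inserted at the top with -I. Two checks worth doing first: `iptables -L` without `-v` hides interface matches, so run `iptables -vnL FORWARD` and `iptables -vnL -t nat` to see what the existing MASQUERADE rules and Router2's nat PREROUTING DROP actually match on; and, as the comment suggests, `tcpdump -ni br0 icmp` on the far router shows whether the echo request is being forwarded at all.

```sh
#!/bin/sh
# Added example, not from the original post. Generates (and optionally applies)
# the iptables rules that let this router's LAN talk to the peer router's LAN
# across the shared 192.168.0.0/24 segment. Defaults describe Router1; override
# the variables for Router2. Interface names, subnets and DRY_RUN are assumptions.

WAN_IF="${WAN_IF:-eth0}"                # Router1: eth0, Router2: vlan2
LAN_IF="${LAN_IF:-br0}"                 # both routers bridge the LAN on br0
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # this router's LAN
PEER_NET="${PEER_NET:-192.168.2.0/24}"  # the other router's LAN
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print the commands, 0 = run them

# Wrapper so the rule set can be reviewed before it is applied.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emits one rule per line. -I puts the rules ahead of the firmware's own
# FORWARD chains and their trailing drop; an appended rule would never match.
# "-m state" is used because these 2.6-era router kernels predate "-m conntrack".
inter_lan_rules() {
    # 1. Replies to connections opened from this LAN must be let back in.
    ipt -I FORWARD 1 -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. New connections only from the peer LAN, not from anything else on
    #    the WAN side. This relies on rule 4 being applied on the peer router;
    #    otherwise the source address arriving here is the peer's WAN address.
    ipt -I FORWARD 2 -i "$WAN_IF" -o "$LAN_IF" \
        -s "$PEER_NET" -d "$LAN_NET" -j ACCEPT
    # 3. This LAN out to the peer LAN (usually already allowed; explicit here).
    ipt -I FORWARD 3 -i "$LAN_IF" -o "$WAN_IF" \
        -s "$LAN_NET" -d "$PEER_NET" -j ACCEPT
    # 4. Skip MASQUERADE for LAN-to-peer traffic. ACCEPT in the nat table
    #    means "no NAT for this connection"; the peer router has a static
    #    route back to LAN_NET, so the real source address is reachable.
    ipt -t nat -I POSTROUTING 1 -o "$WAN_IF" \
        -s "$LAN_NET" -d "$PEER_NET" -j ACCEPT
    # 5. If this router's nat PREROUTING drops WAN packets addressed to its
    #    own LAN (Router2's listing shows such a DROP), let the peer LAN past
    #    it. ACCEPT here also stops any DNAT from being applied to that traffic.
    ipt -t nat -I PREROUTING 1 -i "$WAN_IF" \
        -s "$PEER_NET" -d "$LAN_NET" -j ACCEPT
}

# Sanity check: the kernel must forward at all. It already does on a router
# that is NATing, but it costs nothing to confirm before blaming the rules.
forwarding_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] || return 1
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

inter_lan_rules
```

Run it on Router1 with the defaults, then on Router2 with `WAN_IF=vlan2 LAN_NET=192.168.2.0/24 PEER_NET=192.168.1.0/24`; review the printed commands and rerun with `DRY_RUN=0` to apply them. Rules added with iptables are gone after a reboot, so once they work they belong in the firmware's firewall startup script. Rule 2 is deliberately narrower than "all WAN originating traffic": even though these WAN ports sit behind Router0, anything else on the 192.168.0.0/24 segment would otherwise get unrestricted access to both LANs.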
