I have a child router with 192.x.x.x address space. On any machine here I can access the 10.x.x.x address space. The reverse is not true. A machine on 10.0.x.x cannot ping 192.168.x.x. How do I configure my router to make this possible?
asked Nov 27, 2017 at 0:24
-
4There is nothing inherently special about the 10.x.y.z and 192.168.x.y networks except that they are explicitly available to use for private networks. Hence, all you need to do is fix the routing which any system administrator worth his salt can fix.– Thorbjørn Ravn AndersenCommented Nov 27, 2017 at 15:14
-
Check routing on both sides. Check firewalls on both sides. Check firewalls on machines. That should cover it.– kafkaCommented Nov 27, 2017 at 17:29
-
1If one can ping the other but not the other way around it is a NAT or ip-filter Problem. Nothing in your question allows further diagnoses.– eckesCommented Dec 6, 2017 at 7:24
Add a comment
|
2 Answers
It sounds like you have more than one NAT gateway on a small network. Doing “Double NAT” — as this is called — usually causes several hassles, just one of which is the one you’re experiencing: part of your network is on the public/WAN/untrusted side of one of your NATs, and can’t reach the machines on the other side.
The best solution to avoid this and other hassles of Double NAT is to reconfigure the downstream router so it’s not doing NAT. Some routers let you disable NAT and make the WAN port become bridged in with the LAN ports. Others don’t have a way to do that, so you have to just disable the DHCP Server on them, and plug one of their LAN ports into a LAN port on the upstream router.
-
1While this answer is factually correct, there is additional work which needs to be done (ie setting a route from the parent to child router)– davidgoCommented Nov 27, 2017 at 0:57
-
8@davidgo, not really since doing this will eliminate the whole 192.168.x.x network and everything will be 10.x.x.x.– psusiCommented Nov 27, 2017 at 3:00
-
3@psusi Fair enough. I misread that Spiff was suggesting flattening the network.– davidgoCommented Nov 27, 2017 at 4:21
-
4@davidgo I misunderstood the suggestion the first time around as well. I think it is because it first suggests disabling NAT, which I took to imply that it would still be routing and addresses assigned to network interfaces would remain the same. When this answer says disable NAT it really means to disable routing altogether.– kasperdCommented Nov 27, 2017 at 9:24
You will need to make changes on both your routers -
On the child router - Assign the WAN interface a static IP address (you can either assign it on the child router by having it in the 10.x.x.x range but outside the DHCP range, or can use the parent router to do DHCP Reservation to assign an address from the parent router). Disable NAT on the child router.
On the parent router you need to set a static route for 192.168.x.x with a gateway of the child routers WAN IP address.
-
@davidgo can you elaborate on the last part of your answer? i.e. assigning a static route for that subspace of addresses. Commented Nov 27, 2017 at 1:19
-
3I cant give specifics without knowing the router, but the logic is thus: The router needs to know where to send any packet it receives. It does this by looking for the most specific route in the routing table it knows - and it knows about itself, the LAN its connected to, the WAN its connected to and its default route. It DOES NOT know (in this case) that 192.168.x.x devices should be reached through a router on its LAN, so you need to tell it, otherwise it will send the packets for 192.168.x.x out the WAN interface.– davidgoCommented Nov 27, 2017 at 1:23
-
dd-wrt.com/wiki/index.php/Linking_Subnets_with_Static_Routes explains how this works and how to do it on dd-wrt (but breaks down 192.168 into smaller blocks, rather then using 2 networks - but the logic is the same)– davidgoCommented Nov 27, 2017 at 1:26
-
Since the ping works in one direction (which means reply packets arrive too) it is not a routing problem.– eckesCommented Dec 6, 2017 at 7:25
-
@eckes Not true. The child router is, among other things, acting as a one way valve which lets ONLY packets incoming packets associated with outbound packets through - and it does this by fiddling with the source address if outgoing packets and reversing the fiddling for associated incoming ones.– davidgoCommented Dec 6, 2017 at 8:33