
I have very little knowledge about computer networking. In fact I have never formally got any networking related education but learnt few things by reading myself. I am facing a networking related problem and I would be grateful if you could help me.

Here is my current network set up. All networking devices have DHCP server enabled and all ip addresses are static ip addresses.

Please click here to see setup image

Problem: I am able to connect to any device if I am connected to DIR 600L. For example I am able to ssh/ping to 192.168.0.3 from 192.168.2.2 or I am able to ssh to 192.168.1.3 from 192.168.2.5, and that is what I want: to be able to connect to any device from any device.

I am able to connect to those devices which are connected to DWR 720 or DIR 505 but not to those devices which are connected to DIR 600L if I am connected to DIR 505. For example I can ssh/ping from 192.168.1.4 to 192.168.0.3 or to 192.168.1.3 but not to 192.168.2.4.

I am able to connect to only those devices which are connected to DWR 720 if I am connected to DWR 720 but not to any device connected to DIR 505 or DIR 600L. For example I can not ssh/ping to 192.168.0.3 to 192.168.1.4 or to 192.168.2.2.

I don't understand why I can connect one way but not the other way. In firewall (ufw) settings I have added rules to allow all connections from IP range 192.168.0.1/24, 192.168.1.1/24 and 192.168.2.1/24 on all devices. I am using the following OSes on the devices in the set up: LibreElec Kodi on the RPi B+ (IP address: 192.168.0.3). Raspbian Stretch server on RPi Zero (IP address: 192.168.1.3). Raspbian Stretch Desktop on RPi 3B+ (IP address: 192.168.2.4). KDE Neon on both laptops (IP addresses 192.168.1.4 and 192.168.2.2).

How can I configure the network in such a way that I am able to access any device from any other device? For some reason I can not connect all the devices to DIR 600L, which works perfectly well. As I roam from one room to another I have to change the access point to which I am connected.

3 Answers


You have to understand the concept of subnets and routing tables. Networks are packet based. When your hosts connect to their routers, their routing table, IP address, etc. gets configured via the DHCP protocol (in your case, you could set these manually). Most endpoints have just one "default route", which says, if you want to send a package with address/subnet so and so, forward it to router with IP address so-and-so.

Nodes (another term for host) that are directly connected with each other can use the Ethernet layer ARP protocol to find out which Ethernet level host (uniquely identified via its MAC address) relates to the default route's IP address.

All of your computers can do this, so they will always be able to forward IP packages to "their" router and make use of the router's IP based "services" such as the http configuration interface.

Now, when you are connected to 600L, all you do when you want to connect to an IP is forward packages to that router. This router acts itself as a "client" of the next router, the 505. So it also has a default route entry that lets it forward packages for IP addresses outside of its subnet. The same holds for the next router.

For example: If you send a package from 192.168.2.5 to google's 8.8.8.8 DNS server, it will correctly reach its destination, because all of your involved routers know how to forward the package via their default route entries.

The problem is that when the response package comes into your first router, this machine has no clue about the second and third router! You have to inform it about these two routers and the subnets by manually adding two routing table entries (usually via the web configuration interface).

The same situation applies for the 505, but you only need to add one routing table entry, because it already knows how to forward packages to the 720 via the default route. So you just add one additional entry that tells it to forward packages for 192.168.2/24 to 192.168.1.2.


You probably don't need to mess with the firewall settings or static routes. All you have to do is switch the DIR 505 to repeater mode as described in the manual on page 97. And then connect the 505 to one of the LAN ports of the 600L instead of the internet port. That way all the routers should be part of the same network instead of forming 3 separate ones. The 600L will now only act as a switch and wifi access point with all additional routing and firewall features unused.

You should also deactivate the DHCP server in two of the 3 routers since a network should only have one of these. And you need to make sure all 3 routers have a different IP address but are all in the same subnet, e.g. 192.168.0.1/24.

  • Best solution but least educational in terms of how IP networking works! ;) – T Nierath, commented May 12, 2018 at 12:11

There are two problems, stemming from the fact that all these routers blindly assume a specific network layout (they all expect Internet on the uplink side, etc).


Most importantly, each of your routers doesn't know anything at all about the other subnets. For example, the DIR 505 doesn't know about the existence of 192.168.2.0/24, and the DWR 720 has no clue that 192.168.1.0/24 exists.

They all default to a simple routing configuration that tells them

  1. 192.168.x.0/24 is direct on my LAN interface,
  2. 0.0.0.0/0 (everything else) goes through the WAN gateway.

That 2nd route (shove everything else through the WAN port) is what allows them to blindly reach the networks "on the left" (going by your image). But when you try to reach networks "on the right"... well, there's no known correct route, so the packets follow the default route through the WAN port again, ending up on the internet.

You can solve this by adding static routes to each of your routers. On the DWR-720, add routes for both networks:

  • to 192.168.1.0/24 (mask 255.255.255.0) via 192.168.0.2 (DIR-505)
  • to 192.168.2.0/24 via 192.168.0.2

Note how the gateway address is always from the perspective of the router you're configuring. (A single broader route would also work, but let's keep it simple.)

And on the DIR-505 itself, add just one route (the default route takes care of the rest):

  • to 192.168.2.0/24 via 192.168.1.2

The obvious question is, how come you're able to connect out from the "inner" network and still receive replies back in? The answer is that all these routers perform NAT; they rewrite the source IP of outgoing packets.

For example, when laptop 192.168.2.2 connects to printer 192.168.1.5, the printer actually thinks its client is 192.168.1.2 (the DIR-600L). So it sends replies back to 192.168.1.2, which recognizes an established connection and rewrites the address back to 192.168.2.2.

Once you have static routes configured, you can (and indeed should) disable NAT on both the DIR-505 and DIR-600L. It is only necessary on the outermost edge of your network (DWR-720 connecting directly to Internet).


The second problem is that all these routers very likely have a firewall active. They expect the WAN side to be the wide Internet, and so even if packets are correctly routed towards their LAN, they're blocked.

Try to find the firewall settings on both the DIR-505 and DIR-600L, and disable it completely.
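As an added illustration (not code from any of the answers), here is a small Python model of the three routers' forwarding tables that traces, in the forward direction only, where a packet goes before and after the static routes from the answer above are added. The router and interface addresses are assumptions taken from the question's layout and the answer (DWR-720 LAN 192.168.0.1; DIR-505 WAN 192.168.0.2, LAN 192.168.1.1; DIR-600L WAN 192.168.1.2, LAN 192.168.2.1).

```python
import ipaddress

# Constructed model of the chain in the question (the .1 LAN addresses are assumed):
# Internet <- DWR-720 (LAN 192.168.0.1) <- DIR-505 (WAN 192.168.0.2, LAN 192.168.1.1)
#          <- DIR-600L (WAN 192.168.1.2, LAN 192.168.2.1)
# A table is a list of (prefix, next_hop); "direct" means the prefix is on-link.
DEFAULT_TABLES = {
    "DWR-720": [("192.168.0.0/24", "direct"), ("0.0.0.0/0", "INTERNET")],
    "DIR-505": [("192.168.1.0/24", "direct"), ("192.168.0.0/24", "direct"),
                ("0.0.0.0/0", "192.168.0.1")],
    "DIR-600L": [("192.168.2.0/24", "direct"), ("192.168.1.0/24", "direct"),
                 ("0.0.0.0/0", "192.168.1.1")],
}
# Which router answers for each interface address (resolves a next hop to a router).
OWNER = {"192.168.0.1": "DWR-720", "192.168.0.2": "DIR-505", "192.168.1.1": "DIR-505",
         "192.168.1.2": "DIR-600L", "192.168.2.1": "DIR-600L"}
# Hosts on each LAN use their own router as default gateway.
LAN_GATEWAY = {"192.168.0.0/24": "DWR-720", "192.168.1.0/24": "DIR-505",
               "192.168.2.0/24": "DIR-600L"}

def lookup(table, dst):
    """Longest-prefix match over one router's table; returns the chosen next hop."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1]          # the 0.0.0.0/0 entry guarantees a match

def trace(tables, src, dst, max_hops=8):
    """List the routers a packet from src to dst passes through, then its fate."""
    s = ipaddress.ip_address(src)
    router = next(r for p, r in LAN_GATEWAY.items() if s in ipaddress.ip_network(p))
    path = []
    for _ in range(max_hops):
        path.append(router)
        hop = lookup(tables[router], dst)
        if hop == "direct":
            return path + ["delivered"]
        if hop == "INTERNET":          # private destination leaks out the uplink: lost
            return path + ["INTERNET"]
        router = OWNER[hop]
    return path + ["loop"]

def with_static_routes(tables):
    """Copy the tables and add the static routes the answer describes."""
    fixed = {name: list(rows) for name, rows in tables.items()}
    fixed["DWR-720"] += [("192.168.1.0/24", "192.168.0.2"), ("192.168.2.0/24", "192.168.0.2")]
    fixed["DIR-505"] += [("192.168.2.0/24", "192.168.1.2")]
    return fixed
```

With the default tables, `trace(DEFAULT_TABLES, "192.168.0.3", "192.168.2.4")` ends in `INTERNET` at the DWR-720, which is exactly the one-way reachability in the question; with `with_static_routes(DEFAULT_TABLES)` the same packet is handed DWR-720 to DIR-505 to DIR-600L and delivered.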
