I have 2 home routers and want to allow (some) devices to communicate across subnets.

  • ROUTER#1 (ASUS RT-AC87U), subnet 192.168.1.0/24, acting as the main router connected to the ISP
  • ROUTER#2 (NETGEAR WGR614 v7), subnet 192.168.2.0/24, connecting its WAN port to ROUTER#1 LAN port

[INTERNET] -> [WAN] ROUTER#1 [LAN] -> [WAN] ROUTER#2 [LAN] -> PC#2

How do I allow devices connected directly to ROUTER#1 to talk to devices on ROUTER#2 (by their IP on ROUTER#2's subnet) but not vice-versa?

For example, given PC#1 (192.168.1.217) connected to ROUTER#1 LAN, reach PC#2 (192.168.2.10) connected to ROUTER#2's LAN port. As a test, I'm trying to reach a dummy web server hosted on PC#2 port 80 via http://192.168.2.10/index.html or ping 192.168.2.10.

If I configure port forwarding on ROUTER#2 on port 80 to forward to PC#2 (192.168.2.10), and access it via ROUTER#2 IP on ROUTER#1 subnet (192.168.1.5) it works as expected, but that's not the goal.

ROUTER#1 needs to stay as the main router connecting to the ISP. Also, ROUTER#2 needs to provide its own subnet and DHCP.

ROUTER#1 allows me to configure static routes and the firewall (iptables). ROUTER#2 is a lot more limited in configuration, allowing me to enable/disable the SPI firewall and configure static routes. I've searched, but couldn't find any control over NAT on ROUTER#2.

FYI: I'm a NOOB on networking, but trying to learn during the process.

SETUP SUMMARY

ROUTER#1 (ASUS RT-AC87U)

  • WAN port connected to ISP Modem
  • ROUTER#2 (192.168.1.5) connected to LAN port
  • PC#1 (192.168.1.217) connected to LAN port
  • reserved IP for ROUTER#2 (192.168.1.5)
  • static route entry to forward 192.168.2.0/24 via 192.168.1.5 interface br0
  • entry on iptables FORWARD chain to ACCEPT src 192.168.1.0/24 dst 192.168.2.0/24 if br0

ROUTER#2 (NETGEAR WGR614 v7)

  • WAN port connected to ROUTER#1 LAN port
  • PC#2 (IP: 192.168.2.10) connected to Router#2 LAN port (running dummy web server on port 80)
  • port forward to bind 80:80 dst 192.168.2.10
  • SPI Firewall disabled
  • Respond to ping on internet port enabled

From PC#1

  • can ping Router#2 on 192.168.1.5
  • cannot ping Router#2 on 192.168.2.1
  • cannot ping PC#2 on 192.168.2.10
  • cannot reach web server on 192.168.2.10:80

SETUP DETAILS

ROUTER #1 (ASUS RT-AC87U)

WAN

  • (PPPoE to ISP)

LAN

  • IP Address: 192.168.1.1
  • Subnet Mask: 255.255.255.0
  • DNS Server: 1.1.1.1

DHCP Server

  • IP Pool Start: 192.168.1.200
  • IP Pool End: 192.168.1.254
  • Manually Assigned: 192.168.1.5 to Router #2

LAN Route - Static Route

  • Network/Host IP: 192.168.2.0
  • Netmask: 255.255.255.0
  • Gateway: 192.168.1.5
  • Metric: 1
  • Interface: LAN (br0)

Route Table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
(...)
169.254.39.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.2.0     192.168.1.5     255.255.255.0   UG    1      0        0 br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
(...)

iptables FORWARD

Chain FORWARD (policy ACCEPT)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0
2     6558  363K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
3       60  3120 ACCEPT     all  --  br0    br0     192.168.1.0/24       192.168.2.0/24
4        0     0 SECURITY   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0

ROUTER #2 (NETGEAR WGR614 v7)

WAN (Static IP)

  • IP Address: 192.168.1.5
  • IP Subnet Mask: 255.255.255.0
  • Gateway IP Address: 192.168.1.1

LAN

  • IP Address: 192.168.2.1
  • Subnet Mask: 255.255.255.0
  • DNS Server: 192.168.1.1

DHCP Server

  • IP Pool Start: 192.168.2.10
  • IP Pool End: 192.168.2.20
  • This question is basically a duplicate of this question: https://superuser.com/questions/1250917/cascading-routers-accessing-secondary-routers-clients-from-first-router. With that said, the solution to that question pretty much says that you're out of luck when it comes to accessing clients behind the second router unless you use port forwarding. I'm still looking to see if there is a solution to accomplish your goals, but this is the best response I have been able to find.
    – Brian
    Commented Jul 2, 2023 at 19:46
  • Also, it sounds like you want all devices to be able to communicate with each other. If this is the case, why not setup the second router as a switch and put all the devices on the same subnet?
    – Brian
    Commented Jul 2, 2023 at 19:48
  • Here is another article that, while a bit old, says the same thing as the other link. It offers a nice discussion. https://www.smallnetbuilder.com/lanwan/lanwan-howto/howtotworoutersharing/. At the end of the day, if you want all devices to be able to talk to all the other devices, then you can't use your current setup.
    – Brian
    Commented Jul 2, 2023 at 20:23
  • And here is a general discussion on what the purpose of routing is. While your routes don't appear to be the problem, the problem is that the WAN of the second router blocks ports not explicitly forwarded and therefore you are unable to access clients behind the second router from the upstream network. https://www.ipxo.com/blog/network-routing/
    – Brian
    Commented Jul 2, 2023 at 20:31
  • Thanks @Brian. The end goal is to allow only some of the devices on Subnet#1 to manage devices on Subnet#2, but having devices on Subnet#1 unreachable from #2. I was hoping to achieve this via firewall rules on Router#1
    – cwoodix
    Commented Jul 3, 2023 at 21:32

1 Answer

How do I allow devices connected directly to ROUTER#1 to talk to devices on ROUTER#2 (by their IP on ROUTER#2's subnet) but not vice-versa?

In this case, you don't – ROUTER#2's functionality is not sufficient for that. You need to be able to configure the "SPI firewall" to allow and block packets according to your description.

("SPI" pretty much just means it has a --state established -j ACCEPT rule, so that it allows reply packets in, but doesn't allow new connections in. Unfortunately, in your case, it's in the opposite direction vs what you're asking for.)

Routing configuration will not help here, as Router#2 already has a route to Router#1's network (due to its WAN interface literally being part of that network) and you kind of need that route so that Router#2 would be able to deliver reply packets to the authorized PCs on Router#1's network; if it has a route for replies, it has a route for "new" packets as well.

I've searched, but couldn't find any control over NAT on ROUTER#2.

In theory this wouldn't be a problem; such a control would only disable NAT in the direction #2→#1 (and you don't want any packets to go that way anyway). There is no NAT for #1→#2 by default (just the "port forwarding" rules); it's most likely the firewall that discards the inbound packets.
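To make the answer's point concrete, here is an added toy simulation (not code from the question, the answer, or either router's firmware) of a stateful "SPI" FORWARD decision on ROUTER#2, modelled on the question's addresses: the stock policy lets new flows out of 192.168.2.0/24 and replies back in, which is the opposite of what the asker wants, while the reversed policy (new flows only from 192.168.1.0/24 into 192.168.2.0/24) is what the router would need to support. The connection-tracking tuple, the `consumer_spi` and `requested_policy` names and the ephemeral port numbers are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addresses from the question; the port forward is WAN:80 -> PC#2:80.
LAN_NET = ip_network("192.168.2.0/24")    # ROUTER#2 LAN
MGMT_NET = ip_network("192.168.1.0/24")   # ROUTER#1 LAN (where PC#1 lives)
WAN_IP = "192.168.1.5"                    # ROUTER#2 WAN address
PORT_FORWARDS = {80: "192.168.2.10"}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 40000                    # constructed ephemeral port

class StatefulFilter:
    """Models `-m state --state ESTABLISHED -j ACCEPT` plus a policy for NEW."""
    def __init__(self, allow_new):
        self.allow_new = allow_new        # callable deciding NEW packets
        self.conntrack = set()            # tracked (src, sport, dst, dport) flows

    def forward(self, pkt):
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_of in self.conntrack:    # ESTABLISHED: reply to a tracked flow
            return "ACCEPT"
        if not self.allow_new(pkt):       # NEW: policy decides
            return "DROP"
        # Apply DNAT for a port forward before recording the flow, so the
        # reply from the real server (192.168.2.10:80) matches the entry.
        dst = PORT_FORWARDS.get(pkt.dport, pkt.dst) if pkt.dst == WAN_IP else pkt.dst
        self.conntrack.add((pkt.src, pkt.sport, dst, pkt.dport))
        return "ACCEPT"

def consumer_spi(pkt):
    """Stock behaviour: new flows only from the LAN, or to a port forward."""
    return ip_address(pkt.src) in LAN_NET or (pkt.dst == WAN_IP and pkt.dport in PORT_FORWARDS)

def requested_policy(pkt):
    """What the asker wants: new flows only from ROUTER#1's LAN into ROUTER#2's LAN."""
    return ip_address(pkt.src) in MGMT_NET and ip_address(pkt.dst) in LAN_NET

def run_scenario(policy):
    """Verdicts for the flows from the question under the given NEW-packet policy."""
    fw = StatefulFilter(policy)
    v = {}
    v["pc1->pc2:80 (new)"] = fw.forward(Packet("192.168.1.217", "192.168.2.10", 80))
    if v["pc1->pc2:80 (new)"] == "ACCEPT":  # only send a reply if the request got through
        v["pc2->pc1 (reply)"] = fw.forward(Packet("192.168.2.10", "192.168.1.217", 40000, 80))
    v["pc1->192.168.1.5:80 (new, port forward)"] = fw.forward(Packet("192.168.1.217", WAN_IP, 80, 40001))
    v["pc2->pc1:22 (new)"] = fw.forward(Packet("192.168.2.10", "192.168.1.217", 22, 40002))
    return v
```

Under `consumer_spi` the direct request to 192.168.2.10 is dropped and only the port-forwarded path works, matching the question's observations; under `requested_policy` the direction flips.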

  • Thanks. That makes perfect sense. My wishful thinking wanted to believe that disabling "SPI Firewall" would disable any firewall input rules on the WAN. As you mentioned, that's not the case. Not with the basic NETGEAR WGR614 v7 router at least.
    – cwoodix
    Commented Jul 3, 2023 at 21:34
  • Well, no, it should disable all of them... but your other request (preventing communications in a certain direction) requires the firewall being enabled, anyway.
    Commented Jul 4, 2023 at 4:00
