
I have a device, the target device in the diagram, running a website served over HTTPS (HTTP is also necessary for TLS certificate renewal) and also providing a Samba service for internal use.

The device is attached to the router A which is provided by the ISP to connect to the internet by optical fiber.

And all my other devices are attached to Router B as a sub LAN. Router B is connected to router A. I use router B to provide WiFi.

Both routers A and B are providing DHCP services.


I want to access the website on my Target Device both from the sub LAN managed by router B (②) and from devices on the internet (①), and access the Samba service provided by the target device from the sub LAN only (③).

How can I implement this?

I think I can configure port forwarding on Router A to let devices on the internet access the website (①), but I have no idea how I can make the target device reachable from the sub LAN (② and ③).


I know I can attach the target device to router B and configure port forwarding on both Router A and B. But the problem is that my router B doesn't have enough LAN ports for the target device, and I don't want a wireless connection, which is much slower than a LAN cable, since it is a server. So this is not currently an acceptable solution in my case.


I also know that I could set router B to AP mode (I am not sure whether this is the term I should use), which would merge the two LANs into one so that every device gets its IP from router A's DHCP. But router A only supports a limited number of devices and I have many more devices than that. So this is also not a good solution in my case. 😫


EDIT: my final solution

Well, I haven't really solved this problem, but I found a way to bypass it.

I found a device attached to Router B that I hadn't used for more than a year. So I removed that device and got a spare port for the Target Device.

Now I just set up port forwarding for HTTP/HTTPS on both Router A and Router B and gave the Target Device a fixed IP in the DHCP settings on Router B. Then done. Everything works as expected.

Furthermore, I also have some internal domain names, but my Router B doesn't support custom DNS records, so I just set them on Router A.

This is the diagram.

[diagram: solution]

2 Answers


Correct, setting up the port forward on router A will make the server reachable from the Internet. Note that devices on your LAN will also be able to reach the server via its public IP address (assuming they have internet access).

Note: I assume the networks are /24 with the subnet mask 255.255.255.0 and I'm using the terminology "server" instead of "target device".

About the access via private IP (192.168.1.4): If the current setup is not working for LAN traffic, my guess is (additional causes are possible as well):

  • either router B doesn't route the traffic to the server since it's a private IP trying to leave through the WAN port; you could check this e.g. by using Wireshark (but be aware that there will be IP translation because of the NAT). A simpler way to do a part-way test would be to check if you can ping router A (192.168.1.4) from a client on the router A subnet (192.168.1.0/24) and the router B subnet (192.168.10.0/24); a failure to ping from subnet B (but not from subnet A) most likely means that the server cannot be reached either.

  • and/or router A doesn't "know" what to do with packets for 192.168.10.0/24 and sends them via the default route/interface (to the internet). Meaning that although the server receives incoming packets from the LAN, it cannot send replies back. In this case, you must manually add a route to router A (if possible). Note, as Tom Yan points out: setting a route on the server to route 192.168.10.0/24 to 192.168.1.2 might work as well, depending on the configuration of router B (it needs to allow packets for 192.168.10.0/24 to come through the WAN port).

An alternative setup/solution for access via private IP (in my view the "best" solution: by paying a few bucks for an additional network adapter you reduce the configuration/testing needed) would be to add another network interface to the server and connect it to router B. This way it would get a second IP address from 192.168.10.0/24 that can be used for access from the LAN.

Regarding your own solutions, they might work without running into the problems you described:

Another alternative solution would be to buy a switch for router B; this would give you more LAN ports to support all your devices. Note that you could then even turn off the routing capabilities of router A, using it just as a modem (if possible through the settings), making router B your only router. Maybe it's even possible to use router B to connect to your ISP without using router A.

Setting Router B to AP mode is actually the "best" solution (especially since you get rid of the double NAT and you don't need a second network adapter for the server). Why exactly is the number of devices supported by router A limited? What about router A?

  • @Programus also I would suggest finding out what is technically causing a limit on clients; there might be an easy solution or another option. It might be DHCP (a few things are possible there); not sure how DNS could limit the number of clients.
    – Albin
    Commented Jun 15, 2022 at 6:13
  • You can always tcpdump or so on the target device. It's not really a "theory" though, it's really just a "matter" of how your devices are configured (e.g. is SNAT enabled / is the subnet mask / prefix length correct, etc.). As I said, if your router B has SNAT enabled (which should be the case unless you disabled it), you shouldn't even need any additional route, which is why I think that some firewall rules blocking traffic with private IPs in its address fields from getting in from the WAN side is a more likely case.
    – Tom Yan
    Commented Jun 15, 2022 at 6:41
  • If you see traffic's source address being 192.168.1.2 and destination address being 192.168.1.4 AND the other way round on the target device when you access it with a host from the inner LAN, then it more or less proves my theory (of the private IP blocking firewall rules). Btw I bet you can't reach / ping router A from an inner LAN host either (but are able to reach the Internet)? (Actually DNS should be broken if you use router B as your DNS server if it in turn uses router A as its DNS server...)
    – Tom Yan
    Commented Jun 15, 2022 at 6:52
  • @Programus if it's a limit of the DHCP and not the size of the subnet you can simply use your own DHCP instead, or you could assign additional IPs manually. Assuming a "hidden firewall feature" doesn't block traffic outside of the DHCP range.
    – Albin
    Commented Jun 15, 2022 at 7:09
  • @Programus after thinking about it, personally I would do the "alternative setup/solution" (additional network adapter); in my view it's the easiest to implement (and you probably have a USB network adapter lying around anyway - if not, it's a good idea to have a spare one lying around for testing purposes, so you might want to get one anyway). The other solutions might be fundamentally better (no double NAT etc.) but they probably come with higher configuration effort, and you'll always have the option to implement them anyway. Thanks for your feedback, +1 for that! Curious how this plays out.
    – Albin
    Commented Jun 15, 2022 at 10:54
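To make the two failure modes in this answer (and the SNAT point from the comments) concrete, here is an added Python model of where the server's reply to a sub-LAN client ends up; it is not code from the answer or from either router. It takes the addresses the thread gives (server 192.168.1.4, router B's WAN side 192.168.1.2, subnets 192.168.1.0/24 and 192.168.10.0/24) and assumes router A's LAN address is 192.168.1.1 and the client is 192.168.10.7; the route lookup is a plain longest-prefix match.

```python
import ipaddress

# Constructed model of the topology in the question. Router A's LAN address
# (192.168.1.1) and the sub-LAN client (192.168.10.7) are assumptions.
ROUTER_A_LAN = ipaddress.ip_address("192.168.1.1")   # assumption
ROUTER_B_WAN = ipaddress.ip_address("192.168.1.2")   # from the thread
CLIENT = ipaddress.ip_address("192.168.10.7")        # constructed sub-LAN host
SUBNET_A = ipaddress.ip_network("192.168.1.0/24")    # server 192.168.1.4 lives here
SUBNET_B = ipaddress.ip_network("192.168.10.0/24")   # router B's LAN
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def lookup(table, dst):
    """Longest-prefix match over (network, next_hop) rows.
    next_hop None means the destination is on a directly connected subnet."""
    best = None
    for net, hop in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    assert best is not None, "every table in this model carries a default route"
    return best[1]


def reply_path(snat_on_b, static_route_on_a=False, static_route_on_server=False):
    """Trace where the server's reply to the sub-LAN client ends up."""
    # 1. Router B forwards the request out of its WAN port. With SNAT the server
    #    sees router B's WAN address as the source; without it, the client's
    #    private 192.168.10.x address.
    src_seen_by_server = ROUTER_B_WAN if snat_on_b else CLIENT
    # 2. The server picks a next hop for the reply: connected LAN, an optional
    #    static route for 192.168.10.0/24 via router B, otherwise default via router A.
    server_table = [(SUBNET_A, None), (DEFAULT, ROUTER_A_LAN)]
    if static_route_on_server:
        server_table.append((SUBNET_B, ROUTER_B_WAN))
    hop = lookup(server_table, src_seen_by_server)
    if hop is None or hop == ROUTER_B_WAN:
        return "reply reaches router B directly"
    # 3. The reply went to router A, which only knows 192.168.1.0/24 and a default
    #    route to the ISP unless a static route for 192.168.10.0/24 is added.
    router_a_table = [(SUBNET_A, None), (DEFAULT, "isp")]
    if static_route_on_a:
        router_a_table.append((SUBNET_B, ROUTER_B_WAN))
    hop = lookup(router_a_table, src_seen_by_server)
    if hop == ROUTER_B_WAN:
        return "reply reaches router B via router A"
    return "reply sent to the ISP over the default route and lost"
```

With SNAT on router B no extra route is needed, which matches the comment above; with SNAT off, either the static route on router A or the one on the server rescues the reply.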

Avoid Double NAT

  1. Your ISP provided modem/router should be set in bridge mode to avoid double NAT.
    Putting Huawei ONT into Bridge Mode
  2. Your Internal router/firewall should manage DHCP and control access to and from your LAN and the Internet.
  3. Router/firewall setup is a broad topic and you will need to deal with some or all of NAT, reverse proxy, Access Control Lists (ACL), etc.
  4. Roles can be split up between devices or multiple roles hosted on a single device.

Your basic layout would look more like this: [diagram]

  • Thank you. But unfortunately the router from my ISP does not support bridge mode. 😩
    – Programus
    Commented Jun 15, 2022 at 4:48
  • I would be surprised. You may need to ask them to set it from their end. Look at this though: forum.level1techs.com/t/…
    – Blindspots
    Commented Jun 15, 2022 at 5:06
  • and this: forum.level1techs.com/uploads/default/original/3X/c/2/…
    – Blindspots
    Commented Jun 15, 2022 at 5:06
  • @BlindSpots the OP already suggested avoiding double NAT, but it's not possible since router A doesn't support enough devices and router B doesn't have enough Ethernet ports. Maybe you could edit your answer to reflect that.
    – Albin
    Commented Jun 15, 2022 at 11:32
  • @Programus DMZ is not the same as bridge mode. Normally DMZ is used to give access to devices from the WAN/internet (bypassing certain FW restrictions that apply to the LAN). DMZ can also be used to avoid double NAT for access from the WAN, but this is not your problem (you try to access from the LAN). However, DMZ might still be able to solve your problem; I haven't thought it through just yet.
    – Albin
    Commented Jun 15, 2022 at 11:33
