I have 2 home routers and want to allow (some) devices to communicate across subnets.
- ROUTER#1 (ASUS RT-AC87U), subnet 192.168.1.0/24, acting as the main router connected to the ISP
- ROUTER#2 (NETGEAR WGR614 v7), subnet 192.168.2.0/24, connecting its WAN port to ROUTER#1 LAN port
[INTERNET] -> [WAN] ROUTER#1 [LAN] -> [WAN] ROUTER#2 [LAN] -> PC#2
How do I allow devices connected directly to ROUTER#1 to talk to devices on ROUTER#2 (by their IP on ROUTER#2's subnet) but not vice-versa?
For example, given PC#1 (192.168.1.217) connected to ROUTER#1 LAN, reach PC#2 (192.168.2.10) connected to ROUTER#2's LAN port. As a test, I'm trying to reach a dummy web server hosted on PC#2 port 80 via http://192.168.2.10/index.html or ping 192.168.2.10.
If I configure port forwarding on ROUTER#2 on port 80 to forward to PC#2 (192.168.2.10), and access it via ROUTER#2's IP on ROUTER#1's subnet (192.168.1.5), it works as expected, but that's not the goal.
ROUTER#1 needs to stay as the main router connecting to the ISP. Also, ROUTER#2 needs to provide its own subnet and DHCP.
ROUTER#1 allows me to configure static routes and the firewall (iptables). ROUTER#2 is a lot more limited in its configuration, allowing me to enable/disable the SPI firewall and configure static routes. I've searched, but couldn't find any control over NAT on ROUTER#2.
FYI: I'm a NOOB on networking, but trying to learn during the process.
SETUP SUMMARY
ROUTER#1 (ASUS RT-AC87U)
- WAN port connected to ISP Modem
- ROUTER#2 (192.168.1.5) connected to LAN port
- PC#1 (192.168.1.217) connected to LAN port
- reserved IP for ROUTER#2 (192.168.1.5)
- static route entry to forward 192.168.2.0/24 via 192.168.1.5 interface br0
- entry on iptables FORWARD chain to ACCEPT src 192.168.1.0/24 dst 192.168.2.0/24 if br0
ROUTER#2 (NETGEAR WGR614 v7)
- WAN port connected to ROUTER#1 LAN port
- PC#2 (IP: 192.168.2.10) connected to Router#2 LAN port (running dummy web server on port 80)
- port forward to bind 80:80 dst 192.168.2.10
- SPI Firewall disabled
- Respond to ping on internet port enabled
From PC#1
- can ping Router#2 on 192.168.1.5
- cannot ping Router#2 on 192.168.2.1
- cannot ping PC#2 on 192.168.2.10
- cannot reach web server on 192.168.2.10:80
SETUP DETAILS
ROUTER #1 (ASUS RT-AC87U)
WAN
- (PPPoE to ISP)
LAN
- IP Address: 192.168.1.1
- Subnet Mask: 255.255.255.0
- DNS Server: 1.1.1.1
DHCP Server
- IP Pool Start: 192.168.1.200
- IP Pool End: 192.168.1.254
- Manually Assigned: 192.168.1.5 to Router #2
LAN Route - Static Route
- Network/Host IP: 192.168.2.0
- Netmask: 255.255.255.0
- Gateway: 192.168.1.5
- Metric: 1
- Interface: LAN (br0)
Route Table
Destination Gateway Genmask Flags Metric Ref Use Iface
(...)
169.254.39.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.2.0 192.168.1.5 255.255.255.0 UG 1 0 0 br0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
(...)
iptables FORWARD
Chain FORWARD (policy ACCEPT)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all -- tun21 * 0.0.0.0/0 0.0.0.0/0
2 6558 363K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
3 60 3120 ACCEPT all -- br0 br0 192.168.1.0/24 192.168.2.0/24
4 0 0 SECURITY all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
ROUTER #2 (NETGEAR WGR614 v7)
WAN (Static IP)
- IP Address: 192.168.1.5
- IP Subnet Mask: 255.255.255.0
- Gateway IP Address: 192.168.1.1
LAN
- IP Address: 192.168.2.1
- Subnet Mask: 255.255.255.0
- DNS Server: 192.168.1.1
DHCP Server
- IP Pool Start: 192.168.2.10
- IP Pool End: 192.168.2.20
https://superuser.com/questions/1250917/cascading-routers-accessing-secondary-routers-clients-from-first-router. With that said, the solution to that question pretty much says that you're out of luck when it comes to accessing clients behind the second router unless you use port forwarding. I'm still looking to see if there is a solution to accomplish your goals, but this is the best response I have been able to find: https://www.smallnetbuilder.com/lanwan/lanwan-howto/howtotworoutersharing/
At the end of the day, if you want all devices to be able to talk to all the other devices, then you can't use your current setup. https://www.ipxo.com/blog/network-routing/