Вы находитесь на странице: 1из 4

login register

site
Home Reviews Tools Forums FAQs Find Service News Maps About

All Forums Hot Topics Gallery
how-to block ads
Forums US Telco Support Verizon Verizon FiOS > Need networking help - 2 routers, can't reach
other subnet
Search Topic:
uniqs
5101
share
[Northeast] Moca bridge works but can't file share So I hopped on the 150 mbps train and I get erratic results
plammie
@verizon.net
Need networking help - 2 routers, can't reach other subnet
Hey all, I'm having an issue with multiple routers and subnets on my FIOS
connection. Here's how everything is setup:
Primary router:
ActionTec MI424WR Rev D (from Verizon)
WAN IP: From ISP
WAN NETMASK: From ISP
LAN IP: 192.168.1.1
LAN NETMASK: 255.255.255.0
Secondary router (WAN connected to ActionTec LAN):
Belkin N750 gigabit w/ 802.11n
WAN IP: 192.168.1.2
WAN NETMASK: 255.255.255.0
LAN IP: 192.168.2.1
LAN NETMASK: 255.255.255.0
With this setup, I have the secondary router's WAN port connected to a LAN port on
the primary router. Each are broadcasting an SSID and each are running DHCP to
assign address to their respective subnets. Everything was well and good, except
that I could reach 192.168.1.* systems from 192.168.2.*, but not vice versa --
anything connected to the Primary router was blind to systems connected to
Secondary. Also, I could not ping anything on .2 from .1.
So, I added the following static route to the primary router:
DESTINATION: 192.168.2.0
NETMASK: 255.255.255.0
GATEWAY: 192.168.1.2
Once this was added to the router, I could ping everything, so that was good.
However, even though .1 can now ping .2, I can't access certain things such as the
web interface of my NAS (192.168.2.2). I can ping it, but accessing it in the
browser from .1 doesn't work; however, accessing from .2 does work.
I think the ActionTec router might be blocking it, but that's just a guess. The
firewall on this thing has me thoroughly confused. Currently, I have 192.168.1.2 in
the DMZ on the ActionTec, but that didn't make a difference. I've also completely
disabled the firewall on the secondary Belkin router, but still nothing.
Any help from the pros here? Much appreciated!
actions 2012-Feb-2 5:15 pm
More Fiber
Premium,MVM
Is there are reason you're running LAN-to-WAN and not LAN-to-LAN?
LAN-to-WAN creates routing issues and also means the devices behind the second
router are double NATed.
See the following FAQ for a walk-through of setting up the LAN-to-LAN
Most commented news this week
[104] Verizon: Our Review Shows No Congestion; Netflix to Blame
[95] Wall Street Whines About New 10 Mbps Min. Broadband
Definition
[66] Aereo's Plan B: Argue It's a Bonafide Cable Company
[58] Sprint Testing New Lower Cost Data Plans
[52] Alcatel Lucent Sets New 10 Gbps Copper Speed Record
[49] Comcast Latest to Test Super Ultra Mega DVR
[48] Groups, Leaders Want Verizon Investigated for Network Neglect
[45] FCC Shot Clock on Comcast Merger Begins
[42] Dish Internet TV to Target Cord Cutters and 'Cord Haters'
[40] Public Knowledge Criticizes T-Mobile's Speed Test Cap
Exemption
Hot Forum Topics
Problems again with Rcable [Start Communications]
ABP being sued for blocking ads. [Security]
[rCable] CBC FIFA football stream keeps choking
[Start Communications]
[Updated] Flash Player 14.0.0.145 [Software]
Microsoft Security Bulletins for July 8 2014 [Security]
Theoretical question about MD5 sum, Not about how secure it's not.
[Security]
Been waiting 3 mths for U-Verse installation...what are our options?
[AT&T U-verse]
[Electrical] Laser printer and A/C on same circuit
[Home Improvement]
pir motion detector question [Home Improvement]
[Plumbing] Pipe bang when water turn off [Home Improvement]
Need networking help - 2 routers, can't reach other subnet - Verizon FiOS... http://www.dslreports.com/forum/r26846307-Need-networking-help-2-...
1 of 4 12.7.2014 13:54
actions 2012-Feb-3 9:04 am reply
claibourne
join:2011-07-04
Garland, TX
reply to plammie
If I understand your config correctly, it doesn't sound like the Actiontec is the
problem. If your goal is to simply subnet, and not restrict traffic in any way
between 192.168.1.x (Actiontec) and 192.168.2.x (Belkin), you'd need to:
1) totally disable the firewall on the Belkin and set it up in classical routing mode
2) make sure the appropriate network routes are in place on both routers.
You would not want to put the Belkin in the Actiontec DMZ. This would make the
router and any client on 192.168.2.x vulnerable, since the Belkin firewall is
disabled.
Alternatively, if you leave the Belkin firewall enabled, you'd have to set up port
forwards on it to the services you want to access from 192.168.1.x, e.g., to your
NAS server. You probably wouldn't want the Belkin in the Actiontec DMZ in this
case, either, as any port forwards you setup would be accessible on the Internet.
actions 2012-Feb-3 11:14 am
plammie
@verizon.net
Ok, I figured it out and everything is now working. The issue appears to be that the
ActionTec router doesn't recognize traffic from Subnet 1 to Subnet 2 as internal
traffic -- it treats it as external traffic and closes it off. To fix this, it required some
Advanced Firewall Filters that were far from unituitive and took a lot of testing to
get it just right. If anyone runs into a similar situation in the future, here's a
rundown of what I did to make it all work:
Primary Router:
ActionTec, MI424WR Rev D
WAN IP/NETMASK:Assigned by ISP
LAN IP/NETMASK:192.168.1.1 / 255.255.255.0
Secondary Router:
Belkin N750 Gigabit w/ 802.11n
WAN IP/NETMASK:192.168.1.2 / 255.255.255.0
LAN IP/NETMASK:192.168.2.1 / 255.255.255.0
Plug Secondary router's WAN port into a LAN port on the Primary router.
Setup Secondary router to have static LAN address (192.168.1.2)
At this point, you should have 2 separate subnets: Subnet 1 (192.168.1.*) and
Subnet 2 (192.168.2.*).
Systems on both subnets should be able to reach the internet. Also, Subnet 2
should be able to ping and reach systems on Subnet 1; however, systems on Subnet
1 should not be able to ping or reach systems on Subnet 2. For this, we need to
create a static route so Subnet 1 can reach Subnet 2.
Create and apply the following static route in the Primary router: (Advanced >
Routing)
RULE NAME:Network (Home/Office)
DESTINATION:192.168.2.0(your secondary subnet)
GATEWAY:192.168.1.2(secondary router's WAN IP)
NETMASK:255.255.255.0
METRIC:1
The router now has a route between Subnet 1 (192.168.1.*) and Subnet 2
(192.168.2.*). You should be able to ping systems on Subnet 1 from 2, and ping
systems on Subnet 2 from 1. You should not be able to access any systems, though
-- the firewall is still blocking all but ping traffic from Subnet 1 to Subnet 2. We
need to create some firewall rules to allow this communication.
Make sure Primary firewall is set to at least typical/medium (Firewall Settings >
General).
We need to create some network objects to make it easier to manage the rules
we'll create. Go to Advanced > Network Objects and do the following:
A. Click Add. You are now on Edit Network Object screen.
B. Set Description to 'Subnet 1'.
C. In Items section below, click Add.
D. Set Network Object Type to 'IP Subnet'.
E. Set Subnet IP Address to 192.168.1.0.
F. Set Subnet Mask to 255.255.255.0.
G. Click Apply. You are now back on Edit Network Object screen.
H. Click Apply. You are now back on Network Objects Screen.
I. Repeat the above steps again, but this time creating a second network object
called 'Subnet 2':
Name:Subnet 2
IP Subnet:192.168.2.0
Subnet Mask:255.255.255.0
DSLReports Est.1999 Saturday, 12-Jul 07:45:53 feedback terms Mobile mode
Need networking help - 2 routers, can't reach other subnet - Verizon FiOS... http://www.dslreports.com/forum/r26846307-Need-networking-help-2-...
2 of 4 12.7.2014 13:54
Now we create the firewall rules. Go to Firewall Settings > Advanced Filtering.
In the Inbound/Input rules section, click the Add link next to Network
(Home/Office) Rules.
Create the following Advanced Filter:
SOURCE ADDRESS:Select 'Subnet 1'
DEST. ADDRESS:Select 'Subnet 2'
PROTOCOL:'Any'
OPERATION:'Accept Packet'
OCCUR:'Always'
Click Apply. You will now be back on the Advanced Filtering page.
In the Outbound rules section, click the Add link next to Network (Home/Office)
Rules.
Create the following Advanced Filter:
SOURCE ADDRESS:Select 'Subnet 1'
DEST. ADDRESS:Select 'Subnet 2'
PROTOCOL:'Any'
OPERATION:'Accept Packet'
OCCUR:'Always'
Click Apply. You will now be back on the Advanced Filtering page.
Click Apply.
You're all done. You should now have internet access on both subnets, be able to
ping across subnets and also be able to access services across subnets (local
webservers, SSH, telnet, mail, etc). You will not be able to see network file shares
across subnets in Windows, however, as this requires a WINS server (which is well
outside the scope of this post). For instance, I have a Western Digital NAS on the
192.168.2.0 subnet that I can access as \\Mybooklive\ from within Subnet 2; on
Subnet 1, however, I have to access it by its IP \\192.168.2.10\.
actions 2012-Feb-3 1:36 pm
claibourne
join:2011-07-04
Garland, TX
I'm a bit confused. It makes sense that the AT would think 192.168.2.x is
external and would send that traffic out the WAN interface, BEFORE you set up the
route to 192.168.2.0 via 192.168.1.2 (the Belkin).
Once that route is set up, the Actiontec's firewall shouldn't touch the traffic at all.
After that, it should just be a case of deciding whether or not you want the Belkin
firewall to be active or not active, and setting up port forwards if you do.
Did I miss something that would make all those other rules necessary?
actions 2012-Feb-3 2:04 pm
plammie
@verizon.net
Haha you're not the only one confused, claibourne. It didn't really make sense to
me, either, which is why it took so long to figure out. Its as if the routes are done
post-firewall. Logically speaking, if the 'Network (Home/Office)' connection is
defined with an IP of 192.168.1.1, and you add a route to 192.168.2.1 to it, you'd
think the firewall would apply the same rules. But that is not the case. Perhaps
there's a way to modify the 'Network (Home/Office)' connection properties so that it
knows the second subnet is part of it, and thusly treat the traffic the same as it
would on the primary subnet? I couldn't get it to work that way, but perhaps
someone more experienced with this router knows the trick.
actions 2012-Feb-3 2:17 pm
claibourne
join:2011-07-04
Garland, TX
Oh well. Who knows?
On the \\Mybooklive\ thing, you should be able to put an entry in the actiontec DNS
server to map the name. Under advanced settings, go into the DNS server, and add
a manual entry for Mybooklive with 192.168.2.10 as its IP (assuming it's static or a
DHCP reservation on the Belkin side).
actions 2012-Feb-3 2:24 pm
plammie
@verizon.net
Cool, nice trick -- I hadn't even got to the DNS part of this thing yet. Thanks!
actions 2012-Feb-3 2:35 pm
More Fiber
Premium,MVM
reply to plammie
said by plammie :
Its as if the routes are done post-firewall.
Correct. The firewall only applies to the WAN port.
Need networking help - 2 routers, can't reach other subnet - Verizon FiOS... http://www.dslreports.com/forum/r26846307-Need-networking-help-2-...
3 of 4 12.7.2014 13:54
join:2005-09-26
West Chester, PA
kudos:29
said by plammie :
Perhaps there's a way to modify the 'Network (Home/Office)' connection properties so
that it knows the second subnet is part of it, and thusly treat the traffic the same as it
would on the primary subnet?
Create a VLAN for the 2nd subnet, then add it to the Network H/O group.
Although if you do that I don't see why you don't put everything on one subnet.
Yes, I saw your post that you wanted to segregate traffic, but you're defeating that.
--
There are 10 kinds of people in the world; those who understand binary and those who don't.
actions 2012-Feb-3 6:47 pm
kevnich24
join:2006-04-19
Mulberry, FL
reply to plammie
I am with More Fiber on this. am also confised by this - you say you want traffic
separated but the only thing this accomplishes is having traffic unseparated??? Your
giving conflicting statements about what you want. If you dont want traffic separate
its easier to just remove secondary router rather than the setup you have.
The only time you want traffic traversing different subnets locally is in a large lan
environment where this is too much broadcast traffic going on and want to separate
your broadcast domains.
actions 2012-Feb-4 1:06 am
Forums US Telco Support Verizon
Verizon FiOS
[Northeast] Moca bridge works but can't file share So I hopped on the 150 mbps train
and I get erratic results
kasda.cc
Full Series ADSL Modem Router With Reliable Quality&Competitive Price
Need networking help - 2 routers, can't reach other subnet - Verizon FiOS... http://www.dslreports.com/forum/r26846307-Need-networking-help-2-...
4 of 4 12.7.2014 13:54