accessing second router behind first router

paboski

I have my main router (RT-AC68U) with IP 192.168.2.1. From LAN port 1 there is a second router (RT-AC51U) connected by its WAN port.
The second router's IP is 192.168.3.1.
I want to be able to connect to the administrator web page of the second router from my PC, which is connected to the first router.
Is this possible?
thx!
 
I think you would need to enable Web Access from WAN on the second router. Then browse to its WAN IP address and log in.

Although router Web Access is a security concern, it may not be when still behind your main router WAN firewall.

OE
 
For the above to work you'd have to browse to the second router's WAN IP 192.168.2.X (X being whatever IP it's getting from your main router). But it would work just fine.

Another option would be to disable NAT and the firewall on the second router, then create a static route on your main router to 192.168.3.0 via 192.168.2.X (X being the WAN IP of the second router).

With this you can access any 192.168.3.X address from any device on the main network, including browsing directly to 192.168.3.1, your secondary router, without enabling web access on the secondary router.

I guess it should be mentioned as well: DO NOT disable NAT/firewall or ENABLE WAN access on your main router.

Example... this is on my main router. My second router gets WAN IP 10.1.1.2 from the main router. The second router network is 10.2.2.0 range DHCP.

Capture.JPG
 
Hi,
I have more or less the same situation but the static route does not work: what am I missing?

main router: 192.168.1.1
second router : 192.168.1.98 WAN port connected to LAN port of main router. its LAN IP is 192.168.98.1

Have defined static route as "192.168.98.0 mask:255.255.255.0 gateway: 192.168.1.198 via LAN"

Thanks,
GS.
 
What are you doing that "doesn't work"? What error do you get?

Yes, sorry:

I want to access the second router admin page at 192.168.98.1 from my "main network" which is 192.168.1.x (main router is 192.168.1.1). When I put either 192.168.98.1 or 192.168.1.98 (which is the WAN IP the second router gets from main), the browser returns a timeout error.
 
I have several sandpit routers that get plugged into the main router, so I have the following in firewall-start

You probably need something similar.

e.g. Pseudo code
Code:
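# If WAN is Private then allow that subnet access to the Router.
#
#     wan0_dns=172.16.8.1
#     wan0_gateway=172.16.8.1
#     wan0_ipaddr=172.16.8.254

# Stand-ins for the poster's own helper functions, which are not shown in the post.
# Say: log the message via logger, tagged with the script name.
Say() { logger -st "$(basename "$0")" "$*"; }
# Is_Private_IPv4 (assumed behaviour): pass through only RFC 1918 addresses.
Is_Private_IPv4() { grep -E '^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)'; }

WANIPADDR=$(nvram get wan0_ipaddr)
if [ -n "$(echo "$WANIPADDR" | Is_Private_IPv4)" ]; then
    # Drop the last octet; the upstream subnet is treated as a /24.
    WAN_SUBNET=${WANIPADDR%.*}
    iptables -I INPUT -s "$WAN_SUBNET.0/24" -j ACCEPT
    Say "WAN is private IP - allowing upstream subnet $WAN_SUBNET.0/24 access to router"
fi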
 
Using the solution in post #2 you would "Enable Web Access from WAN" on the second router and access it using 192.168.1.98. No need for any static routes or changes to NAT and firewall.

P.S. There appears to be an error in the static route you posted in #5. You say the second router's WAN IP is 192.168.1.98 but your static route is using 192.168.1.198.
 
Thanks. I am getting a bit lost/confused ... I also want any devices connected to the second router to be accessible to any devices connected on the "main network" and vice-versa. On the above post (thanks @Martineau), the command Say returns an error on my second router ...

I do not think only enabling WAN access on the second router would achieve this, correct?

So, to recap:
main router => 192.168.1.1
second router gets WAN IP => 192.168.1.98 (defined as static ip on main)
second router LAN IP => 192.168.98.1

Thanks!

EDIT: I manually issued this command on the second router: iptables -I INPUT -s 192.168.1.0/24 -j ACCEPT ==> this allows me to have access to any devices connected on the main network via their IP address (not their name) ... how do I now do the opposite, I mean accessing any devices connected to the second router from a device connected to the main router? ... I tried iptables -I INPUT -s 192.168.98.0/24 -j ACCEPT on the main router, but that does not do it!
 
@Martineau ), the command Say returns an error on my second router ...
The Say command is my custom function in scripts which simply calls 'logger -st (basename $0) ........ ' with the text - makes my scripts (IMHO) a little tidier and saves time typing if an edit macro isn't defined.

... I tried iptables -I INPUT -s 192.168.98.0/24 -j ACCEPT on the main router, but that does not do it!
The -t FILTER FORWARD chain is used for LAN access (-t FILTER INPUT chain is for access to the Router)
 
Do you mean that on the main router the correct statement is
iptables -I FORWARD -s 192.168.98.0/24 -j ACCEPT
?
 
yup...and if you want to add a comment
Code:
modprobe xt_comment
iptables -I FORWARD -s 192.168.98.0/24 -j ACCEPT -m comment --comment "Downstream Router"
 
I must be doing something wrong. The command is accepted but there is no way to reach any 192.168.98.x devices from my "main" PC (192.168.1.13) ....
 
You may need the corresponding rule on the downstream router to allow LAN access from the upstream router's LAN
 
You also need the corresponding rule on the downstream router to allow LAN access from the upstream router's LAN

... sorry for my difficulties to understand: when I issue iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT on the second router, I get the following error message:
iptables: No chain/target/match by that name
 
It's likely you mis-typed something, or is your firewall still disabled on router 2?

Quite honestly though, if you control both the main router (internet facing) and trust all clients on the second network, disabling the NAT/firewall on router two and correctly inputting the static route (as Colin pointed out your address error on your first attempt at static routes) on router 1 is the easiest to accomplish and can be done entirely in the web GUI. Punching holes with iptables is fine if you need to control which clients have access across the 2 networks. But static routes are my personal preference, as it's easiest to maintain.
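
Where only some clients should cross between the two networks, the subnet-wide ACCEPT rules used earlier in the thread can be narrowed to a single source host, keeping the INPUT/FORWARD split described above. The sketch below is an added example, not code from any poster: it only prints the rules (dry run), and the function names, port 80 and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (dry run): prints narrowly scoped iptables rules, applies nothing.
# Addresses and port are constructed sample values using the thread's addressing.

# Succeeds only for a well-formed RFC 1918 private IPv4 address.
is_private_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    case "$1" in
        10)  return 0 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] ;;
        192) [ "$2" -eq 168 ] ;;
        *)   return 1 ;;
    esac
}

# INPUT chain: traffic addressed to the router itself (its admin page).
# Usage: admin_rule <mgmt_host_ip> <admin_tcp_port>
admin_rule() {
    is_private_ipv4 "$1" || { echo "refusing non-private source: $1" >&2; return 1; }
    case "$2" in
        ''|*[!0-9]*) echo "bad port: $2" >&2; return 1 ;;
    esac
    { [ "$2" -ge 1 ] && [ "$2" -le 65535 ]; } || { echo "bad port: $2" >&2; return 1; }
    echo "iptables -I INPUT -s $1 -p tcp --dport $2 -j ACCEPT"
}

# FORWARD chain: traffic routed through the router to a device on its LAN.
# Usage: device_rule <mgmt_host_ip> <lan_device_ip>
device_rule() {
    { is_private_ipv4 "$1" && is_private_ipv4 "$2"; } ||
        { echo "refusing non-private address" >&2; return 1; }
    echo "iptables -I FORWARD -s $1 -d $2 -j ACCEPT"
}

# Rules for the second router: main PC 192.168.1.13 may reach the admin page
# (port 80 is an assumption) and the PC at 192.168.98.4, nothing else.
admin_rule 192.168.1.13 80
device_rule 192.168.1.13 192.168.98.4
```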
 
Thanks for your feedback.
See attached the static route on main router, I believe this is correct.
nat/firewall are disabled on second router, and despite that I cannot access a PC connected to the second router having ip 192.168.98.4 ...
 

Attachments

  • Capture d’écran 2021-03-01 172051.png
If the firewall was disabled when you tried that iptables command, that is why it failed. It was a command to punch a hole in the firewall.

Just to be clear, there are two suggestions in this thread; follow one or the other. Static routes/disabling NAT/firewall, or leave NAT/firewall enabled and use iptables to allow access.

For static route, are you 100% sure the WAN IP of router 2 is 192.168.1.98?

If NAT/firewall is disabled on Router 2 and the WAN address for router 2 is correct in router 1 static route and you hit apply after adding the static rule, things should be good.

Try just pinging each other first to see if it's your client blocking the connection and you're thinking it's the router; depending on what you're trying to access, it may be blocking connections from different subnets.
 
Thanks for your feedback.

Just to be clear, there are two suggestions in this thread; follow one or the other. Static routes/disabling NAT/firewall, or leave NAT/firewall enabled and use iptables to allow access.
Yes, I understood that and I have restarted from "scratch" trying to apply the static route solution, which seems best fitted to my current skills.
For static route, are you 100% sure the WAN IP of router 2 is 192.168.1.98?
Yes, 100% sure, see this:
1614665162620.png


If nat/firewall is disabled on Router 2 and the WAN address for router 2 is correct in router 1 static route and you hit apply after adding the static rule, things should be good.
Yes, nat/firewall are disabled and yes the static route is correct and yes things "should be good" .... but they are not (at least the way I want):

From the PC connected to the second router with IP 192.168.98.4, if I issue a ping to 192.168.1.13 ("main" PC) I get a timeout with 100% packet loss, while ping to 192.168.1.1 is 100% OK but I cannot access the router page with a browser ... This PC cannot access the internet!!!

From the "main" PC (connected with IP 192.168.1.13), ping to 192.168.98.4 gives a timeout with 100% packet loss, and ping to 192.168.98.1 (second router) gives 100% OK and I can access the router main page via browser!

Besides that, the second router cannot sync date/time:
1614666074595.png



In addition, maybe showing the routing table from the GUI here could help:
this is main router (AX86U Merlin 386.1_2)
1614666754579.png


this is second router (AC87U Merlin 384.13_10)
1614666372275.png
 