
Disabling NAT (as "secondary" router)

CalB

Occasional Visitor
I have 2 Asus routers, both running Merlin wrt:
- an RT-AX86U - the ISP-facing router, 192.168.a.0/24 local plan
- an older RT-AC87U (WAN IP on the 192.168.a.0/24 LAN, and its local plan is 192.168.b.0/24).
I am trying to use the older router as a normal router, as in route between different networks.
The main router does have a route pointing back to 192.168.b.0/24, yet, as soon as I disable NAT, everything but ping stops working. I can ping Google and stuff without any issues, which is weird.

This is a capture of a random stream, but all of them are like this (192.168.20.3 is on 192.168.b.0/24). There is obviously some traffic going back and forth, so the routing should be fine. From a MAC perspective all looking good as well.
Capture from the laptop behind the 2nd router:
[screenshot attachment]

Capture from the ISP-facing router, same stream:
[screenshot attachment]

Ping looks very weird as well (capture is from the ISP-facing router). For some reason tcpdump on the router does not capture the destination MAC, which makes it kinda hard to check if both repeating packets go toward the same interface.
[screenshot attachment]


Can anyone help me out and point to the obvious thing I'm overlooking?
 
I can't think why this wouldn't work. I had the same setup a few years ago with my RT-AX86U and RT-AC68U and it "just works".

I presume your RT-AC87U is minimally configured, e.g. no AiProtection, No QoS, no VPN, standard WAN DHCP, etc.? How about the main router, AiProtection on that?
 
> I can't think why this wouldn't work. I had the same setup a few years ago with my RT-AX86U and RT-AC68U and it "just works".
>
> I presume your RT-AC87U is minimally configured, e.g. no AiProtection, No QoS, no VPN, standard WAN DHCP, etc.? How about the main router, AiProtection on that?

Correct, no AiProtection, no QoS on either of them, no Skynet. VPN & firewall only on the ISP-facing one.
I do have DHCP on both, but I don't see how that would impact things, each has its own LAN (I did try with static IP as well).
As for the WAN, nothing fancy on this one:
[screenshot attachment]

That's my Adguard DNS, but I tried without (and pointing the main router to Google for DNS as well) and nothing. Besides, as far as I can tell from the packet captures, the client sitting behind the 2nd router gets the DNS resolved.
 
I noticed you set the DNS server of the AC router to the IP of the AX router, but they are on different subnets?

The AC router needs to change subnet to include the AX router I believe. (Sorry still sleepy)...
 
The DNS is on the local lan of the AX router, the same one with the "internet" facing interface of the AC router. DNS is fine, the name is resolved. That's why, if you look at the packet captures, an initial TCP connection is established. The 3-way handshake completes.

I've got sidetracked by a different project, but I suspect the ARP cache is the issue. I was using the same laptop, moving it from one lan to another, but at the time I could not find any command for the router to clear the ARP cache in order to rule that in or out.
 
Not sure I understand enough. For example CIDR is very new to me.

But I do not think the first router will service IPs in the second router if they are outside of the subnet. For example I set IP Passthrough on my AT&T gateway to my TP-Link router and I set it to receive a WAN IP dynamically, the TP-Link automatically changes the subnet to include the IP of the gateway in front of the RG.

Or the first router will not want to service any IPs outside of its subnet. Either way I suggest trying to change the subnet on one, the other, or both, to include each other...

Something like that...
 
> Not sure I understand enough. For example CIDR is very new to me.
>
> But I do not think the first router will service IPs in the second router if they are outside of the subnet. For example I set IP Passthrough on my AT&T gateway to my TP-Link router and I set it to receive a WAN IP dynamically, the TP-Link automatically changes the subnet to include the IP of the gateway in front of the RG.
>
> Or the first router will not want to service any IPs outside of its subnet. Either way I suggest trying to change the subnet on one, the other, or both, to include each other...
>
> Something like that...

That's why you need to set up a route on the main router, to know where to send the packets for the second subnet.
[screenshot attachment]


Basically that tells the main router (AX): "Please send all the packets for the 2nd router's LAN (192.168.20.0/24) to its 'internet' facing IP". The same setup works perfectly fine with the IPs below the highlighted one, and that's a much more complex OpenWrt setup, with like 6 VMs behind it.
 
So it is not working once you disable NAT on the 2nd/AC router, but the DHCP server settings (on the AX router) have a subnet that includes IPs on the AC router's LAN?
 
No, the DHCP on the AX router does not include any assignments that would fall under the "local lan" of the other router.
 
> No, the DHCP on the AX router does not include any assignments that would fall under the "local lan" of the other router.

I "think" it won't NAT to any IPs outside of the subnet. That's why when you turn off the NAT of the 2nd router the setup stops working....

(Sorry if I'm confused or worse totally lost)...
 
> I've got sidetracked by a different project, but I suspect the ARP cache is the issue. I was using the same laptop, moving it from one lan to another, but at the time I could not find any command for the router to clear the ARP cache in order to rule that in or out.
I don't think it's an ARP issue, but anything is possible. Use the following command to flush the ARP table.
Code:
ip neigh flush all

A bit of a long shot, but if your AC87U has the option to disable hardware (NAT) acceleration under LAN - Switch Control try that.
 
> I don't think it's an ARP issue, but anything is possible. Use the following command to flush the ARP table.
> Code:
> ip neigh flush all
>
> A bit of a long shot, but if your AC87U has the option to disable hardware (NAT) acceleration under LAN - Switch Control try that.
I'm not sure if it was yours or mine, but something made it start working.

I disabled NAT ACC on the secondary router. Considering how long it took for the setting to apply, I imagined it did reboot the router. It did not work. A couple of minutes after, I decided to manually reboot it, and while waiting for it to do its thing, I decided to clear the ARP cache on the main one. Afterwards everything seems to be working. I'm still seeing some weird behaviour, but it's working.

Thank you.
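A small check script that ties the thread's fixes together, added here as an example (it is not from this thread and not part of Asuswrt-Merlin). It is meant to run on the main (ISP-facing) router after NAT is disabled on the secondary one, and verifies the two things the thread ended up depending on: a static return route for the secondary LAN, and a usable neighbour (ARP) entry for that route's next hop, suggesting `ip neigh flush all` only when the entry is missing or FAILED. The addresses are placeholders: 192.168.1.0/24 stands in for the thread's 192.168.a.0/24, 192.168.1.20 is an assumed WAN-side address for the secondary router, and 192.168.20.0/24 is the secondary LAN the thread names. By default it runs against constructed sample tables embedded in the script; with `--live` it reads the real `ip route` and `ip neigh` output.

```shell
#!/bin/sh
# Added example, not from the thread or from Asuswrt-Merlin. Run on the MAIN
# (ISP-facing) router once NAT is off on the secondary router. Checks:
#   1. a static return route for the secondary LAN exists and points at the
#      secondary router's WAN-side address (the "route pointing back");
#   2. that next hop has a usable neighbour (ARP) entry, so packets for the
#      secondary LAN are not stuck behind a FAILED or missing entry.
#
# Placeholder addressing (assumed, not from the thread):
#   main LAN 192.168.1.0/24            (the thread's 192.168.a.0/24)
#   secondary router WAN side 192.168.1.20
#   secondary LAN 192.168.20.0/24      (the thread's 192.168.b.0/24)
SECOND_LAN="192.168.20.0/24"
SECOND_GW="192.168.1.20"

# route_via DST GW: exit 0 when the `ip route` text on stdin contains a route
# to DST whose next hop is GW.
route_via() {
  awk -v dst="$1" -v gw="$2" \
    '$1 == dst && $2 == "via" && $3 == gw { found = 1 } END { exit !found }'
}

# neigh_state IP: print the neighbour-cache state (REACHABLE, STALE, FAILED, ...)
# of IP from the `ip neigh` text on stdin, or MISSING when there is no entry.
neigh_state() {
  awk -v ip="$1" \
    '$1 == ip { print $NF; found = 1; exit } END { if (!found) print "MISSING" }'
}

# diagnose ROUTES NEIGH: return 0 when both checks pass, 1 when the return
# route is missing, 2 when the next hop has no usable neighbour entry.
diagnose() {
  routes="$1"; neigh="$2"
  if ! printf '%s\n' "$routes" | route_via "$SECOND_LAN" "$SECOND_GW"; then
    echo "no route to $SECOND_LAN via $SECOND_GW: add the static route on the main router"
    return 1
  fi
  state=$(printf '%s\n' "$neigh" | neigh_state "$SECOND_GW")
  case "$state" in
    REACHABLE|STALE|DELAY|PROBE|PERMANENT)   # entries the kernel can still use
      echo "return route present, next hop $SECOND_GW is $state"
      return 0 ;;
    *)
      echo "next hop $SECOND_GW is $state: run 'ip neigh flush all' and retest"
      return 2 ;;
  esac
}

# Constructed sample tables standing in for `ip route` and `ip neigh` output
# on the main router (sample data, not captured from a real device).
SAMPLE_ROUTES='default via 203.0.113.1 dev eth0
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
192.168.20.0/24 via 192.168.1.20 dev br0'
SAMPLE_NEIGH_OK='192.168.1.20 dev br0 lladdr 02:00:00:00:00:20 REACHABLE
192.168.1.50 dev br0 lladdr 02:00:00:00:00:50 STALE'
SAMPLE_NEIGH_BAD='192.168.1.20 dev br0 FAILED'

if [ "${1:-}" = "--live" ]; then
  diagnose "$(ip route)" "$(ip neigh)"          # real tables on the router
else
  diagnose "$SAMPLE_ROUTES" "$SAMPLE_NEIGH_OK"   # healthy sample
  diagnose "$SAMPLE_ROUTES" "$SAMPLE_NEIGH_BAD" || true   # FAILED-entry sample
fi
```

The script only reads state; the one corrective step it suggests is the same `ip neigh flush all` from the thread, and that is deliberately left for the operator to run by hand. A STALE entry is reported as usable because the kernel re-probes it on the next packet; only MISSING or FAILED points at the neighbour cache as the culprit.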
 
