Firewall settings for wan to lan setup

skezo

New Around Here
I am trying to set up a network with two routers and seem to be stuck on setting up the firewall on router 2 (I use Router 2 as a dedicated VPN client).

Legend:
Router 1 = Netgear N900 ( running stock firmware )
Router 2 = RT-N66U (running Asuswrt-Merlin 3.0.0.4_374.39_0 )

Setup:
{modem}<----{(wan)Router 1 (lan)}<-----{(wan) Router 2}

Router 1 has a static route set up

Issue / Current Outcome:
  • Computers on Router 1 cannot access computers on Router 2 when the firewall on Router 2 is enabled.
  • Computers on Router 2 can access computers on Router 1

If I disable the firewall on Router 2 everything works as expected. All computers can see each other and communicate with each other. My understanding is that to fix this I just need to add a static route on Router 2, but when I add this it has no effect.

Expected/Desired Outcome:
Computers on Router 1 can access computers on Router 2
Computers on Router 2 can access computers on Router 1
While having the firewall enabled

Any help on this would be greatly appreciated.
 
They're talking about a default route.

Here; I haven't tested anything yet, but adding this to /jffs/scripts/wan-start should fix the router-in-router mode, so that the WAN port is bridged and will allow LAN traffic to pass. Set the LAN gateway IP in the script. Use the webui to set the router's LAN IP/subnet to something different on your LAN, while setting the static WAN IP to gibberish.

Code:
#!/bin/sh
#
# set the LAN gateway IP to $default (the LAN address of the upstream router)
default="192.168.0.1"
#
# nuke eth0 settings: drop the WAN port's own IP address so it can be bridged
ifconfig eth0 0.0.0.0 up
#
# send everything not on the local subnet to the upstream router
# (busybox route needs the "add" verb)
route add default gw $default
#
# fix the WAN port: put it into the LAN bridge so LAN traffic passes straight through
brctl addif br0 eth0
#
# make sure the user scripts are executable (only needs to be run once from a shell)
chmod a+rx /jffs/scripts/*
 
Thanks for this. If I understand correctly, what I should do is run the script you provided on router 2 and it should allow LAN traffic on the WAN?

If this understanding is correct where it says:
Code:
# set the LAN gateway IP to $default
default="192.168.0.1"

I should change this to the gateway of which router? e.g. Router 2 runs on 192.168.2.1 while Router 1 runs on 192.168.1.1
 
No, this script keeps router 2 on the same network as router 1.

If router 1 is 192.168.0.1, router 2 should be 192.168.0.2 with the gateway set as 192.168.0.1.

There's no way to have them as separate networks and have the router 1 net get to router 2's net with a double NAT. If you want to keep a double NAT setup, all you can do is port forwarding to access servers on the router 2 net from the router 1 net.

Basically, this is like 'AP mode', but without disabling the extra features.
 
Thanks. I do not believe double NAT is needed for my setup. I am going to go read about double nat...

Question for this:
  • Why does disabling my firewall on router 2 "fix" it even with double nat?
 
I tried disabling NAT on router 2 but once I did that I was unable to communicate with router 1 from router 2.

I have added some more details about my setup below and what is currently enabled on each router. What I do not understand is that when I disable the firewall on router 2 everything works exactly as desired (meaning I can access information from each network). However, if I enable the firewall on router 2 I am unable to access computers behind router 2 from computers connected to router 1.

You mentioned that this could be resolved by adding port forwarding on router 1, but I am not sure I understand how this would resolve the issue, as the problem seems to be with the firewall on router 2.


Router 1 Setup:
WAN IP Address - Dynamic (connects to ISP)
NAT Enabled
UPnP Enabled
LAN IP Address - 192.168.1.1
DHCP Enabled
Static Route:
Destination: 192.168.2.0
Subnet: 255.255.255.0
Gateway: 192.168.1.3


Router 2 Setup:
WAN IP Address - 192.168.1.3
NAT Enabled
UPnP Enabled
LAN IP Address - 192.168.2.1
DHCP Enabled
Firewall Enabled
 
Note: I am very open to changing my setup if there is a better way to do it.

Currently I am stuck with this firewall issue and do not understand how to resolve it. Any help on this would be greatly appreciated.
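The symptom in this post (everything works once Router 2's firewall is off) is what you would expect when Router 1's static route delivers packets for 192.168.2.0/24 to Router 2's WAN port and Router 2's firewall then drops them as new inbound connections on WAN. A narrower fix than switching the firewall off is to accept only that one subnet-to-subnet flow. This is an added example, not code from the thread; it assumes Asuswrt-Merlin's /jffs/scripts/firewall-start hook is available on this build and that eth0 is the WAN port, as in the script posted earlier.

```shell
#!/bin/sh
# Added example, not from the thread. Meant for Router 2 (Asuswrt-Merlin), saved as
# /jffs/scripts/firewall-start, which the firmware runs after building its own rules
# (assumption: that hook exists on the poster's firmware build).
# eth0 as the WAN port and the two subnets are taken from the thread above.
UPSTREAM_LAN="192.168.1.0/24"   # Router 1's LAN; Router 1 already routes 192.168.2.0/24 here
LOCAL_LAN="192.168.2.0/24"      # Router 2's LAN
WAN_IF="eth0"                   # Router 2's WAN port (192.168.1.3)

# Refuse anything that is not dotted-quad/prefix, so a typo cannot widen the
# ACCEPT rule to the whole Internet. (Shape check only, not a full validator.)
is_cidr() {
  case "$1" in
    [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Emit the iptables commands, one per line, without running them.
# Only NEW connections from Router 1's LAN, arriving on the WAN port and headed
# for Router 2's LAN, are allowed. The stock rules already pass ESTABLISHED and
# RELATED replies, and everything else arriving on WAN stays blocked as before.
build_rules() {
  is_cidr "$1" && is_cidr "$2" || return 1
  # -D first so re-running the hook (firewall restart, WAN flap) does not stack duplicates
  printf '%s\n' \
    "iptables -D FORWARD -i $3 -s $1 -d $2 -m state --state NEW -j ACCEPT 2>/dev/null" \
    "iptables -I FORWARD -i $3 -s $1 -d $2 -m state --state NEW -j ACCEPT"
}

# Apply the rules only when executed as the hook; when sourced elsewhere, just define them.
if [ "${0##*/}" = "firewall-start" ]; then
  build_rules "$UPSTREAM_LAN" "$LOCAL_LAN" "$WAN_IF" | sh
fi
```

Traffic from Router 2's LAN toward Router 1 is unaffected; it is still NATed to 192.168.1.3 as before, so the static route on Router 1 only matters for the Router 1 to Router 2 direction.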
 
Note: I am very open to changing my setup if there is a better way to do it.

Currently I am stuck with this firewall issue and do not understand how to resolve it. Any help on this would be greatly appreciated.

On the second router, make sure you go into the settings and allow ICMP.

Use the link below to guide you on setting up a static route. I've never set up a static route for anything but Linksys routers, and that was years ago. Getting it to work was probably blind luck on my part...

http://kb.linksys.com/Linksys/ukp.aspx?pid=80&vw=1&articleid=17589
 
IMHO running router2 (ASUS) in AP-mode should give you what you want,
unless you want clients on router1 to use the Internet via the vpn-connection
on router2 as well.

With the ASUS in AP-mode, (re-)enable the DHCP server on router1 and, if possible, assign a dedicated IP to the ASUS.
 
@jlake
Thanks, I am going to have a play with it this weekend. Quick question on the ASUS router: how do you check if ICMP is allowed? I was looking through the GUI and could not locate it. Does it need to be done on the CLI?


@Ford Prefect
I was originally trying to do that, but when I put the ASUS into AP mode I lost access to the VPN client. Is there a way to put it into AP mode while retaining access to the VPN settings?
 
@Ford Prefect
I was originally trying to do that, but when I put the ASUS into AP mode I lost access to the VPN client. Is there a way to put it into AP mode while retaining access to the VPN settings?

...arrgh!
I actually have been under the impression that this is not the case, but this is a show stopper for sure.
...and in AP-mode, the firewall will be disabled as well, I think.
Looks like a dead end, sorry.
 
Maybe just plug the ethernet cable from Router 1 into a LAN port of Router 2, disable DHCP and the firewall on Router 2, give router 2 a fixed IP/subnet/default gateway, and do whatever you want with the wireless on Router 2? I don't know if that means you could use the VPN client, but that should put everything on the same net.
 