What's new

Multiple routers/networks after RT-N66U

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

WildWurger

Occasional Visitor
Hi all gurus, I really need some help on my own test lab, I am creating multiple networks and building a test lab. So therefore i need to create a few networks.

As attached,

there is 1 internet from WAN then goes to Router A, which is RT-N66U from asus with Merlin firmware 3.0.0.4.270.26b. it has 2 OpenVPN instance currently.
This is the first network segment 10.0.1.0/24 which all my usual clients will connect to like wireless, wired and so on.

then i want to create 3 more networks as shown,

and there are 3 more routers connected to the switch which the switch is connected to Router A.

10.1.0.0/24 (Router 1, Tomato USB) WAN: 10.0.1.30
10.1.1.0/24 (Router 2, Linksys Stock) WAN: 10.0.1.31
10.1.2.0/24 (Router 3, OpenWRT) WAN: 10.0.1.32
I did try on TomatoUSB, Linksys, OpenWRT, dd-WRT, Microsoft RRAS, pfSense.... with similar settings

in my Router A, i have the static routing set as shown as attached

an all the router below the Router A. I had set to "Router Mode" which disable NAT.

I can ping from Router A segment to all the hosts of other segments no problem.

however i cannot ping in reverse, that is a Host from 10.0.1.100 can ping to 10.1.0.100 and 10.1.1.100 and 10.1.2.100 (sorry for the IP addressing convention) but not the other way round, host 10.1.0.100, 10.1.1.100 and 10.1.2.100 are unable to ping 10.0.1.100

IF, i set to "Gateway Mode", which i believe not the right way... the situation reverse, all the 10.1.0.100, 10.1.1.100 and 10.1.2.100 can ping 10.0.1.100 but not the other way round.

In either way, all networks can access internet alright.

Router 1, 2 and 3 can ping host in 10.0.1.0/24 no problem, but its DHCP leases cannot....

clients from the 10.1.0.100, 10.1.1.100 and 10.1.2.100 can ping each other hosts no problem.

Please all gurus take a look and enlighten me, where did i do wrong... it driving me nuts!

Thanks in advance
 

Attachments

  • problem.gif
    problem.gif
    11.7 KB · Views: 601
Suggestion: try to access each router, and check both the configured interfaces and their routing tables, in case something might be incorrectly configured by the firmware. Also make sure that packet forwarding is enabled in each router's kernel:

Code:
cat /proc/sys/net/ipv4/ip_forward

Also, is the firewall disabled? Otherwise, you might have iptable rules blocking traffic. You can check the tables:

Code:
iptables -L
 
Hi thanks for the reply =D i will check on it later, however for an update, i can Ping to 10.0.1.0/24 network from all the Router 1, Router 2 and Router 3 themselves. Just that the clients after the routers are able to ping/access the 10.0.1.0/24 network.
 
Kernel forwarding in RT-N66u.

admin@RT-N66U:/tmp/home/root# cat /proc/sys/net/ipv4/ip_forward
1


iptables on RT-N66U, thanks for all the patience..

admin@RT-N66U:/tmp/home/root# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:1194
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere state RELATED,ESTAB LISHED
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt: bootpc
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:1723
ACCEPT gre -- anywhere anywhere
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
TCPMSS tcp -- anywhere anywhere tcp flags:FIN,SYN,R ST,ACK/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere state RELATED,ESTAB LISHED
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp flags:FIN,SYN,R ST,ACK/SYN limit: avg 1/sec burst 5
ACCEPT tcp -- anywhere anywhere tcp flags:FIN,SYN,R ST,ACK/RST limit: avg 1/sec burst 5
ACCEPT icmp -- anywhere anywhere icmp echo-request l imit: avg 1/sec burst 5
ACCEPT all -- anywhere anywhere ctstate DNAT
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain FUPNP (0 references)
target prot opt source destination
ACCEPT tcp -- anywhere 10.0.1.40 tcp dpt:https
ACCEPT tcp -- anywhere 10.0.1.40 tcp dpt:www

Chain PControls (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain logaccept (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT all -- anywhere anywhere

Chain logdrop (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP'
DROP all -- anywhere anywhere
 
Last edited:
I would try disabling the firewall to see if it's your problem:

Code:
iptables -F
iptables -P FORWARD ACCEPT
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT


If it is, then you'll at least know where to look.
 
Hi thanks =)

Are these commands equivalent with "Enable Firewall" = No under Firewall page?

Probably - they are just a quick way to flush the existing rules.
 
Hi Thanks, i tried disabled the firewall as you advice, everything is ok.

Right after that, i restarted the router, and it went back to blocked, and after i reinput the commands again, it works again.

however, after the next reboot, it seems that it somehow worked even without disabling the firewall. but the behaviour is unpredictable. sometimes it gets blocked back after some time...

and there is unusually timeouts between clients in both subnets (but not from router to clients)...

very strange behaviour...

can please advice how i should put fix iptables on the networks that i want them permanently allowed in firewall 2 ways (without NAT), Thanks for all the help!

admin@RT-N66U:/tmp/home/root# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.10.2 * 255.255.255.255 UH 0 0 0 tun21
10.0.11.2 * 255.255.255.255 UH 0 0 0 tun22
175.136.15.254 * 255.255.255.255 UH 0 0 0 ppp0
10.0.1.0 * 255.255.255.0 U 0 0 0 br0
10.1.4.0 10.0.1.34 255.255.255.0 UG 1 0 0 br0
10.1.0.0 10.0.1.30 255.255.255.0 UG 1 0 0 br0
10.1.1.0 10.0.1.31 255.255.255.0 UG 1 0 0 br0
10.0.10.0 10.0.10.2 255.255.255.0 UG 0 0 0 tun21
10.1.2.0 10.0.1.32 255.255.255.0 UG 1 0 0 br0
10.0.11.0 10.0.11.2 255.255.255.0 UG 0 0 0 tun22
10.1.3.0 10.0.1.33 255.255.255.0 UG 1 0 0 br0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 175.136.15.254 0.0.0.0 UG 0 0 0 ppp0
 
Hi Thanks, i tried disabled the firewall as you advice, everything is ok.

Right after that, i restarted the router, and it went back to blocked, and after i reinput the commands again, it works again.

however, after the next reboot, it seems that it somehow worked even without disabling the firewall. but the behaviour is unpredictable. sometimes it gets blocked back after some time...

and there is unusually timeouts between clients in both subnets (but not from router to clients)...

very strange behaviour...

can please advice how i should put fix iptables on the networks that i want them permanently allowed in firewall 2 ways (without NAT), Thanks for all the help!

admin@RT-N66U:/tmp/home/root# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.10.2 * 255.255.255.255 UH 0 0 0 tun21
10.0.11.2 * 255.255.255.255 UH 0 0 0 tun22
175.136.15.254 * 255.255.255.255 UH 0 0 0 ppp0
10.0.1.0 * 255.255.255.0 U 0 0 0 br0
10.1.4.0 10.0.1.34 255.255.255.0 UG 1 0 0 br0
10.1.0.0 10.0.1.30 255.255.255.0 UG 1 0 0 br0
10.1.1.0 10.0.1.31 255.255.255.0 UG 1 0 0 br0
10.0.10.0 10.0.10.2 255.255.255.0 UG 0 0 0 tun21
10.1.2.0 10.0.1.32 255.255.255.0 UG 1 0 0 br0
10.0.11.0 10.0.11.2 255.255.255.0 UG 0 0 0 tun22
10.1.3.0 10.0.1.33 255.255.255.0 UG 1 0 0 br0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 175.136.15.254 0.0.0.0 UG 0 0 0 ppp0

Just disabling both Firewall and NAT on the webui should have the same effect as flushing the iptables. If it still doesn't work then do an "iptables -L" after a reboot to check which default policy the router uses for each chain (especially the FORWARD chain, make sure the defaul policy will be ACCEPT).
 
just an update... this will fix all the static routing issues.

iptables -D FORWARD -m state --state INVALID -j DROP

and if using log traffic, need this

iptables -D FORWARD -m state --state INVALID -j logdrop

:)
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top