
I'm attempting to wirelessly connect my neighbor's home network with mine. We each have our own internet services and subnets which we want to preserve, but still be able to access services between our subnets. To that end, I purchased two Ubiquiti NanoStation loco M2s and set them up in a test configuration as outlined in the diagram:

network diagram

I have one M2 connected to a LAN port on my ASUS wireless router. The M2 has Wireless Mode configured as "Access Point" and Network Mode configured as "Router". The lan0 interface has 192.168.5.50/24 assigned (gateway 192.168.5.1, dns 192.168.5.1) and wlan0 is assigned 192.168.3.1/24. It has a static route, 192.168.2.0 via 192.168.3.2. From this point, I can successfully ping two existing hosts on my network, 192.168.5.10 and 192.168.5.13.

The other M2, connected to the 192.168.2.0/24 network, has Wireless Mode configured as "Station" and Network Mode also configured as "Router". The lan0 interface has 192.168.2.2 assigned (gateway 192.168.2.1, dns 192.168.2.1) and wlan0 has 192.168.3.2/24. This M2 has a static route, 192.168.5.0 via 192.168.3.1.

The ASUS router at 192.168.5.1 is handing out DHCP and has a static route, 192.168.2.0 via 192.168.5.50.

The laptop in the diagram is assigned a static address of 192.168.2.3. During testing, it was connected directly to the "far-side" M2. I could ping 192.168.2.2, 192.168.5.50, and 192.168.5.13 immediately.

This is where it starts to get strange.

When attempting to SSH from 192.168.2.3 to 192.168.5.13, the command would drag on forever, but I was eventually able to connect. I ran the command with verbose output and found that an error was occurring with GSSAPI authentication due to reverse DNS lookup failure. I added 192.168.5.1 to the list of DNS resolvers on the laptop, which fixed this issue and allowed me to connect immediately.

However, I was unable to SSH to 192.168.5.10 at all. I can ping it from the laptop, but unless I manually add a static route on the 5.10 host for 192.168.2.0 via 192.168.5.50, it won't connect. The odd thing is that the host at 192.168.5.13 does not need this static route; it connects regardless. The laptop at 192.168.2.2 doesn't have any static routes and there is no change if a static route is added.

I can ping the laptop from 192.168.5.13, however the ping output includes ICMP redirects.

  1. How can it be that 192.168.5.13 can be accessed without a static route, but 192.168.5.10 cannot be?

  2. Shouldn't the above access be covered by the static route entry at 192.168.5.1?

  3. Is there any missing configuration or incorrect configuration? I was researching DHCP options 141 and 249, would that be the correct approach to fix this issue?

techraf
  • 4,952

1 Answer


This sounds like a problem with reverse path filtering. Edit (as sudo) the file /etc/sysctl.conf on the Debian machine and make sure it has the following two lines:

net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0

save, reboot the machine, see whether you still have the problems in question. If not, then the easiest way to solve would be to add the following rule to the Asus firewall,

iptables -t nat -A POSTROUTING -o ethN -j MASQUERADE

where ethN is the name of the interface to which your CentOS and Debian machines are connected. This would have the advantage of saving you a configuration on each pc, but I am afraid you have the proprietary firmware on the Asus, nothing like dd-wrt, openwrt, tomato, and so on, am I right? In this case you will have to study the FM to see whether anything to this effect exists at all. Or you may check whether the Ubiquities can do that (are they running EdgeOS? If so, then you can certainly enforce the rule above).

MariusMatutiae
  • 48,517
  • 12
  • 86
  • 136
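To see why a reply from a 192.168.5.x host that has no static route first goes to the ASUS and comes back with the ICMP redirects the question mentions, and to check the strict rp_filter condition the answer refers to, here is an added Python model of the topology (not from the post or the answer; the interface names and the default routes on the laptop and on the 5.x hosts are assumptions):

```python
import ipaddress as ipa

# Constructed model of the question's topology. Assumed (not stated in the
# post): the laptop and the 192.168.5.x hosts default-route to the nearest router.
NODES = {  # name: ({iface: address/prefix}, [(destination, next_hop), ...])
    "laptop":  ({"eth0": "192.168.2.3/24"}, [("0.0.0.0/0", "192.168.2.2")]),
    "far_m2":  ({"lan0": "192.168.2.2/24", "wlan0": "192.168.3.2/24"},
                [("192.168.5.0/24", "192.168.3.1"), ("0.0.0.0/0", "192.168.2.1")]),
    "near_m2": ({"lan0": "192.168.5.50/24", "wlan0": "192.168.3.1/24"},
                [("192.168.2.0/24", "192.168.3.2"), ("0.0.0.0/0", "192.168.5.1")]),
    "asus":    ({"lan": "192.168.5.1/24"}, [("192.168.2.0/24", "192.168.5.50")]),
    "host10":  ({"eth0": "192.168.5.10/24"}, [("0.0.0.0/0", "192.168.5.1")]),
}
OWNER = {str(ipa.ip_interface(a).ip): n for n, (ifs, _) in NODES.items() for a in ifs.values()}

def iface_for(node, ip):
    """Interface of `node` whose subnet contains `ip`, or None."""
    for name, addr in NODES[node][0].items():
        if ipa.ip_address(ip) in ipa.ip_interface(addr).network:
            return name
    return None

def lookup(node, dst):
    """Longest-prefix match over connected subnets and static routes.
    Returns (egress_iface, next_hop); a directly connected host is its own next hop."""
    ifaces, routes = NODES[node]
    cands = [(ipa.ip_interface(a).network, dst) for a in ifaces.values()]
    cands += [(ipa.ip_network(p), via) for p, via in routes]
    hits = [(net.prefixlen, nh) for net, nh in cands if ipa.ip_address(dst) in net]
    if not hits:
        return None
    nh = max(hits, key=lambda h: h[0])[1]
    return iface_for(node, nh), nh

def trace(src, dst):
    """Forward a packet hop by hop until the node owning `dst` is reached.
    Returns [(node, egress_iface, next_hop, redirect)]; redirect is True when a
    router sends the packet back out the interface it arrived on, which is the
    situation in which a router emits an ICMP redirect to the sender."""
    path, node, ingress = [], src, None
    while node != OWNER.get(dst):
        hit = lookup(node, dst)
        if hit is None or len(path) > 8:
            raise RuntimeError(f"{node}: no route to {dst} or routing loop")
        iface, nh = hit
        path.append((node, iface, nh, ingress is not None and iface == ingress))
        node, ingress = OWNER[nh], iface_for(OWNER[nh], nh)
    return path

def strict_rpf_ok(node, src_ip, ingress):
    """Linux rp_filter=1: accept only if the best route back to src_ip leaves
    through the interface the packet arrived on (interface, not next hop)."""
    return lookup(node, src_ip)[0] == ingress
```

Running trace("host10", "192.168.2.3") shows the reply leaving via the ASUS, which forwards it back out the same LAN interface towards 192.168.5.50; adding the static route from the question to host10 removes that hop.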