I have my ISP's router (R1) on 192.168.0.1; it gives the second router (R2) the IP 192.168.0.2, and the two are connected LAN port to WAN port.
R2 is an Archer C20 and has the network 192.168.5.0/24; it's on 192.168.5.1.
I can access the R1 LAN from R2, but not the R2 LAN from R1. I reviewed a few questions here, but I'm not clear why it's not possible or whether there's a workaround.
[network diagram]

I thought that if I do sudo ip route add 192.168.5.0/24 via 192.168.0.2, then pinging 192.168.5.1 would work because router 2 knows its own network, but it doesn't work.
Is there a way to reach the second router's subnet from the first?

Update: There were three goals: to isolate the two networks, to have only one service (a VPN) on the first network that can access the second one (to do wake-on-LAN), and to make a subnet to escape from overlapping subnets on the VPN without touching the ISP R1 LAN.
But the first network is still reachable from the second one because it's the main gateway, so it doesn't work as I expected to protect my home network. I'll probably switch my router to AP mode and limit the VPN to some devices only.


Conclusions and notes learned:

Finally the R2 network could be reached from the LAN on R1. The issue was with the firewall, as pointed out by @user1686: I didn't see that the router has an option under Security, "Enable SPI Firewall"; disabling it solves the issue, and that's why I selected that answer.
From there you need to add a static route in the router, or in this case only on the desired devices, like sudo ip route add 192.168.5.0/24 via 192.168.0.2 (and dev wlan0 if necessary). Make sure it's all right with route -n or ip route get 192.168.5.12 and a ping. Then you can make it persistent in a file /etc/dhcpcd.exit-hook.
Having added the static route, I can ping the inner LAN IPs. I can't ping R2 on its WAN or on its local IP, but that's a default router restriction. I also couldn't get into its admin page on 192.168.5.1 from a browser, which is a bit odd.

DOUBLE NAT

BUT, as pointed out by @harrymc, it's an overly complex setup, and @davidgo led me to research this case. This is a case of double NAT; for most users it won't be noticeable, but on some game consoles or when exposing services, it will add overhead:
For example, if I had a web page on the inner router, there are 3 options: open port 80 twice (PAT), make R2 a DMZ, or add a static route there (if R1 has the option).
The primary goal of isolating the main home network is not achievable (it is still reachable from R2), and the management of the routing is complex.
Therefore, it's not a good solution to use double NAT as a firewall (check double nat and double nat forum). And security still depends on which ports are exposed and which services and passwords are used.

SOLUTION

So if you are double natting, don't.

  • Put R2 in access point mode, disabling its DHCP, and keep R1 managing the IPs (LAN to LAN recommended, or LAN to WAN in AP mode). If a VPN is wanted, check the network setup to solve overlap issues.
  • Option two, if you want full management: put the ISP's R1 in bridge mode and make R2 the main router.

Thanks to all

Rodrigo

3 Answers

Your route seems to be correct; most likely, as TomYan mentioned, the problem is with the router's firewall configuration.

Practically every "home wireless router" is built with the assumption that the WAN interface will, in fact, connect to the Internet and with a default firewall ruleset that blocks all connections from that direction.

(Even though the WAN port isn't connected to the Internet in your current layout, the router really has no way to tell the difference – the private IP addresses are not a good enough hint. For all it "knows", it might be connected to a WAN connection that just happens to use CGNAT, or to a university campus network, or something like that. So there is no auto-detection, the WAN interface is just always untrusted.)

So if you want to reach Network2 from Network1, you also need to specifically permit those connections in Router2's firewall. (No exact instructions as each router's firewall settings look different.)

Similarly, whenever you want to block some specific access from one network to the other (in either direction), you can do that through firewall rules. For example, it should be easy to write a rule that allows traffic from Network2 to any address except Network1, letting the former still access the Internet while isolating it from the "outer" network.


Generally my impression is that most "wireless routers" just aren't very suitable for internal routing (though some are more okay than others). If you're looking for flexibility, OpenWRT or similar might be needed; so far the only remaining "out of the box" alternative seems to be Mikrotik's RouterOS-based devices. Sometimes it's actually easier to set up your own router from a generic PC running Debian or OPNsense.

grawity
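As an added example (not part of grawity's answer or any router's stock configuration), here is an nftables ruleset for R2 running a Linux-based firmware such as OpenWRT or a Debian box, which permits connections from Network1 into Network2 selectively instead of disabling the SPI firewall outright, and isolates Network2 from Network1 as described above. The interface names, the address of the permitted VPN host and the use of nftables itself are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example for R2 (not the answer's own config). Assumed: eth0 is R2's WAN
# port (192.168.0.2 from R1), br-lan is R2's LAN bridge, and 192.168.0.50 is the
# one Network1 host (the VPN box) allowed to open connections into Network2.
flush ruleset

define WAN_IF   = "eth0"
define LAN_IF   = "br-lan"
define OUTER    = 192.168.0.0/24    # Network1, R1's LAN
define INNER    = 192.168.5.0/24    # Network2, R2's LAN
define VPN_HOST = 192.168.0.50      # assumed address of the permitted outer host

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic of connections that were accepted when they started.
        ct state established,related accept
        ct state invalid drop

        # Network2 -> Internet is allowed, but nothing into Network1 itself.
        iifname $LAN_IF oifname $WAN_IF ip daddr $OUTER drop
        iifname $LAN_IF oifname $WAN_IF accept

        # Network1 -> Network2: only the VPN host may open new connections.
        # To let all of Network1 in, use "ip saddr $OUTER" instead; the
        # default policy keeps every other WAN-originated connection out.
        iifname $WAN_IF oifname $LAN_IF ip saddr $VPN_HOST ip daddr $INNER ct state new accept
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname $LAN_IF accept                                  # admin page from the inner LAN
        iifname $WAN_IF ip saddr $VPN_HOST tcp dport 80 accept  # admin page from the VPN host only
        iifname $WAN_IF udp dport 68 accept                     # DHCP replies from R1 for eth0
    }
}

table inet nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        # The second NAT layer: Network2 hides behind 192.168.0.2 on the way out.
        # Connections arriving from Network1 are not rewritten, so inner hosts see
        # the real 192.168.0.x source and answer through their default gateway R2.
        oifname $WAN_IF masquerade
    }
}
```

Hosts on Network1 (or R1 itself, if it supports static routes) still need the route 192.168.5.0/24 via 192.168.0.2 from the question, otherwise their packets never reach R2 in the first place.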

There are multiple possibilities as to what the problems are:

The most likely is that router 2 is applying NAT to everything forwarded through the WAN interface, so when router 1 pings an IP on the LAN side of router 2 the response is being NATed and thus is never received from the destination IP.

Somewhat less likely is that there is an incorrect netmask somewhere. If any device in the chain has a /16 netmask it will dump the traffic directly on that interface rather than route it.

Without knowing your hardware I can't advise exactly how to diagnose it, but I use tcpdump on my routers/devices to see packets entering and leaving various points on the network to diagnose problems; of course this is not always an option.

If you are doing this to isolate traffic from router 2 to clients of router 1, it won't work unless you add firewalling on router 2.

If you haven't already, and these are typical home/small business routers, investigate a more powerful firmware like DD-WRT or Tomato on router 1. These may let you turn a LAN port into a second WAN port, which will allow you to do the kind of network isolation you want; otherwise turning router 2 into an AP is a good idea, as it's a lot simpler to manage.

davidgo

You're aiming at a complex setup that will require routing rules on most computers, which will also be fragile and prone to errors.

I would rather go for a simple solution that doesn't require lots of network savvy.

For my taste, as this is a rather small network, trying to hide some computers from the others via a secondary sub-network and still allow one-directional access is an overkill. There are simpler solutions.

You could simply make the whole thing into one network, just keep your login passwords secret. This would be similar enough to a VPN as it also requires a password.

You could use just one router for the entire network, or if two routers are required then see LAN to LAN in the post Expanding wireless coverage: What are the differences between LAN to LAN and LAN to WAN when it comes to connecting two wireless routers?

Another solution that comes to mind is to use one router that supports VLANs, isolating the two subnets each in a separate VLAN, with access rules.

harrymc