0

I have 2 home routers and want to allow (some) devices to communicate across subnets.

  • ROUTER#1 (ASUS RT-AC87U), subnet 192.168.1.0/24, acting as the main router connected to the ISP
  • ROUTER#2 (NETGEAR WGR614 v7), subnet 192.168.2.0/24, connecting its WAN port to ROUTER#1 LAN port

[INTERNET] -> [WAN] ROUTER#1 [LAN] -> [WAN] ROUTER#2 [LAN] -> PC#2

How do I allow devices connected directly to ROUTER#1 to talk to devices on ROUTER#2 (by their IP on ROUTER#2's subnet) but not vice-versa?

For example, given PC#1 (192.168.1.217) connected to ROUTER#1 LAN, reach PC#2 (192.168.2.10) connected to ROUTER#2's LAN port. As a test, I'm trying to reach a dummy web server hosted on PC#2 port 80 via http://192.168.2.10/index.html or ping 192.168.2.10.

If I configure port forwarding on ROUTER#2 on port 80 to forward to PC#2 (192.168.2.10), and access it via ROUTER#2 IP on ROUTER#1 subnet (192.168.1.5) it works as expected, but that's not the goal.

ROUTER#1 needs to stay has the main router connecting to ISP. Also, ROUTER#2 needs to provide it's own subnet and DHCP.

ROUTER#1 allows me to configure static routes, firewall (iptable). ROUTER#2 is a lot more limited in configurations, allowing me to enable/disable SPI firewall and configure static routes. I've searched, but couldn't find any control over NAT on ROUTER#2.

FYI: I'm a NOOB on networking, but trying to learn during the process.

SETUP SUMMARY

ROUTER#1 (ASUS RT-AC87U)

  • WAN port connected to ISP Modem
  • ROUTER#2 (192.168.1.5) connected to LAN port
  • PC#1 (192.168.1.217) connected to LAN port
  • reserved IP for ROUTER#2 (192.168.1.5)
  • static route entry to forward 192.168.2.0/24 via 192.168.1.5 interface br0
  • entry on iptables FORWARD chain to ACCEPT src 192.168.1.0/24 dst 192.168.2.0/24 if br0

ROUTER#2 (NETGEAR WGR614 v7)

  • WAN port connected to ROUTER#1 LAN port
  • PC#2 (IP: 192.168.2.10) connected to Router#2 LAN port (running dummy web server on port 80)
  • port forward to bind 80:80 dst 192.168.2.10
  • SPI Firewall disabled
  • Respond to ping on internet port enabled

From PC#1

  • can ping Router#2 on 192.168.1.5
  • cannot ping Router#2 on 192.168.2.1
  • cannot ping PC#2 on 192.168.2.10
  • cannot reach web server on 192.168.2.10:80

SETUP DETAILS

ROUTER #1 (ASUS RT-AC87U)

WAN

  • (PPPoE to ISP)

LAN

  • IP Address: 192.168.1.1
  • Subnet Mask: 255.255.255.0
  • DNS Server: 1.1.1.1

DHCP Server

  • IP Pool Start: 192.168.1.200
  • IP Pool End: 192.168.1.254
  • Manually Assigned: 192.168.1.5 to Router #2

LAN Route - Static Route

  • Network/Host IP: 192.168.2.0
  • Netmask: 255.255.255.0
  • Gateway: 192.168.1.5
  • Metric: 1
  • Interface: LAN (br0)

Route Table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
(...)
169.254.39.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.2.0     192.168.1.5     255.255.255.0   UG    1      0        0 br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
(...)

iptables FORWARD

Chain FORWARD (policy ACCEPT)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0
2     6558  363K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
3       60  3120 ACCEPT     all  --  br0    br0     192.168.1.0/24       192.168.2.0/24
4        0     0 SECURITY   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0

ROUTER #2 (NETGEAR WGR614 v7)

WAN (Static IP)

  • IP Address: 192.168.1.5
  • IP Subnet Mask: 255.255.255.0
  • Gateway IP Address: 192.168.1.1

LAN

  • IP Address: 192.168.2.1
  • Subnet Mask: 255.255.255.0
  • DNS Server: 192.168.1.1

DHCP Server

  • IP Pool Start: 192.168.2.10
  • IP Pool End: 192.168.2.20
cwoodix
  • 3

1 Answers1

1

How do I allow devices connected directly to ROUTER#1 to talk to devices on ROUTER#2 (by their IP on ROUTER#2's subnet) but not vice-versa?

In this case, you don't – ROUTER#2's functionality is not sufficient for that. You need to be able to configure the "SPI firewall" to allow and block packets according to your description.

("SPI" pretty much just means it has a --state established -j ACCEPT rule, so that it allows reply packets in, but doesn't allow new connections in. Unfortunately, in your case, it's in the opposite direction vs what you're asking for.)

Routing configuration will not help here, as Router#2 already has a route to Router#1's network (due to its WAN interface literally being part of that network) and you kind of need that route so that Router#2 would be able to deliver reply packets to the authorized PCs on Router#1's network; if it has a route for replies, it has a route for "new" packets as well.

I've searched, but couldn't find any control over NAT on ROUTER#2.

In theory this wouldn't be a problem; such a control would only disable NAT in the direction #2→#1 (and you don't want any packets to go that way anyway). There is no NAT for #1→#2 by default (just the "port forwarding" rules); it's most likely the firewall that discards the inbound packets.

grawity
  • 501,077