Need networking help - 2 routers, can't reach other subnet

Hey all, I'm having an issue with multiple routers and subnets on my FiOS connection. Here's how everything is set up:

Primary router: ActionTec MI424WR Rev D (from Verizon)
  WAN IP: From ISP
  WAN NETMASK: From ISP
  LAN IP: 192.168.1.1
  LAN NETMASK: 255.255.255.0

Secondary router (WAN connected to ActionTec LAN): Belkin N750 gigabit w/ 802.11n
  WAN IP: 192.168.1.2
  WAN NETMASK: 255.255.255.0
  LAN IP: 192.168.2.1
  LAN NETMASK: 255.255.255.0

With this setup, I have the secondary router's WAN port connected to a LAN port on the primary router. Each is broadcasting an SSID and each is running DHCP to assign addresses to its respective subnet. Everything was well and good, except that I could reach 192.168.1.* systems from 192.168.2.*, but not vice versa -- anything connected to the primary router was blind to systems connected to the secondary. Also, I could not ping anything on .2 from .1.

So, I added the following static route to the primary router:
  DESTINATION: 192.168.2.0
  NETMASK: 255.255.255.0
  GATEWAY: 192.168.1.2

Once this was added to the router, I could ping everything, so that was good. However, even though .1 can now ping .2, I can't access certain things such as the web interface of my NAS (192.168.2.2). I can ping it, but accessing it in the browser from .1 doesn't work; accessing it from .2 does work.

I think the ActionTec router might be blocking it, but that's just a guess. The firewall on this thing has me thoroughly confused. Currently, I have 192.168.1.2 in the DMZ on the ActionTec, but that didn't make a difference. I've also completely disabled the firewall on the secondary Belkin router, but still nothing.

Any help from the pros here? Much appreciated!
More Fiber: Is there a reason you're running LAN-to-WAN and not LAN-to-LAN?

LAN-to-WAN creates routing issues and also means the devices behind the second router are double NATed.

See the following FAQ for a walk-through of setting up the LAN-to-LAN configuration: Verizon Online FiOS FAQ - "Can I use my wireless or an extra router along with the Verizon provided router?"

--
There are 10 kinds of people in the world; those who understand binary and those who don't.
plammie: I went LAN-to-WAN because I wanted separate subnets -- the primary is the regular network that the family uses, and the secondary is one I use for work and personal stuff. However, I would like the subnets to talk to each other, and then I can restrict things further with a firewall.
irpete: With double NAT you will need to set up port forwarding rules. If you want to use different subnets I would do away with the ActionTec and buy a real SOHO firewall.
(reply to plammie) If I understand your config correctly, it doesn't sound like the Actiontec is the problem. If your goal is simply to subnet, and not to restrict traffic in any way between 192.168.1.x (Actiontec) and 192.168.2.x (Belkin), you'd need to:

1) totally disable the firewall on the Belkin and set it up in classical routing mode
2) make sure the appropriate network routes are in place on both routers.

You would not want to put the Belkin in the Actiontec DMZ. This would make the router and any client on 192.168.2.x vulnerable, since the Belkin firewall is disabled.

Alternatively, if you leave the Belkin firewall enabled, you'd have to set up port forwards on it to the services you want to access from 192.168.1.x, e.g., to your NAS server. You probably wouldn't want the Belkin in the Actiontec DMZ in this case, either, as any port forwards you set up would be accessible from the Internet.
plammie: OK, I figured it out and everything is now working. The issue appears to be that the ActionTec router doesn't recognize traffic from Subnet 1 to Subnet 2 as internal traffic -- it treats it as external traffic and closes it off. To fix this, it required some Advanced Firewall Filters that were far from intuitive and took a lot of testing to get just right. If anyone runs into a similar situation in the future, here's a rundown of what I did to make it all work:

Primary Router: ActionTec MI424WR Rev D
  WAN IP/NETMASK: Assigned by ISP
  LAN IP/NETMASK: 192.168.1.1 / 255.255.255.0

Secondary Router: Belkin N750 Gigabit w/ 802.11n
  WAN IP/NETMASK: 192.168.1.2 / 255.255.255.0
  LAN IP/NETMASK: 192.168.2.1 / 255.255.255.0

• Plug the secondary router's WAN port into a LAN port on the primary router.
• Set up the secondary router to have a static WAN-side address (192.168.1.2).
• At this point, you should have 2 separate subnets: Subnet 1 (192.168.1.*) and Subnet 2 (192.168.2.*).
• Systems on both subnets should be able to reach the internet. Also, Subnet 2 should be able to ping and reach systems on Subnet 1; however, systems on Subnet 1 will not be able to ping or reach systems on Subnet 2. For this, we need to create a static route so Subnet 1 can reach Subnet 2.
• Create and apply the following static route in the primary router (Advanced > Routing):

  RULE NAME: Network (Home/Office)
  DESTINATION: 192.168.2.0 (your secondary subnet)
  GATEWAY: 192.168.1.2 (secondary router's WAN IP)
  NETMASK: 255.255.255.0
  METRIC: 1

• The router now has a route between Subnet 1 (192.168.1.*) and Subnet 2 (192.168.2.*). You should be able to ping systems on Subnet 1 from 2, and ping systems on Subnet 2 from 1. You should not be able to access any services, though -- the firewall is still blocking all but ping traffic from Subnet 1 to Subnet 2. We need to create some firewall rules to allow this communication.
• Make sure the primary firewall is set to at least Typical/Medium (Firewall Settings > General).
• We need to create some network objects to make it easier to manage the rules we'll create. Go to Advanced > Network Objects and do the following:

  A. Click Add. You are now on the Edit Network Object screen.
  B. Set Description to 'Subnet 1'.
  C. In the Items section below, click Add.
  D. Set Network Object Type to 'IP Subnet'.
  E. Set Subnet IP Address to 192.168.1.0.
  F. Set Subnet Mask to 255.255.255.0.
  G. Click Apply. You are now back on the Edit Network Object screen.
  H. Click Apply. You are now back on the Network Objects screen.
  I. Repeat the above steps again, but this time creating a second network object called 'Subnet 2':

    Name: Subnet 2
    IP Subnet: 192.168.2.0
    Subnet Mask: 255.255.255.0

• Now we create the firewall rules. Go to Firewall Settings > Advanced Filtering.
• In the Inbound/Input Rules section, click the Add link next to Network (Home/Office) Rules.
• Create the following Advanced Filter:

  SOURCE ADDRESS: Select 'Subnet 1'
  DEST. ADDRESS: Select 'Subnet 2'
  PROTOCOL: 'Any'
  OPERATION: 'Accept Packet'
  OCCUR: 'Always'

• Click Apply. You will now be back on the Advanced Filtering page.
• In the Outbound Rules section, click the Add link next to Network (Home/Office) Rules.
• Create the following Advanced Filter:

  SOURCE ADDRESS: Select 'Subnet 1'
  DEST. ADDRESS: Select 'Subnet 2'
  PROTOCOL: 'Any'
  OPERATION: 'Accept Packet'
  OCCUR: 'Always'

• Click Apply. You will now be back on the Advanced Filtering page.
• Click Apply.

You're all done. You should now have internet access on both subnets, be able to ping across subnets and also be able to access services across subnets (local web servers, SSH, telnet, mail, etc.). You will not be able to see network file shares across subnets in Windows, however, as this requires a WINS server (which is well outside the scope of this post). For instance, I have a Western Digital NAS on the 192.168.2.0 subnet that I can access as \\Mybooklive\ from within Subnet 2; on Subnet 1, however, I have to access it by its IP, \\192.168.2.10\.
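The two changes in the walkthrough above, the static route and the cross-subnet Advanced Filter, can be reasoned about with a small model of what a router does with a forwarded packet: a longest-prefix-match lookup against its routing table, followed by a first-match pass over filter rules. The script below is an added example, not code from the thread or from either router vendor. It uses the addresses from the thread; the ISP default gateway (203.0.113.1) is a placeholder, the filter's default verdict is simplified to "Drop Packet" (the ping exception the author saw is not modelled), and the Belkin's NAT for Subnet 2 to Subnet 1 traffic is out of scope, so the model only covers the Subnet 1 to Subnet 2 direction that needed fixing.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]   # None means directly connected
    interface: str
    metric: int = 1


@dataclass(frozen=True)
class FilterRule:
    source: ipaddress.IPv4Network   # the 'Subnet 1' / 'Subnet 2' network objects
    dest: ipaddress.IPv4Network
    operation: str                  # 'Accept Packet' or 'Drop Packet'


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; lowest metric breaks ties (standard router behaviour)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def egress(routes: List[Route], dst: str) -> Tuple[str, str]:
    """Return (interface, next hop) for a destination; 'direct' when on-link."""
    r = lookup(routes, dst)
    if r is None:
        return ("none", "unreachable")
    return (r.interface, str(r.gateway) if r.gateway is not None else "direct")


def filter_verdict(rules: List[FilterRule], src: str, dst: str) -> str:
    """First matching Advanced Filter wins; no match falls through to the default block."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.source and d in rule.dest:
            return rule.operation
    return "Drop Packet"   # simplified default (constructed; the real firewall still let ping through)


# Constructed ActionTec table as it stands before the static route is added.
# 203.0.113.1 is a placeholder for the ISP-assigned default gateway.
ISP_GW = ipaddress.ip_address("203.0.113.1")
ACTIONTEC_BEFORE = [
    Route(net("192.168.1.0/24"), None, "lan"),
    Route(net("0.0.0.0/0"), ISP_GW, "wan"),
]

# The static route from the thread: 192.168.2.0/24 via the Belkin's WAN address, metric 1.
STATIC_ROUTE = Route(net("192.168.2.0/24"), ipaddress.ip_address("192.168.1.2"), "lan", metric=1)
ACTIONTEC_AFTER = ACTIONTEC_BEFORE + [STATIC_ROUTE]

SUBNET_1, SUBNET_2 = net("192.168.1.0/24"), net("192.168.2.0/24")
# The one rule the thread adds (in both the inbound and outbound sections).
CROSS_SUBNET_RULES = [FilterRule(SUBNET_1, SUBNET_2, "Accept Packet")]


def forward_decision(routes: List[Route], rules: List[FilterRule],
                     src: str, dst: str) -> Dict[str, str]:
    """Combine both checks: where the packet would be sent, and whether the filter permits it."""
    iface, nexthop = egress(routes, dst)
    return {"interface": iface, "next_hop": nexthop,
            "filter": filter_verdict(rules, src, dst)}


if __name__ == "__main__":
    # A host on Subnet 1 (192.168.1.50, constructed) talking to the NAS on Subnet 2.
    for label, routes, rules in [("before", ACTIONTEC_BEFORE, []),
                                 ("after", ACTIONTEC_AFTER, CROSS_SUBNET_RULES)]:
        print(label, forward_decision(routes, rules, "192.168.1.50", "192.168.2.2"))
```

Running it shows the two failure modes in order: without the static route the only match for 192.168.2.2 is the default route, so the packet leaves the WAN port toward the ISP and never reaches the Belkin; with the route in place it stays on the LAN interface with 192.168.1.2 as next hop, and the filter verdict then decides whether anything beyond ping gets through.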
I'm a bit confused. It makes sense that the AT would think 192.168.2.x is external and would send that traffic out the WAN interface, BEFORE you set up the route to 192.168.2.0 via 192.168.1.2 (the Belkin).

Once that route is set up, the Actiontec's firewall shouldn't touch the traffic at all.

After that, it should just be a case of deciding whether or not you want the Belkin firewall to be active, and setting up port forwards if you do.

Did I miss something that would make all those other rules necessary?
plammie: Haha, you're not the only one confused, claibourne. It didn't really make sense to me, either, which is why it took so long to figure out. It's as if the routes are done post-firewall. Logically speaking, if the 'Network (Home/Office)' connection is defined with an IP of 192.168.1.1, and you add a route to 192.168.2.1 to it, you'd think the firewall would apply the same rules. But that is not the case. Perhaps there's a way to modify the 'Network (Home/Office)' connection properties so that it knows the second subnet is part of it, and thus treat the traffic the same as it would on the primary subnet? I couldn't get it to work that way, but perhaps someone more experienced with this router knows the trick.
Oh well. Who knows?

On the \\Mybooklive\ thing, you should be able to put an entry in the Actiontec DNS server to map the name. Under Advanced settings, go into the DNS server, and add a manual entry for Mybooklive with 192.168.2.10 as its IP (assuming it's static or a DHCP reservation on the Belkin side).
plammie: Cool, nice trick -- I hadn't even got to the DNS part of this thing yet. Thanks!
More Fiber (reply to plammie):

  said by plammie: "It's as if the routes are done post-firewall."

Correct. The firewall only applies to the WAN port.

  said by plammie: "Perhaps there's a way to modify the 'Network (Home/Office)' connection properties so that it knows the second subnet is part of it, and thus treat the traffic the same as it would on the primary subnet?"

Create a VLAN for the 2nd subnet, then add it to the Network H/O group.

Although if you do that I don't see why you don't put everything on one subnet. Yes, I saw your post that you wanted to segregate traffic, but you're defeating that.
(reply to plammie) I am with More Fiber on this. I am also confused by this - you say you want traffic separated, but the only thing this accomplishes is having traffic unseparated??? You're giving conflicting statements about what you want. If you don't want traffic separate, it's easier to just remove the secondary router rather than the setup you have.

The only time you want traffic traversing different subnets locally is in a large LAN environment where there is too much broadcast traffic going on and you want to separate your broadcast domains.