Question Access another device with different subnet

nospamever

Junior Member
Nov 2, 2022
5
0
6
I set up my home network like below. Router A network is more secure and Router B network is less secure. How do I access the webgui of Router B from Device A1? I can't simply enter 10.0.0.1 in browser from Device A1. I hear a static route is the solution, but how? Any help is appreciated.


1667380157357.png
 


mv2devnull

Golden Member
Apr 13, 2010
1,498
144
106
All three routers do NAT, don't they?

If so, then your question is: How can machine 192.168.9.x connect to "webgui" of 192.168.9.3?
Or, more generally: Is it possible to connect to webgui of router, if you are on the "WAN-side"?
 

nospamever

> All three routers do NAT, don't they?
>
> If so, then your question is: How can machine 192.168.9.x connect to "webgui" of 192.168.9.3?
> Or, more generally: Is it possible to connect to webgui of router, if you are on the "WAN-side"?

Yes, all 3 serve the router function with DHCP enabled (if that means "do NAT"). I struggle to understand what is "WAN-side". I thought WAN is Internet-side?
 

mv2devnull

A cheap "home router" usually labels "outside" port "WAN" and the "inside" port(s) "LAN".
For your Router B, the 192.168.9.0/24 is "WAN" and the 10.0.0.0/24 is "LAN".

Dynamic Host Configuration Protocol and Network Address Translation are distinct functions, although both tend to be used on home routers.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,471
387
126
You can use a freeware App to connect between the two subnets.



 

Fallen Kell

Diamond Member
Oct 9, 1999
6,035
428
126
It will all depend on what your routers are and the firmware they are running. With third party firmware such as DD-WRT, you can change the security settings on the 192.168.9.3 router. Specifically you want to enable management from the WAN port (under the "Administration"->"Management" tab).

For some other third party firmware and some first party firmware, you will need to add a firewall rule on the 192.168.9.3 router to allow connection, typically something like the following assuming it is using iptables as the firewall in the firmware:
iptables -I INPUT -p tcp -s <remote_location_ip> --dport 80 -j ACCEPT

Not all first party firmware will allow these kinds of changes, which is why I always recommend only buying a wifi router that supports running third party firmware such as DD-WRT, OpenWRT, or FreshTomato.

You will also need to set up static routes on all your routers so they know where to send the various traffic (i.e. the 192.168.9.2 router needs to know to send the traffic to 10.0.0.0 subnet out the WAN port, the 192.168.9.1 needs to know to send data to the 10.0.0.0 subnet to the port connected to the 192.168.9.3 router, and to send traffic to the 10.0.1.0 subnet to the port connected to the 192.168.9.2 router, and the 192.168.9.3 router needs to know to send traffic to the 10.0.0.0 subnet out the WAN port).
 

nospamever

> A cheap "home router" usually labels "outside" port "WAN" and the "inside" port(s) "LAN".
> For your Router B, the 192.168.9.0/24 is "WAN" and the 10.0.0.0/24 is "LAN".
>
> Dynamic Host Configuration Protocol and Network Address Translation are distinct functions, although both tend to be used on home routers.

Thanks for that, I thought that could be the case and thanks for confirming.
 

nospamever

> It will all depend on what your routers are and the firmware they are running. With third party firmware such as DD-WRT, you can change the security settings on the 192.168.9.3 router. Specifically you want to enable management from the WAN port (under the "Administration"->"Management" tab).
>
> For some other third party firmware and some first party firmware, you will need to add a firewall rule to allow connection, typically something like the following assuming it is using iptables as the firewall in the firmware:
> iptables -I INPUT -p tcp -s <remote_location_ip> --dport 80 -j ACCEPT
>
> Not all first party firmware will allow these kinds of changes, which is why I always recommend only buying a wifi router that supports running third party firmware such as DD-WRT, OpenWRT, or FreshTomato.
>
> You will also need to set up static routes on all your routers so they know where to send the various traffic (i.e. the 192.168.9.2 router needs to know to send the traffic to 10.0.0.0 subnet out the WAN port, the 192.168.9.1 needs to know to send data to the 10.0.0.0 subnet to the port connected to the 192.168.9.3 router, and to send traffic to the 10.0.1.0 subnet to the port connected to the 192.168.9.2 router, and the 192.168.9.3 router needs to know to send traffic to the 10.0.0.0 subnet out the WAN port).

I have wondered if static routes are required on my modem/router and both routers. Thanks for pointing that out.
 

Fallen Kell

> > A cheap "home router" usually labels "outside" port "WAN" and the "inside" port(s) "LAN".
> > For your Router B, the 192.168.9.0/24 is "WAN" and the 10.0.0.0/24 is "LAN".
> >
> > Dynamic Host Configuration Protocol and Network Address Translation are distinct functions, although both tend to be used on home routers.
>
> Thanks for that, I thought that could be the case and thanks for confirming.

On top of that, the "home routers" are also segregating traffic via internal VLANs, with the WAN port set as one VLAN and the other switch ports set as a different VLAN. They will also have VLANs set on the WiFi networks (really VAPs which are for Virtual Access Points) using the same VLAN id on the WiFi as on the wired switch ports, and if it has a "guest" network, that will use a different VLAN id to segregate that traffic and prevent it from accessing your other networks.

All of the above will possibly cause issues with you attempting to create routes and networks, so you need to be aware that it is happening under-the-hood on those home routers.
 

Fallen Kell

> I have wondered if static routes are required on my modem/router and both routers. Thanks for pointing that out.

It is definitely required on the modem/router. It is not absolutely necessary on the other two routers since it should simply follow the "default" route, which is to send the traffic out to 192.168.9.x, but could be needed if you do other things with VLANs or different subnets, so it is best to simply specify it.
 

mv2devnull

The static routes are not necessary, if all three routers do NAT.

The modem/router is a member of two subnets:
* the 192.168.9.0/24 ("LAN")
* ISP's public subnet (genuine "WAN")
It does know how to send to these two subnets and gets "gateway" from ISP that is in the WAN.
Whatever goes out from LAN to WAN does get NATed (aka sNAT or masquerade). That way nobody in WAN knows that the LAN exists.

The router A is a member of two subnets:
* the 192.168.9.0/24 ("WAN")
* the 10.0.1.0/24 ("LAN")
It does know how to send to these two subnets and should get "gateway" (192.168.9.1) from modem/router.
Whatever goes out from LAN to WAN does get NATed (aka sNAT or masquerade). That way nobody in 192.168.9.0/24 knows that the 10.0.1.0/24 exists.

Equivalent setup for router B.

Now, device A1 (10.0.1.2) connects to 192.168.9.3. It sends the packet to its gateway (router A, 10.0.1.1).
Router A does NAT, so it replaces "from-address" in the packet and forwards the packet to 192.168.9.3 (router B).
When (if) router B replies, it replies to router A (192.168.9.2). Router A "reverts" the NAT for the reply and must therefore forward the reply to A1.


If router A does not do NAT, then modem/router, router B, (and anyone else in 192.168.9.0/24 except router A) do indeed need a static route:
to 10.0.1.0/24 via 192.168.9.2
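
The reply path discussed in the thread, as an added example that is not part of any poster's message: a small Python model of router B answering a web GUI request from A1, with and without NAT on router A and with the static route placed on router B or on the modem/router. The addresses are the ones quoted in the posts; the function names, the `ISP` marker and the simplified routing tables are assumptions of the example.

```python
import ipaddress as ip

# Constructed model; the addresses are the ones quoted in the thread.
A1 = ip.ip_address("10.0.1.2")            # device A1 behind router A
ROUTER_A = ip.ip_address("192.168.9.2")   # router A, address on the shared subnet
ROUTER_B = ip.ip_address("192.168.9.3")   # router B, address on the shared subnet
MODEM = ip.ip_address("192.168.9.1")      # modem/router, default gateway of A and B
SHARED = ip.ip_network("192.168.9.0/24")
LAN_A = ip.ip_network("10.0.1.0/24")
ISP = "ISP"                               # marker: packet left the home network
ROUTE_TO_LAN_A = (LAN_A, ROUTER_A)        # "to 10.0.1.0/24 via 192.168.9.2"


def next_hop(dst, static_routes, default_gw):
    """Longest-prefix match over the on-link shared subnet and static routes."""
    routes = [(SHARED, dst)] + list(static_routes)  # on-link: deliver directly
    matches = [(net, gw) for net, gw in routes if dst in net]
    if not matches:
        return default_gw
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(router_a_nat, static_on_b=(), static_on_modem=()):
    """Path of router B's reply to a web GUI request that came from A1."""
    # With NAT, router A rewrites the source to its own shared-subnet address.
    src = ROUTER_A if router_a_nat else A1
    path = [ROUTER_B]
    hop = next_hop(src, static_on_b, MODEM)
    if hop == MODEM:                      # router B fell back to its default route
        path.append(MODEM)
        hop = next_hop(src, static_on_modem, ISP)
    path.append(hop)
    return {
        "source_seen_by_router_b": str(src),
        "reply_path": [str(p) for p in path],
        "reply_reaches_a1": hop == ROUTER_A,
    }


if __name__ == "__main__":
    print(trace(True))
    print(trace(False))
    print(trace(False, static_on_b=[ROUTE_TO_LAN_A]))
    print(trace(False, static_on_modem=[ROUTE_TO_LAN_A]))
```

With NAT on router A, router B sees every device behind router A as 192.168.9.2, so a source-restricted allow rule on router B cannot tell A1 apart from other devices on that LAN.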