Using 2 Subnets

Elkycali

Junior Member
Dec 25, 2015
Good Day and Merry Christmas To All

I need help in configuring a second router behind my gateway and first router so that it has access to the Internet and handles DHCP on its own subnet. I will start by identifying the hardware in this config with current settings.

Gateway:
Motorola NVG589 (ATT)
Wireless Disabled
Internal IP 192.168.2.2
DHCP Mask 255.255.255.0
DHCP 192.168.2.50...60

Router 1
Linksys WRT54G w/Firmware DD-WRT
Wireless Disabled
DHCP Disabled
LAN IP 192.168.2.1
Mask 255.255.255.0
Gateway 192.168.2.2
DNS 192.168.2.2

Router 2 (addition)
Linksys WRT 1900AC v1
Wireless Disabled
DHCP Disabled
LAN 192.168.2.4
Mask 255.255.255.0
Gateway 192.168.2.2
DNS 192.168.2.2

Router 2 is the one I am having issues with in the set up. Currently everything is running fine and I probably shouldn't mess with it. However, I want to add a second subnet in this network to divide and distinguish what DHCP is serving the devices. Why? It doesn't matter.

The 1900 has a network map feature that I just love because it helps me identify the devices connected to my network. So anyone scavenging an IP will show up on that map as unidentified (esp wireless) and I can take action.

I have tried the following so far and no joy.
1. Config router 2 as an ap, connected LAN to LAN but I lost the network map. When I did this, I could not set a second subnet without losing some of the features.
2. Config router 2 WAN connected to gateway LAN. This did give me a second subnet but I lost Internet connectivity, network map and those on 2.x could not see the new subnet.
3. Connected WAN (router2) to LAN using static routing to point back to gateway as follows:
destination LAN 192.168.2.2
subnet 255.255.255.0
gateway 192.168.2.2
4. Tried using a VLAN to static address one of the 4 LAN ports on the device but the 1900 does not support this type of VLAN config.
5. LAN to LAN, under the Internet setting used static for type of connection
Internet IPV4 address 192.168.2.5
Subnet 255.255.255.0
Gateway & DNS set to 192.168.2.2

Unfortunately none of these main configs worked. I also tried a slew of others but no joy. The closest I came was when I connected router 2 on its WAN port to a LAN port on the Gateway. This did give me a second subnet but I could not get DHCP leases that would be seen by the 192.168.2.x devices.

I believe if the 1900 allowed its VLAN feature to be configured in a way to static address one of its LAN ports to 192.168.2.x then I could probably connect through there and be done. But I don't know for sure. Any help on this would be appreciated as I am exhausted. Thank you in advance.
 

pcm81

Senior member
Mar 11, 2011
Connecting router 1 and 2 WAN ports to the gateway isolates the routers from each other. If you connect router 2 WAN port to router 1 LAN port, then devices connected to router 2 LAN ports will see devices connected to router 1 LAN ports, but not the other way around.

EDIT:
The above assumes you have NAT enabled on both routers. If you disable NAT on router 2 and connect router 2 WAN port to router 1 LAN port and have the DHCP server on router 2 pointing to router 1, then it should work. See here: http://superuser.com/questions/604286/lan-to-wan-setup-how-to-connect-two-subnets
 

Elkycali

Junior Member
Dec 25, 2015
Thanks for the replies. @pcm81...I will try the configuration you suggested although I believe I did try it previously with the exception of the NAT being disabled on (see #2 and #3 description) router 2. I will get some screen shots to help in getting directed towards a resolution. Thanks again and in advance
 

pcm81

Senior member
Mar 11, 2011
What Jack said above is correct. My suggestion is a trick to give an appearance of 2 subnets with 2 IP spaces, but unless you reserve IP numbers for the hosts connected to the child router, the parent router will simply assign the hosts IPs from its own subnet.
 

Elkycali

Junior Member
Dec 25, 2015
Thanks again. Yes, I understood that and my apologies for not mentioning that on the gateway I had reserved the IP spaces for specific devices. Router 1 is acting as an extension of the LAN only so there is no conflict there. Router 2 on the other hand would be set up to administer a second subnet and hand out IP spaces for WIFI devices only. The idea is to segregate and identify any rogue devices coming through the wireless subnet.

The wired subnet is finite in that there are only a specific number of devices allowed such as 50 for example. Each device has/will have a static IP assigned to it directly and a reservation on the Gateway has been set up with the same IP spaces. MAC filtering has/will be engaged as well for the wireless devices although I do understand that MAC spoofing is possible, so that security measure is not very tight but still may add a layer of protection.

So in a concise matter of explanation, all wired devices will go through the Gateway for their Internet connection and DHCP reception. Wireless devices are to go through Router 2 to receive their respective IP spaces.

Thanks again to both of you and as soon as I am able to try out the configs you both mentioned I will post the results.
 

pcm81

Senior member
Mar 11, 2011
What you want, the wifi isolation, is done in a rather simple way; in fact I am doing it now in my house. In my case router 1 is connected to the modem so the terminology is backwards from yours.
Router1 has wifi (Netgear 4300 in my case)
Router 2 either has no wifi or its wifi is turned off (Netgear 3700 in my case with wifi disabled)
Router 2 WAN port is connected to router 1 LAN port. Router 1 has LAN IP address of 192.168.0.1 and it assigns to Router 2 IP address of 192.168.0.2. IP numbers 3-254 are assigned to wifi devices connecting to router 1.
Router 2 has a LAN ip of 192.168.1.1 and it assigns ip numbers 192.168.1.2 through 254 to hardwired devices that connect to router 2.

*** Both routers have NAT turned on.

All devices that connect to router 2 are in a "private" network. All devices that are connected to router 2 can see all devices connected to router 1, because when device 192.168.1.x asks for device 192.168.0.x the router 2 goes up its wan port and asks router 1 if it knows how to get to that IP. Router 1 knows that IP, b/c it assigned it. On the other hand any device that is connected to router 1 asks for IP 192.168.1.x and router 1 has no idea how to get to it, b/c it does not know of internal ip space of router 2, so the ip returns as unreachable.

You may have problems with MFC printers hanging from router 1 reaching computers on private subnet. The most secure solution would be to hardwire MFC printers to router 2. Regular printers can hang on router 1, since they do not initiate connection to other devices.
 

Elkycali

Junior Member
Dec 25, 2015
Just an update that I am still trying to find the config that works with what I have and still no joy. Neither the ATT Gateway/router (no surprise) nor the linksys 54wrtgs nor the 1900ac has the capabilities of either VLAN or port designation so that I can get these 2 subnets to talk to each other both ways. The VLAN on the ATT device is strictly for IPTV and something else and it does not allow itself to be reconfigured. VLAN options on both Linksys devices appear not to function as I need. The only other thing I can think of is to purchase a managed switch with DHCP relay capabilities and call it done but I hate to buy another device to make this work.

Before I go that route I would just have everything run on a single subnet as it is right now but now this has almost become a challenge to make it work with what I have. I know it's possible but I am just not finding the right config. I will now reset the 1900 to factory specs and start at the beginning. The wrtg54 is fine as a slave on the same subnet as the gateway so it's okay.
 

sdifox

No Lifer
Sep 30, 2005
Just set your router to deny access to unknown mac and call it a day.
 

Elkycali

Junior Member
Dec 25, 2015
Yep, been there done that but MACs can be compromised so I need to look into another layer of protection. Thought about putting a Linux box right after the gateway but haven't fully accepted that idea yet. Thanks anyhow for the suggestion.
 

sdifox

No Lifer
Sep 30, 2005
So run pfsense.
 

Elkycali

Junior Member
Dec 25, 2015
Looking into that as well. What I'm hearing is that Pf is device/appliance structured and not software based alone. So that would mean another device in my network stream. After reading up on their home page, PFsense appears to be similar to a managed switch with DHCP relay capabilities. If that is correct then it all comes down to reliability and pricing.

Have you used or are you now using PF? If so, what are your thoughts?
 

sdifox

No Lifer
Sep 30, 2005
I have it running in a vm under hyper-v. I like it. It is software based, but there are ready built hardware units as well. It is open source.
 

Elkycali

Junior Member
Dec 25, 2015
Yeah I got the open source part of it which is something I try to stick to as it allows for greater versatility. Can always go back to OEM if opensource doesn't work otherwise you have to wait for a FW upgrade which is always a PITA. Thanks for the info.

Edit: I'm also waiting on DDWRT or another Opensource FW that would allow me to open up the 1900's 4 ports for port designation. I want to give that a go first and if that fails, then it's on to another remedy.
 

sdifox

No Lifer
Sep 30, 2005
I have it running with 2gb of ram and 2 vcores. Mind you I am just using the vanilla setup without tons of packages.

I would never go back to a consumer router.
 

Elkycali

Junior Member
Dec 25, 2015
Well after much searching on several forums to find the answer on how to configure for 2 subnets so that each subnet could see each other, I think I have found the answer. I configured my LAN accordingly last night and thus far it is working. There are no VLANs, forwarding, double NAT or reservations involved which makes this quite interesting. Both router1 which is on same subnet 192.168.2.x as gateway and router2 which is on a different 192.168.3.x subnet altogether can see each other and share their respective information.

It is too early to tell if this is in fact going to work out but I am putting it through some testing at the moment and once I am comfortable with the resolution, I will post back the results and remedy I found. Al
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
Both router1 which is on same subnet 192.168.2.x as gateway and router2 which is on a different 192.168.3.x subnet altogether can see each other and share their respective information.

The above is basically the definition of Double NAT.



:cool:
 

Elkycali

Junior Member
Dec 25, 2015
Greets..so here is my final documentation on the setup that has worked thus far with no glitches since implementing it.

RG:
Motorola NVG589 (ATT)
WAN IP from ISP
Gateway ISP provided
DNS ISP provided
Static LAN IP 192.168.2.2
Subnet Mask 255.255.254.0
DHCP 192.168.2.50 to 192.168.3.5
Wireless Disabled
NAT Enabled

Router 1
Linksys WRT54G w/Firmware DD-WRT
Connected to RG via LAN/LAN
WAN IP none
Wireless Disabled
DHCP Disabled
NAT Disabled
Static LAN IP 192.168.2.1
Subnet Mask 255.255.255.0
Gateway 192.168.2.2
DNS 192.168.2.2

Router 2
Linksys WRT 1900AC v1
Connected to RG via LAN/LAN
WAN IP none
Wireless Disabled
DHCP Enabled
NAT Disabled
Static LAN IP 192.168.3.10
Subnet Mask 255.255.255.0
Gateway 192.168.2.2
DNS 192.168.2.2

Security cameras receiving their IPs from R2 and set up on 192.168.3.x and the PC hosting the camera platform can see/access 192.168.2.x devices. PCs on the 192.168.2.x subnet are blocked out of access to cameras with the exception of my PC running on 192.168.2.x which can see/access everything.

All devices running on either subnet are accounted for and no intrusions via wireless because there is no wireless connection available. Very secure. Next step will be to access security cameras via browser from WAN side.
 

mv2devnull

Golden Member
Apr 13, 2010
PC's on 192.168.2.x subnet are blocked out of access to cameras with exception of my PC running on 192.168.2.x which can see/access everything.
How are they blocked?

I see only one subnet in your description: 192.168.2.0/23
 
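A quick check of the addressing in the final configuration posted above, using Python's ipaddress module. This is an added example, not from the thread; the addresses are the ones posted and the function names are mine. With the RG's 255.255.254.0 mask, 192.168.2.x and 192.168.3.x hosts sit in the single network 192.168.2.0/23 that mv2devnull points out, and router 2's own gateway setting falls outside its /24 interface.

```python
from ipaddress import ip_address, ip_interface

# Addresses copied from the final configuration posted in the thread.
RG_LAN = ip_interface("192.168.2.2/23")        # RG: mask 255.255.254.0
DHCP_POOL = ("192.168.2.50", "192.168.3.5")    # RG's DHCP range
ROUTER2_LAN = ip_interface("192.168.3.10/24")  # Router 2: mask 255.255.255.0
ROUTER2_GW = "192.168.2.2"                     # Router 2's configured gateway


def rg_network():
    """The single network the RG is directly attached to, as a string."""
    return str(RG_LAN.network)


def on_rg_network(*hosts):
    """True when every host lies inside the RG's directly connected network."""
    return all(ip_address(h) in RG_LAN.network for h in hosts)


def dhcp_pool_inside_rg_network():
    """The RG pool starts in 192.168.2.x and ends in 192.168.3.x: one pool, one network."""
    low, high = (ip_address(h) for h in DHCP_POOL)
    return low in RG_LAN.network and high in RG_LAN.network and low < high


def router2_gateway_on_link():
    """A default gateway has to be on the same network as the interface that uses it."""
    return ip_address(ROUTER2_GW) in ROUTER2_LAN.network


def hosts_as_seen_by(iface, hosts):
    """Map each host to 'on-link' or 'off-link' from the viewpoint of one interface."""
    iface = ip_interface(iface)
    return {h: ("on-link" if ip_address(h) in iface.network else "off-link") for h in hosts}


if __name__ == "__main__":
    print("RG network:", rg_network())
    print("all on RG network:", on_rg_network("192.168.2.1", "192.168.3.10", "192.168.3.200"))
    print("router 2 gateway on-link:", router2_gateway_on_link())
    print(hosts_as_seen_by("192.168.3.10/24", ["192.168.2.1", "192.168.3.200"]))
```

The last call shows why the split is only cosmetic: a host that takes a /24 from router 2 sees 192.168.2.x as off-link, while the RG sees every address in the range as on-link.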

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
In general connecting from the WAN side entails changing the viewing port of each camera to a unique port.

As an example, camera 1 port 60000, camera 2 port 60001, etc.

Then you open each port in the Router's firewall toward the internal IP of the camera.

Next step, you get a DNS account in a place like DYNDNS.org

You set the Router's WAN to work with your DNS account.

Assuming (as an example) that you established an account Elkycali.DYNDNS.Org

Then typing into the Browser (from outside your LAN) Elkycali.DYNDNS.org:60000 will connect you to the camera that port 60000 was assigned to.



:cool:
 

Elkycali

Junior Member
Dec 25, 2015
Thanks for the input Jack. If I am understanding your approach, I may run into some challenges without incorporating another device. I have over 20 cameras and a maximum of 8 LAN ports (currently) upon which to assign the cameras to. In this case I believe I would have to put a Layer 3 managed switch with at least 36 ports or buy 2 or more managed switches with at least 24 configurable LAN ports on each managed switch.
If however, you are speaking in terms of virtual ports 60001, 60002 etc., then yes maybe DYNDNS could be utilized. If you could elaborate a little more so that I can be clear of your vision, it would be appreciated. I am also going to look into some software that could be implemented locally and may help in configuring. I am a visual person so CLI would not work for me so it would have to be GUI based. Thanks again...Al
 

Gryz

Golden Member
Aug 28, 2010
This setup with 2 routers doing NAT is suboptimal. And can cause more problems. E.g. changing port numbers if you have multiple devices using the same port number.

The proper way to set it up is via plain old routing. It seems this is a lost art nowadays.

Suppose you have this setup:

Internet - router A - network X - router B - network Y

All you need is two static routes configured. One on each router.
On router A, you have to configure a static route towards network Y, with nexthop B's IP-address on network X.
On router B, you have to configure a static default route (towards 0.0.0.0/0), with nexthop A's IP-address on network X.

You have to configure router B so that it hands out DHCP-addresses only on network Y, and not on network X. On network X, PCs will get addresses via DHCP from router A. Or you can disable DHCP altogether on router A, and let router B give out IP-addresses on both network X and Y.

In any case, I would configure manually IP-addresses on all the interfaces of the routers on network X and Y. Use addresses outside the DHCP-pools for that.

This would be the most straightforward way to deal with the problem.
 
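The one-way reachability pcm81 describes earlier in the thread (router 2's hosts reach router 1's side, but router 1 has no route back) and the two static routes in the post above can both be traced with a small longest-prefix-match routing model. This is an added example, not from the thread; it borrows pcm81's addresses (network X = 192.168.0.0/24 with router A at .1 and router B's WAN at .2, network Y = 192.168.1.0/24), the function names are mine, and only routing tables are modelled, not NAT.

```python
from ipaddress import ip_address, ip_network

# Topology: Internet - A (router 1) - network X - B (router 2) - network Y
NET_X = ip_network("192.168.0.0/24")
NET_Y = ip_network("192.168.1.0/24")
DEFAULT = ip_network("0.0.0.0/0")
A_ON_X = ip_address("192.168.0.1")   # router A's address on network X
B_ON_X = ip_address("192.168.0.2")   # router B's WAN address, handed out by A
ROUTERS = {A_ON_X: "A", B_ON_X: "B"} # next-hop address -> router that owns it

def lookup(table, dst):
    """Longest-prefix match over (network, next_hop) rows.
    next_hop None means directly connected; a string names an upstream link."""
    dst = ip_address(dst)
    matches = [row for row in table if dst in row[0]]
    if not matches:
        return None
    net, next_hop = max(matches, key=lambda row: row[0].prefixlen)
    return "direct" if next_hop is None else next_hop

def tables_without_static_route():
    """Before the fix: B knows X, Y and a default via A; A knows X and the Internet only."""
    a = [(NET_X, None), (DEFAULT, "internet")]
    b = [(NET_X, None), (NET_Y, None), (DEFAULT, A_ON_X)]
    return {"A": a, "B": b}

def tables_with_static_route():
    """Gryz's fix: A gets a static route to Y via B; B's default route is unchanged."""
    t = tables_without_static_route()
    t["A"] = t["A"] + [(NET_Y, B_ON_X)]
    return t

def forward_path(tables, start, dst):
    """Follow the lookups router by router; the last element says where the packet ended."""
    hop, path = start, [start]
    for _ in range(len(tables) + 1):      # bound the walk so a bad table cannot loop forever
        res = lookup(tables[hop], dst)
        if res is None:
            return path + ["unreachable"]
        if res == "direct":
            return path + [str(dst)]
        if res not in ROUTERS:
            return path + [res]           # handed to an upstream link such as "internet"
        hop = ROUTERS[res]
        path.append(hop)
    return path + ["loop"]
```

Without the static route, A's only match for a 192.168.1.x destination is its default route, so the packet is pushed toward the ISP instead of network Y; with it, the path becomes A, B, destination.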

BarkingGhostar

Diamond Member
Nov 20, 2009
Wow, while I like this network discussion I have to wonder if this is a commercial application of a consumer budget.