Problem with connecting to subnetwork

[TheCynicalCris]

Hi,

 

I've got a network configured like this:

Internet ->

router (on 10.10.10.1) to provide addresses to devices in 10.10.10 network ->

router (on 10.20.20.1) to provide wireless to other devices

 

Problem is that from devices in 10.10.10.x I can't even get a ping to devices in 10.20.20.x network. 

 

Both routers operate on OpenWRT. 

[APasz]

Do you even understand how a sub-network works?

Think of them as two phyisical network that can't interract with each other unless a bridge is put in place which most routers shouldn't do automatically as it would defeat the purpose of the sub-network.

[TheCynicalCris]

Do you even understand how a sub-network works?

Think of them as two phyisical network that can't interract with each other unless a bridge is put in place which most routers shouldn't do automatically as it would defeat the purpose of the sub-network.

I'm not a pro in networks by any definition. Just wanna know what should I do to be able to interact with devices in 10.20.20.x from 10.10.0.x and the other way around. That's all.

[APasz]

Sorry if I sounded hostile.

Sub-networks can't interact with each other unless a bridge is put in place, this could be a pc with 2 NIC's that are set to [in your case] 10.10.10.x and 10.20.20.x sub-IP's and then bridging the two NIC's within the OS.

I'm not 100% sure which OS would work best, but just about any network focused Linux distro should able to do it with the least amount of problems.

 

Your second, quickest and easiest option is to simply have a single sub-net instead of 2.

 

I'll give a real simple breakdown of an IP address, www.xxx.yyy.zzz, W,X,Y are sub-network ID's and Z is a PC ID.

Clients/Servers with IP 1.1.1.x will be able to see any other clients/servers with an IP 1.1.1.x but not 1.2.1.x or 1.2.2.x

Clients/Servers with IP 1.2.1.x will be able to see any other clients/servers with an IP 1.2.1.x but not 1.1.1.x or 1.2.2.x

Clients/Servers with IP 1.2.2.x will be able to see any other clients/servers with an IP 1.2.2.x but not 1.1.1.x or 1.2.1.x

It's like a tree with 4 major splits but up to 127-255 branches per split and that's just IP/v4, It gets 90x more complicated with IP/v6.

Anyway it's really a lot more complicated but I'll leave that up to you to learn if you want.

[MeshFile]

You just lack routing. Use RIPv2 for the most simplest one or static routing.

[TheCynicalCris]

Is there any way I can set it up within those two Linux routers or do I really need another computer between those networks?

[TheCynicalCris]

There's a way to simply install RIP on OpenWrt. But should I install it on first or the second router (or both)?

[unijab]

Just setup static routes on each router for the other subnet

[MeshFile]

 

Is there any way I can set it up within those two Linux routers or do I really need another computer between those networks?

Both of them needs RIPv2. If you want to do static routing, just setup the following:

 

 

PC1 belongs to subnet1(10.10.10.0); PC2 belongs to subnet2 (10.20.10.0)

[LAN:x.x.x.x] and [WAN:x.x.x.x] indicates what port on that router and what IP that port is assigned.

PC1 10.10.10.2-----------[LAN:10.10.10.1] Router1 [WAN:192.168.1.1]------------[WAN:192.168.1.2] Router2 [LAN:10.20.10.1]---------- 10.20.10.2 PC2

config on Router1

# uci add network route# uci set network.@route[-1].interface=lan# uci set network.@route[-1].target=10.20.10.0# uci set network.@route[-1].netmask=255.255.255.0# uci set network.@route[-1].gateway=192.168.1.2# uci commit network

config on Router2

# uci add network route# uci set network.@route[-1].interface=lan# uci set network.@route[-1].target=10.10.10.0# uci set network.@route[-1].netmask=255.255.255.0# uci set network.@route[-1].gateway=192.168.1.1# uci commit network

Not entirely sure if that's the correct syntax for it; I was remembering the iOS commands for Cisco and I'm a little bit rusty on it now.

 

Basically, Router1 is configured to point to Router2's IP (facing Router1) whenever someone asks for an IP from 10.20.10.0/24 network.

For the line to/from the Internet, you'll need to decide which router will be connected to it. Either Router1 or Router2. That is to assume those routers can different network for each interfaces.

 

I got the commands from here: https://forum.openwrt.org/viewtopic.php?id=16962

Just skimmed it so commands might be wrong, but the logic for static route is right.

[brwainer]

As people have said above, you have to tell Router2 that the subnet on Router2 exists, and how to get packets to it, which can be done via static rules or by setting up RIP. I would just go with static rules for this simple setup, routing protocols are really only needed when things can change often or there are multiple routes possible and you want the network to handle a device going down.

It sounds like Router2 is a member of Router1's network, like it's "WAN" or outside IP would be 10.10.10.2. If that's the case, you may want to look at disabling NAT on Router2. I think OpenWRT can do that, but I'm really not sure if eo and how to do it.

[TheCynicalCris]

 

 

 

Both of them needs RIPv2. If you want to do static routing, just setup the following:

 

 

PC1 belongs to subnet1(10.10.10.0); PC2 belongs to subnet2 (10.20.10.0)

[LAN:x.x.x.x] and [WAN:x.x.x.x] indicates what port on that router and what IP that port is assigned.

PC1 10.10.10.2-----------[LAN:10.10.10.1] Router1 [WAN:192.168.1.1]------------[WAN:192.168.1.2] Router2 [LAN:10.20.10.1]---------- 10.20.10.2 PC2

config on Router1

# uci add network route# uci set network.@route[-1].interface=lan# uci set network.@route[-1].target=10.20.10.0# uci set network.@route[-1].netmask=255.255.255.0# uci set network.@route[-1].gateway=192.168.1.2# uci commit network

config on Router2

# uci add network route# uci set network.@route[-1].interface=lan# uci set network.@route[-1].target=10.10.10.0# uci set network.@route[-1].netmask=255.255.255.0# uci set network.@route[-1].gateway=192.168.1.1# uci commit network

Not entirely sure if that's the correct syntax for it; I was remembering the iOS commands for Cisco and I'm a little bit rusty on it now.

 

Basically, Router1 is configured to point to Router2's IP (facing Router1) whenever someone asks for an IP from 10.20.10.0/24 network.

For the line to/from the Internet, you'll need to decide which router will be connected to it. Either Router1 or Router2. That is to assume those routers can different network for each interfaces.

 

I got the commands from here: https://forum.openwrt.org/viewtopic.php?id=16962

Just skimmed it so commands might be wrong, but the logic for static route is right.

 

Okay, this sounds like the easiest option for mi, since only a few devices work in 10.10.10.1 network. 

After I set it up, I'll let you know if it worked or not .

[TheCynicalCris]

As people have said above, you have to tell Router2 that the subnet on Router2 exists, and how to get packets to it, which can be done via static rules or by setting up RIP. I would just go with static rules for this simple setup, routing protocols are really only needed when things can change often or there are multiple routes possible and you want the network to handle a device going down.

It sounds like Router2 is a member of Router1's network, like it's "WAN" or outside IP would be 10.10.10.2. If that's the case, you may want to look at disabling NAT on Router2. I think OpenWRT can do that, but I'm really not sure if eo and how to do it.

What are some advantages and disadvantages of disabling NAT vs. Static routes?

[APasz]

I just want to clear something up. Why do you want 2 sub-nets in the first place?

The reason someone would want to create sub-nets is to prevent anything from interacting across those sub-nets.

[unijab]

I just want to clear something up. Why do you want 2 sub-nets in the first place?

The reason someone would want to create sub-nets is to prevent anything from interacting across those sub-nets.

 

Reduce broadcast domains.

Collect similar purpose things on same nets.

Security reasons, including a DMZ.

[TheCynicalCris]

Reduce broadcast domains.

Collect similar purpose things on same nets.

Security reasons, including a DMZ.

Exactly. First network is for a system of IP cameras monitoring property and couple of servers. Second network is a normal home WiFi. 

 

That's the main reason for separation of those networks. 

[TheCynicalCris]

 

 

 

Both of them needs RIPv2. If you want to do static routing, just setup the following:

 

 

PC1 belongs to subnet1(10.10.10.0); PC2 belongs to subnet2 (10.20.10.0)

[LAN:x.x.x.x] and [WAN:x.x.x.x] indicates what port on that router and what IP that port is assigned.

PC1 10.10.10.2-----------[LAN:10.10.10.1] Router1 [WAN:192.168.1.1]------------[WAN:192.168.1.2] Router2 [LAN:10.20.10.1]---------- 10.20.10.2 PC2

config on Router1

# uci add network route# uci set network.@route[-1].interface=lan# uci set network.@route[-1].target=10.20.10.0# uci set network.@route[-1].netmask=255.255.255.0# uci set network.@route[-1].gateway=192.168.1.2# uci commit network

config on Router2

# uci add network route# uci set network.@route[-1].interface=lan# uci set network.@route[-1].target=10.10.10.0# uci set network.@route[-1].netmask=255.255.255.0# uci set network.@route[-1].gateway=192.168.1.1# uci commit network

Not entirely sure if that's the correct syntax for it; I was remembering the iOS commands for Cisco and I'm a little bit rusty on it now.

 

Basically, Router1 is configured to point to Router2's IP (facing Router1) whenever someone asks for an IP from 10.20.10.0/24 network.

For the line to/from the Internet, you'll need to decide which router will be connected to it. Either Router1 or Router2. That is to assume those routers can different network for each interfaces.

 

I got the commands from here: https://forum.openwrt.org/viewtopic.php?id=16962

Just skimmed it so commands might be wrong, but the logic for static route is right.

 

 

Following your advice I've edited the network config file, but still no changes. 

 

Router 1 (connected directly to the internet):

 

/etc/config/network

config route                              option interface 'lan'        option netmask '255.255.255.0'        option gateway '10.10.10.1'        option target '10.20.20.0'

IPv4 WAN Status:

Type: dhcpAddress: 10.5.5.2Netmask: 255.255.255.0Gateway: 10.5.5.1DNS 1: 192.168.0.1DNS 2: 192.168.0.2Connected: 52d 2h 5m 37s

Router 2 (connected to router 1):

 

/etc/config/network

config route                                  option interface 'lan'                option netmask '255.255.255.0'        option gateway '10.5.5.1'         option target '10.10.10.0'

IPv4 WAN Status:

Type: dhcpAddress: 10.10.10.226Netmask: 255.255.255.0Gateway: 10.10.10.1DNS 1: 10.10.10.1Connected: 19d 22h 37m 0s

Any ideas?

[MeshFile]

Following your advice I've edited the network config file, but still no changes. 

 

Router 1 (connected directly to the internet):

 

/etc/config/network

config route                              option interface 'lan'        option netmask '255.255.255.0'        option gateway '10.10.10.1'        option target '10.20.20.0'

IPv4 WAN Status:

Type: dhcpAddress: 10.5.5.2Netmask: 255.255.255.0Gateway: 10.5.5.1DNS 1: 192.168.0.1DNS 2: 192.168.0.2Connected: 52d 2h 5m 37s

Router 2 (connected to router 1):

 

/etc/config/network

config route                                  option interface 'lan'                option netmask '255.255.255.0'        option gateway '10.5.5.1'         option target '10.10.10.0'

IPv4 WAN Status:

Type: dhcpAddress: 10.10.10.226Netmask: 255.255.255.0Gateway: 10.10.10.1DNS 1: 10.10.10.1Connected: 19d 22h 37m 0s

Any ideas?

You need to draw first your network connection as the one I've drawn for you assumes the routers are connected via their WAN ports (or acting like one like setting one interface to a different network; not sure what wording openWRT has for that option).

 

The one on the left is the network I've drawn. If your network is on the right one, say so. I won't put on the time giving you configurations on the right one if there's a chance that's not it.

Circle with colors represent a network. Different colors means they are of different network.

[APasz]

Exactly. First network is for a system of IP cameras monitoring property and couple of servers. Second network is a normal home WiFi. 

 

That's the main reason for separation of those networks. 

Ok, I see now. In future please mention all things you have attached to the network.

[TheCynicalCris]

I hope that it clarifies the situations a lil bit =).

[leadeater]

I hope that it clarifies the situations a lil bit =).

 

Fairly sure this has been mentioned but to get proper interaction between the two networks if that is desired is to disable NAT on Router 2 and then setup routes on Router 1 for 10.20.20.x network using gateway 10.10.10.126 and Router 2 for 10.10.10.x using gateway 10.10.10.1.

 

You can leave NAT on for Router 2 and use port forwarding if devices on 10.10.10.x network need access to only a few devices on 10.20.20.x but double NAT is never a good idea if it can be avoided. You can just use ACL's for security if you are concerned about devices on 10.10.10.x accessing the other network. 

[TheCynicalCris]

How to easly disable NAT on OpenWRT router?

[leadeater]

How to easly disable NAT on OpenWRT router?

 

For the zone configuration for wan set the following option:

option masq 0

 

Since you are also wanting security you can also set the following option to enable stateful firewall:

option conntrack        1

 

I'm no OpenWRT expert since I don't use it, but if you want to research this a bit more in linux and OpenWRT (iptables) NAT is called masquerade. Someone else may also chime in who actually uses OpenWRT with some good advice also.

[TheCynicalCris]

For the zone configuration for wan set the following option:

option masq 0

 

Since you are also wanting security you can also set the following option to enable stateful firewall:

option conntrack        1

 

I'm no OpenWRT expert since I don't use it, but if you want to research this a bit more in linux and OpenWRT (iptables) NAT is called masquerade. Someone else may also chime in who actually uses OpenWRT with some good advice also.

After adding:

option masq '0'

to /etc/config/network (wan section) and reboot exactly nothing happened. Still no ping to 10.20.20.1 from 10.10.10.1

[TheCynicalCris]

For now, there's a device on 10.10.10.125 that needs to freely communicate with devices in 10.20.20.1 and vice versa. There's no physical way to connect it to the other network.

If there's any way to do that I'd be real happy.

[leadeater]

After adding:

option masq '0'

to /etc/config/network (wan section) and reboot exactly nothing happened. Still no ping to 10.20.20.1 from 10.10.10.1

 

That'll turn off NAT but you will still need to make sure the routing between the two routers is setup else they will not know how to deliver traffic destined to the other IP Range/Network. Until that is setup and working you won't be able to do any further configuration and testing.

 

If you are sure you have setup the router post the output from one of the computers in the 10.10.10.x network for 'tracert 10.20.20.1'.