Posted: Thu Jul 23, 2015 13:50 Post subject: Help With LAN --> WAN setup
Guys,
I'm trying to set up a LAN --> WAN, two-router network where the secondary router will act as a physically separate 'guest' network. I've done the LAN --> WAN hookup before and had basic success, i.e. internet access etc. What I'd like to learn is how to set up the routing of traffic between the networks as needed.
What currently happens from my 'default' setup is:
SecTest (secondary router with WAN port connected to the LAN port of the primary)
WAN: 192.168.1.2
LAN: 192.168.2.1
ALL IPs on PrimeTest can ping the SecTest router at 192.168.1.2
NO IPs on PrimeTest can ping any IP on the SecTest network at 192.168.2.x
ALL IPs on SecTest can ping the PrimeTest router at 192.168.1.1
ALL IPs on SecTest can ping ANY IP on the PrimeTest network at 192.168.1.x
Ideally, I'd like to learn how to allow IPs from SecTest to ONLY ping/hit particular IPs on PrimeTest - like a file share for instance. I'd also like to learn how to allow ALL/ANY IPs on PrimeTest to be able to ping/hit ANY IP on SecTest.
I'm hoping to learn if this is possible and to begin to wrap my mind around networking as I want to do CCNA later this year.
Joined: 28 Jun 2011 Posts: 580 Location: Vilnius, Lithuania
Posted: Thu Jul 23, 2015 17:49 Post subject:
I think I can answer the first part of your question
On main router:
Put devices that you don't want to be reached from the second router on 192.168.1.1-126
Put devices that you want to be reached from the second router on 192.168.1.128-254
On second router:
Block all access from secondary router to first router first subnet:
iptables -I FORWARD -d 192.168.1.0/255.255.255.128 -j DROP   # match on the destination: forwarded packets headed for 192.168.1.0-127 are dropped
_________________ [Ramips] Nexx WT3020F Openwrt @kernel #4.14.167 (OpenVPN server, Wireguard server, AD blocking, SQM QOS, USB)
Thanks! Could you walk me through it though? I'm trying to understand so that I can apply, modify, test and learn. This seems to be a matter of subnetting(?) and understanding subnets maybe?
Quote:
On main router:
Put devices that you don't want to be reached from the second router on 192.168.1.1-126
Put devices that you want to be reached from the second router on 192.168.1.128-254
Is it that the higher range by default can be seen without the second bit? I'm thinking no...
Quote:
On second router:
Block all access from secondary router to first router first subnet:
iptables -I FORWARD -d 192.168.1.0/255.255.255.128 -j DROP   # match on the destination: forwarded packets headed for 192.168.1.0-127 are dropped
Is the 192.168.1.0 the broadcast(?)(all IPs) of my primary network a la 192.168.1.x? Does 255.255.255.128 qualify the traffic 'dropped' from 192.168.1.1 to 192.168.1.126?
Sorry if this is overbearing. Please let me know if me reading up on subnets will be any benefit.
Posted: Thu Jul 23, 2015 18:28 Post subject:
Thing is, if you make a real /25 mask on your main router you won't be able to communicate between those subnets. So leave it /24.
Correct. If you do 255.255.255.128, traffic is 'dropped' from 192.168.1.1 to 192.168.1.126
If you would do:
iptables -I FORWARD -d 192.168.1.128/255.255.255.128 -j DROP   # match on the destination: forwarded packets headed for 192.168.1.128-255 are dropped
Traffic is 'dropped' from 192.168.1.128 to 192.168.1.254
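To make the two replies above concrete (the half/half split of 192.168.1.0/24 in the first reply, and the meaning of a 255.255.255.128 mask in the second), here is an added example that is not code from the thread or from any of its posters. It does the same arithmetic iptables does when it evaluates a -s or -d match, prints exactly which addresses a /25 covers, and builds the guest router's FORWARD policy around that match. The following are assumptions, not facts from the thread: the primary LAN is 192.168.1.0/24, the guest LAN behind the secondary router is 192.168.2.0/24, the secondary router's LAN bridge is named br-lan (OpenWrt's default), the custom chain name guest_fwd is made up, and on OpenWrt the generated commands belong in /etc/firewall.user so the firewall service re-applies them after it rebuilds its own chains.

```sh
#!/bin/sh
# Added example, not code from the thread: the subnet math behind a
# 192.168.1.0/255.255.255.128 match, and a FORWARD policy for the
# secondary ("guest") router built around it.
# Assumptions (not stated in the thread): primary LAN 192.168.1.0/24,
# guest LAN 192.168.2.0/24, guest router's LAN bridge br-lan (OpenWrt
# default), rules kept in /etc/firewall.user on OpenWrt.

# ip2int DOTTED -> the address as a 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip INT -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_of 25 | mask_of 255.255.255.128 -> the mask as an integer.
# Both spellings mean the same thing: the top 25 bits are fixed, the low 7 vary.
mask_of() {
    case $1 in
        *.*) ip2int "$1" ;;
        *)   echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )) ;;
    esac
}

# in_subnet IP NET/MASK -> prints yes or no. This is the test iptables
# performs for -s/-d: (address AND mask) == (network AND mask).
in_subnet() {
    net=${2%/*}; m=$(mask_of "${2#*/}")
    if [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$net") & m )) ]; then
        echo yes; return 0
    fi
    echo no; return 1
}

# subnet_range NET/MASK -> "first last" address the match covers.
# 192.168.1.0/25 covers .0 through .127: the usable hosts .1-.126 plus the
# .0 and .127 ends, so the match is slightly wider than "1 to 126".
subnet_range() {
    net=${1%/*}; m=$(mask_of "${1#*/}")
    first=$(( $(ip2int "$net") & m ))
    last=$(( first | (~m & 0xFFFFFFFF) ))
    echo "$(int2ip "$first") $(int2ip "$last")"
}

PRIMARY_LAN=192.168.1.0/24
GUEST_LAN=192.168.2.0/24
PRIVATE_HALF=192.168.1.0/25   # lower half: devices the guest side must not reach
GUEST_IF=br-lan               # assumed guest-router LAN bridge name

# guest_forward_rules -> prints the iptables commands for the guest router.
# - the match is on the destination (-d): the goal is to stop guest clients
#   reaching those addresses, not to drop packets that come from them
# - packets of already-established connections are accepted first, so if the
#   primary side is ever given a route into the guest LAN (the second half of
#   the question), replies from guest hosts back to the lower half still pass
# - the jump is scoped to the guest interface and subnet and inserted at
#   position 1 so it runs ahead of the firewall's own zone rules
guest_forward_rules() {
    cat <<EOF
iptables -N guest_fwd 2>/dev/null || iptables -F guest_fwd
iptables -A guest_fwd -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A guest_fwd -d $PRIVATE_HALF -j DROP
iptables -D FORWARD -i $GUEST_IF -s $GUEST_LAN -j guest_fwd 2>/dev/null
iptables -I FORWARD 1 -i $GUEST_IF -s $GUEST_LAN -j guest_fwd
EOF
}

case ${1:-show} in
    apply) guest_forward_rules | sh ;;        # run as root on the guest router
    show)  echo "# $PRIVATE_HALF covers $(subnet_range "$PRIVATE_HALF")"
           guest_forward_rules ;;
esac
```

Run it with `show` to review the rule lines and the exact address range the /25 covers, and with `apply` as root on the secondary router. Because the DROP is unconditional on protocol it also stops ICMP, so the ping tests described in the thread will show 192.168.1.1-126 unreachable from the guest side and 192.168.1.128-254 reachable. The primary router's own address 192.168.1.1 sits in the dropped half, which also keeps guest clients away from its admin interface; DNS and other traffic the guest router originates itself towards 192.168.1.1 is unaffected, since router-originated packets pass through OUTPUT rather than FORWARD.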