Static Routes Query - Masquerade Route Checkbox

Author Message
omorgan
DD-WRT Novice


Joined: 27 Jan 2020
Posts: 2

PostPosted: Tue Jan 28, 2020 0:46    Post subject: Static Routes Query - Masquerade Route Checkbox
Hi Everyone,

Sorry this will be slightly verbose, and may seem OT at first, but I need help ruling out potential problems which involve my home router (Netgear WNDR3700 V4, DD-WRT version: v3.0-r40559 std (08/06/19)).

I'm configuring a Netgear GSM7352sv2 ProSAFE 48+4 Gigabit Ethernet L3 Managed Switch for a remote deployment in a volunteer organisation (I'm donating the equipment). I have done the majority of the configuration with multiple VLANs etc. I have followed this example for configuring inter-VLAN routing, but have not set up any ACLs (yet): https://kb.netgear.com/30818/How-to-configure-routing-VLANs-on-a-NETGEAR-managed-switch-with-shared-internet-access

My issue relates to the static routes on the gateway (in my case, my home dd-wrt router). I can only seem to get internet access (the aim of setting the static routes) when I check the 'Masquerade Route (NAT)' checkbox under the "Advanced Routing" tab.

My issue is, I have no idea really what that checkbox does, and why the system works as intended when it's checked. I have no idea if that is just a quirk of DD-WRT, or if fundamentally there is a misconfiguration in the switch that means it only works when that checkbox is checked...

You may ask why it matters if the checkbox works? Fair question. The issue is, when I go to deploy the switch, I will only have a short 2hr window, and everything MUST work before I leave, AND (the crucial part) the gateway device at the place of deployment is a Draytek Vigor 2830, owned and operated by a 3rd party business (who are doing me a favour or two by configuring the static routes I request, as we have 0 access to the admin GUI). That is to say, I need to know it will work before attempting to deploy the switch. And I just have this looming question over my head as to whether the issues I'm seeing are my fault with the switch config (in which case I will head over to more appropriate forums to solve them) or a quirk of DD-WRT that can be safely ignored. (A quick look at the Draytek manual shows no 'similar' options when setting up static routes through the web GUI.)


Sorry if that makes no sense; I'm more than willing to answer any questions to clear it all up.

Owen.
servicetech
DD-WRT User


Joined: 26 Jun 2019
Posts: 377

PostPosted: Tue Jan 28, 2020 11:47    Post subject: Re: Static Routes Query - Masquerade Route Checkbox
omorgan wrote:
Hi Everyone,

...
My issue relates to the static routes on the gateway (in my case, my home dd-wrt router). I can only seem to get internet access (the aim of setting the static routes) when I check the 'Masquerade Route (NAT)' checkbox under the "Advanced Routing" tab.

My issue is, I have no idea really what that checkbox does, and why the system works as intended when its checked. I have no idea if that is just a quirk of DD-WRT, or if fundamentally there is a misconfiguration in the switch that means it only works when that checkbox is checked...


Owen.


You have configured your dd-wrt device as a gateway, that means an official Internet IPv4 address on the WAN connection and a private IP range on the LAN/WLAN connections.

In any case, with IPv4 internet on the WAN and private IP addresses (excluded from routing on the internet routers) on the LAN/WLAN, you need network address translation/masquerading running on the gateway device, which translates private packets into internet-routable packets.

The combination of NAT/Masquerade and the default 0.0.0.0 netmask route pointing to the WAN interface on the gateway establishes the connection between a client and internet destinations.

If the dd-wrt is the internet gateway at home you need NAT and additional routes to all additional private networks connected to LAN ports.

If you add new private networks with the switch you need access to the routing on the Draytek, or do NAT on the switch port that is connected to the Draytek. Then you have a chain with two NATs (one on the Draytek and one on the switch); you should avoid this.

At home it must be possible with NAT on the dd-wrt and without NAT on the switch; just use routing between switch and dd-wrt on the private networks. As egc says, with dd-wrt you need to enable the NAT on the additional routes to the switch's 172.x and 10.x subnets. Without it, I expect you are restricted to private LAN destinations.

Your routing table looks wrong to me.

I assume 192.168.1.1 is your dd-wrt, the 172.x.x.x and 10.x.x.x networks are on the switch, and the switch uplink is 192.168.1.58?
The routes to the 172 and 10 networks should point to the LAN interfaces, not ANY (which includes the WLAN and ppp0!).

The switch needs at least routing entries for the 172. and 10. networks, the 192.168.1.0/24 network on the uplink, and for every other destination the default route to 192.168.1.1 (dd-wrt) on the uplink interface.

Is the 192.168.1.58 switch uplink outside the client DHCP range and manually configured? Make sure that at least ONE port on the switch is statically configured for GUI access (emergency access if something goes bad).

With the Draytek it is another challenge, depending on the ability to add (static) routes if the private network layout at the destination is now different after the new switch installation, on getting the uplink running, and on how the Draytek handles the NAT.


Last edited by servicetech on Tue Jan 28, 2020 15:43; edited 8 times in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Tue Jan 28, 2020 13:00    Post subject:
In addition to @Servicetech's excellent explanation, the "problem" arises as DDWRT only NATs its own subnet by default (NAT out on the WAN interface, that is).

So any other subnet has to be NATted/MASQUERADEd, and that is what the checkbox does.

A lot of stock firmwares and other firmwares NAT everything out, but DDWRT is right in its settings (be as specific as possible so as not to create unwanted holes).

Setting ANY will work but is not in line with my former remark, so indeed you should set it to LAN as @Servicetech already mentioned.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
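The point both servicetech and egc make above (the gateway masquerades only its own LAN subnet by default, so routed 172.x/10.x traffic leaves the WAN with a private source address unless NAT is enabled for those routes) can be verified on the router itself from `iptables -t nat -S POSTROUTING`. The check below is an added example, not code from the thread or from DD-WRT; the sample rule lines, the WAN interface name `vlan2` and the form of the rules the checkbox generates are assumptions.

```python
"""Check which routed subnets a gateway will masquerade on its WAN interface,
by parsing `iptables -t nat -S POSTROUTING` output (sample lines constructed here)."""
import ipaddress
import re

# Constructed sample shaped like `iptables -t nat -S POSTROUTING` on a gateway whose
# own LAN is 192.168.1.0/24 and whose WAN interface is vlan2 (assumed name).
DEFAULT_RULES = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -o vlan2 -j MASQUERADE
"""

# The same table after enabling "Masquerade Route (NAT)" on the two static routes.
# Assumed form of the generated rules; the thread does not show the exact rule text.
WITH_ROUTE_MASQ = DEFAULT_RULES + """\
-A POSTROUTING -s 172.16.0.0/16 -o vlan2 -j MASQUERADE
-A POSTROUTING -s 10.10.0.0/16 -o vlan2 -j MASQUERADE
"""

RULE_RE = re.compile(r"^-A POSTROUTING(?: -s (\S+))?(?: -o (\S+))? -j MASQUERADE$")


def masquerade_rules(rules_text):
    """Return (source_network, out_iface) per MASQUERADE rule; None means unrestricted."""
    found = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            src = ipaddress.ip_network(m.group(1)) if m.group(1) else None
            found.append((src, m.group(2)))
    return found


def is_masqueraded(rules_text, src_ip, out_iface):
    """First-match evaluation: is a packet from src_ip leaving out_iface masqueraded?"""
    ip = ipaddress.ip_address(src_ip)
    for src_net, iface in masquerade_rules(rules_text):
        if (src_net is None or ip in src_net) and (iface is None or iface == out_iface):
            return True
    return False


def unmasqueraded_subnets(rules_text, subnets, wan_iface):
    """Routed subnets whose hosts would exit wan_iface with a private source address."""
    return [s for s in subnets
            if not is_masqueraded(rules_text, str(ipaddress.ip_network(s)[1]), wan_iface)]


if __name__ == "__main__":
    switch_nets = ["172.16.0.0/16", "10.10.0.0/16"]
    print("default rules, not NATted:", unmasqueraded_subnets(DEFAULT_RULES, switch_nets, "vlan2"))
    print("with route NAT, not NATted:", unmasqueraded_subnets(WITH_ROUTE_MASQ, switch_nets, "vlan2"))
```

On a live router, feed the real `iptables -t nat -S POSTROUTING` output into `unmasqueraded_subnets()` with the switch subnets and the actual WAN interface; an empty list means every routed subnet is covered.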
omorgan
DD-WRT Novice


Joined: 27 Jan 2020
Posts: 2

PostPosted: Tue Jan 28, 2020 19:51    Post subject:
Thank you for your highly, highly informative responses!!! Genuinely, thanks!

You are correct to surmise that 192.168.1.x is my ddwrt gateway, 192.168.1.58 is the interface to the switch (statically set via the Netgear switch) and 172... and 10... are the networks on the switch.

I did add the default route on the switch to point 0.0.0.0 to 192.168.1.1.

I am now of the opinion that, barring huge surprises, it will all work as intended. Thank you!!

It was one of those where either the switch config was the issue, or the ddwrt config; if the latter (which to me it seems) it could be ignored, if the former, then not so, and I just couldn't work out which!!!

I have a port set up for a separate management VLAN, so will always be able to access that should things go awry!

Thank you!

Owen.
All times are GMT