Linking Subnets with Static Routes

From DD-WRT Wiki


Introduction

This guide explains how to link different subnets together using static routes, so that traffic destined for a subnet behind another router is forwarded to that router. I will avoid going into too much detail about subnetting in general, though I will say that subnets bring benefits such as reduced network traffic (fewer broadcast frames) and better access control between hosts. One important thing to note for those unfamiliar is that linking subnets is called routing, and the interfaces you use must be unbridged to do it correctly.

Creating the Subnets

There are many ways to create subnets within DD-WRT. By default only the WAN port is unbridged while the LAN switch (which is a hardware bridge) and wireless interfaces are software bridged together.

Ways to create additional subnets include:

  • Set the wireless interface to 'Unbridged'
  • Configure VLANs if your switch supports them
  • Add a virtual interface (alias) to an existing interface. This is poor design, but it can work around hardware limitations such as switches without VLAN support:
ifconfig eth0:1 [NEW SUBNET ROUTER IP] netmask [NETMASK] broadcast [BROADCAST]

Baseline Reference Example

Now let's say you have three routers connected together. Router1's WAN port is connected to the internet which makes it the gateway of your entire LAN, and Router2 and Router3 have their WAN ports connected to Router1's LAN ports. Router2 and/or Router3 could also be using Client or Repeater mode (not bridged!).


Image:Static_Routes_1.png


By default all of these routers operate in 'Gateway' routing mode, meaning they perform Network Address Translation (NAT), which hides their LAN subnet addresses from their WAN side. Because each router has an interface connected to the 192.168.1.0/24 subnet, they all have routes to this subnet. However, Router1 doesn't have a route to 192.168.2.0/24 or 192.168.3.0/24, Router2 doesn't have a route to 192.168.3.0/24, and Router3 doesn't have a route to 192.168.2.0/24.

Configuring the Static Routes

For this particular topology only Router1 needs static routes: Router2 and Router3 already have default routes pointing at Router1, so they forward traffic for any subnet they don't explicitly know to Router1, which then needs to know where 192.168.2.0/24 and 192.168.3.0/24 live.
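To make the reasoning above concrete, here is an added example (not code from the DD-WRT wiki) that models the three routers' routing tables with longest-prefix-match lookups and follows the next hops, with and without the two static routes on Router1. Router2's and Router3's WAN addresses (192.168.1.2 and 192.168.1.3) and the ISP gateway 203.0.113.1 are constructed values the page does not give.

```python
# Added example, not from the DD-WRT wiki: a model of the page's three-router topology
# with longest-prefix-match lookups. Router2/Router3 WAN addresses (192.168.1.2/.3)
# and the ISP gateway 203.0.113.1 are constructed values not given on the page.
import ipaddress

def make_router(name, addresses, routes):
    """routes = [(prefix, next_hop)]; next_hop None means directly connected."""
    return {"name": name, "addresses": {ipaddress.ip_address(a) for a in addresses},
            "routes": [(ipaddress.ip_network(p), nh and ipaddress.ip_address(nh))
                       for p, nh in routes]}

def lookup(router, dst):
    """Most specific matching route wins; 0.0.0.0/0 only when nothing better exists."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, nh in router["routes"]:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def trace(routers, start, dst):
    """Follow next hops from router `start`; returns (routers visited, outcome)."""
    by_addr = {a: r for r in routers.values() for a in r["addresses"]}
    path, cur = [], routers[start]
    while cur["name"] not in path:
        path.append(cur["name"])
        match = lookup(cur, dst)
        if match is None:
            return path, "no route"
        if match[1] is None:
            return path, "delivered"            # dst is on a connected subnet
        if match[1] not in by_addr:             # default route to the ISP: traffic leaks upstream
            return path, "leaves model via %s" % match[1]
        cur = by_addr[match[1]]
    return path, "loop"

def build_topology(router1_static_routes=False):
    """Baseline: each router knows 192.168.1.0/24, its own LAN, and a default route."""
    r1 = [("192.168.1.0/24", None), ("0.0.0.0/0", "203.0.113.1")]
    if router1_static_routes:  # the two routes the page adds on Router1
        r1 += [("192.168.2.0/24", "192.168.1.2"), ("192.168.3.0/24", "192.168.1.3")]
    r2 = [("192.168.1.0/24", None), ("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.1.1")]
    r3 = [("192.168.1.0/24", None), ("192.168.3.0/24", None), ("0.0.0.0/0", "192.168.1.1")]
    return {"Router1": make_router("Router1", ["192.168.1.1", "203.0.113.2"], r1),
            "Router2": make_router("Router2", ["192.168.1.2", "192.168.2.1"], r2),
            "Router3": make_router("Router3", ["192.168.1.3", "192.168.3.1"], r3)}

if __name__ == "__main__":
    for static in (False, True):
        print("Router1 static routes:", static, trace(build_topology(static), "Router2", "192.168.3.20"))
```

Without the static routes, a packet from Router2's LAN to 192.168.3.20 follows the default routes up to Router1 and then out toward the ISP; with them, Router1 hands it to Router3, which delivers it locally.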

The static routes should be configured with:

  • Destination LAN NET - The remote subnet that you are creating the route for.
  • Subnet Mask - The subnet mask of the remote subnet. Typically a Class C subnet mask of 255.255.255.0 is used, which in slash notation is /24 as used in the diagram above.
  • Gateway - This must be set to the IP address of the next hop to the destination subnet which in this case is the WAN IP of Router2 and Router3. In networks with more devices the next hop may not be the device that is directly connected to the subnet.
  • Interface - This must be set to the interface that the next hop is connected to. For this example, Router2 and Router3 are connected to the LAN/WLAN (br0) interface of Router1.


Configure Router1 with the following information:


Image:Static_Routes_2.png

Image:Static_Routes_3.png


With the routes configured it is now safe to disable NAT on Router2 and Router3 by switching their Operating Mode from 'Gateway' to 'Router' on the Setup->Advanced Routing page.

You will also need iptables commands to let traffic through the firewalls of Router2 and Router3 so that hosts on the subnets can communicate fully. These commands must be saved to your firewall script on the Administration->Commands page so they survive a reboot; the -I flag inserts each rule at the top of the FORWARD chain, ahead of DD-WRT's own rules. Here are a few examples of how you might choose to do so; pick the rules for the router in question rather than applying all of them.

# Allow everything to be forwarded through the router (simple but do not use on routers directly connected to the internet)
iptables -I FORWARD -j ACCEPT
# Allow Router2 to forward traffic from Router1 and Router3's subnets
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -s 192.168.3.0/24 -j ACCEPT
# Allow Router3 to forward traffic from Router1 and Router2's subnets
iptables -I FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -s 192.168.2.0/24 -j ACCEPT
# Allow the entire 192.168.0.0/16 block to be forwarded through the router
iptables -I FORWARD -s 192.168.0.0/16 -j ACCEPT

Wrapping Up

If you've configured the routes and firewalls correctly then you should now be able to communicate with devices throughout your network without having to rely on bridging. If you have software firewalls running on your PCs then you will need to configure or disable them to allow connections from other subnets.

If you want devices to appear in Network Neighborhood on Windows then you need to set up a WINS server and configure your DHCP servers to advertise it.