Network config (ISP router + external router)

patou75
DD-WRT Novice


Joined: 02 Feb 2018
Posts: 13

Posted: Mon Feb 19, 2018 13:15    Post subject: Network config (ISP router + external router)
Hi,

If anyone can help me... I have searched for about 2 weeks but can't resolve it on my own :(

I bought a router (Archer C7 v2 on DD-WRT 02-12-2018-r34929) for better Wi-Fi coverage, firewall and to get OpenVPN.

My ISP is a combo modem/router. For now I've got Internet access on both but they do not communicate (can't see my ISP connected devices on DD WRT and vice versa).

My config :

ISP router LAN----WAN External router

I've got devices connected on my ISP router (ethernet), Wi-Fi disabled on it, DHCP enabled.

I've got devices connected on my external router (through Wi-Fi only), DHCP enabled


IP ISP router : 192.168.0.X
IP External router (LAN config) : 192.1.X

On my ISP router I set the external on static IP : 192.168.10 (connected on LAN port) + DMZ for the same IP. On DD WRT interface WAN config is "automatic". Archer C7 gets the ISP router's IP (192.168.0.10), then on LAN Config I set 192.168.1.X.

If I disable DHCP on the external router I don't have Internet access. If I enable it I've got it. But they are not on the same network.


How can I make both networks communicate ? For instance I've got an android box on my ISP router (ethernet) and I can't cast anything from my smartphone (Wi-Fi via external router) because DD WRT can't see it. Also I want to be able to activate VPN on DD WRT and get the VPN connection on my ISP router (for my android box + SMART TV via ethernet)


Can anyone help me with this :/ ?


Thanks !!
patou75
Posted: Mon Feb 19, 2018 16:15
Thanks for your response !

I think this is a DNS issue because on my smartphone I can see the DNS and it shows 192.168.1.1 which is the LAN IP of the Archer.

Do I need to make a static route ? My ISP router does not allow this
patou75
Posted: Mon Feb 19, 2018 17:22
Ok so I ping from the external network (192.168.1.X) to a device from ISP router (192.168.0.X)

All seems fine

Edit : ping from external to ISP router seems fine but from ISP router to external does not work.

On Windows cmd it says

respond of 192.168.0.254 (my ISP router) : Destination host unreachable
patou75
Posted: Mon Feb 19, 2018 18:01
Added the following line on the second router (Archer C7 on DD-WRT), still can't see devices from my primary router.

Tested a ping to 8.8.8.8 or 8.8.4.4 from a 192.168.1.X device, it says :

respond of 192.168.1.1 (LAN IP adress of second router) : Destination host unreachable

However if I ping a Google IP address (216.58.209.67) all went ok

Edit : that is normal I blocked it in dd wrt to make my chromecast work. Deleted it and ping is ok from 192.168.1.X to 8.8.8.8 or 8.8.4.4 but still can't see primary router's devices
patou75
Posted: Mon Feb 19, 2018 18:31
Yes sorry :) I edited my post after I saw I didn't specify precisely which IP.

I added

no-resolv
server=8.8.8.8
server=8.8.4.4

to Additional DNSMasq Options

Ping From 192.168.1.X or 192.168.0.X to 8.8.8.8 and 8.8.4.4 (and 216.58.209.67) worked.

But still can't view my ISP router's connected devices
patou75
Posted: Mon Feb 19, 2018 19:28
Yes from 192.168.1.X


Here you go, the result :

Code:
bridge name   bridge id      STP enabled   interfaces
br0      8000.18d6c7fa010b   no      eth1
                     ath1
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2389  259K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1194
    0     0 ACCEPT     0    --  tun2   *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 DROP       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.168.1.1         tcp dpt:22
    2   124 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       2    --  *      *       0.0.0.0/0            0.0.0.0/0           
    4   240 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW
 2285  395K ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
  882 64748 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 5713  545K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     47   --  *      eth0    192.168.1.0/24       0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      eth0    192.168.1.0/24       0.0.0.0/0           tcp dpt:1723
    0     0 ACCEPT     0    --  tun2   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  *      tun2    0.0.0.0/0            0.0.0.0/0           
 1865  308K lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.59        udp dpt:62809
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.59        udp dpt:65302
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.19        udp dpt:49735
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.19        udp dpt:53530
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.109       udp dpt:53530
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.19        udp dpt:54849
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.19        udp dpt:65112
    0     0 TRIGGER    0    --  eth0   br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
 1865  308K trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           
 1729  301K ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
  136  6964 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           
Chain OUTPUT (policy ACCEPT 5408 packets, 2389K bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_1 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_10 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_2 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_3 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_4 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_5 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_6 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_7 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_8 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain advgrp_9 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_1 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_10 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_2 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_3 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_4 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_5 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_6 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_7 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_8 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain grp_9 (0 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain lan2wan (1 references)
 pkts bytes target     prot opt in     out     source               destination         
Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           
Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           
Chain logreject (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
Chain trigger_out (1 references)
 pkts bytes target     prot opt in     out     source               destination         
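
One way to read the packet counters in a listing like the one posted above, as an added example that is not part of the original thread: it parses `iptables -vnL` text and reports the DROP/REJECT rules that have actually matched traffic. The sample is an excerpt of the posted INPUT and FORWARD chains; the function names are illustrative.

```python
import re

# Excerpt of the `iptables -vnL` listing from the post above (INPUT and
# FORWARD chains, trimmed to a few rules; counters as posted).
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2389  259K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 DROP       udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
    2   124 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0
 2285  395K ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
  882 64748 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 5713  545K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 1865  308K lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0
  136  6964 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Without -x, iptables abbreviates large counters with decimal suffixes.
SUFFIX = {"K": 1000, "M": 1000**2, "G": 1000**3}


def to_int(text):
    """Convert a counter such as '259K' to an approximate integer."""
    if text[-1] in SUFFIX:
        return int(text[:-1]) * SUFFIX[text[-1]]
    return int(text)


def parse(listing):
    """Yield one dict per rule line of an `iptables -vnL` listing."""
    chain = None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) ", line)
        if m:                      # "Chain INPUT (policy ...)" starts a new chain
            chain = m.group(1)
            continue
        f = line.split()
        if len(f) < 9 or f[0] == "pkts":   # skip column headers and blanks
            continue
        yield {"chain": chain, "pkts": to_int(f[0]), "bytes": to_int(f[1]),
               "target": f[2], "proto": f[3], "in": f[5], "out": f[6],
               "src": f[7], "dst": f[8], "extra": " ".join(f[9:])}


def hits(listing, targets=("DROP", "REJECT")):
    """Blocking rules that have matched at least one packet."""
    return [r for r in parse(listing) if r["target"] in targets and r["pkts"] > 0]


if __name__ == "__main__":
    for r in hits(SAMPLE):
        print(f'{r["chain"]:8} {r["pkts"]:>6} pkts  {r["target"]} '
              f'proto={r["proto"]} in={r["in"]} {r["extra"]}')
```

On the posted listing this singles out the ICMP drop on `eth0` (the interface outside the `br0` bridge) and the catch-all DROP rules at the end of INPUT and FORWARD.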
patou75
Posted: Mon Feb 19, 2018 20:21
Yes sorry, noob here, thought I sent you all you requested.
And my bad, I didn't even know OpenVPN server was enabled... Must be by mistake since I only use OpenVPN Client.


Here you go :

ifconfig

http://pasted.co/3c477a4c


brctl show

http://pasted.co/4e914d7c


ip route

http://pasted.co/6447c4e7


iptables -t nat -vnL

http://pasted.co/1c648fcd

iptables -t filter -vnL
http://pasted.co/c75ae9e0


I used OpenVPN (client) but tried everything before using it (untouched router without openvpn, "stock dd wrt") however still with no success so I gave up and dealt with it and configured OpenVPN client...However everything is not ok so want to resolve it. So my config

On ISP Router (IP Address 192.168.0.254, gateway address is the same IP address) : static IP for second router : 192.168.0.10 and DHCP enabled and Wi-Fi disabled

DMZ for this IP address + all TCP and UDP port redirect to this "LAN" Address.

On second router (wired from LAN of ISP router to WAN of it). WAN IP "Automatic DHCP" , LAN IP 192.168.1.1 and DHCP enabled.

What I only changed from stock config is :
- disabled 2,4ghz radio
- Change Wi-Fi restriction for 2,4Ghz and 5ghz to my country
- Change SSID + wireless security (WPA2 Personal)
- enable SSHd on Service menu
- enable SSH management on administration menu

And...that's it ! nothing else !

This is without OpenVPN (ended the same result ---> can't see any devices from the second router (dd wrt) to the primary (isp) or vice versa).


For OpenVPN purpose (NordVPN)

I use this :
from setup-->basic setup


Static DNS 1 = 162.242.211.137
Static DNS 2 = 78.46.223.24
Static DNS 3 = 0.0.0.0 (default)
Use DNSMasq for DHCP = Checked
Use DNSMasq for DNS = Checked
DHCP-Authoritative = Checked

https://nordvpn.com/fr/tutorials/dd-wrt/openvpn-gui/
patou75
Posted: Mon Feb 19, 2018 21:07
So sorry...yes it is 192.168.0.1 ...

Confusing, after X times trying and re-trying (sometimes 192.168.0.10, sometimes 192.168.0.1)


Anyway I confirm on ISP router it is 192.168.0.1


So? Everything seems ok ? What should I have to do ?
patou75
Posted: Mon Feb 19, 2018 22:36
Did what you advised me (disabled SFP + disabled then enabled UPnP).

What is of is that I can access my primary router via its IP address (192.168.0.254) on the "subnet" 192.168.1.X + I have Philips Hue (connected bulb) which requires a "bridge" wired directly to the router. Wired either on the secondary nor the primary router, my Philips Hue android app which can control the bulbs (via smartphone on the 192.168.1.X over WiFi) detects the bridge well.
So second router can and does forward package from the primary but it just can see devices on it...
patou75
Posted: Mon Feb 19, 2018 22:40
If I disabled DHCP server on external router, I can't have internet access (same if I disabled DHCP server on primary router). But if I disabled DHCP on external router and I wire to LAN port (and not WAN) I've got internet and by ISP router see all devices behind external router. But the Archer becomes just a simple switch and I can't have OpenVPN client...(+no true firewall)
patou75
Posted: Tue Feb 20, 2018 8:40
Ok I understand. But with WAP my archer c7 will only be a simple switch right ?

No more firewall, no more OpenVPN Client (for Wi-Fi and upstream device=primary router) on the secondary router.

As I understand I need a static route from primary router in order to "see" all devices connected from my ISP lan port to dd wrt router right ? My ISP router does not allow me this unfortunately.

I want a simple thing : My ISP router will be a simple switch (just androidbox TV + Raspberry Pi + Smart TV connected by ethernet port) and my DD WRT router (secondary router) will be used for Wi-Fi + OpenVPN client + better firewall.

So mostly I will use Wi-Fi but want to cast content on SmartTV (ethernet port from ISP router) from Wi-Fi devices. And mostly use OpenVPN for Wi-Fi devices (for now it works) BUT also to smartTV + Raspberry Pi + androidBox.


Basically since my routers are not on the same subnet (192.168.1.X and 192.168.0.X) I can't cast on TV (192.168.0.X) from Wi-Fi devices (192.168.1.X) because smartphone (Wi-Fi) just can't detect the device (SmartTv) to cast to. It's the same for OpenVPN. All Wi-Fi devices do have VPN but not wired devices.


Am I clear enough ? ^^


What I have right now. Just want to cast or transfer files from Wi-Fi devices to AndroidBox/SmartTV + OpenVPN client on devices wired behind ISP router
patou75
Posted: Tue Feb 20, 2018 16:07
Ok I understand...:/

Well I can't change gateway for specific devices on my ISP router but I can change manually gateway on these devices. So...Will it work ? 192.168.0.X IP address, subnet mask 255.255.255.0 and gateway not 192.168.0.254 (my ISP IP address) but 192.168.1.1 (LAN IP Address of DD WRT router from the LAN Config).


I can change to bridge mode on my ISP Router but I did not do that for the same reason you invoked --> devices are wired on it. So exposed to the Internet if I'm on bridge mode + on bridge mode no IPTV...


I will investigate on Entware and the AVAHI package. With this, am I more exposed to vulnerability ?


If I set a config LAN to LAN port for router, on DD WRT setup page, do I have to disable WAN, change DHCP server to DHCP forwarder and point to my ISP DHCP server ?


Again, thank you for all your help and patience
patou75
Posted: Wed Feb 21, 2018 18:20
eibgrad wrote:

Since the secondary router, even when configured as a WAP, is still capable of routing, you can simply change the default gateway on those devices you want routed over the VPN to the LAN ip of that WAP. If the VPN is up, they get routed over the VPN. If the VPN is down, they get routed over to the WAP's default gateway, which should be the primary router. Just make sure you configure the gateway IP (and DNS server) on the WAP in the LAN settings section, not the WAN. You could (optionally) disable the WAN and assign it back to the LAN since the WAN isn't used in a WAP config anyway.


Thanks for the clarification. So... everything works, LAN to LAN with OpenVPN for devices on ISP router thanks to your message.

Such a pity I bought this router just for WAP (also for OpenVPN which is not available on stock firmware) but no advanced firewall...
Besides, after flashing DD-WRT, Wi-Fi speed decreased because of no hardware NAT :(


Anyway, thank you !