Hi fellow LQers,

Problem Summary:
- Linksys WRT54G dd-wrt NOT able to route when in Router mode

Env:
- Linksys WRT54G running dd-wrt v24 firmware
- LAN Subnet: 10.0.0.0/8
- WAN Subnet: 172.16.0.0/16
- Linux FC13 configured as a IPv4 router
- LAN 172.16.0.0/16
- WAN ISP/Public IP

Setup:
wired/wireless client -> Linksys WRT54G -> Linux FC13 router -> Internet

Problem Details:
When I have the dd-wrt configured as a 'Gateway' (ie: NAT), all-is-well. That is my client is able to "talk" to other computers on the LAN as well as the Internet. However, when I change the operating mode to 'Router', I run into the following problem:
- client is no longer able to communicate to the Internet
- client is no longer able to communicate to other computers on the LAN
- client is ONLY able to ping the LAN & WAN IPs of the Linksys DDWRT
- However, I am able to ping LAN computers & ping public/internet hosts if I SSH into the ddwrt itself.

Analysis:
- Linksys/dd-wrt box itself has LAN & internet connectivity
- Wired and Wireless clients connecting to the Linksys/dd-wrt do *not* have the LAN or the Internet connectivity

Troubleshooting done so far:
- When changing Operating mode (ie: Gateway<->Router), the routing
table on dd-wrt, as expected, do not change.
Here is the routing table just in case its of any interest:
192.168.66.2 255.255.255.255 0.0.0.0 tun0
192.168.66.0 255.255.255.0 192.168.66.2 tun0
172.16.0.0 255.255.0.0 0.0.0.0 WAN
169.254.0.0 255.255.0.0 0.0.0.0 LAN & WLAN
10.0.0.0 255.0.0.0 0.0.0.0 LAN & WLAN
0.0.0.0 0.0.0.0 172.16.150.254 WAN
------------------------

Since I need inbound connectivity to the hosts connected to the LAN interface of the Linksys/dd-wrt, I need to have the Linksys/dd-wrt
configured as a Router and not as a Gateway. Any help/suggestion would be greatly appreciated.

-itsecx

Hi, Welcome to LQ. First, I'd suggest not using your email address in your user name.

Second, did you disable DHCP on one of the devices? Have you tried AP mode on the DD-WRT router? Perhaps I'm misunderstanding something?

Good luck. ;-)

I don't understand why you can't have inbound access in gateway mode? I have a vpn via openVPN and I occasionally host a web server with apache from behind my dd-wrt router in gateway mode. According to the configuration page:So do you have another router? It would seem from that quote that routing is disabled when in router mode. Maybe I'm missing something in your setup?

Thanks for responding, @peacedog.

It doesn't look like I can now change/edit the username to something other than what is currently setup.

I'm guessing you're referring to the Linksys and the Linux box as the two devices. No, I have not disabled DHCP on either devices as I need DHCP services on both (ie: need dhcp for the local clients (lan) that connect to the linksys. The linux box also needs a dhcp server as it distributes IP to the clients on its subnet. Note, both devices are on a separate subnets and there's one/unique DHCP server for each subnet.

Finally, there's no "AP" mode. There's a Gateway mode, a Router (static) mode, and RIP (dynamic routing) mode.

Again, thanks for taking time for responding.

-itsecx

Thanks for responding, @damgar. Here's the response to your note:

Outbound requests are handled by NAT; however, inbound request origination could only be made to the WAN interface/IP; thus, there would be no way for the router to know which internal host is the target. Ofcourse, one could put a particular host in a DMZ or do port forwarding for certain services; however, that not the intent here.

Scenario:
3 Subnets: 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24
2 Routers:
R1 (LAN) 192.168.1.1, (WAN) 192.168.2.2
R2 (LAN) 192.168.2.1, (WAN) 192.168.3.1
1 Client: (C) 192.168.1.100
1 Server: (S) 192.168.3.100

Client 'C' wants to initiate a SSH session to Server 'S'

*What we want is that 'S' should know that the client connected from 192.168.1.100 and not the masqueraded IP of the router (192.168.1.1) that is doing the NAT.

Hope that makes things a bit clearer.

Regards,
-itsecx

1 members found this post helpful.

This thread: https://www.linuxquestions.org/quest...289/page4.html, has a solution to making things work within the NAT environment. Maybe that will do for you? I'll just repeat it here.

To make it work with NAT, you first set both to gateway mode, and do as before. Then, in the first router's routing table, add a static route:

Then, in the second router, you save a firewall script as follows:

That's what you do. Then, it works with NAT. Why they recommend having the second router on router mode, instead of this, is beyond me... I couldn't make it work as they said it should either, but this is what I chose to do.

When you have the WRT54G configured in router mode, how do machines on your 172.16.0.0/16 network know how to route packets to your 10.0.0.0/8 network? If you don't have either (a) your Linux FC13 (horribly out of date, BTW) box or (b) all other machines that need to communicate with 10.0.0.0/8 configured to route all 10.0.0.0/8 packets via your WRT54G's WAN address, your Linux box is going to send those packets via its default route, which will be to your ISP, which will promptly drop them as unroutable.

1 members found this post helpful.

Sorry, I'm now the one asking this question, but I believe this information benefits everyone...

Does this mean that you cannot use the private IPs, behind a router mode router, but only NAT, and must use public ones instead? For example:

Am I right in assuming that, based off of your information?

While those addresses are unroutable on the public internet, you can certainly use them in your private network. You just have to make sure that the machines upstream of that private network know how to route packets to that network, i.e. by having the router's WAN address as a gateway for that address block. Nothing except Router 2 has any knowledge of that 192.168.22.0/24 network. Machines on the 10.0.0.0/8 network will send those packets via their default route to gateway 10.0.0.1, and that router will send them on its default route, which will be to the upstream gateway on the public network**.

You can solve that just by telling Router 1 that packets for 192.168.22.0/24 should be routed via gateway 10.0.0.100. You can avoid having packets hairpin through Router 1 by setting up that gateway route in all machines on the 10.0.0.0/8 network, or at least on the ones likely to have a lot of traffic to route that way.

The need to set that up manually can be avoided by using ICMP Router Discovery, and is pretty much automatic in IPv6.

**Really, if Router 1 is well-behaved it will refuse to send those unroutable packets upstream and either drop them or send back an ICMP error response.

And what would a route add command look like in DD-WRT GUI, or Linux BASH command line? What about a Linksys router, with default firmware, if it's any different than those two? Use this scenario, since so far we may not know actual IP addresses.

Do you have a link to more information?

...I guess DD-WRT isn't well behaved...

For the network I showed in the diagram:Since the interface for 10.0.0.0/8 is already known, there's no need to specify it again. I tried it via telnet into a DD-WRT router. You can do the same thing in the Administration -> Commands command shell, or in Setup -> Advanced Routing, though I find that GUI more awkward than just typing in the command.Nothing beyond the Wikipedia article I referenced or whatever Google might turn up. ICMP Router Discovery is a bit above my pay grade.
I haven't looked into what DD-WRT does there. My DD-WRT router does not face the public network.

1 members found this post helpful.

Oh. OK. This is what I meant for connecting using NAT.

However, in my experiments, doing this was simply not enough to make the second router work, if it's in router mode, on DD-WRT. Somehow, it must still think that there's a problem with routing the IPs. It DOES let you connect to the router's stuff from the first place. Everything there functions as normal.

But when you try to use the Internet, if the first router is connected to the Internet, it will not work. Maybe this has to do with the fact that it's within those special subnets, and must be in a routable one. But I didn't experiment there to be able to tell you.

In my case, for now, I'd settled for using NAT on my guestrouter, but punching the hole in the firewall, which for that, may not have been a bad idea. I was trying to make airprint work, and for that, I had to flatten it, and have my second router (clientrouter) behave like a special kind of access point. Then, airprint worked. Maybe router mode working according the the documentation, rather than in other ways, is broken? It works, but maybe the documentation is what is broken.

P.S. - Then, I'd saw this thread, which was too late to find some of my answers on for my problem, as I'd found a solution that worked for then. But I thought I might help others, and maybe find out more that might make me change my mind about what I'd done. While I had a different objective in mind, part of the solution might apply here for this objective. Whether or not it solves your problem or not, I don't know, but it might!

I think, after you are done here, for security purposes, you should only use your e-mail for this, and open another for other things. Maybe begin to make this a public one or something. Maybe, just so that people can fix mistakes like this, LQ should try to allow to change the username somehow, without opening a new account? If changing constantly is a problem, just limit the amount of times they may change it within a time period.