Old 12-22-2020, 09:39 AM   #1
Mike Davies
Member
 
Registered: Jul 2004
Distribution: Custom Linux, Buildroot, Busybox, Fedora, Raspberry Pi
Posts: 145

Rep: Reputation: 15
Route or bridge between two networks


I'm not quite sure of the question I should be asking. It may be a routing or a bridge problem.

I have a network that hangs off my internet router with addresses in the 192.168.1.0/24. The router handles the DHCP stuff and allocates numbers to computers on this network.

One of these computers operates a WiFi hotspot and allocates numbers in the 10.1.230.0/24 range to stuff on the WiFi.

If a tablet or something connects to the WiFi, then it gets a 10.1.239.0/24 number and then goes out over the 192.168.1.0/24 network to the internet and back because I have 'net.ipv4.ip_forward=1' set in the hotspot. At least, I think that is why it works.

Anyway, it works. So far so good.

Now I am starting to get IoT gadgets connecting to the WiFi and as some of these have embedded web-server pages, I'd like to be able to sit at my desktop computer on the 192.168.1.0/24 network, and have a look at these pages even though they are on the 10.1.239.0/24 network. I am not sure how to achieve this.

Do I need to set up a route, or is it a bridge, or even something else I need? I've never dealt with bridges before but from what I have read it involves losing the I/P address at some stage during setup, and as the hotspot has neither a keyboard nor a screen, I'm a little wary of just seeing what happens if I try things out.

Some guidance is needed here.

Thanks.
 
Old 12-22-2020, 01:08 PM   #2
teckk
LQ Guru
 
Registered: Oct 2004
Distribution: Arch
Posts: 5,151
Blog Entries: 6

Rep: Reputation: 1835
Quote:
I'd like to be able to sit at my desktop computer on the 192.168.1.0/24 network, and have a look at these pages even though they are on the 10.1.239.0/24 network
192.168.1.0/24 will reach 192.168.1.0 - 192.168.1.255
https://en.wikipedia.org/wiki/CIDR

In my opinion it would be easier to make 2 subnets closer to each other so that they can reach each other.

Desktop
192.168.0.0/23

IoT thing can be reached at
192.168.1.0 - 255

Check that with
Code:
nmap -sL 192.168.0.0/23
 
Old 12-22-2020, 01:58 PM   #3
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,777

Rep: Reputation: 5935
You probably want a bridge setup.

https://wiki.archlinux.org/index.php...e_access_point
 
Old 12-23-2020, 06:04 AM   #4
Mike Davies
Member
 
Registered: Jul 2004
Distribution: Custom Linux, Buildroot, Busybox, Fedora, Raspberry Pi
Posts: 145

Original Poster
Rep: Reputation: 15
Thanks for the replies.

I'm not sure I want to go down the route of the 192.168.0.0/23 type network with 198.168.0 on the Wifi and 192.168.1 on the router, because the WiFi hotspot is open so anyone can connect. So there's a security issue.

I'm looking into just adding a specific route to get to one address at the moment.
 
Old 12-23-2020, 06:39 AM   #5
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,347

Rep: Reputation: Disabled
Quote:
Originally Posted by Mike Davies
I'm looking into just adding a specific route to get to one address at the moment.
Routes are not security barriers.

The way you describe your setup, you have two routers: The router from your ISP (the "Internet router") and a PC running a wireless hotspot.

Since the hotspot users on the 10.1.239.0/24 network access the Internet via your internal LAN (192.168.1.0/24), they already have full access to all computers on the LAN. Or to be exact, they have the same access to the LAN as they do the Internet.

The reason this works at all is that the AP-managing PC is NATing traffic from the WLAN behind its own address in the 192.168.1.0/24 network. Otherwise, the ISP router wouldn't know where to send the reply packets, since it knows nothing about the 10.1.239.0/24 network.

The reverse, however, is not true: Any attempt to reach an address in the 10.1.239.0/24 network from 192.168.1.0/24 will go to the ISP router, which will either discard the packet or attempt to forward it to the upstream router at the ISP, where it will be summarily dropped.

Adding a route to a PC on the 192.168.1.0/24 network may or may not enable it to reach a host on the 10.1.239.0/24 network, depending on how the AP-managing PC is configured. And in any case, if that PC gets its IP via DHCP, there's an excellent chance the route will stop working at some indeterminate point in the future if/when the PC gets assigned a new IP.

The proper way to design a multi-zone network is to connect each network to a separate interface on a firewall. In a pinch, you could route outbound traffic from a secure zone through a less secure zone, assuming that the traffic is encrypted and/or not of a sensitive nature, but doing it the other way around just isn't a good idea.

Is the "hotspot PC" running Linux? If so, it could easily be used as a firewall.
 
Old 12-23-2020, 08:16 AM   #6
Mike Davies
Member
 
Registered: Jul 2004
Distribution: Custom Linux, Buildroot, Busybox, Fedora, Raspberry Pi
Posts: 145

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by Ser Olmy
Routes are not security barriers.

Since the hotspot users on the 10.1.239.0/24 network access the Internet via your internal LAN (192.168.1.0/24), they already have full access to all computers on the LAN. Or to be exact, they have the same access to the LAN as they do the Internet.
Blimey. You are right.

As a quick fix, I plugged a WiFi dongle into my desktop, connected to the hotspot and then unplugged the ethernet cable. You are right, I can still connect to the computers in the wired network.

The hot spot is a linux machine. It currently has some firewall rules. Looks like I will have to tighten them up.
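
One way to tighten the forwarding rules as discussed in posts #5 and #6, shown as an added example that is not part of the original thread: the script prints an nftables forward policy for the hotspot PC that blocks WLAN clients from the wired LAN while still letting one desktop reach device web pages on the WLAN. The interface names `wlan0` and `eth0`, the desktop address 192.168.1.10 and the table name `hotspot_fw` are assumptions.

```shell
#!/bin/sh
# Added example: print an nftables forward policy for the hotspot PC.
# Assumed names (not from the thread): wlan0, eth0, 192.168.1.10, hotspot_fw.
WLAN_IF="${WLAN_IF:-wlan0}"            # hotspot side
LAN_IF="${LAN_IF:-eth0}"               # wired side, towards the ISP router
WLAN_NET="${WLAN_NET:-10.1.239.0/24}"  # WiFi range used in the thread
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # wired range used in the thread
DESKTOP="${DESKTOP:-192.168.1.10}"     # the one wired host allowed into the WLAN

hotspot_ruleset() {
cat <<EOF
table inet hotspot_fw {
  chain forward {
    type filter hook forward priority 0; policy drop;

    # replies to connections that a rule below allowed
    ct state established,related accept

    # desktop -> web pages of devices on the WLAN (the desktop also needs
    # a route: $WLAN_NET via this machine's wired address)
    iifname "$LAN_IF" oifname "$WLAN_IF" ip saddr $DESKTOP ip daddr $WLAN_NET tcp dport { 80, 443 } accept

    # WLAN clients must not open connections to the wired LAN; this has to
    # come before the next rule, which would otherwise let them through
    iifname "$WLAN_IF" ip daddr $LAN_NET counter drop

    # WLAN clients -> Internet through the wired side (existing NAT unchanged)
    iifname "$WLAN_IF" oifname "$LAN_IF" accept
  }
}
EOF
}

# Print the ruleset; syntax-check it with: hotspot_ruleset | nft -c -f -
hotspot_ruleset
```

This covers forwarded traffic only: packets addressed to the hotspot PC itself pass through the input hook, and any firewall rules already on the machine still apply. If WLAN clients are handed a DNS server inside 192.168.1.0/24, that one address and port needs its own accept rule above the drop.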
 
  

