LinuxQuestions.org
Old 10-20-2006, 12:07 PM   #1
ScottReed
Member
 
Registered: Dec 2005
Location: Montana
Distribution: Debian "squeeze"
Posts: 157

Rep: Reputation: 30
Routing between two subnets


Hi -

I've been pulling my hair out for the past two evenings trying to get packets to go between two subnets.

This is what I have:

D-Link DI-624 Router
- WAN PORT connected to internet
- LAN = 192.168.0.1

Linksys WRT54G Router
NOTE: Wireless disabled
NOTE: Set as Router instead of Gateway
- LAN = 192.168.0.4
- WAN PORT = 192.168.2.4

SMC Hotspot unit (CABLE/DSL Router)
- LAN = 192.168.2.1

The D-Link is connected to the Linksys via the LAN ports
The Linksys then connects to the SMC's LAN ports via its WAN port

I have a PRIVATE WLAN/LAN on the D-Link and when my hotspot goes live I want my customers to use the PUBLIC WLAN/LAN on the SMC. The Linksys will act as a firewall between the two subnets, only allowing the SMC users access to the internet and to two laserjet printers which reside in the PRIVATE LAN.

Am I on the right track with this setup or am I lost?

Any help appreciated!

Thanks,
Scott
 
Old 10-20-2006, 12:41 PM   #2
alienux
Member
 
Registered: Sep 2006
Location: Dayton, Ohio
Distribution: Slackware 12, Fedora Core, PCLinuxOS
Posts: 194

Rep: Reputation: 30
From what I read, it sounds like you're on the right track. Just make sure that the WRT54G's default gateway is 192.168.0.1 and that the D-Link has 192.168.2.0 via 192.168.0.4 in its routing table.

Also, make sure that devices that will be on the 192.168.2.0 network have 192.168.2.4 as the default gateway, whether it's by DHCP or static.

As far as restricting access from behind the WRT54G, are you going to use custom firmware or the default Linksys firmware? The default should be fine as long as the restricted machines are on the WAN port side, and you should be able to do this using port forwarding or port triggering. Custom firmware gives you some more options, but shouldn't be necessary in the configuration you described.

Last edited by alienux; 10-20-2006 at 12:43 PM.
 
Old 10-20-2006, 01:17 PM   #3
ScottReed
Member
 
Registered: Dec 2005
Location: Montana
Distribution: Debian "squeeze"
Posts: 157

Original Poster
Rep: Reputation: 30
Alienux -

Thanks for the quick reply.

Quote:
From what I read, it sounds like you're on the right track. Just make sure that the WRT54G's default gateway is 192.168.0.1
The WRT54G's default gateway can not be set manually. On the WAN port it can. The WAN port is statically set as 192.168.2.4 and the gw is set to 192.168.2.1 (The SMC address)

Quote:
...and that the D-Link has 192.168.2.0 via 192.168.0.4 in its routing table.
The D-Link DI-624 has no accessible routing table like the Linksys does.

Quote:
are you going to use custom firmware or the default Linksys firmware?
I'm using the factory firmware on all my devices.

Scott
 
Old 10-20-2006, 01:43 PM   #4
alienux
Member
 
Registered: Sep 2006
Location: Dayton, Ohio
Distribution: Slackware 12, Fedora Core, PCLinuxOS
Posts: 194

Rep: Reputation: 30
Quote:
Originally Posted by ScottReed


The WRT54G's default gateway can not be set manually. On the WAN port it can. The WAN port is statically set as 192.168.2.4 and the gw is set to 192.168.2.1 (The SMC address)
Ahh, that's right. I have a WRT54G and should have caught that. The only way to get traffic to the internet is for the WRT54G to have the D-Link as its gateway. You'd have to reverse the cabling. If the gw is 192.168.2.1, it will send all requests to the SMC, which doesn't sound like it has any further route. Reversing the cabling would defeat the security that you want to set up b/c the WRT54G doesn't block "outgoing" traffic, only incoming. There are some basic outgoing restriction options available, but they're mostly for blocking Internet access by URL, keyword, or service.


Quote:
The D-Link DI-624 has no accessible routing table like the Linksys does.
This will be a problem no matter how you set the Linksys device. Even if you get the 192.168.2.0 network routing to the D-Link, the D-Link will need to know the route back to that network for return traffic.

Last edited by alienux; 10-20-2006 at 01:48 PM.
 
Old 10-20-2006, 02:03 PM   #5
xinxin
LQ Newbie
 
Registered: Sep 2006
Posts: 5

Rep: Reputation: 0
I could use RIP version 1 or 2 on each device, so I don't need to input a static routing list if there is no manual input. To my knowledge, the topology you are setting up should have no problem. Hope things go well.

Regards,

- Eric
 
Old 10-20-2006, 02:12 PM   #6
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,982
Blog Entries: 4

Rep: Reputation: 4029
I was sitting here trying to visualize what you're setting up and my fingers were itching to draw a picture. When figuring out a networking setup, I find it absolutely essential to grab a legal-pad and a number-two pencil and draw what I'm trying to set up.

Setting up a subnet is a tricky exercise of figuring out how the various routing-tables go. But you can be sitting at any one of those routers and feel like you're caught up in an endless hell of "I change this, to fix that, and now such-and-so is broken."

When you finally do get it all worked out, make a nice-looking diagram and file several copies away. Make a small version of it, including the routing instructions for each router, and print it on removable label-stock, preferably an off-color. Attach the label to each device, and lightly tape the edges. Also, put a revision-number and date on each label. Even for your own, home network, this information can save hours. And, of course, many precious hair-follicles.
 
Old 10-20-2006, 03:04 PM   #7
alienux
Member
 
Registered: Sep 2006
Location: Dayton, Ohio
Distribution: Slackware 12, Fedora Core, PCLinuxOS
Posts: 194

Rep: Reputation: 30
Quote:
Originally Posted by sundialsvcs
I was sitting here trying to visualize what you're setting up and my fingers were itching to draw a picture. When figuring out a networking setup, I find it absolutely essential to grab a legal-pad and a number-two pencil and draw what I'm trying to set up.
That's exactly what I wanted to do when I first read Scott's post. I actually opened Visio on my XP box and started to create a basic drawing, then got distracted by one of my kids and forgot about it before posting my reply.
 
Old 10-20-2006, 03:19 PM   #8
ScottReed
Member
 
Registered: Dec 2005
Location: Montana
Distribution: Debian "squeeze"
Posts: 157

Original Poster
Rep: Reputation: 30
I'm still having trouble with this setup

I sat down last night for two hours and drew up the network on paper. I honestly thought I had it baked, but obviously not.

All I want to do is allow 192.168.2.0 access to 192.168.0.0 and vice-versa. The internet connection exists on the D-Link in 192.168.0.0 and the SMC Hotspot box resides in 192.168.2.0

I think I need a real router...

Scott
 
Old 10-20-2006, 03:40 PM   #9
alienux
Member
 
Registered: Sep 2006
Location: Dayton, Ohio
Distribution: Slackware 12, Fedora Core, PCLinuxOS
Posts: 194

Rep: Reputation: 30
Quote:
Originally Posted by ScottReed
I'm still having trouble with this setup

I sat down last night for two hours and drew up the network on paper. I honestly thought I had it baked, but obviously not.

All I want to do is allow 192.168.2.0 access to 192.168.0.0 and vice-versa. The internet connection exists on the D-Link in 192.168.0.0 and the SMC Hotspot box resides in 192.168.2.0

I think I need a real router...

Scott
Is there any reason you can't switch the positions of the D-Link and the Linksys devices? That may work since the Linksys does do static routing, and the D-Link would just need the Linksys as its default gateway in that scenario, but I don't know what kind of security your D-Link provides for access to only the printers you mentioned and to the Internet.
 
Old 10-20-2006, 03:44 PM   #10
ScottReed
Member
 
Registered: Dec 2005
Location: Montana
Distribution: Debian "squeeze"
Posts: 157

Original Poster
Rep: Reputation: 30
I could try this
 
Old 10-20-2006, 04:44 PM   #11
ScottReed
Member
 
Registered: Dec 2005
Location: Montana
Distribution: Debian "squeeze"
Posts: 157

Original Poster
Rep: Reputation: 30
I got something working now. At least I think I'm on the right track. I actually pulled the Linksys out of the loop and connected the D-Link to the SMC's WAN port.

I'll document and post back tomorrow with my results so far.

Scott
 
Old 10-21-2006, 09:30 AM   #12
ScottReed
Member
 
Registered: Dec 2005
Location: Montana
Distribution: Debian "squeeze"
Posts: 157

Original Poster
Rep: Reputation: 30
Alright, so here is what is working...

D-Link - 192.168.0.1
WAN PORT = Internet via PPPoE
LAN = 192.168.0.0

SMC HotSpot - 192.168.2.1
WAN PORT = 192.168.0.4 with gw set to 192.168.0.1
LAN = 192.168.2.0

The D-Link basically cables into the SMC's WAN port.

OK, so with this setup I am able to sit in 192.168.2.0 and access any 192.168.0.0 resource and any 192.168.2.0 resource. I am also able to access the internet. Which is a huge step here.

HOWEVER, when I sit in the 192.168.0.0 subnet I can only ping as far as 192.168.0.4. I CANNOT ping any hosts inside of 192.168.2.0!

But, we know the route is working because hosts in the 2.0 subnet can access the internet which means traffic must be flowing in both directions.

I checked the settings on the SMC and block-ping-to-wan-port is turned OFF. There are no strange firewall settings that could be blocking the icmp traffic from 0.0, so I'm stumped. I guess it's not a big deal though.

So now what I'm thinking is that I will set firewall rules on the D-Link and cut off 192.168.0.4 from accessing a specific range of IPs (192.168.0.10 - 192.168.0.20). That would be my PRIVATE network.

Any thoughts?

Scott
 
Old 10-21-2006, 09:53 AM   #13
alienux
Member
 
Registered: Sep 2006
Location: Dayton, Ohio
Distribution: Slackware 12, Fedora Core, PCLinuxOS
Posts: 194

Rep: Reputation: 30
How many machines do you have on the 192.168.0.0?

The D-Link still does not have a static route to the 192.168.2.0 network, so if anything originating on the 192.168.0.0 network tries to go to that subnet, the D-Link will actually route the packets to its default gateway (the internet) and they will not reach their destination.

Since we've discovered that the D-Link can't do this, you could test by adding the static route to 192.168.2.0 locally on one of the machines in the 192.168.0.0 network. If you don't have a whole lot of computers on that network, it may be easiest to just add this static route on each one.
 
Old 10-21-2006, 10:02 AM   #14
ScottReed
Member
 
Registered: Dec 2005
Location: Montana
Distribution: Debian "squeeze"
Posts: 157

Original Poster
Rep: Reputation: 30
Quote:
How many machines do you have on the 192.168.0.0?
I have:
192.168.0.2 - C86 Printer
192.168.0.3 - HP LaserJet
192.168.0.10 - 192.168.0.20 - Private WLAN. Mostly windows machines, one linux.
So, total of 3 windows, 1 linux, 2 printers

Quote:
The D-link still does not have a static route to the 192.168.2.0 network
Yes, you are right, and I've tried to create a static route on my linux workstation to the 2.0 network.

Code:
route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.0.4
Code:
bash-3.00# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     192.168.0.4     255.255.255.0   UG    0      0        0 ath0
192.168.0.0     *               255.255.255.0   U     0      0        0 ath0
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    1      0        0 ath0
When I add that route and then I attempt to ping a host in the 2.0 I don't get any response.

Thanks,
Scott

Last edited by ScottReed; 10-21-2006 at 10:06 AM.
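
Added example (not part of any post in this thread): a small longest-prefix-match model of the forwarding decisions discussed in posts #13 and #14, showing where a packet from the private LAN to the hotspot subnet goes with and without the workstation's static route. The destination hosts 192.168.2.50 and the `isp` upstream label are constructed; only routing is modelled, not any filtering or address translation on the SMC's WAN side.

```python
import ipaddress

CONNECTED = "connected"   # destination is on a directly attached subnet

def lookup(table, dst):
    """Longest-prefix match; returns next hop, CONNECTED, or None (no route)."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def trace(start, dst, tables, owner):
    """Follow forwarding decisions device by device until the packet is
    delivered, dropped for lack of a route, or handed upstream."""
    path, dev = [start], start
    while True:
        hop = lookup(tables[dev], dst)
        if hop is None:
            return path + ["no-route"]
        if hop == CONNECTED:
            return path + ["delivered"]
        if hop not in owner:          # e.g. the D-Link's PPPoE default route
            return path + ["upstream"]
        dev = owner[hop]
        if dev in path:
            return path + ["loop"]
        path.append(dev)

# Which device answers for each gateway address in the working setup (post #12).
OWNER = {"192.168.0.1": "dlink", "192.168.0.4": "smc", "192.168.2.1": "smc"}

def build_tables(static_route_on_workstation):
    # Workstation table mirrors the `route` output in post #14.
    ws = [("192.168.0.0/24", CONNECTED), ("0.0.0.0/0", "192.168.0.1")]
    if static_route_on_workstation:
        ws.append(("192.168.2.0/24", "192.168.0.4"))
    return {
        "workstation": ws,
        # The D-Link has no configurable routing table: connected LAN + default.
        "dlink": [("192.168.0.0/24", CONNECTED), ("0.0.0.0/0", "isp")],
        "smc": [("192.168.0.0/24", CONNECTED), ("192.168.2.0/24", CONNECTED),
                ("0.0.0.0/0", "192.168.0.1")],
        "hotspot_client": [("192.168.2.0/24", CONNECTED),
                           ("0.0.0.0/0", "192.168.2.1")],
    }

if __name__ == "__main__":
    for static in (False, True):
        print(static, trace("workstation", "192.168.2.50", build_tables(static), OWNER))
    print(trace("hotspot_client", "192.168.0.3", build_tables(False), OWNER))
```

A "delivered" result only means every hop has a route toward the destination; a ping can still fail if the device at 192.168.0.4 does not forward traffic arriving on its WAN side.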
 
Old 10-21-2006, 10:47 AM   #15
alienux
Member
 
Registered: Sep 2006
Location: Dayton, Ohio
Distribution: Slackware 12, Fedora Core, PCLinuxOS
Posts: 194

Rep: Reputation: 30
If I've kept up with the changes correctly, it looks like everything should add up. One thing is that I don't know anything specific about the SMC device. Does it allow all traffic in through the WAN side, or does it have some kind of basic firewall that needs to have ports opened? If so, does it allow you to forward requests to their destination, or only to a specific IP address based on incoming port numbers?
 
  


All times are GMT -5.