Linksys WRT54G dd-wrt NOT able to route when in Router mode
Hi fellow LQers,
Problem Summary:
- Linksys WRT54G dd-wrt NOT able to route when in Router mode
Env:
- Linksys WRT54G running dd-wrt v24 firmware
- LAN Subnet: 10.0.0.0/8
- WAN Subnet: 172.16.0.0/16
- Linux FC13 configured as an IPv4 router
- LAN 172.16.0.0/16
- WAN ISP/Public IP
Setup:
wired/wireless client -> Linksys WRT54G -> Linux FC13 router -> Internet
Problem Details:
When I have the dd-wrt configured as a 'Gateway' (ie: NAT), all-is-well. That is, my client is able to "talk" to other computers on the LAN as well as the Internet. However, when I change the operating mode to 'Router', I run into the following problem:
- client is no longer able to communicate to the Internet
- client is no longer able to communicate to other computers on the LAN
- client is ONLY able to ping the LAN & WAN IPs of the Linksys DDWRT
- However, I am able to ping LAN computers & ping public/internet hosts if I SSH into the ddwrt itself.
Analysis:
- Linksys/dd-wrt box itself has LAN & internet connectivity
- Wired and Wireless clients connecting to the Linksys/dd-wrt do *not* have the LAN or the Internet connectivity
Troubleshooting done so far:
- When changing Operating mode (ie: Gateway<->Router), the routing table on dd-wrt, as expected, does not change.
Here is the routing table just in case it's of any interest:
Code:
192.168.66.2   255.255.255.255   0.0.0.0          tun0
192.168.66.0   255.255.255.0     192.168.66.2     tun0
172.16.0.0     255.255.0.0       0.0.0.0          WAN
169.254.0.0    255.255.0.0       0.0.0.0          LAN & WLAN
10.0.0.0       255.0.0.0         0.0.0.0          LAN & WLAN
0.0.0.0        0.0.0.0           172.16.150.254   WAN
------------------------
Since I need inbound connectivity to the hosts connected to the LAN interface of the Linksys/dd-wrt, I need to have the Linksys/dd-wrt configured as a Router and not as a Gateway. Any help/suggestion would be greatly appreciated.
-itsecx
Last edited by itsecx@gmail.com; 09-19-2010 at 12:04 AM.
Reason: Typo in the problem definition statement
Hi, Welcome to LQ. First, I'd suggest not using your email address in your user name.
Second, did you disable DHCP on one of the devices? Have you tried AP mode on the DD-WRT router? Perhaps I'm misunderstanding something?
Good luck. ;-)
I don't understand why you can't have inbound access in gateway mode? I have a vpn via openVPN and I occasionally host a web server with apache from behind my dd-wrt router in gateway mode. According to the configuration page:
Quote:
Operating Mode:
If the router is hosting your Internet connection, select Gateway mode. If another router exists on your network, select Router mode.
So do you have another router? It would seem from that quote that routing is disabled when in router mode. Maybe I'm missing something in your setup?
Thanks for responding, @peacedog.
It doesn't look like I can now change/edit the username to something other than what is currently setup.
I'm guessing you're referring to the Linksys and the Linux box as the two devices. No, I have not disabled DHCP on either device as I need DHCP services on both (ie: need dhcp for the local clients (lan) that connect to the linksys). The linux box also needs a dhcp server as it distributes IP to the clients on its subnet. Note, both devices are on separate subnets and there's one/unique DHCP server for each subnet.
Finally, there's no "AP" mode. There's a Gateway mode, a Router (static) mode, and RIP (dynamic routing) mode.
Again, thanks for taking time for responding.
-itsecx
Quote:
Originally Posted by Peacedog
Hi, Welcome to LQ. First, I'd suggest not using your email address in your user name.
Second, did you disable DHCP on one of the devices? Have you tried AP mode on the DD-WRT router? Perhaps I'm misunderstanding something?
Thanks for responding, @damgar. Here's the response to your note:
Outbound requests are handled by NAT; however, inbound request origination could only be made to the WAN interface/IP; thus, there would be no way for the router to know which internal host is the target. Of course, one could put a particular host in a DMZ or do port forwarding for certain services; however, that's not the intent here.
Client 'C' wants to initiate a SSH session to Server 'S'
*What we want is that 'S' should know that the client connected from 192.168.1.100 and not the masqueraded IP of the router (192.168.1.1) that is doing the NAT.
Hope that makes things a bit clearer.
Regards,
-itsecx
Quote:
Originally Posted by damgar
I don't understand why you can't have inbound access in gateway mode? I have a vpn via openVPN and I occasionally host a web server with apache from behind my dd-wrt router in gateway mode. According to the configuration page: So do you have another router? It would seem from that quote that routing is disabled when in router mode. Maybe I'm missing something in your setup?
To make it work with NAT, you first set both to gateway mode, and do as before. Then, in the first router's routing table, add a static route:
Code:
Network: [your second router's subnet]
Netmask: [your second router's netmask]
Gateway: [your second router's WAN address]
Then, in the second router, you save a firewall script as follows:
Code:
iptables -I FORWARD -j ACCEPT
That's what you do. Then, it works with NAT. Why they recommend having the second router on router mode, instead of this, is beyond me... I couldn't make it work as they said it should either, but this is what I chose to do.
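One way to check a FORWARD chain for the effect of the firewall script in the post above, as an added example that is not part of the original thread: an unconditional `-j ACCEPT` inserted at the top of the chain makes every rule listed after it unreachable. The two rule listings are constructed samples in `iptables -S` format, and the interface names `br0` (LAN) and `vlan1` (WAN) are assumptions.

```python
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_rule(line):
    """Parse one '-A CHAIN <matches> -j TARGET' line as printed by `iptables -S`."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A" or "-j" not in tokens:
        return None                      # policy lines (-P) and blanks are skipped
    j = tokens.index("-j")
    if j + 1 >= len(tokens):
        return None
    # Everything between the chain name and -j is match criteria.
    return {"chain": tokens[1], "matches": tokens[2:j],
            "target": tokens[j + 1], "text": line}

def first_match_all(rules_text, chain="FORWARD"):
    """Return the first rule in `chain` with no match criteria and a terminal
    target, plus the rules after it, which can never be reached."""
    parsed = (parse_rule(l.strip()) for l in rules_text.splitlines())
    rules = [r for r in parsed if r and r["chain"] == chain]
    for pos, rule in enumerate(rules):
        if rule["target"] in TERMINAL and not rule["matches"]:
            return {"position": pos + 1, "target": rule["target"],
                    "shadowed": [r["text"] for r in rules[pos + 1:]]}
    return None

# Constructed sample: chain after `iptables -I FORWARD -j ACCEPT` has run.
AFTER_SCRIPT = """\
-P FORWARD DROP
-A FORWARD -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o vlan1 -j ACCEPT
-A FORWARD -j DROP
"""

# Constructed sample: forwarding limited to the upstream 172.16.0.0/16 subnet.
SCOPED = """\
-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o vlan1 -j ACCEPT
-A FORWARD -s 172.16.0.0/16 -i vlan1 -o br0 -j ACCEPT
-A FORWARD -j DROP
"""

if __name__ == "__main__":
    for name, text in (("after script", AFTER_SCRIPT), ("scoped", SCOPED)):
        print(name, first_match_all(text))
```

A match-all ACCEPT at position 1 with a non-empty shadowed list means the chain no longer filters forwarded traffic; a match-all DROP as the last rule with nothing after it is an ordinary default-deny.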
When you have the WRT54G configured in router mode, how do machines on your 172.16.0.0/16 network know how to route packets to your 10.0.0.0/8 network? If you don't have either (a) your Linux FC13 (horribly out of date, BTW) box or (b) all other machines that need to communicate with 10.0.0.0/8 configured to route all 10.0.0.0/8 packets via your WRT54G's WAN address, your Linux box is going to send those packets via its default route, which will be to your ISP, which will promptly drop them as unroutable.
Quote:
When you have the WRT54G configured in router mode, how do machines on your 172.16.0.0/16 network know how to route packets to your 10.0.0.0/8 network? If you don't have either (a) your Linux FC13 (horribly out of date, BTW) box or (b) all other machines that need to communicate with 10.0.0.0/8 configured to route all 10.0.0.0/8 packets via your WRT54G's WAN address, your Linux box is going to send those packets via its default route, which will be to your ISP, which will promptly drop them as unroutable.
Sorry, I'm now the one asking this question, but I believe this information benefits everyone...
Does this mean that you cannot use the private IPs, behind a router mode router, but only NAT, and must use public ones instead? For example:
Code:
10.1.1.0 - Private, won't work
192.168.1.0 - Private won't work
---
1.1.1.0 - Normal, routeable, will work
Am I right in assuming that, based off of your information?
Quote:
Does this mean that you cannot use the private IPs, behind a router mode router, but only NAT, and must use public ones instead?
While those addresses are unroutable on the public internet, you can certainly use them in your private network. You just have to make sure that the machines upstream of that private network know how to route packets to that network, i.e. by having the router's WAN address as a gateway for that address block.
Nothing except Router 2 has any knowledge of that 192.168.22.0/24 network. Machines on the 10.0.0.0/8 network will send those packets via their default route to gateway 10.0.0.1, and that router will send them on its default route, which will be to the upstream gateway on the public network**.
You can solve that just by telling Router 1 that packets for 192.168.22.0/24 should be routed via gateway 10.0.0.100. You can avoid having packets hairpin through Router 1 by setting up that gateway route in all machines on the 10.0.0.0/8 network, or at least on the ones likely to have a lot of traffic to route that way.
The need to set that up manually can be avoided by using ICMP Router Discovery, and is pretty much automatic in IPv6.
**Really, if Router 1 is well-behaved it will refuse to send those unroutable packets upstream and either drop them or send back an ICMP error response.
Last edited by rknichols; 04-21-2018 at 04:12 PM.
Reason: Add footnote
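The routing decision described in the post above, and in the earlier post about the 172.16.0.0/16 and 10.0.0.0/8 networks, as an added example that is not part of the original thread: a longest-prefix-match lookup showing where a packet for 192.168.22.0/24 goes with and without the static route. The upstream gateway 203.0.113.1, the interface labels and the destination 192.168.22.50 are constructed for the example.

```python
import ipaddress

def next_hop(table, dst):
    """Longest-prefix match. Returns (gateway, interface); gateway None = on-link."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

# From the thread: Router 1 is 10.0.0.1, Router 2 is reachable at 10.0.0.100,
# and 192.168.22.0/24 sits behind Router 2.
# Constructed: upstream gateway 203.0.113.1 and the interface labels.
ROUTER1 = [
    ("10.0.0.0/8", None, "lan"),
    ("0.0.0.0/0", "203.0.113.1", "wan"),
]
LAN_HOST = [
    ("10.0.0.0/8", None, "eth0"),
    ("0.0.0.0/0", "10.0.0.1", "eth0"),
]
STATIC = ("192.168.22.0/24", "10.0.0.100")

def with_static(table, iface):
    """Return a copy of the table with the route to Router 2's subnet added."""
    return table + [(STATIC[0], STATIC[1], iface)]

def path_from_host(host_table, router1_table, dst):
    """Next hops a packet from a 10.0.0.0/8 host is handed to, in order."""
    gw, _ = next_hop(host_table, dst)
    hops = [gw or dst]
    if gw == "10.0.0.1":          # handed to Router 1, which does its own lookup
        gw, _ = next_hop(router1_table, dst)
        hops.append(gw or dst)
    return hops

if __name__ == "__main__":
    dst = "192.168.22.50"         # constructed host behind Router 2
    print("no static route:   ", path_from_host(LAN_HOST, ROUTER1, dst))
    print("static on Router 1:", path_from_host(LAN_HOST, with_static(ROUTER1, "lan"), dst))
    print("static on the host:", path_from_host(with_static(LAN_HOST, "eth0"), ROUTER1, dst))
```

With the route only on Router 1 the packet hairpins through 10.0.0.1 before reaching 10.0.0.100; with the route on the host it goes to 10.0.0.100 directly.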
Quote:
You can solve that just by telling Router 1 that packets for 192.168.22.0/24 should be routed via gateway 10.0.0.100. You can avoid having packets hairpin through Router 1 by setting up that gateway route in all machines on the 10.0.0.0/8 network, or at least on the ones likely to have a lot of traffic to route that way.
And what would a route add command look like in DD-WRT GUI, or Linux BASH command line? What about a Linksys router, with default firmware, if it's any different than those two? Use this scenario, since so far we may not know actual IP addresses.
Quote:
The need to set that up manually can be avoided by using ICMP Router Discovery, and is pretty much automatic in IPv6.
Do you have a link to more information?
Quote:
**Really, if Router 1 is well-behaved it will refuse to send those unroutable packets upstream and either drop them or send back an ICMP error response.
Quote:
And what would a route add command look like in DD-WRT GUI, or Linux BASH command line? What about a Linksys router, with default firmware, if it's any different than those two?
Since the interface for 10.0.0.0/8 is already known, there's no need to specify it again. I tried it via telnet into a DD-WRT router. You can do the same thing in the Administration -> Commands command shell, or in Setup -> Advanced Routing, though I find that GUI more awkward than just typing in the command.
Quote:
Do you have a link to more information?
Nothing beyond the Wikipedia article I referenced or whatever Google might turn up. ICMP Router Discovery is a bit above my pay grade.
Quote:
...I guess DD-WRT isn't well behaved...
I haven't looked into what DD-WRT does there. My DD-WRT router does not face the public network.
Oh. OK. This is what I meant for connecting using NAT.
Quote:
Network: [your second router's subnet]
Netmask: [your second router's netmask]
Gateway: [your second router's WAN address]
However, in my experiments, doing this was simply not enough to make the second router work, if it's in router mode, on DD-WRT. Somehow, it must still think that there's a problem with routing the IPs. It DOES let you connect to the router's stuff from the first place. Everything there functions as normal.
But when you try to use the Internet, if the first router is connected to the Internet, it will not work. Maybe this has to do with the fact that it's within those special subnets, and must be in a routable one. But I didn't experiment there to be able to tell you.
In my case, for now, I'd settled for using NAT on my guestrouter, but punching the hole in the firewall, which for that, may not have been a bad idea. I was trying to make airprint work, and for that, I had to flatten it, and have my second router (clientrouter) behave like a special kind of access point. Then, airprint worked. Maybe router mode working according to the documentation, rather than in other ways, is broken? It works, but maybe the documentation is what is broken.
P.S. - Then, I saw this thread, which was too late to find some of my answers on for my problem, as I'd found a solution that worked for then. But I thought I might help others, and maybe find out more that might make me change my mind about what I'd done. While I had a different objective in mind, part of the solution might apply here for this objective. Whether or not it solves your problem or not, I don't know, but it might!
Quote:
First, I'd suggest not using your email address in your user name.
I think, after you are done here, for security purposes, you should only use your e-mail for this, and open another for other things. Maybe begin to make this a public one or something. Maybe, just so that people can fix mistakes like this, LQ should try to allow to change the username somehow, without opening a new account? If changing constantly is a problem, just limit the amount of times they may change it within a time period.