
Static routing: problem reaching host on local network from router's WAN side

rkrzewski
Guide

I'm having trouble setting up routing in a small office network. I've prepared a diagram of the topology https://drive.google.com/file/d/0B0PjGlcEN6DDV3BpNHJWTEdaWmM/view

 

A few words of explanation:

Server A acts as main gateway, firewall and VPN access point for the office. 

Both server A and B are running Linux and I'm using iptables and iproute2 tools to manage their networking stack.

Virtual server C is running inside a KVM/Qemu virtual machine on Server B. 

Server B is connected to N750 router on a wired connection, Client 1 (my workstation) is connected using WiFi.

Static routes for 192.168.123.0/24 network are established on Server A and N750 router specifying 192.168.2.2 and 192.168.1.10 as next hop respectively.

The route on N750 is NOT marked as private and has metric of 2.

 

What works:

Virtual server C can reach the Internet (both outgoing and returning packets are routed properly).

Client 1, Server A and B can reach one another and Internet hosts without issues.

Client 1 and Server B can reach Virtual server C without problems.

 

What doesn't work:

1) When trying to connect to Virtual Server C from Server A, traffic ends up on Server B's own interface instead!

2) Also I'm unable to connect from Virtual server C to Server A (this is not critical, but I'm mentioning it in case it provides some clue)

 

When investigating the problem I found out that this affects all IP traffic and I was using SSH as a probe. I have added logging clauses to nat/PREROUTING, nat/POSTROUTING and filter/INPUT iptables chains on Server A and Server B tracking SYN packets on TCP/22.

 

When trying to reach C from Client 1 with ssh I see:

PREROUTING IN=eth0 OUT= src=192.168.1.100 DST=192.168.123.200 on B

POSTROUTING IN= OUT=virbr0 src=192.168.1.100 DST=192.168.123.200 on B

And ssh opens a session on C, as expected.

 

When trying to reach C from A with ssh I see:

POSTROUTING IN= OUT=eth1 src=192.168.2.1 DST=192.168.123.200 on A

PREROUTING IN=eth0 OUT= src=192.168.2.1 DST=192.168.1.10 on B

INPUT IN=eth0 OUT= src=192.168.2.1 DST=192.168.1.10 on B

And ssh opens session on B, unexpectedly. 

 

When trying to reach A from B I see:

POSTROUTING IN= OUT=eth0 src=192.168.1.10 DST=192.168.2.1 on B

PREROUTING IN=eth1 OUT= src=192.168.2.2 DST=192.168.2.1 on A

INPUT IN=eth1 OUT= src=192.168.2.2 DST=192.168.2.1 on A

And ssh opens session on A, as expected

 

When trying to reach A from C I see:

POSTROUTING IN= OUT=eth0 PHYSIN=vnet0 src=192.168.123.200 DST=192.168.2.1 on B

and nothing on A (SYN packet does not seem to reach it at all)

 

 

It appears to me that when the static route is applied to the packets coming from the WAN side, the destination IP is overwritten with the next hop IP.

I went through the admin interface of the N750 and the user's manual but came back empty handed. I also read several routing-related threads on this forum, but I wasn't able to find anything relevant.

 

While I'm able to work around this problem by designating B as the default DMZ server and setting up DNAT on specific ports at B, I would much rather resolve this routing problem to have a simple and sane setup.

 

Any help is appreciated!

Model: WNDR4300|N750 Wireless Dual Band Gigabit Router
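An added example (not code from the original post): a short Python script that follows a single TCP SYN through iptables LOG lines collected from both servers and reports where its destination address changed along the way. The LOG lines below are constructed to mirror the traces in the post; the "[HOST:CHAIN]" prefix is assumed to come from --log-prefix, the PROTO/SPT/DPT fields are the ones the LOG target normally emits, and the source ports are made up. The flow key deliberately leaves the destination address out, because that is exactly the field a DNAT rewrites: a change in DST between A's POSTROUTING and B's PREROUTING can only have been made by the device in between them.

```python
"""Follow a SYN through iptables LOG output from several hosts and report
destination rewrites. Added example; the sample log is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample mirroring the thread's traces. Assumed: the "[HOST:CHAIN]"
# prefix was set with --log-prefix; SPT values are invented.
SAMPLE_LOG = """\
[A:POSTROUTING] IN= OUT=eth1 SRC=192.168.2.1 DST=192.168.123.200 PROTO=TCP SPT=40112 DPT=22 SYN
[B:PREROUTING] IN=eth0 OUT= SRC=192.168.2.1 DST=192.168.1.10 PROTO=TCP SPT=40112 DPT=22 SYN
[B:INPUT] IN=eth0 OUT= SRC=192.168.2.1 DST=192.168.1.10 PROTO=TCP SPT=40112 DPT=22 SYN
[B:PREROUTING] IN=eth0 OUT= SRC=192.168.1.100 DST=192.168.123.200 PROTO=TCP SPT=51000 DPT=22 SYN
[B:POSTROUTING] IN= OUT=virbr0 SRC=192.168.1.100 DST=192.168.123.200 PROTO=TCP SPT=51000 DPT=22 SYN
"""

LINE_RE = re.compile(
    r"\[(?P<host>\w+):(?P<chain>\w+)\] IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


@dataclass(frozen=True)
class Hop:
    host: str
    chain: str
    in_dev: str
    out_dev: str
    src: str
    dst: str
    spt: int
    dpt: int


def parse(text):
    """Turn LOG lines into Hop records, in the order they were logged."""
    hops = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hops.append(Hop(m["host"], m["chain"], m["in"], m["out"],
                            m["src"], m["dst"], int(m["spt"]), int(m["dpt"])))
    return hops


def trace(hops):
    """Group hops by (src, sport, dport); DST is left out of the key because a
    DNAT changes it. For every flow report the chain path, each point where
    DST changed, and where the packet finally ended up."""
    flows = defaultdict(list)
    for h in hops:
        flows[(h.src, h.spt, h.dpt)].append(h)

    report = {}
    for key, path in flows.items():
        rewrites = []
        for prev, cur in zip(path, path[1:]):
            if cur.dst != prev.dst:
                if prev.host != cur.host:
                    where = f"in transit between {prev.host} and {cur.host}"
                else:
                    where = f"inside {cur.host} between {prev.chain} and {cur.chain}"
                rewrites.append({"where": where, "old": prev.dst, "new": cur.dst})
        last = path[-1]
        if last.chain == "INPUT":
            outcome = f"delivered locally on {last.host} ({last.dst})"
        elif last.chain == "POSTROUTING":
            outcome = f"forwarded by {last.host} via {last.out_dev} to {last.dst}"
        else:
            outcome = f"last seen at {last.host}:{last.chain}"
        report[key] = {
            "path": [f"{h.host}:{h.chain}" for h in path],
            "rewrites": rewrites,
            "outcome": outcome,
        }
    return report


if __name__ == "__main__":
    for key, info in trace(parse(SAMPLE_LOG)).items():
        print(key, " -> ".join(info["path"]))
        for rw in info["rewrites"]:
            print("   DST rewritten", rw["old"], "->", rw["new"], rw["where"])
        print("  ", info["outcome"])
```

Lines of this shape come from rules like "iptables -t nat -I PREROUTING -p tcp --dport 22 --syn -j LOG --log-prefix '[B:PREROUTING] '" on each host, with a matching rule in nat/POSTROUTING and filter/INPUT; the script expects the prefix to carry the host name so that traces from several machines can be merged in one file.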

Accepted Solutions
TheEther
Guru

Re: Static routing: problem reaching host on local network from router's WAN side

Do you have port forwarding set up?  Otherwise, how can A get past the firewall on the WNDR4300?

 

I suspect there are two things working against you.

  1. WNDR4300 is performing NAT, so it's going to rewrite IP addresses.
  2. Stock firmware will only NAT IP addresses on its directly connected subnet.  In your case, it will not NAT 192.168.123.0/24 traffic.

You should install DD-WRT on your WNDR4300.  Then you can disable NAT and operate it as a pure router.


All Replies
rkrzewski
Guide

Re: Static routing: problem reaching host on local network from router's WAN side

You are right. I do have port forwarding set up for TCP/22 -> 192.168.1.10:22. This is the reason for the destination IP rewriting I didn't understand.

 

I don't need NAT or firewalling between the LAN and WAN interfaces of the WNDR4300 because it's located inside a trusted network (except WiFi access, of course). If I understand correctly, stock firmware won't allow me to do that. Welp, time to read up on DD-WRT then 🙂

 

Thanks a lot for your help!

TheEther
Guru

Re: Static routing: problem reaching host on local network from router's WAN side

If you don't need your WNDR4300 to operate as a router, then convert it to an AP.  This will eliminate the 192.168.1.0/24 subnet.  Update A's static route for 192.168.123.0/24 to point directly at B.

 

The easy way to enable AP mode is to use ADVANCED > Advanced Setup > Wireless AP.  Tip: Ignore the instructions and avoid the WAN port.  The WAN<->LAN path is very slow.

rkrzewski
Guide

Re: Static routing: problem reaching host on local network from router's WAN side

I certainly don't need WNDR4300 to operate as firewall / NAT, but I think I'd still need to use it as a router to direct the traffic from machines connected to the wireless network to C via B.

 

Would the "Static routes" settings be applicable in Wireless AP mode? Otherwise the packets would leave the AP on the default route to A and then be routed back towards B, which is suboptimal. 

 

Second question: would WNDR4300 in Wireless AP mode be able to act as DHCP server for a segment of 192.168.2.0/24 or not? I'm running dnsmasq on A, so I could work around that if necessary.

TheEther
Guru

Re: Static routing: problem reaching host on local network from router's WAN side


@rkrzewski wrote:

I certainly don't need WNDR4300 to operate as firewall / NAT, but I think I'd still need to use it as a router to direct the traffic from machines connected to the wireless network to C via B.

 

As an AP, the WNDR4300 operates as a switch.  So, server B's eth0 interface would be on the 192.168.2.0/24 subnet.  Suppose you change the address for B:eth0 to 192.168.2.10.  Then update the static route on A to 192.168.123.0/24 -> 192.168.2.10.  


Would the "Static routes" settings be applicable in Wireless AP mode? 

Static routes are not applicable on the AP itself, but you still need one on A, as I described above.

Otherwise the packets would leave the AP on the default route to A and then would be routed back towards B, which is suboptimal. 

Yes, this is true, but A will send an ICMP redirect back to the wireless client with information that C is reachable through B.  Wireless clients will subsequently send traffic for C directly to B.



Second question: would WNDR4300 in Wireless AP mode be able to act as DHCP server for a segment of 192.168.2.0/24 or not? I'm running dnsmasq on A, so I could work around that if necessary.

DHCP server is not supported in AP mode with Netgear firmware.  It is supported with DD-WRT.  If you want to avoid the ICMP redirect process, then you can use a DHCP server.

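An added example, not code from this thread and not NETGEAR or DD-WRT code, that models the two forwarding behaviours discussed in the accepted answer and in the reply above: a WAN-side port forward (DNAT) applied before the route lookup, a longest-prefix static route, and the ICMP redirect decision a Linux gateway makes when it forwards a packet back out the interface it arrived on. Addresses follow the thread's topology. Assumptions: the stock port-forward rule matches any TCP/22 arriving on the WAN port regardless of destination address (chosen because it reproduces the observed trace), B's address after the switch to AP mode is 192.168.2.10 as suggested above, and the wireless client 192.168.2.50 is made up.

```python
"""Small model of a consumer NAT router's forwarding path and of a Linux
gateway's ICMP redirect rule. Added example; addresses from the thread,
port-forward semantics and the wireless client address are assumptions."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    dev: str
    via: Optional[IPv4] = None  # None: destination is directly connected on dev


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4
    proto: str
    dport: int


@dataclass
class Result:
    dst: IPv4                     # destination the route lookup saw (after DNAT)
    out_dev: Optional[str]
    next_hop: Optional[IPv4]
    redirect_to: Optional[IPv4] = None


def lookup(routes, dst):
    """Longest-prefix match over a static table."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


@dataclass
class Router:
    name: str
    ifaces: dict[str, ipaddress.IPv4Interface]
    routes: list[Route]
    nat: bool = False
    wan_dev: Optional[str] = None
    # (proto, dport) -> (inside address, inside port). Assumed to match any packet
    # entering on wan_dev with that proto/port, whatever its destination address.
    port_forwards: dict[tuple[str, int], tuple[IPv4, int]] = field(default_factory=dict)

    def forward(self, in_dev, pkt):
        dst = pkt.dst
        if self.nat and in_dev == self.wan_dev:
            target = self.port_forwards.get((pkt.proto, pkt.dport))
            if target is not None:
                dst = target[0]  # DNAT in PREROUTING: routing now sees the inside host
        route = lookup(self.routes, dst)
        if route is None:
            return Result(dst, None, None)
        next_hop = route.via if route.via is not None else dst
        result = Result(dst, route.dev, next_hop)
        # ICMP redirect (RFC 1812 style): packet leaves by the interface it came in
        # on, and both the sender and the gateway sit on that interface's network.
        net = self.ifaces[in_dev].network
        if route.dev == in_dev and pkt.src in net and next_hop in net:
            result.redirect_to = next_hop
        return result


def wndr4300(stock):
    """Stock: NAT on, TCP/22 forwarded to B. Pure router (the DD-WRT suggestion): NAT off."""
    return Router(
        name="WNDR4300",
        ifaces={"wan": ipaddress.IPv4Interface("192.168.2.2/24"),
                "lan": ipaddress.IPv4Interface("192.168.1.1/24")},
        routes=[Route(Net("192.168.1.0/24"), "lan"),
                Route(Net("192.168.123.0/24"), "lan", IPv4("192.168.1.10")),
                Route(Net("0.0.0.0/0"), "wan", IPv4("192.168.2.1"))],
        nat=stock, wan_dev="wan",
        port_forwards={("tcp", 22): (IPv4("192.168.1.10"), 22)} if stock else {},
    )


# Server A once the WNDR4300 is an AP: B's eth0 moved to 192.168.2.10 (assumed).
SERVER_A_AP_MODE = Router(
    name="A",
    ifaces={"eth1": ipaddress.IPv4Interface("192.168.2.1/24")},
    routes=[Route(Net("192.168.2.0/24"), "eth1"),
            Route(Net("192.168.123.0/24"), "eth1", IPv4("192.168.2.10"))],
)

SSH_A_TO_C = Packet(IPv4("192.168.2.1"), IPv4("192.168.123.200"), "tcp", 22)

if __name__ == "__main__":
    for stock in (True, False):
        r = wndr4300(stock).forward("wan", SSH_A_TO_C)
        print("stock" if stock else "pure router", "-> dst", r.dst, "next hop", r.next_hop, "via", r.out_dev)
    wifi = Packet(IPv4("192.168.2.50"), IPv4("192.168.123.200"), "tcp", 22)  # constructed client
    r = SERVER_A_AP_MODE.forward("eth1", wifi)
    print("A forwards via", r.next_hop, "and redirects the client to", r.redirect_to)
```

With NAT on, the SYN from A is handed to the route lookup with destination 192.168.1.10, so it is delivered to B itself; with NAT off the destination stays 192.168.123.200 and B merely forwards it to C. In the AP-mode topology the first packet from a wireless client is forwarded by A and answered with a redirect to 192.168.2.10, after which the client talks to B directly.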
rkrzewski
Guide

Re: Static routing: problem reaching host on local network from router's WAN side

I've switched the WNDR4300 to Wireless AP mode and it worked great! 🙂 I now have full connectivity between all hosts.

DHCP is not a problem. As I wrote before I'm running Linux on the servers and setting up DHCP using dnsmasq was very simple. 

I didn't know about ICMP redirect, or maybe I did know about it once when I took TCP/IP networking class at Uni some 15 years ago 🙂

 

I also tested your suggestion to plug the Ethernet cable between A and the WNDR4300 into a LAN rather than the WAN port, but I've observed a little oddity: when A is plugged into a LAN port and WAN is left unconnected, I cannot access the administrative interface of the WNDR4300 or even ping its IP address, but otherwise the network works fine. When A is plugged into the WAN port, I can access the admin interface normally. I've checked the DHCP server's logs: the router requests the same IP address in both cases, presenting the same MAC address. This is a minor nuisance though, because I hope not to spend too much time accessing the administrative interface 🙂

Thanks a lot for your assistance!

rkrzewski
Guide

Re: Static routing: problem reaching host on local network from router's WAN side

One final clarification: WNDR4300 in Wireless AP mode does not acquire IP address over DHCP, when the cable to DHCP server / upstream router is plugged into LAN port.

However when IP address of the AP is manually configured before switching the cable from WAN to LAN port, administrative interface can be accessed without problems, also after power cycling the device.

 
