
Advanced routing on WRT54GS

Discussion in 'Networking Issues' started by induktor, Dec 18, 2006.

  1. induktor

    induktor LI Guru Member

    Hello to all,

    I am attempting to set up a WRT54GS as a router on an existing LAN. I have a Cisco router for WAN connectivity going to a Firewall running NAT. The LAN side of the Firewall's IP is 192.168.10.25, my gateway. I have the WRT54GS set up with a static IP of 192.168.10.34 on its WAN side and the default 192.168.1.1 for the LAN/WLAN side of the device. I have tried a number of configs to get this thing to route packets both ways so that I may access devices on the 192.168.1.0 network from the 192.168.10.0 and vice versa. I also have installed DD-WRT v23 SP2 std in order to extend my options. Any advice?

    Thank you,
     
  2. crossmr

    crossmr LI Guru Member

    Did you change it from "Gateway" to "Router"? In gateway mode the unit is performing NAT on anything going out across the wan link.
     
  3. induktor

    induktor LI Guru Member

    Yes, I did indeed. I have tried the unit in router mode and set up routing to and from the LAN/WLAN. Thanks for the reply. :)
     
  4. ifican

    ifican Network Guru Member

    You either need to turn on RIP on both devices or tell the uplink (the firewall, from what I get, at 10.25) via a static route that the 192.168.1.1 network lives behind 192.168.10.34, so it knows where to send that traffic.
     
  5. induktor

    induktor LI Guru Member


    Well... My firewall does have RIP(2) capability, as does the WRT54G (with DD-WRT firmware). Wouldn't that only address WAN traffic? As it stands, simply routing traffic between the 192.168.10.0 (existing LAN) and 192.168.1.0 (WLAN) subnets has failed. One should be able to configure the WRT54G device to handle that before the gateway to the outside world comes into play. I'm going to play around with the command line on a vanilla config and see if I can yield any results. Hopefully I'm just missing something fundamental here (as I reread the Routing section of my O'Reilly TCP/IP book). Thanks again for the ideas everyone.
     
  6. ifican

    ifican Network Guru Member

    Well, there are a couple of things that come into play here. If you are running RIP, the firewall will share all info with the WRT and the WRT will share its known routes with the firewall. If the firewall is not generating a default route, i.e. 0.0.0.0, then you will have to configure that in the WRT. Now, the reason the traffic cannot get back to the WRT is that the firewall itself does not know what to do with anything that shows a source address of 192.168.1.x. It currently sees that traffic and then drops it because it does not know where to send it. In all actuality it sends it out its default route, which is back toward the internet. If you had RIP running on both devices it would at least know that the way to get to the 192.168.1.1 network is through 192.168.10.34; the routing table itself will look something like:

    192.168.1.0/24 via 192.168.10.34.

    If you have any questions about routing please ask as i am sure others are curious as well.
     
  7. induktor

    induktor LI Guru Member

    It works as advertised

    Based on your suggestion, for test purposes, I added a static route on the firewall (a Fortigate unit) to 192.168.1.0 w/ 24-bit mask via 192.168.10.34 on the internal VLAN and voilà! I can now ping 192.168.1.0 hosts to my heart's content! I'm still trying to fully grok how this all works :). I did receive notification of an ICMP redirect from gw 192.168.10.25 to *10.34 as expected (based on what I've read). I have several more of these WRT54G units to install, so RIP would be the way to go for scalability and efficiency. Just for the sake of argument though, I should be able to route traffic between the 192.168.10.0 and 192.168.1.0 networks with just the WRT54G, correct? This has been a great learning experience. Thank you for sharing your knowledge.
     
  8. HennieM

    HennieM Network Guru Member

    A point to remember perhaps, as ifican mentioned, routing is a 2-way street:

    Traffic on "this network" must know how to get to "the other network", AND traffic on "the other network" must know how to get to "this network", no matter if one or both of the 2 nets are a WAN/internet or just another local net. I.e., defining the "to" route does not mean the "fro" route is automatically defined.
     
  9. ksymis1

    ksymis1 LI Guru Member

    Similar problem

    At the start, I apologize for my weak English.
    I've got a similar problem to the author of this thread. Here is the topology of my network:
    [image: network topology diagram]

    And here is the routing table on my (physical) router with IPs 192.168.26.72 / 192.168.8.1 (but I am also able to manage 2 other routers via WWW).

    [image: routing table screenshot]

    These are my problems:
    1) I want to share files & folders with other computers (e.g. Laptop 5 with other laptops and PCs) just like in a standard network (as I used to when we didn't have WRTs for our laptops).
    2) Can anyone explain my routing table to me? What do "*" and "default" mean, and what is the difference (for routing, because the main difference I understand) between rules for WAN or LAN? Now I think "*" means 'this router' or 'stay on this router', but I want to be sure.
    3) I've tried some different configs on my routers and it didn't work. I tried RIP, spanning tree (what's that?). Can someone tell me step by step what I should have in the routing table on each router?
     
  10. HennieM

    HennieM Network Guru Member

    Your routing seems fine. Yes, the * means stay on this router, but go out through interface X:

    Traffic for subnet 192.168.26.0/24 must go out the WAN interface, and traffic for subnet 192.168.8.0/24 must go out interface br0 (the 4 LAN ports and the wireless).

    When sharing files, and I assume this is Windows type file sharing, you have (among many other) 2 issues to deal with:

    1) The NetBIOS protocol is not very router friendly, so you might have to access a share on another computer as \\IP.address.of.othercomputer\ShareOnOtherComputer

    2) You are running your WRT as a gateway, which means you are doing Network Address Translation (NAT) in your WRT. This means that computers/devices on the 192.168.26.0 subnet (and any other subnet) see all traffic from Laptop5 AND PC2 as being from one device: 192.168.26.72, i.e. the WAN interface of your WRT.

    You can change your WRT to Router mode. This will disable the NAT and allow anyone on any of the other subnets to access Laptop5 and PC2 in the manner indicated in (1), like
    \\192.168.8.72\ShareName.
    Note that it may also allow anyone on the internet to access your machines if the WRT internet gateway, 192.168.26.99, does not have proper firewalling.

    Spanning Tree Protocol is to sort out network loops, where you have, or can have, 2 or more logical paths to the same IP address - you don't need it in your setup. (Google it if you need to know more).
     
  11. ksymis1

    ksymis1 LI Guru Member

    Thanks. I wasn't sure if it is about 'outgoing' traffic on that interface or 'incoming' traffic.

    Ad 1) Okay, I know how to access a share on another computer. My problem is that they don't see each other.

    Ad 2) I'm a little embarrassed but... in "Router" mode my internet is down. I can connect wirelessly from my laptop (Laptop 5 - flat 2) to the router but I don't have internet.

    Does it mean that there will be 3 subnets working together without problem? Or maybe in router mode I will be able to give 192.168.26.X IPs to machines like laptop5 etc. I tried (in gateway mode) to give such an IP to my laptop but, as you suppose, it didn't work.

    Mmm, I don't really understand it. You mean that my LAPTOP5 will be accessible directly from 192.168.26.99? I guess only by forwarded ports? Now I forward ports twice. Once on 192.168.26.99 and once on 192.168.26.72, and I can work remotely, e.g. VNC. But these are a couple of ports. My point is to access 192.168.1.3 the same as 192.168.26.99 or 192.168.26.33.
    Thanks.

    I've read some on Google and I still have some questions about 'metric'. What is a metric? As I understand it now, it should be as small as possible (0?) and can't be higher than 15.

    [image: routing table screenshot]


    Is my routing table good now? It is only on 192.168.26.72. If you tell me it is good, I think I have nearly understood the point and I'll try to configure it on the other WRTs. I've tried also to put "*" but I couldn't. In that place I put 192.168.26.72, as I thought it means 'stay on this router'?
    Should I have RIP turned on?

    Thanks in advance
     
  12. HennieM

    HennieM Network Guru Member

    Oops, my mistake - I forgot to mention that routing is a 2-way street... your router knows how to send stuff from PC3 to the internet, but the internet router doesn't know how to send stuff back to PC3.

    The internet router, 192.168.26.99, must have its routes configured, or RIP turned on for its LAN side. The other 2 routers must also have their routes configured, or RIP turned on for their WAN side.

    Easiest is probably to first remove any static routes, and then configure:
    1) 192.168.26.99 as Gateway, RIP on LAN
    2) 192.168.26.26 as Router, RIP on WAN
    3) 192.168.26.72 as Router, RIP on WAN

    Leave it for a while, and then try from say Laptop5, in a DOS prompt:
    ping 192.168.1.2
    (be sure PC3 is on)
    If that works, try the same ping from say PC1.

    If all works, it means the routes have been learned by the RIP daemons on the routers, so try connecting to the internet. Once all that works, you can check the routing tables on all 3 routers, and configure all 3 routers manually with the learned routes, and turn RIP off on all 3 routers. Now all 3 subnets should work together and you should be able to browse shares, etc.

    If you don't want to do the manual route configuring, you can just leave the RIP daemons running as is. The downside of leaving RIP running is that the RIP daemons send out packets from time to time, which takes a little bit of bandwidth and could be advertising your routes to prospective hackers (is your wireless stuff encrypted?), and that the routers may need a few minutes (probably only seconds) to learn the routes when they start up.

    RIP is short for Routing Information Protocol, so a RIP daemon is a piece of software that learns about routes.

    Metric is a measure of the "cost" of a route. The lower the metric, the higher the priority of that route. In your scenario, the metric won't matter much. On the internet or a large segmented network, however, there are several routes between 2 points, and metric would determine the priorities of different routes.

    You know, the easiest solution, assuming you don't want to do any traffic manipulation, would be to put all your routers and PCs on ONE subnet, and the internet router serving DHCP. The current routers .26 and .72 would then connect to the internet router through a LAN port.
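The points made across this thread, that a route in one direction does not imply the return route (ifican in post 6, HennieM's "2-way street" in posts 8 and 12), that "*" in a routing table marks a directly attached network reached through an interface (post 10), and that metric only breaks ties between routes of equal prefix length (post 12), can be walked through with a small route-lookup model. This is an added example, not code from the thread or from DD-WRT/Tomato; the two tables, the interface names (internal, wan, vlan1, br0) and the ISP next hop 203.0.113.1 are constructed assumptions, and the static route entry is the one induktor added in post 7.

```python
from ipaddress import ip_address, ip_network

# Constructed routing tables for the WRT54GS scenario in posts 1-8 (not taken
# from any screenshot).  Each entry: (destination network, gateway or None when
# the network is directly attached, outgoing interface, metric).  A None
# gateway is what the `route` command prints as "*".
FIREWALL_ROUTES = [
    ("192.168.10.0/24", None, "internal", 0),
    ("0.0.0.0/0", "203.0.113.1", "wan", 1),  # default route; placeholder ISP next hop
]
WRT_ROUTES = [
    ("192.168.1.0/24", None, "br0", 0),      # LAN ports + wireless bridge
    ("192.168.10.0/24", None, "vlan1", 0),   # WAN port, address 192.168.10.34
    ("0.0.0.0/0", "192.168.10.25", "vlan1", 1),
]
# The static route induktor added on the firewall in post 7.
STATIC_ROUTE_TO_WLAN = ("192.168.1.0/24", "192.168.10.34", "internal", 1)


def lookup(routes, dst):
    """Longest-prefix match; on equal prefix length the lowest metric wins."""
    addr = ip_address(dst)
    best = None
    for entry in routes:
        net = ip_network(entry[0])
        if addr in net:
            rank = (net.prefixlen, -entry[3])
            if best is None or rank > best[0]:
                best = (rank, entry)
    return best[1] if best else None


def next_hop(routes, dst):
    """Human-readable forwarding decision, or 'unreachable' if nothing matches."""
    entry = lookup(routes, dst)
    if entry is None:
        return "unreachable"
    _, gw, iface, _ = entry
    return f"direct on {iface}" if gw is None else f"via {gw} on {iface}"


def trace(firewall_routes, wrt_routes, src, dst):
    """A host behind the WRT (src) talks to a host on the firewall's LAN (dst).
    The request is forwarded by the WRT; the reply leaves dst toward its own
    default gateway, the firewall, which then needs a route back to src."""
    return {
        "request": next_hop(wrt_routes, dst),
        "reply": next_hop(firewall_routes, src),
    }


def format_table(routes):
    """Render entries the way `route` does: '*' marks a directly attached net."""
    lines = ["Destination       Gateway          Iface     Metric"]
    for net, gw, iface, metric in routes:
        lines.append(f"{net:<17} {gw or '*':<16} {iface:<9} {metric}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(FIREWALL_ROUTES))
    # Without the static route the reply is sent out the default route, toward
    # the internet, which is exactly the symptom ifican describes in post 6.
    print("without static route:", trace(FIREWALL_ROUTES, WRT_ROUTES, "192.168.1.50", "192.168.10.60"))
    print("with static route:   ", trace(FIREWALL_ROUTES + [STATIC_ROUTE_TO_WLAN], WRT_ROUTES, "192.168.1.50", "192.168.10.60"))
```

Running it shows the forward direction working on both tables while the reply only comes back once the firewall has a more specific entry than its default route; RIP would install the same entry automatically, which is all "learning the routes" in post 12 means.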
     
  13. ksymis1

    ksymis1 LI Guru Member


    Okay, you're a master :) It seems to work but I have some problems...

    1) From my laptop (192.168.8.72) I can ping everything in the LAN. Also 192.168.26.26, BUT I CAN'T ACCESS the webconfig now... It is weird because I can access the webconfig on the gateway (192.168.26.99).

    2) I can't ping some (and some I can!) pages on the internet. E.g. 'interia.pl' answers ping normally but I can't ping it from my laptop. I also can't ping it from the webconfig on 192.168.26.72 and 192.168.26.99. I would understand that ping is not working or something, but it works... on some pages :| (e.g. onet.pl)

    3) I can ping 192.168.1.2 (and 3) but can't access them by sharing. (I've checked the Windows firewall and other stuff... I think it's connected with the thing that I can't access the webconfig on 192.168.26.26)

    4) The last curious thing. I found (I think it hasn't been there before) some things in the log files on 192.168.26.26 (and my 72):


    192.168.26.99 - named 'Bocianowo'
    Code:
    Oct 28 19:36:07 Bocianowo authpriv.info dropbear[2084]: Child connection from 192.168.8.72:46303
    Oct 28 19:36:07 Bocianowo authpriv.info dropbear[2084]: exit before auth: Exited normally
    Oct 28 19:36:37 Bocianowo authpriv.info dropbear[2094]: Child connection from 192.168.8.72:46397
    Oct 28 19:36:37 Bocianowo authpriv.info dropbear[2094]: exit before auth: Exited normally
    Oct 28 19:37:07 Bocianowo authpriv.info dropbear[2096]: Child connection from 192.168.8.72:46467
    Oct 28 19:37:07 Bocianowo authpriv.info dropbear[2096]: exit before auth: Exited normally
    Oct 28 19:37:37 Bocianowo authpriv.info dropbear[2098]: Child connection from 192.168.8.72:46539
    Oct 28 19:37:37 Bocianowo authpriv.info dropbear[2098]: exit before auth: Exited normally
    Oct 28 19:38:07 Bocianowo authpriv.info dropbear[2100]: Child connection from 192.168.8.72:46609
    Oct 28 19:38:07 Bocianowo authpriv.info dropbear[2100]: exit before auth: Exited normally
    Oct 28 19:38:37 Bocianowo authpriv.info dropbear[2102]: Child connection from 192.168.8.72:46820
    Oct 28 19:38:37 Bocianowo authpriv.info dropbear[2102]: exit before auth: Exited normally
    Oct 28 19:39:07 Bocianowo authpriv.info dropbear[2104]: Child connection from 192.168.8.72:46888
    Oct 28 19:39:07 Bocianowo authpriv.info dropbear[2104]: exit before auth: Exited normally
    Oct 28 19:39:37 Bocianowo authpriv.info dropbear[2106]: Child connection from 192.168.8.72:46960
    Oct 28 19:39:37 Bocianowo authpriv.info dropbear[2106]: exit before auth: Exited normally
    Oct 28 19:40:07 Bocianowo authpriv.info dropbear[2108]: Child connection from 192.168.8.72:47050
    Oct 28 19:40:07 Bocianowo authpriv.info dropbear[2108]: exit before auth: Exited normally

    and 192.168.26.72 - named Bocianowo 2
    Code:
    Oct 28 11:46:56 bocianowo2 authpriv.info dropbear[789]: Child connection from 192.168.8.72:48025
    Oct 28 11:46:56 bocianowo2 authpriv.info dropbear[789]: exit before auth: Exited normally
    Oct 28 11:47:01 bocianowo2 cron.notice crond[201]: USER root pid 791 cmd ddns-update 0 #ddns0# 
    Oct 28 11:47:20 bocianowo2 authpriv.info dropbear[835]: Child connection from 192.168.8.72:48082
    Oct 28 11:47:20 bocianowo2 authpriv.info dropbear[835]: exit before auth: Exited normally
    Oct 28 11:47:26 bocianowo2 authpriv.info dropbear[836]: Child connection from 192.168.8.72:48095
    Oct 28 11:47:26 bocianowo2 authpriv.info dropbear[836]: exit before auth: Exited normally
    Oct 28 11:47:50 bocianowo2 authpriv.info dropbear[841]: Child connection from 192.168.8.72:48150
    Oct 28 11:47:50 bocianowo2 authpriv.info dropbear[841]: exit before auth: Exited normally
    Oct 28 11:47:56 bocianowo2 authpriv.info dropbear[842]: Child connection from 192.168.8.72:48165
    Oct 28 11:47:56 bocianowo2 authpriv.info dropbear[842]: exit before auth: Exited normally
    Oct 28 11:48:20 bocianowo2 authpriv.info dropbear[847]: Child connection from 192.168.8.72:48220
    Oct 28 11:48:20 bocianowo2 authpriv.info dropbear[847]: exit before auth: Exited normally
    Oct 28 11:48:26 bocianowo2 authpriv.info dropbear[848]: Child connection from 192.168.8.72:48235
    Oct 28 11:48:26 bocianowo2 authpriv.info dropbear[848]: exit before auth: Exited normally
    Oct 28 11:48:50 bocianowo2 authpriv.info dropbear[853]: Child connection from 192.168.8.72:48292
    Oct 28 11:48:50 bocianowo2 authpriv.info dropbear[853]: exit before auth: Exited normally
    Oct 28 11:48:56 bocianowo2 authpriv.info dropbear[854]: Child connection from 192.168.8.72:48307
    Oct 28 11:48:56 bocianowo2 authpriv.info dropbear[854]: exit before auth: Exited normally
    I use:
    192.168.26.99 - TOMATO Current Version: 1.10.1189
    192.168.26.72 - TOMATO Current Version: 1.10.1188
    192.168.26.26 - TOMATO (I guess version about 1.6)

    ==========
    edit: I've ticked 'Spanning Tree Protocol' and now it seems to work (except still this 192.168.26.26). I discovered that I couldn't ping addresses 87.*.*.*
    I've checked the routing tables and RIP learned:
    on 192.168.26.72:
    87.0.0.0 via 192.168.26.99 <--- it's ok
    but
    on 192.168.26.99:
    87.0.0.0 via 192.168.26.72 ... I think it's not good

    Why did it happen?
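The dropbear lines quoted above are worth reading as a small detection exercise: each "Child connection" / "exit before auth" pair is one TCP connection to the router's SSH port that was closed before any login was attempted, and on Bocianowo they arrive from the same source exactly every 30 seconds. The parser below groups such events per router and source address and flags a constant cadence. It is an added example, not part of the thread or of Tomato; the syslog year (2007) is an assumption because syslog lines carry none, and the embedded sample is a constructed subset of the quoted log, including the cron line to show that non-dropbear lines are skipped.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog lines in the form Tomato's dropbear writes them (format taken from the thread).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"authpriv\.info dropbear\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONN_RE = re.compile(r"^Child connection from (?P<ip>[\d.]+):(?P<port>\d+)$")

# Constructed sample: a subset of the lines quoted in the post plus the cron
# line, which is not a dropbear event and must be ignored by the parser.
SAMPLE = """\
Oct 28 19:36:07 Bocianowo authpriv.info dropbear[2084]: Child connection from 192.168.8.72:46303
Oct 28 19:36:07 Bocianowo authpriv.info dropbear[2084]: exit before auth: Exited normally
Oct 28 19:36:37 Bocianowo authpriv.info dropbear[2094]: Child connection from 192.168.8.72:46397
Oct 28 19:36:37 Bocianowo authpriv.info dropbear[2094]: exit before auth: Exited normally
Oct 28 19:37:07 Bocianowo authpriv.info dropbear[2096]: Child connection from 192.168.8.72:46467
Oct 28 19:37:07 Bocianowo authpriv.info dropbear[2096]: exit before auth: Exited normally
Oct 28 11:46:56 bocianowo2 authpriv.info dropbear[789]: Child connection from 192.168.8.72:48025
Oct 28 11:46:56 bocianowo2 authpriv.info dropbear[789]: exit before auth: Exited normally
Oct 28 11:47:01 bocianowo2 cron.notice crond[201]: USER root pid 791 cmd ddns-update 0 #ddns0#
Oct 28 11:47:20 bocianowo2 authpriv.info dropbear[835]: Child connection from 192.168.8.72:48082
Oct 28 11:47:20 bocianowo2 authpriv.info dropbear[835]: exit before auth: Exited normally
Oct 28 11:47:26 bocianowo2 authpriv.info dropbear[836]: Child connection from 192.168.8.72:48095
Oct 28 11:47:26 bocianowo2 authpriv.info dropbear[836]: exit before auth: Exited normally
Oct 28 11:47:50 bocianowo2 authpriv.info dropbear[841]: Child connection from 192.168.8.72:48150
Oct 28 11:47:50 bocianowo2 authpriv.info dropbear[841]: exit before auth: Exited normally
"""


def parse_events(text, year=2007):
    """Return (timestamp, host, pid, message) for dropbear lines; others are skipped.
    Syslog omits the year, so the caller supplies it (2007 is assumed here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], int(m["pid"]), m["msg"]))
    return events


def summarize(events):
    """Per (router, source IP): connections seen, how many ended before
    authentication, and the seconds between successive connections."""
    stats = defaultdict(lambda: {"connections": 0, "exit_before_auth": 0, "last": None, "intervals": []})
    pid_owner = {}  # (host, pid) -> source IP, so the exit line can be attributed
    for ts, host, pid, msg in events:
        c = CONN_RE.match(msg)
        if c:
            pid_owner[(host, pid)] = c["ip"]
            s = stats[(host, c["ip"])]
            s["connections"] += 1
            if s["last"] is not None:
                s["intervals"].append(int((ts - s["last"]).total_seconds()))
            s["last"] = ts
        elif msg.startswith("exit before auth") and (host, pid) in pid_owner:
            stats[(host, pid_owner[(host, pid)])]["exit_before_auth"] += 1
    return {k: {"connections": v["connections"], "exit_before_auth": v["exit_before_auth"],
                "intervals": v["intervals"]} for k, v in stats.items()}


def periodic_sources(summary, tolerance=2):
    """Sources whose connection cadence is (near) constant.  A fixed interval
    points to software polling the SSH port, not to a person typing ssh."""
    return [key for key, s in summary.items()
            if len(s["intervals"]) >= 2 and max(s["intervals"]) - min(s["intervals"]) <= tolerance]


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE))
    for key, s in summary.items():
        print(key, s)
    print("periodic:", periodic_sources(summary))
```

On the sample, Bocianowo shows three connections 30 seconds apart with every one dropped before authentication, so the source, 192.168.8.72 (ksymis1's own laptop), is running something that opens the SSH port on a timer; the next step is to find that process on the laptop, and HennieM's later advice about checking which services are reachable on a router's WAN side applies here as well.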
     
  14. ksymis1

    ksymis1 LI Guru Member

    I am confused. It works... nearly. I also can't access 192.168.26.99 from the internet (by WAN IP of course) without changing any configs. It stopped working after these changes (RIP, STP etc.).
    I can't access 192.168.26.26 from laptop 5.
    I can access 192.168.26.99 from laptop 5.
    Laptop 6 can't access 192.168.26.72.
    And as I said, I can't access the gateway from the internet. I know that there are ports opened (for ssh, telnet, http, https) but nmap even with -P0 shows 'host is probably down' or 'no open ports'. But I can ping it from the internet.
     
  15. HennieM

    HennieM Network Guru Member

    I just read in the Tomato FAQ that the firewall is always on, so that may be part of your problem.

    Try this:

    Make sure your 2 non-internet routers, .26.26 and .26.72, are both set to router mode.

    Just for clarity:
    When you do, for example, http://192.168.8.1/ , you are actually doing http://192.168.8.1:80/

    Now, when you access 26.26 from Laptop5, you are going into 26.26 via its WAN port. For web access you may need to access it as http://192.168.26.26:8080/ or even https://192.168.26.26:RemotePort/ i.e. port 8080 or some other port, not the default port 80. Similarly for ssh access (which generated those dropbear logs you quoted). Check "Remote Access" and "Remote Port" under Administration > Admin Access on that router (26.26) by accessing it (via http) from PC3 or Laptop6 (or any machine on its LAN side). Check the same on 26.72 by accessing it from Laptop5 or PC2. The same applies for 26.99, but be sure you want to allow web access to it from the internet.

    Also, if you want to allow ping to any router from its WAN side, in its configuration under Advanced > Firewall check "Respond To ICMP Ping".

    The fact that you had to enable STP indicates that you may somehow have redundant links somewhere. This is not a worry for now.
     
  16. ksymis1

    ksymis1 LI Guru Member

    Thanks at first for your patience :)

    I know the basics (and maybe more) about networks and IT. I know how to access a web page by a specific port (different than standard) and protocol (the difference between ports). I've done some investigation. I've checked 'respond to icmp ping' and it responds on both sides. But from the WAN it seems to have all ports closed, and everything is able to see all opened ports from the LAN side. I've looked into the logs and these 'dropbear' logs (I don't know why they were in the logs because I didn't try to connect by ssh) stopped after switching STP on. I saw some firewall logs about dropping some broadcast on the LAN side and I guess that if the firewall is blocking/dropping my access from outside it should be in the logs, but there isn't. It seems the firewall works OK and doesn't block anything...

    I don't know if it is useful but:
    I have checked:

    respond to icmp ping
    enable nat loopback


    and unchecked

    allow multicast

    This is what I get when I ping my gateway's (192.168.26.99) external IP address. I am sure ports are opened and there are no logs about dropping anything.

    Code:
    [kaziu@localhost ~]$ nmap -P0 xxx.xxx.xxx.xxx
    
    Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-10-30 14:52 CET
    Interesting ports on xxx.chello.pl (xxx.xxx.xxx.xxx):
    Not shown: 1667 filtered ports
    PORT     STATE  SERVICE
    1720/tcp open   H.323/Q.931
    6000/tcp closed X11
    6001/tcp closed X11:1
    6002/tcp closed X11:2
    6003/tcp closed X11:3
    6004/tcp closed X11:4
    6005/tcp closed X11:5
    6006/tcp closed X11:6
    6007/tcp closed X11:7
    6008/tcp closed X11:8
    6009/tcp closed X11:9
    6017/tcp closed xmail-ctrl
    6050/tcp closed arcserve
    
    Nmap finished: 1 IP address (1 host up) scanned in 52.442 seconds
    
    Hmmm, maybe I should turn RIP on WAN on the gateway?
     
  17. HennieM

    HennieM Network Guru Member

    I dunno what's up with your gateway, but I see this:

    I assume the "...when I ping my gateway (192.168.26.99) external IP address..." means you tried to do that from some other machine on the internet - NOT from one of the PCs/devices on any of your 192.168.. nets?

    nmap is not a pinger, but a port scanner.
    nmap does find your gateway, so your routing is fine. Routing only deals with "how to get to host x.x.x.x", not with which ports are open or which services are hosted by that host. To see if you can reach a host, use the ping command.

    The "which ports are open" are entirely dependent upon the service/software/firmware running on that host, so look elsewhere in your Tomato (not routing).
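HennieM's distinction in this reply (the scan reached the host, so routing is fine; port state is the host's business) can be read straight from the nmap output in post 16, and so can the answer to whether the firewall drops anything: nmap reports a port as "filtered" when its probe got no reply at all, which is what a firewall dropping packets silently looks like, while "closed" means the host answered with a TCP RST. The small parser below summarises a scan that way. It is an added example, not code from the thread or from Nmap; the scan text it embeds is a constructed copy of the quoted output with the same placeholder addresses.

```python
import re

# What each Nmap port state means on the wire (Nmap's own definitions).
STATE_MEANING = {
    "open": "a service accepted the connection",
    "closed": "the host answered with RST: reachable, but nothing listens there",
    "filtered": "no answer at all: a firewall or filter dropped the probe silently",
}

PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")
NOT_SHOWN_RE = re.compile(r"^Not shown: (?P<count>\d+) (?P<state>\w+) ports")
HOSTS_UP_RE = re.compile(r"\((?P<up>\d+) hosts? up\)")

# Constructed copy of the Nmap 4.11 output quoted in post 16 (placeholder addresses kept).
SAMPLE_SCAN = """\
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-10-30 14:52 CET
Interesting ports on xxx.chello.pl (xxx.xxx.xxx.xxx):
Not shown: 1667 filtered ports
PORT     STATE  SERVICE
1720/tcp open   H.323/Q.931
6000/tcp closed X11
6001/tcp closed X11:1
6002/tcp closed X11:2
6003/tcp closed X11:3
6004/tcp closed X11:4
6005/tcp closed X11:5
6006/tcp closed X11:6
6007/tcp closed X11:7
6008/tcp closed X11:8
6009/tcp closed X11:9
6017/tcp closed xmail-ctrl
6050/tcp closed arcserve

Nmap finished: 1 IP address (1 host up) scanned in 52.442 seconds
"""


def parse_nmap(text):
    """Parse Nmap's normal output into listed ports, per-state counts and host status."""
    summary = {"host_up": False, "ports": [], "state_counts": {}}
    counts = summary["state_counts"]
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            summary["ports"].append((int(m["port"]), m["proto"], m["state"], m["service"]))
            counts[m["state"]] = counts.get(m["state"], 0) + 1
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:  # the bulk of the ports are folded into one "Not shown" line
            counts[m["state"]] = counts.get(m["state"], 0) + int(m["count"])
            continue
        m = HOSTS_UP_RE.search(line)
        if m:
            summary["host_up"] = int(m["up"]) > 0
    return summary


def interpret(summary):
    """Turn the counts into the two separate questions: reachability, then port state."""
    findings = []
    if summary["host_up"]:
        findings.append("host reachable: routing to it is fine; port states are a host/firewall matter")
    for state, n in sorted(summary["state_counts"].items()):
        findings.append(f"{n} {state}: {STATE_MEANING.get(state, 'unrecognised state')}")
    return findings


if __name__ == "__main__":
    for finding in interpret(parse_nmap(SAMPLE_SCAN)):
        print(finding)
```

On the quoted scan this yields 1667 filtered, 12 closed and 1 open port: the host is reachable, and the large filtered count means something on the path or on the gateway is dropping probes without logging them, which contradicts the reading in post 16 that the firewall "doesn't block anything". That is consistent with the Tomato FAQ note in post 15 that the firewall is always on.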
     