  ggbal

    I have a Y configuration with three routers.

    DSL Modem
    board router A ( guest router B(192.168.100/24)
    private router C (

    Router A runs Toastman 7454 VPN mod.
    Router B runs DD-WRT.
    Router C runs Toastman 7454 Ext mod.

    Both connections are WAN-LAN. Outbound works perfectly from either the C subnet or the B subnet. The routing table is as follows:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
                                                    UH        0 0          0 ppp0
                                                    UG        0 0          0 br0
                                                    U         0 0          0 br0
                                                    UG        0 0          0 br0
                                                    U         0 0          0 lo
                                                    UG        0 0          0 ppp0
    Where is the WAN IP. 192.1168.10.2 is the WAN-side IP of router B, and is for router C.

    Accept ICMP/ping is enabled on both router B and C.

    Now, I can access machines in the C subnet ( from machines within the B subnet ( But for some reason I can't do the reverse, i.e. from to

    I can also log in to Tomato on router A and ping/trace to (router C's WAN IP), and it succeeds. But if I ping/trace to router C's LAN-side IP (, it fails.

    So essentially I can do A->B, C->B. But I can't do B->C, or A->C. The firewall in router C should not be an issue since I simply test the ping to the router itself.

    I am not sure where I did wrong. Need your help. Thanks.
  TT76

    Try changing the route mode to Router (Gateway is the default) on the routing page. Check the Respond To Inbound Ping box on the firewall page if you want ICMP echo on the WAN port.
  ggbal

    I thought about that. But if I use the "Router" mode, the firewall/port forwarding will be in play. I do want the private subnet to be protected.

    Anyway, I found out what is going on. It turns out the iptables rules are different between DD-WRT and Tomato.

    In Tomato, there is a rule in the PREROUTING chain to drop everything sent to the local address. The chain looks like this.

    Chain PREROUTING (policy ACCEPT) 
    target     prot opt source               destination          
    WANPREROUTING  all  --  anywhere             wan-ip               
    DROP       all  --  anywhere    
    If I remove the 2nd rule or replace it with ACCEPT, the whole thing works as I wanted.

    However, I found another interesting behavior. If I add it or change it back to DROP and make sure it is line number 2 as shown above, it acts strangely. It denies any connection to any subnet machine. It acts as if the DROP rule were at line number 1 even though iptables reports the same result as shown above. The only way to fix that is to change the mode to Router and back to Gateway.

    Is this a bug?
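Rather than deleting the DROP rule outright, a narrower fix is to insert a targeted ACCEPT above it, so only the guest subnet can reach the private LAN and only for the protocol that is actually needed. The script below is an added example for router C's Tomato Firewall script, not code from the thread or from Tomato; it assumes the DROP rule sits at position 2 of the nat table's PREROUTING chain (where Tomato keeps WANPREROUTING), and uses placeholders 192.168.1.0/24 for router C's LAN and vlan1 for router C's WAN interface.

```shell
#!/bin/sh
# Added example: let router B's guest subnet reach router C's private LAN
# without removing Tomato's blanket "drop WAN packets addressed to the LAN" rule.
# Run it to review the rules (dry run); pipe it through sh on the router to apply.

GUEST_NET="192.168.100.0/24"   # router B's LAN, as given in the thread
PRIVATE_NET="192.168.1.0/24"   # placeholder: router C's LAN (not from the thread)
WAN_IF="vlan1"                 # placeholder: router C's WAN interface
ALLOW_PROTO="icmp"             # only what is needed; widen deliberately, not by default

# Print the iptables commands rather than executing them, so the rule set can be
# reviewed (and tested) before it touches a live firewall.
rules() {
    # 1. Punch a hole above the DROP at position 2 of nat PREROUTING: an ACCEPT in
    #    the nat table ends nat processing for the packet, which then continues to
    #    routing and the filter table instead of being discarded.
    echo "iptables -t nat -I PREROUTING 2 -i $WAN_IF -s $GUEST_NET -d $PRIVATE_NET -j ACCEPT"
    # 2. The filter table still decides: forward only the chosen protocol inbound,
    #    and only replies to those flows back out toward the guest subnet.
    echo "iptables -I FORWARD -i $WAN_IF -s $GUEST_NET -d $PRIVATE_NET -p $ALLOW_PROTO -j ACCEPT"
    echo "iptables -I FORWARD -o $WAN_IF -s $PRIVATE_NET -d $GUEST_NET -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 3. Allow the guest subnet to ping router C's own LAN address (the test in the
    #    thread), and nothing else addressed to the router itself.
    echo "iptables -I INPUT -i $WAN_IF -s $GUEST_NET -p icmp --icmp-type echo-request -j ACCEPT"
}

# Number of rules the script would add; a cheap sanity check before applying.
rule_count() {
    rules | wc -l | tr -d ' '
}

# Dry run by default: "sh firewall-c.sh" shows the rules, "sh firewall-c.sh | sh"
# applies them (as root, on the router).
rules
```

Because the hole is scoped by source subnet, destination subnet and protocol, the private LAN stays closed to everything else arriving on router C's WAN side, which is the protection the Gateway-mode DROP was providing.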
  TT76

    I think that those iptables rules you want are for Gateway mode rather than Router mode, but your routers are acting as routers in your case. So I think you had better set them to Router. If you have any demand for security, you can add some rules manually accordingly.
