Connecting SubNets

Discussion in 'Networking Issues' started by zardiw, May 9, 2007.

  1. zardiw

    zardiw LI Guru Member

    Well I spent about 2 days researching this and have not really resolved it.

    Edit: Well finally got it to work, so if you don't want to read about the trials and tribulations, skip to the end for the solution............z

    I have one LAN (192.168.0.x) that's hooked to the internet via DI-624 and want to hook a second subnet (192.168.1.x) to it.

    What I have done now is change all the subnet masks to, and now I can ping everything.

    The idea was to keep the 2 LAN's separate, and use routing to join them.

    I fear what I have done is just created one big LAN that has both the subnets incorporated in it.

    Is that about right?

    Here's a diagram. The idea was to keep the subnet in building 2 separate from the subnet in building 1 that has the internet connection.

    I DID have them all connected as one big happy net, but wanted to make the building 2 part of it more secure.

    No joy in getting that done until I changed the subnet mask for everything.....

    I THINK the problem is that the DI-624 would have to have some advanced routing capability to do this, in order to route the network traffic between the 2 subnets, but am not sure. If that is the case, it would have to be replaced with a 54GL or that right?

    Appreciate any help here..........Thanks, z

  2. azeari

    azeari LI Guru Member

    firstly, what exactly do you mean by more secure?

    there really isn't much difference between 1 big network incorporating 2 subnets, or 2 subnets routed together into 1 big network. In fact, I think you might be better off disabling DHCP for the 2 routers in building 2 to keep them in the same subnet to begin with.
  3. ifican

    ifican Network Guru Member

    I think the biggest question is why you need more security on the one subnet? If that is in fact something that needs to be done then sure we can help design something that will work for you, but as stated, unless other measures are taken, there really is no difference between the two.
  4. Guyfromhe

    Guyfromhe Network Guru Member

    I don't know the reasoning behind this but your "router" needs to have an IP in both subnets and your other end needs to have a static route to the other subnet with the gateway being the "router" on the current subnet.

    I hope that makes sense, if not I'll try to re-phrase.
  5. zardiw

    zardiw LI Guru Member

    Thanks for the replies.

    The building 2 subnet will be controlling some equipment, and I was thinking of segregating it from building 1 where the internet connection is. This article is what got me started in it:


    But maybe it's a waste of time, since building 2 has a wireless access point as well......just was thinking to keep it separate from the internet connected one, but I still need internet access in building 2.

    The 2 54GL's are presently set at WDS and just function as a bridge at present.

    I DID set some advanced routing rules at to the 54GS router/AP, but that didn't really work, or I didn't do it right. This is what I had there:


    The 54GS router in Building 2 should be a wireless AP, and hand out DHCP Ip's (192.168.1.x's) to both the wireless and LAN clients.

    But if the 2 54GL's in WDS mode are basically the same as an ethernet cable going from the DI624 to the 54GS, then I'm thinking the DI624 is the one that needs the advanced routing rules......but then again, I really have just enough knowledge to be dangerous, I again for any input/suggestions on this.................z
  6. zardiw

    zardiw LI Guru Member

    Ok, so the router in the first subnet needs a static route to the router in the second subnet. And that static route should have the gateway set to the gateway that the router connected to the internet has?

    Like this (on the 192.168.0 subnet Edit: The GL):


    Is that right?

    Or should the Gateway on that static route be (which is the ip of the second subnet router).

    OH, and should the 2nd subnet router Edit - i.e. the 54GS, have a static route back to the first subnet router (, like this?


    This is really confusing......lolol..................z
  7. zardiw

    zardiw LI Guru Member

    Well, when I had the 54GS router set at, everything was rosy. It had DHCP disabled, and the DI624 was happily handing out DHCP IP's and everything was working..........but you know how it is.....just never satisfied I guess........lolol..

    Setting the masks to, results in the same thing as having everything in the 192.168.0 subnet with a mask of, is that right?
  8. Guyfromhe

    Guyfromhe Network Guru Member

    if you widen the subnet mask you're moving everything back into the same subnet...
    The only good reason for setting up different subnets is to separate them at layer 2 (in which case your wider subnet mask still wouldn't allow them to communicate)
    If this resolved the issue the two connections are bridged and your efforts are futile...
    The only good reason for making 2 networks and routing between them would be to add firewall rules, however if there's another connection on the same network that doesn't have those rules it's pretty much pointless....

    Going into something like this is very confusing and requires quite a bit of network knowledge... Even I will need to think of how to properly explain exactly how to do this...

    If you're sure this is what you want to do I'll try to write a detailed reply when I get home from work.
  9. Guyfromhe

    Guyfromhe Network Guru Member

    Also this won't have any effect on protection from the internet, it will only have the effect of protecting building 1 from building 2 and building 2 from building one if you want to go through all the effort needed. Also it will make your network a horrendous pain to troubleshoot if you don't know what you're doing...
  10. ifican

    ifican Network Guru Member

    Ok if all you want to do is shield building two from building one but still allow building two to access building one and the internet, plug the wrt54gs wan port into the lan port of the 54gl and keep the firewall enabled. That by itself will shield building two access unless a machine in building two specifically requests something from a machine in building one. You will need to be sure that the wrt54gs lan is set to something other than the ip range of its wan port (the wrt54gl it is connected to).
  11. zardiw

    zardiw LI Guru Member

    Thanks for your answer Guy!....The wider mask does let everything talk to everything, so yes, that is apparently the same as having everything on 191.168.0.x .

    I'd at least like to try this to both be able to do it and to learn more about how this all works. I have a pretty good idea, but am not an expert.

    If you do decide to provide detailed router settings, and we get it to work, I will post detailed instructions, complete with screenshots of the settings on all the routers, and maybe it can become a tutorial for the site, so it can both let someone else do it, and teach people how it works.

    I'm thinking that perhaps because of the WDS setting, the end router ( is no longer 'routing'....but again I don't know.

    The WDS part of it will also be detailed, so people can take what they need and leave the rest........reminds me of a
  12. zardiw

    zardiw LI Guru Member

    Thanks Ifican!..Ok, that sounds reasonable. That's like a mirror of the DI624 hooked to the first 54GL, and makes the 2nd 54GL like an internet access point.

    Now the question becomes what should all the settings be?

    Here's my guesses (54GS settings):




    [Edit]....hmmm.......I wonder if that should be set to Gateway, instead of Router............z
  13. Guyfromhe

    Guyfromhe Network Guru Member

    got busy last night will try to look at this closer tonight.
  14. zardiw

    zardiw LI Guru Member

    Ok, no problem.......any other Networking Gurus want to join this party, cause it might take a few of us to figure this out...........Maybe we can even get Jon from Tomato to pitch in with how Tomato handles routing in WDS mode.........z
  15. LordFlux

    LordFlux Network Guru Member

    Do you have funds available to purchase a couple more routers?


    I have a configuration setup like this at an office location in town using NetGear ProSafe Router/Firewalls. This will allow each building its own DHCP server and if you use a ProSafe, offers decent (consumer variety) Firewall protection.
  16. zardiw

    zardiw LI Guru Member

    Well, I could buy 2 more routers, but it seems that would make it even more complicated than it already is.

    I don't see why this can't work with the existing setup

    But I think I know what the problem is....maybe someone could verify this.

    Given that the 2 54GL's are acting as a wireless ethernet cable as it were, the DI624 that is connected to the cable modem/internet, would have to have a direct routing rule in place to talk to the 192.168.1.x network. Of course it has no such capability.

    Is there anyone that can confirm this?

    What I have been trying is for the 2nd 54GL ( to talk to the 54GS router ( using direct routes. But that is not working apparently.

  17. LordFlux

    LordFlux Network Guru Member

    Like Guyfromhe said, the only advantage of doing something like this is to setup firewall rules. Using something like a ProSafe would allow you to do this.

    In my opinion, you should let the wireless bridge stay a bridge and the cable/dsl router stay a gateway. Bring in another router (or two) and setup the routing table(s) on it (or them). Hell, with the ProSafe, you could setup VPN tunnels if you needed to.

    I'm not saying you're thinking incorrectly -- I'm sure there is a way to setup the routing tables the way you want them using the hardware you have. I'm just thinking of how I would set it up if I was in your position.
  18. zardiw

    zardiw LI Guru Member

    Then there is this. Even with all the net masks set back to 255.255.255, when I'm directly (ethernet) hooked to the 54GS ( at building 2, and the settings are as shown below, the IP address picked up is 192.168.0.x and not 192.168.1.x. Of course I connect to the internet:




  19. zardiw

    zardiw LI Guru Member

    Ok, in this scenario, would the 54GS be handing out IP's, i.e. be a DHCP server, or would all the IP's still be on the 168.0.x, and the DI624 would be the only DHCP server?..........

    My main concern is if somebody lets a virus or something in on building 1, that building 2 is protected from such..........

    Getting to the point where I just have it one 168.0.x network.......z
  20. zardiw

    zardiw LI Guru Member

    I could do it if I replaced the DI624 with something that could do advanced routing and then use static routes, right?...............z
  21. ifican

    ifican Network Guru Member

    I haven't reread all the thread so I may be a little behind, but to answer your question. If you make the GS a "gateway" and make sure the firewall is enabled and the lan ip's on either side are different. You will in essence shield the network that is behind the GS from any other network (building).
  22. Guyfromhe

    Guyfromhe Network Guru Member

    Looking at your diagram, I need to know what ports everything is connected to and what other ips all the routers have (some should have an ip on the lan and wan ports if you used them)
  23. Guyfromhe

    Guyfromhe Network Guru Member

    I also don't think your dlink has a whole lot to do with this problem...
  24. zardiw

    zardiw LI Guru Member

    Ok. Not sure what you mean by separate IP's on the LAN/WAN, and what ports they hook to.

    The sequence at present is:

    Cable Modem hooked to WAN port of:

    DI624 Router (

    54GL ( running Tomato) hooked to LAN port on the DI624

    WDS link To:

    54GL ( running Tomato)

    54GS ( running DDWrtv23sp2Micro) whose WAN port is hooked to LAN port of 54GL ( above.

    Currently my laptop is hooked by Cat5 to a LAN port on the 54GS..............

    Mask is 255.255.254 on everything.

    Also I've got a desktop that will connect wirelessly to the 54GS successfully w/internet.

    The DI624 is currently handing out DHCP IP's of the 168.0.x variety........even though I've got the 54GS set as a DHCP server...........z

    This laptop is running Win98, the desktop is running WinME

    I also have a W2K machine hooked to the DI624 via Cat5..

    If I could get the 54GS to hand out IP's, and still connect to the internet, I think the goal will have been reached..........z

    If you can come up with the settings, I can then get screenshots of everything.......

    Thank you..........z
  25. zardiw

    zardiw LI Guru Member

    Although I can ping all the routers, and connect to all of their admin panels, I cannot ping the W2K machine that's hooked to the DI624.....which is weird I think......EDIT...Not weird anymore, since I have a software firewall on the W2K machine that's rejecting pings...........z
  26. zardiw

    zardiw LI Guru Member

    That's what I've been trying.....but I guess I have some settings wrong.......z
  27. zardiw

    zardiw LI Guru Member

    If I could figure out the settings just for this, I think it would work:


  28. ifican

    ifican Network Guru Member

    What's happening, what are you seeing or not seeing?
  29. Guyfromhe

    Guyfromhe Network Guru Member

    if all devices in bldg 2 connect through the mini linksys they should get a DHCP ip from that device and be on a different subnet... it would deal with routing stuff from the lan to the wan.
  30. azeari

    azeari LI Guru Member

    alright, heres one issue.

    According to the first post, I infer that you want to be able to ping/access all devices on the 192.168.0.x subnet from the 192.168.1.x subnet. In this situation, the shield will be non-existent since you'll have to route the 2 subnets together. What this means is, if a wireless invader somehow invades subnet 192.168.0.x, he'll be able to access subnet 192.168.1.x, and vice versa for a wireless invader on subnet 192.168.1.x

    However, if you only wish to access certain services on the front subnet, it is possible to configure port-forwarding and access them through the front router. Then again, this just increases the complexity of the solution

    The best way will be to setup proper wireless encryption protocols and not have the front network compromised in the first place..
  31. zardiw

    zardiw LI Guru Member

    The 54GS isn't handing out IP's for some reason, unless I unplug the WAN cable from the second GL, and it's all by its lonesome.

    I'm going to do all the settings as best as I can, and post screenshots of them, and maybe somebody can tell me what I'm doing wrong.

    I don't understand why this isn't working. A router is supposed to route between different LAN's, right? I mean that's its job.

    Maybe what is happening is that it's not separating DNS from DHCP like it should, and it's making assumptions from the settings and somehow mixing them together..............z
  32. ifican

    ifican Network Guru Member

    Correct a router will route between the 2 subnets that it knows about (connected interfaces). The issue arises when you are trying to route to another subnet the router does not know about, this is where 1 of 2 things has to happen. You either have to have a static or dynamic route for the networks in question or you have to have a "default route".

    As you have stated and what is most probably the case is DNS is not getting resolved by the GS or GS clients. That you can fix by inputting the DNS servers that you get from your ISP (on the GS). Now if you turn the GS into a gateway, plug its wan port into a switch port of the GL and statically assign an ip in the 192.168.0.x network with the correct default gateway for that subnet it should work. Because the GS will be on the same subnet as the rest of the 192.168.0.x network which is also your gateway to the world you will not have to add any special routes for traffic destined back to building two.
  33. zardiw

    zardiw LI Guru Member

    Right. If I make the GS say, then everything works.....I don't even have to put the DNS servers from my ISP in, just (the DI 624 that's hooked to the cable modem)

    However I wanted to make the LAN in building 2 to be 192.168.1.x......z
  34. zardiw

    zardiw LI Guru Member

    I'm not that concerned with wireless invaders......I can only do so much with that regard, and WPA/AES is about the best that I can do, plus to not broadcast the SSID.

    In addition the WDS link between the 2 GL's has MAC filtering in addition to WPA/AES, and no SSID broadcast, so that's about as secure as I can think of to make it.

    My main concern is getting an invader/virus from the internet in building 1. So the idea is to shield building 2 from that.

    That's why I'm trying to connect a 192.168.1 LAN in building 2 to a 192.168.0 LAN in building 1. But maybe that won't even gain me anything...I don't know.

    I don't necessarily need to ping one building from another and there doesn't need to be any other link between the 2 buildings.......the main thing is to have internet access in building 2, and I've succeeded there with the WDS link using the 2 GL's.

  35. zardiw

    zardiw LI Guru Member

    Ok, this does NOT work. These are the setting of the 54GS('s hooked through it's WAN port to a LAN port on the 54GL (

    Also I did a reset back to factory before I did these settings:







    Also I was screwing around with different settings and the result was this....SYN_SENT...does that mean they're trying to sync up and not being able to?

  36. zardiw

    zardiw LI Guru Member

    Btw, I'm going to hook the GS directly to the DI624 and see if I can make it work that way.............if it does, then I know my WDS link between the 2 GL's needs adjustment..........I feel like Edison......he failed hundreds of times before he :wall: :wall: :wall: :wall: ...z
  37. ifican

    ifican Network Guru Member

    The wan ip on the GS is incorrect, if your default gateway is and you make the wan ip packets are not going to be sent anywhere. I would guess that your default gateway is so make the wan ip something different.
  38. windage

    windage Network Guru Member

    Just wondering if maybe part of the solution would be to use VLANs? 1 VLAN for the first building and 1 for the second and link the 2 VLANs to the single WAN connection. Might be impossible with the dlink router, not sure. So maybe setup VLANs in the gs and use the gs for the gateway. Hope this helps in some way.
  39. zardiw

    zardiw LI Guru Member

    Holy's right!.....For some reason I thought I should put the IP address of the router (DI624) that's hooked to the internet there....instead of the IP of the router that's connecting (54GS)........dumb dumb!!....z
  40. ifican

    ifican Network Guru Member

    Well if all the devices are on the same subnet, you have the GS connected to a lan port on the GL and everything including the di-624 is 192.168.0.x then yes putting the ip of the 624 as the default gateway would be correct. However you need to make the wan ip of the GS something other than any other device on that same subnet, I believe you have .2 and .3 already taken so anything say .5-.254 would be good.
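
An added example, not part of any post in this thread: a small Python check of the two addressing points made above, namely that widening the mask puts both buildings back in one subnet, and that a cascaded router's WAN address must sit on the upstream subnet without colliding with the gateway or another device. The function names, every address, and the 255.255.254.0 mask are assumptions chosen for illustration, since the thread's own values did not survive on the page.

```python
import ipaddress


def same_subnet(ip_a, ip_b, mask):
    """True when both hosts land in one network under `mask`.

    Hosts in one subnet reach each other directly, so no router or
    firewall sits between them and there is no segmentation."""
    net_a = ipaddress.ip_interface(f"{ip_a}/{mask}").network
    net_b = ipaddress.ip_interface(f"{ip_b}/{mask}").network
    return net_a == net_b


def check_cascaded_router(wan_ip, wan_mask, gateway, lan_ip, lan_mask, taken=()):
    """Return a list of addressing problems for a router whose WAN port
    is plugged into a LAN port of an upstream router (hypothetical helper)."""
    problems = []
    wan = ipaddress.ip_interface(f"{wan_ip}/{wan_mask}")
    lan = ipaddress.ip_interface(f"{lan_ip}/{lan_mask}")
    gw = ipaddress.ip_address(gateway)

    # The WAN address is this router's own address on the upstream LAN;
    # it cannot be the address of the gateway it forwards to.
    if wan.ip == gw:
        problems.append("wan-ip-equals-gateway")
    # The gateway must be directly reachable from the WAN interface.
    if gw not in wan.network:
        problems.append("gateway-not-on-wan-subnet")
    # Static WAN addresses must not collide with devices already there.
    if wan.ip in {ipaddress.ip_address(t) for t in taken}:
        problems.append("wan-ip-already-in-use")
    # If the LAN range overlaps the WAN range the router has nothing
    # to route (or firewall) between.
    if wan.network.overlaps(lan.network):
        problems.append("lan-overlaps-wan")
    return problems


if __name__ == "__main__":
    # Constructed sample values (assumptions, not taken from the thread).
    print(same_subnet("192.168.0.10", "192.168.1.10", "255.255.255.0"))
    print(same_subnet("192.168.0.10", "192.168.1.10", "255.255.254.0"))
    print(check_cascaded_router(
        "192.168.0.1", "255.255.255.0", "192.168.0.1",
        "192.168.1.1", "255.255.255.0",
        taken=("192.168.0.2", "192.168.0.3")))
    print(check_cascaded_router(
        "192.168.0.50", "255.255.255.0", "192.168.0.1",
        "192.168.1.1", "255.255.255.0",
        taken=("192.168.0.2", "192.168.0.3")))
```
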
  41. zardiw

    zardiw LI Guru Member

    You guys aren't going to believe what makes it work.


    That's right. No setting changes.

    Hit reset on the back of the router.

    Works just like I wanted.

    The 54GS automatically gets an IP address ( from the DI624 (

    The 54GS also hands out IP's of the 192.168.1.x variety.

    Has internet.

    Btw, like someone suggested earlier the WAN port of the 54GS is hooked to a LAN port of the DI624.

    Much todo about NOTHING.........

    Finally understand about the WAN/LAN IP addresses of a router.

    An analogy: Say you're a router. If you think of the WAN side as say the government, they know you by your official name: John P. Publik. But on your LAN side, that's like your friends network, and they know you by Johnny. So you have 2 names, and depending on what network you're talking to, that's the name you have.

    So in this case, from the 54GS's perspective, the DI624 is the WAN side, and since that router's LAN IP is, anything connected to ITS LAN side (the 4 ports), HAS to start with 192.168.0. And any address it assigns through DHCP also will start with 192.168.0.

    On the 54GS, its WAN port is hooked to the DI624's LAN port, so the 54GS's WAN side ('internet' connection) HAS to start with 192.168.0., or the DI624 won't see it, and since I hit reset, its 'internet' connection method defaulted to DHCP, SO, the DI624 gave the 54GS an address of

    But the 54GS's LAN side IP address in this case can be anything. In this case it's, and it is now happily handing out IP's of its own that start with 192.168.1......

    Gonna play around with it some more to see if I can set the Internet part of the 54GS to Static IP and GIVE it a WAN side IP, and see if the DI624 will accept it. I'm not sure it will, cause I tried that before.

    Maybe Routers act like mucky mucks, and won't talk to each other unless they can decide for themselves what they will call each other..i.e. DHCP has to be

    Now let's see if it works on the other side of the bridge..............z
  42. ifican

    ifican Network Guru Member

    Nice analogies, I definitely needed the chuckle. I think part of our confusion was on your diagram you don't show the gs capable of connecting to the dlink. But none of that really matters just glad it works. And you can assign static ip's to routers just like you do computers and all will work as long as it's set correctly.
  43. zardiw

    zardiw LI Guru Member

    Good news. This all works on the other side of the WDS bridge as well. I hooked one of the LAN ports of the 54GL ( WDS endpoint to the WAN port of the 54GS and it's the same as hooking it directly to the DI624, so I have a transparent bridge apparently.

    However, I have ROUTER I try to give the 54GS a Static IP, instead of letting the DI624 and the 54GS work it out amongst themselves via DHCP, they get in a huff and won't talk to each

    Also, I am able to ping everything on both LAN's.......hmmm....I can also log into all the router's admin pages from the other side of the bridge.....double hmmmm. I'm currently in building 2, hooked via ethernet to the 54GS....

    Edit: Ok, there is no access to building 2 from building 1.........a good thing............

  44. zardiw

    zardiw LI Guru Member

    Final Screenshots of what works. And I thank everyone that helped!!!:






    Stare at the black cross and be

