How to properly route two subnets?

Discussion in 'Tomato Firmware' started by pamulli, Oct 19, 2012.

  1. pamulli

    pamulli LI Guru Member

    I am using a Buffalo WHR-HP-G54 with Toastman ND-1.28.7633.3-Toastman-VLAN-IPT-ND-VPN and I want to have two separate LAN segments. I'm not sure if these should be set up as individual LANs or VLANs... I'm not even sure if what I want to do is possible. Here is a breakdown of what I'm trying to accomplish, and I would appreciate some guidance:

    Two subnets LAN0 ( and LAN1 (
    LAN1 fully accessible from LAN0
    Incoming HTTP traffic Port 80 is forwarded to a specific IP address ( on LAN1 (this is the reason for two isolated segments)
    Only one specific IP address ( on LAN0 can be accessed from LAN1
    All DHCP clients connect to LAN0
    VPN setup to get access to LAN0

    I don't know if this matters, but I'd also like to not have to connect the two separate segments to two separate ports on the router, since that would require me to run new cabling in my house. I'd like to handle how clients get assigned to LAN1 either with static IPs on the client or lease reservations.

    I understand how to set up port forwarding and to set up a VPN, but I don't know the right way to set up the routing between the two segments to make sure LAN0 can access LAN1 and that LAN1 can only access the single IP on LAN0. I'm also not sure if these should be set up as VLANs or as br0 and br1 under the main LAN settings.

    What is the best and easiest way to accomplish this? If anyone knows of any guides that would help, that would be greatly appreciated.

  2. pamulli

    pamulli LI Guru Member

    Well I may have already found my solution.

    Can I set the two segments up as LAN Br0 and LAN1 Br1 and then just use the LAN Access option as shown below? Would I have any firewall issues with HTTP traffic going across the two segments?

    LAN Access
    On   Src          Src Address   Dst         Dst Address
    On   LAN1 (br1)                 LAN (br0)

    Is anything else needed as far as routing tables to make this single route work?

    Then I assume I would just need to setup routing so that LAN (br0) has full access to LAN1 (br1)?

    Maybe something like this?

    Static Routing Table
    Destination   Gateway   Subnet Mask   Metric   Interface
                                          0        LAN (br0)

    If someone can tell me if I'm on the right track and that is the proper way to set it up, I would greatly appreciate it.

  3. pamulli

    pamulli LI Guru Member

    Wow, not a single comment?
    I have it set up just as above, but for some reason I can still access LAN0 ( from LAN1 ( Other than that fairly important piece, everything else is working. Can anyone provide some insight on how to restrict LAN1 from accessing LAN0?
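    One way to enforce the policy from the first post (LAN/br0 reaches all of LAN1/br1, LAN1 reaches only one LAN0 host) is a Tomato firewall script in Administration > Scripts > Firewall. This is an added example, not from the thread; the interface names br0/br1 come from the posts above, while the allowed host address is an assumed placeholder:

```shell
#!/bin/sh
# Added example for Tomato's Administration > Scripts > Firewall box.
# Policy from the first post: LAN (br0) reaches everything on LAN1 (br1);
# LAN1 may only reach one host on LAN (br0); replies to sessions that
# LAN0 opened are still allowed. The host address is an assumed placeholder.
LAN0_IF=br0
LAN1_IF=br1
ALLOWED_HOST=192.168.0.10      # the single LAN0 host LAN1 may reach (placeholder)
CHAIN=lan1_to_lan0
IPT=${IPT:-iptables}

# Print one iptables command per line; apply_lan_rules feeds them to sh.
lan_rules() {
    # Fresh chain for the restricted direction (flush it if it already exists).
    echo "$IPT -N $CHAIN 2>/dev/null || $IPT -F $CHAIN"
    # Replies to sessions that LAN0 opened towards LAN1.
    echo "$IPT -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The one permitted destination, then log (rate limited) and drop the rest.
    echo "$IPT -A $CHAIN -d $ALLOWED_HOST -j ACCEPT"
    echo "$IPT -A $CHAIN -m limit --limit 5/min -j LOG --log-prefix \"lan1>lan0 drop: \""
    echo "$IPT -A $CHAIN -j DROP"
    # Insert at the top of FORWARD so these win over Tomato's own LAN Access rules.
    echo "$IPT -I FORWARD -i $LAN1_IF -o $LAN0_IF -j $CHAIN"
    echo "$IPT -I FORWARD -i $LAN0_IF -o $LAN1_IF -j ACCEPT"
}

apply_lan_rules() { lan_rules | sh -e; }

case "${1:-}" in
    apply) apply_lan_rules ;;   # sh firewall.sh apply
    *)     lan_rules ;;         # dry run: only show the commands
esac
```

    Dropped LAN1-to-LAN0 attempts show up in the router log with the "lan1>lan0 drop:" prefix, which is useful for checking that the policy actually applies.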
  4. Monk E. Boy

    Monk E. Boy Network Guru Member

    Static routing is not what you think it means. It's for configuring routes to networks the router has no clue about. For example, if your primary router, the one with a WAN, is and you have a second router on that contains the network, then you could set up a static route on the primary router for with the gateway address of However, if the secondary router had NAT translation enabled, that would make all clients appear as, and the static route would be useless. It's only when the router has NAT translation disabled, so that 192.168.0.x clients could reach 192.168.1.x directly, that a static route would be needed.

    Now imagine that you have a 192.168.2.x subnet on a router that was behind 192.168.1.x; well, then you'd need a static route on both existing routers so they could reach that subnet, each pointing along the next hop in the chain (the primary router would be with gateway address of, while the secondary router - - would have a static route for with gateway address of, say, RIP (Routing Information Protocol) advertises routes to other routers so that you don't have to set up static routes; they just automagically learn from each other what routes are where, but RIP is kind of clunky and problematic.

    If you want wireless clients to connect to one of these networks, you're going to need to set these up as a VLAN, and you should be able to set up a particular Ethernet port as a member of both vlan0 and vlan1 with tagging enabled, then have that port connected via Ethernet to a port on the other router that's set up the same way, then break out vlan0 and vlan1 in each router however you want. I have absolutely no idea how to do this in Tomato though; I work with VLANs on business grade switches and routers, but the concepts are the same.

    I think what you want to do though is easily accomplished through a proxy server, which would be a hell of a lot easier to implement, and can be placed on the same network without all the VLAN work. Just block all direct port 80 & 443 traffic through the router except for the proxy server, then have clients get sent the proxy server's address (or automagically find it via network broadcasts, advertisements, etc.) with their DHCP lease. Set up a static lease for the proxy server's IP address and bind that MAC address to that IP address so that nobody can, without significant effort, disable the proxy server and send traffic out as it.
  5. leandroong

    leandroong LI Guru Member

    Can anyone provide some insight on how to restrict LAN1 from accessing LAN0?
    Simply remove the static routing table above.
  6. Monk E. Boy

    Monk E. Boy Network Guru Member

    If he does that then LAN1 won't be able to reach LAN0... or the internet. Or... do I have the LANs reversed?
  7. leandroong

    leandroong LI Guru Member

    I think you need to set up a VLAN to assign 1 port for the secondary subnet and to have internet access. Also, you can assign the secondary subnet to use wireless by using the Virtual Wireless GUI.
  8. pamulli

    pamulli LI Guru Member

    I've been trying to get VLANs to work, but so far I can't. Part of the issue is that I have a single computer with 2 NICs, and one NIC is a VM with a web server that I want on LAN1 and the host OS that I want on LAN0, and because of where they are physically located I only have a single Ethernet cable going to a dumb hub that then connects to the 2 different NICs. That means they are both connected to the same port on my router and I need to be able to access both LANs from that port. I do have a second router I could use and connect the VM NIC on LAN1 to that and keep the host connected to LAN0 on the dumb hub. Maybe that will work?

    Monk E. Boy, it does seem like a proxy would be easier from what you describe, but I don't have a clue how to set one up. This is all at my home with very limited resources. If there is a guide with detailed instructions I'm more than willing to read it, but in my quick Googling I didn't find anything that seemed to make sense and was something I could easily implement without additional hardware.
  9. Monk E. Boy

    Monk E. Boy Network Guru Member

    A proxy server is software. You would install and run it on one system. I googled "proxy server windows" and the first hit was this:

    Even with your aforementioned elaborate VLAN setup, you would still need proxy software. That proxy software is what's going to run on .50 in your setup.

    The only reason I would implement VLANs the way you describe is for security, to put WLAN in one network and LAN in another network, and make WLAN clients VPN in to gain access to the LAN.

    Were you planning on enabling VLAN tagging on the router's LAN port and then enable VLAN tagging on the NICs attached to the hub? Because that's the only way it could possibly work.
  10. pamulli

    pamulli LI Guru Member

    This type of networking is all new to me, so I'm not really sure what I need to do to make VLANs work, but so far nothing I've tried has done anything. So far the best I've gotten is the two separate segments isolated and accessing the internet, but no traffic is going between them.

    I'll look at the proxy server you mentioned. Maybe that's enough security?
  11. pamulli

    pamulli LI Guru Member

    Well I gave up. I have two subnets, but they can both talk to each other so I'm relying on a software firewall on my file server to block incoming traffic from the other subnet.