Two subnet routing problem

Discussion in 'Tomato Firmware' started by grozon, Sep 2, 2011.

  1. grozon

    grozon Networkin' Nut Member

    I've been searching this forum (and others) for a solution to this problem for days so I'm hoping someone can lend a hand.

    Here's my situation:

    I have two routers, one with Tomato and another with TomatoVPN. I have the Tomato router (R1) connected to the WAN directly. TomatoVPN (R2) is connected to the LAN on R1 via the WAN on R2. So a very rudimentary diagram:

    Modem ---> (WAN) R1 (LAN) <-----> (WAN) R2 (LAN) <-----> Clients

    I have configured a client VPN connection on R2 which allows any client connected to R2 to access the internet via the VPN. Clients connected to R1 can also access the internet fine, though they use the ISP connection and are not routed through the VPN. This is working as desired.

    The issue is that I want to allow access to an application running on a machine connected to R2 from the WAN. This has proved (so far) to be impossible. After creating a static route on R1 like this:

    Destination Gateway Subnet Interface LAN

    I can access the application in question from a client connected to R1. However, port forwarding from R1 to R2 does not appear to work. I can see from the logs that the request is accepted at R1 but no logging is generated at all on R2, it's as if the packet never reaches R2.

    Any help would be greatly appreciated. Thanks.
  2. SgtPepperKSU

    SgtPepperKSU Network Guru Member

    There are a few ways you can handle this:
    1. Get rid of your static route, and have port forwarding on both routers (R1 forwards to R2's WAN address, R2 forwards to desired device).
    2. Leave the static route, and add firewall rules to allow the traffic through.
    3. Leave the static route, and put R2 in Router mode instead of Gateway mode.
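To make the three options above concrete, the following Python model (an added example, not code from this thread or from Tomato) walks one WAN-originated connection through R1 and then R2 under each design. Addresses, port and interface behaviour are constructed placeholders: the thread gives no IPs, and "gateway mode" is modelled simply as "unsolicited WAN-to-LAN traffic is dropped unless a port forward or explicit accept matches", which is the generic behaviour of a NAT gateway rather than a claim about Tomato's exact rule set.

```python
"""Model of a two-router port forward: WAN -> R1 -> R2 -> service host.

Constructed topology (placeholders, not from the thread):
  WAN client 198.51.100.7
  R1: WAN 203.0.113.10, LAN 192.168.1.0/24
  R2: WAN 192.168.1.2 (on R1's LAN), LAN 192.168.2.0/24
  Service host 192.168.2.50, TCP 3389 (Remote Desktop as the example service)
"""
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network

WAN_CLIENT = "198.51.100.7"
R1_WAN, R2_WAN, HOST, PORT = "203.0.113.10", "192.168.1.2", "192.168.2.50", 3389


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Router:
    name: str
    wan_ip: str
    lan_net: str
    # Port forwards: (dst_ip, dport) -> (new_dst_ip, new_dport), one entry per forwarding rule
    dnat: dict = field(default_factory=dict)
    # True = Gateway mode (NAT; unsolicited WAN->LAN traffic dropped); False = Router mode
    gateway_mode: bool = True
    # Explicit accepts for WAN->LAN traffic, (dst_ip, dport); stands in for option 2's firewall rules
    allow_forward: set = field(default_factory=set)
    # Networks this router knows to reach through its LAN side (the static route of the thread)
    static_routes: set = field(default_factory=set)

    def handle_from_wan(self, pkt):
        """Process a packet arriving on WAN; return the packet to forward, or None if dropped."""
        key = (pkt.dst, pkt.dport)
        if key in self.dnat:  # a matching port forward rewrites the destination and lets it through
            new_ip, new_port = self.dnat[key]
            return replace(pkt, dst=new_ip, dport=new_port)
        if ip_address(pkt.dst) in ip_network(self.lan_net):  # addressed straight into our LAN
            if not self.gateway_mode or key in self.allow_forward:
                return pkt
            return None  # gateway mode: no forward and no accept rule, so the new inbound flow is dropped
        return None  # neither our WAN address nor our LAN: nothing to do with it


def trace(pkt, routers, service_host):
    """Walk a WAN-originated packet through the routers in order; return (outcome, where)."""
    for i, r in enumerate(routers):
        out = r.handle_from_wan(pkt)
        if out is None:
            return ("dropped", r.name)
        pkt = out
        if i + 1 < len(routers):
            # The upstream router must have a route to the rewritten destination: either it lies on
            # its own LAN (R2's WAN address) or a static route points the subnet behind R2 at its LAN.
            dst = ip_address(pkt.dst)
            reachable = dst in ip_network(r.lan_net) or any(
                dst in ip_network(n) for n in r.static_routes)
            if not reachable:
                return ("no route", r.name)
    return ("delivered" if pkt.dst == service_host else "misdelivered", pkt.dst)


def run_scenarios():
    """Return {scenario: outcome} for the thread's three options plus the reported symptom."""
    probe = Packet(src=WAN_CLIENT, dst=R1_WAN, dport=PORT)
    results = {}
    # Option 1: no static route; R1 forwards to R2's WAN address, R2 forwards to the host
    r1 = Router("R1", R1_WAN, "192.168.1.0/24", dnat={(R1_WAN, PORT): (R2_WAN, PORT)})
    r2 = Router("R2", R2_WAN, "192.168.2.0/24", dnat={(R2_WAN, PORT): (HOST, PORT)})
    results["double forward"] = trace(probe, [r1, r2], HOST)
    # Reported setup: static route on R1, R1 forwards straight to the host, R2 left in gateway mode
    r1 = Router("R1", R1_WAN, "192.168.1.0/24", dnat={(R1_WAN, PORT): (HOST, PORT)},
                static_routes={"192.168.2.0/24"})
    r2 = Router("R2", R2_WAN, "192.168.2.0/24")
    results["static route only"] = trace(probe, [r1, r2], HOST)
    # Option 2: same, plus an explicit accept on R2 for the forwarded service
    r2_allow = Router("R2", R2_WAN, "192.168.2.0/24", allow_forward={(HOST, PORT)})
    results["static route + firewall rule"] = trace(probe, [r1, r2_allow], HOST)
    # Option 3: same, with R2 in Router mode instead of Gateway mode
    r2_router = Router("R2", R2_WAN, "192.168.2.0/24", gateway_mode=False)
    results["static route + router mode"] = trace(probe, [r1, r2_router], HOST)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:32s} -> {outcome}")
```

In this model the "static route only" case is accepted by R1 (the forward matches) and then dropped at R2, because a NAT gateway has no reason to admit a connection arriving on its WAN side for a LAN address it was never told to forward; each of the three options changes exactly one thing so that R2 admits it. The model keeps only the pieces the thread talks about (a forward table, a static route, the gateway/router switch and an explicit accept), so it shows why each option works rather than reproducing any particular firmware's firewall.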
  3. grozon

    grozon Networkin' Nut Member

    Thanks for the suggestions, SgtPepperKSU. Unfortunately, I think I've tried all three of them without success.

    I know for certain that I have tried #3 and it did nothing. I've tried #1 without removing the static route, I'm not sure if that would make a significant difference or not. In regards to #2, I have tried adjusting the firewall rules a few times with varying results. None of my changes fixed the problem, but several made it worse. Is there a specific rule I need to add?

    This really looks like it could be a client firewall issue (i.e. the PC is blocking it) but the fact that I don't see an ACCEPT/DENY entry in the log on R2 makes me think the request is not hitting R2's firewall (perhaps I am wrong in that assumption). I know for certain I can access the IP and port on R2 from another client on R1 which also leaves me less inclined to think it's a client firewall issue.

    I'm about at my wit's end though so perhaps my next step is to start from scratch. What I'm looking to accomplish seems fairly simple:

    1. R1 clients connect to the internet without the VPN
    2. R2 clients connect to the internet with the VPN
    3. R1 and R2 can be accessed from each other and can have ports forwarded from the WAN
    The other option I tried was to have R1 and R2 on the same subnet, but that caused issues. With two DHCP servers running the issues are obvious (inconsistent leasing) but otherwise it would seem I have to set the gateway manually on each device connected to R2 in order to use the VPN. That's a deal-breaker for me as I don't want to have to do manual configuration to access the VPN.

    Any other suggestions/tips are appreciated.
  4. Toxic

    Toxic Administrator Staff Member

    For port forwarding to work correctly you will need static IPs on each client. Do you have static IPs or static DHCP addresses assigned to each client?
  5. grozon

    grozon Networkin' Nut Member

    From R1 I have set static DHCP for R2's WAN IP (on the subnet) and on R2 I have set static DHCP for the client exposing the service I'm trying to reach (on the subnet). All other IPs are not static. Is this sufficient?
  6. Toxic

    Toxic Administrator Staff Member

    A few questions...

    Can you ping the application client on R2 from an R1 client? If not, add the application's hostname/IP in lmhosts (if it's a Windows machine). Do you need the R1 client to really be in R1, or could it reside in R2?

    Do they all need to be in separate LANs? VLANs would be easier to maintain from one router.

    Is R2 in firewall mode (with NAT) or in routing mode?
  7. grozon

    grozon Networkin' Nut Member

    Let me start by saying that I'm pretty novice with networking terminology so if I've misunderstood anything you've asked, please don't hesitate to ask for clarification.

    To make this simpler, let's start with some concrete values:

    R1 LAN IP:
    R2 LAN IP:
    R2 WAN IP:
    R1 Client PC:
    R2 Client PC:

    Let's use Remote Desktop as an example service. From R1 Client PC I can remote desktop to the R2 Client PC. From R2 Client PC I can ping R1 Client PC. When any connection is attempted from the WAN I can see an entry in the R1 logs showing a DENY from the source IP. When a connection is attempted to a forwarded port, I see an ACCEPT entry showing the source IP and the destination as R2 Client PC. Nothing appears in the logs on R2.

    On the Port Forwarding screen on R2 I have tried setting both Router and Gateway modes but neither seemed to change any behavior. Is there something specifically I can check for to see if the change is working?

    Do I need separate LANs? I want clients to be able to easily switch between VPN and non-VPN access without manual configuration. I also want any client to be able to speak to any other client on the internal LAN. Up to this point it seems the easiest way to accomplish that was with two routers. I've been happy with this configuration up to the point when I wanted to be able to access one of my machines on the second router from the outside world. Hence my current situation. If there is another way this can be achieved, I would be more than happy to give it a try.