2 subnets communication not working

Discussion in 'Tomato Firmware' started by kasper1985, Oct 10, 2018.

  1. kasper1985

    kasper1985 New Member Member

    Because I have several IoT devices in my house and I recently read several articles about the risk involved, I wanted to harden the LAN and put the IoT devices on their own VLAN/subnets.

    I came pretty far but am getting stuck on one thing: the intercommunication between the subnets (for example, some devices still need to be able to talk to each other, but anything IoT should never be able to reach my server/NAS etc.).


    Router 1 Asus RT-AC56U running latest Tomato:
    WAN: Connected to ISP using PPPoE
    LAN: br0 - main IP
    br1: with DHCP enabled and VLAN 10 untagged on port 3

    Router 2 Netgear R7800; unfortunately there is no Tomato for this, so I have tried this setup with OpenWRT but got stuck with an unresponsive web GUI several times, so I went back to the stock firmware. Everything related to the firewall on this router is switched off on the WAN settings page, since it is not listening directly to the internet and uses that device as its gateway.

    WAN: static set to connect to port 3 of the Asus router
    LAN: DHCP enabled main IP

    What does work:
    ping from client on router 1 to and even.
    ping from to 192.168.1.x

    What does not work:
    ping from any client on 192.168.1.x network to the network

    I have added routes in Tomato through the GUI and tried several of them, but somehow I still cannot ping anything from 192.168.1.x to 10.10.1.x.

    I am sure I am doing something very wrong, but even after going through several threads and trying different things I can't figure out what it is.

    Anyone able to help out?
  2. Sean B.

    Sean B. Network Guru Member

    Is there a reason you have the Netgear creating another layer of NAT and DHCP? You have your 2 subnets already via the Asus, for private and for IoT. Why add the 10.0 network along with the double NAT issue etc.?
  3. kasper1985

    kasper1985 New Member Member

    No specific reason other than being able to use the WAN port of the Netgear, leaving 4 LAN ports free.

    Creating a separate gateway also seemed more secure. The Netgear has an AP-only mode, but when enabled it greys out a lot of options. But you're right that double NAT is annoying. I did set NAT to "open" on the Netgear.

    At the moment, in the gateway situation, the Netgear serves both "normal" wifi devices (phones/tablets etc.) and IoT devices on the "guest" wifi. When I set the Netgear to AP mode, the tick box "allow clients to connect to each other" in the guest wifi setup page is ticked and greyed out. So in that case I'd need another access point for the "normal" wifi network.

    So far, from clients on the network I can ping up to but for some reason the segment is completely unreachable.
    Just trying to troubleshoot this to see if something in the Netgear is blocking this or if it's a routing issue I can resolve.

    For now I'd prefer to establish the separate gateway.
    Last edited: Oct 10, 2018
  4. Monk E. Boy

    Monk E. Boy Network Guru Member

    You aren't going to be able to ping from 192.168.x.x to 10.x until you disable NAT on the Netgear. NAT will not allow inbound communication because it translates all 10 traffic to a 192.168 address. In Tomato parlance this is changing the router from "gateway" to "router" mode, however I would be flabbergasted if Netgear allows this and, if it does, is actually stable. Even in Tomato I have to nuke the default iptables rules to stop them from blocking traffic since this is basically a use case that virtually nobody ever uses and when they do, most of the time they're just confused and doing the wrong thing (that being said it can work in Tomato, but it's not a normal use of a consumer router which is why additional work is needed).

    While I know you set the NAT to "Open" you don't need an open NAT, you need no NAT at all. Zero NAT. Disabled NAT. You need packets to come out of 10 with the source of 10 and packets to flow into 10 with a source of 192.168. That's not happening currently.

    I suggest contacting Netgear for help since this is a question about their software and not Tomato. Tomato's not the issue here, it's NAT being enabled on the Netgear.

    I will say this, if you are able to disable NAT on the Netgear then you'll need to create a set of rules in Tomato to SNAT/DNAT traffic from the 10 net. Currently it's set to SNAT/DNAT the subnet assigned to the Tomato router; you'll need to create your own SNAT/DNAT rule(s) for 10 net traffic.

    Now if you wanted to just say screw the Netgear as a router, just use it as an access point on a VLAN that's defined in Tomato, that would probably work and be less of a headache to get going. Well, assuming the Netgear supports access point mode.
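    The "additional work" described in the post above, written out as an added example (not code from the thread or from Tomato itself): a script for Tomato's Administration > Scripts > Firewall box that creates a dedicated chain for the IoT bridge. The addressing is assumed: br0 is the trusted LAN 192.168.1.0/24 with the NAS at 192.168.1.10, br1 is the IoT VLAN on 10.10.1.0/24 (the Netgear running as an access point on that VLAN, as suggested above), and the PPPoE WAN is ppp0. The chain lets the trusted LAN open connections to IoT devices and lets replies come back, drops and logs anything IoT tries to initiate toward the LAN, and adds the masquerade rule for the 10 net that the default rules do not cover. Run it without arguments to print the rules (dry run); run it as `sh script.sh apply` on the router to load them.

```shell
#!/bin/sh
# Added example for a Tomato "Firewall" script; interface names and
# addresses below are assumptions, adjust to your own setup.
LAN_IF=br0;  LAN_NET=192.168.1.0/24     # trusted LAN (Tomato main bridge)
IOT_IF=br1;  IOT_NET=10.10.1.0/24       # IoT VLAN 10 on the second bridge
WAN_IF=ppp0                             # PPPoE session to the ISP
NAS=192.168.1.10                        # host that IoT must never reach

# iot_rules CMD: emit the rules through CMD ("iptables" to apply, "echo" to
# dry-run). The chain is hooked at the top of FORWARD so it runs before the
# firmware's own forwarding rules.
iot_rules() {
    ipt="${1:-echo}"
    # Remove any earlier copy so re-running the script does not stack rules.
    $ipt -D FORWARD -j IOT 2>/dev/null || true
    $ipt -F IOT 2>/dev/null || true
    $ipt -X IOT 2>/dev/null || true
    $ipt -N IOT
    $ipt -I FORWARD -j IOT
    # Replies to connections the trusted LAN opened toward IoT devices.
    $ipt -A IOT -i "$IOT_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Trusted LAN may initiate toward IoT (e.g. control a smart plug).
    $ipt -A IOT -i "$LAN_IF" -o "$IOT_IF" -j ACCEPT
    # IoT must never initiate toward the LAN (NAS included); log, then drop.
    $ipt -A IOT -i "$IOT_IF" -o "$LAN_IF" -m limit --limit 5/min -j LOG --log-prefix "iot-to-lan: "
    $ipt -A IOT -i "$IOT_IF" -o "$LAN_IF" -j DROP
    # IoT may reach the internet; NAT it behind the PPPoE address, since the
    # default masquerade covers only the main LAN subnet.
    $ipt -A IOT -i "$IOT_IF" -o "$WAN_IF" -j ACCEPT
    $ipt -t nat -A POSTROUTING -s "$IOT_NET" -o "$WAN_IF" -j MASQUERADE
    # Everything else falls through to the firmware's own FORWARD rules.
    $ipt -A IOT -j RETURN
}

# Dry run by default; "apply" loads the rules (root on the router only).
if [ "${1:-}" = apply ]; then
    iot_rules iptables
else
    iot_rules echo
fi
```

    To confirm the chain does what you expect after loading it, run `iptables -L IOT -v -n` on the router, then ping the NAS from an IoT client: the DROP counter should increase and a line prefixed `iot-to-lan:` should appear in the syslog, while a ping from the LAN to an IoT device still works.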
  5. kasper1985

    kasper1985 New Member Member

    Thank you for the reply Monk! I was afraid something like this was the case.

    If i replaced the R7800 with something second hand that runs tomato would it be (relatively) easy to get it done?

    I am not sure, but DD-WRT runs on the R7800 and I think that had an option to set up router instead of gateway. That might be something to look at.

    Thanks for your insight! The Netgear support route I am not going to take. I have found several forum threads of people asking about disabling NAT and it's simply not possible except by setting it up as an AP.
  6. Sean B.

    Sean B. Network Guru Member

    How about simply plugging the Asus into a LAN port on Netgear, turning off DHCP etc on the Netgear, and enjoy everything working?
  7. Yim Sonny

    Yim Sonny Serious Server Member

    Why does that need to work?
    And where is the NAS located in your network that you are protecting from IoT devices?

    Is that what the Netgear is doing? Do the IoT devices connect to and get service from the Netgear?
  8. Monk E. Boy

    Monk E. Boy Network Guru Member

    In theory you could protect the LAN from the IoT devices by connecting the IoT devices to the ASUS network and then connect your LAN to the Netgear network, no need to defeat NAT at all, since that'd be the part that's protecting your LAN from IoT. The problem then becomes that port forwards, etc. won't work on the Netgear unless you designate the Netgear as a DMZ host in the ASUS... which I'm not sure how to do in Tomato to be honest. But you'd be opening up those ports to IoT traffic.