'Correct' way to put one router behind another?

Discussion in 'Networking Issues' started by Holo20, Oct 15, 2006.

  1. Holo20

    Holo20 LI Guru Member


    I have an existing network on the 192.168.0.x subnet behind a PIX 501 firewall.

    There is a small group of engineers that will be at my facility for a few months, and I need them to be 'segmented' from the rest of the network so they can do their own DHCP, fileserver, etc., but still get internet access from me.

    I put them behind a WRT54gs, and left it in 'Gateway' mode, set the WAN interface with a 192.168.0.x static address and set the Default Gateway to my existing PIX, and put the inside interfaces on a 192.168.8.x network.

    They have internet access and everything appears to be fine; they are pulling 192.168.8.x IP addresses, but nothing seems to be working by 'name'. They are all in the same workgroup, but cannot access the workgroup by browsing for it in Network Places, nor can they navigate to specific machines by going to Start> Run> \\TestMachine. However, Start> Run> \\ works fine.

    Do I have the Linksys set up properly? I did consider switching it to "routing" mode, but am not certain what info belongs in what fields on that tab.

    Any insight you guys could provide would be appreciated.

  2. crawdaddy

    crawdaddy Network Guru Member

    IMO, it sounds like a problem other than the router. Was the network of engineers working prior to being put behind the router? If so, it may be; otherwise, I'd suspect that something's going on with their computers. NetBIOS, maybe...

  3. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    Personally I'd have taken a port based VLAN approach, I'm not a fan of double NAT.

    However... double NAT is not the cause of your issue. 2K/XP use DNS for local name resolution, as well as internet browsing. Back in the NT4/Win9X days, DNS was for internet, and WINS was for network resolution. Since 2K took over, though, it's all together in DNS. If they have their own server, is that server a domain controller? If so, they NEED to use it for their DNS. If there's no DC, then treat it as a peer-to-peer network: enable NetBIOS over TCP/IP, maybe do hosts files for the clients.

    My hunch is that they are getting DNS from their router, which is getting it from your primary 192.168.0.xxx network. Is there a DC in that network? It will not know about the .8.x network, thus it is not able to deal with name resolution for it.

  4. Holo20

    Holo20 LI Guru Member

    YeOldeStonecat, yes! That is exactly what I suspected was going on... that DNS/name requests were forwarding outside their router and into my network. I have a network that supports about 50 users, with 3 Server 2003 boxes, and DNS running on two of them.

    These 5 engineers do have just a basic peer-to-peer workgroup set up, and things are 'working' now, per se, once I told their IT guy to map everything by IP address instead of name. I would like to get the DNS issue resolved if it wasn't too much work, just to be able to say it was conquered. If you have any ideas on how to do it, please let me know.

    I would have LOVED to go the Vlan route, as my entire network runs on 4 Catalyst 3560 switches. That is the first option I tried to pursue, but not having ever configured a new vlan before, and not having days and days to experiment/research it, I knew that just setting up the Linksys router would at least get them segmented and surfing, in under 20 minutes.

    If you have any tips or advice on configuring a Vlan for this scenario, I would definitely be interested...

    Thanks for your time,

  5. HennieM

    HennieM Network Guru Member

    Some things to look at:

    1) Having the EngNet NAT onto your localnet unnecessarily complicates matters. All you are achieving is that localnet computers cannot get onto EngNet computers. Is this what you intended? If not, set your WRT to "router", which will keep EngNet on its own subnet (, but without NAT.

    2) Is your router's DHCP set to masquerade DNS for local addresses? I suspect not, which is why Windows cannot resolve the local computer names to addresses. The EngNet computers must therefore also have the WRT specified as their DNS server, while the DNS server on the WRT must look at the DNS server of your localnet.

    3) The EngNet computers must be set up for WORKGROUP, so they don't try to find a Domain Controller (DC).

  6. Holo20

    Holo20 LI Guru Member


    Thank you very much for your reply.

    As to your question #2, if by 'your router' you mean the Linksys WRT, then no, I do not have DHCP set to masquerade DNS for local addresses. When you say that the Engineering machines must have the WRT specified as their DNS server, do you mean manually added in the TCP/IP properties of each machine? I am confused on this point, because if I set the WRT to point to my localnet DNS server ( then the WRT will in turn pass this on to the 192.168.8.x clients via DHCP.

    I do understand what you are saying in principle/theory, but I'm confused by the two properties pages on the WRT, in this case Setup>Basic Setup and Setup>Advanced Routing.

    In your scenario, on the Basic Setup page my fields look like this:

    Static IP
    Interface IP Address:
    Subnet Mask:
    Static DNS 1:
    Static DNS 2:
    Static DNS 3:

    Then, the Advanced Routing page:

    Operating Mode: Router
    RIP: Disabled

    Select Set Number: 1
    Enter Route Name: (blank)
    Destination LAN IP:
    Subnet Mask:
    Default Gateway:
    Interface: (Dropdown menu) LAN & Wireless or WAN (Internet)

    Thank you for your patience. I really want to understand this and see this work.

  7. HennieM

    HennieM Network Guru Member

    Holo20, the idea is that your machines on the .8 subnet, should dynamically register a name/address pair on the DNS server. It has nothing to do with routing. At the risk of stating the obvious, it's something like this:

    Say you have a computer (one of the EngNet machines) with name MachA. MachA starts up and gets IP address from DHCP. The DNS server (whichever one is used by the EngNet machines) must now be told that
    MachA =
    so that, when some other machine (say MachB) says to the DNS server "I want to connect to MachA", the DNS says "MachB, you can find MachA at".

    There are several ways to achieve this, the easiest being if your DHCP server masquerades DNS for DHCP assigned addresses, i.e., in the above example, the DHCP server will actually supply the answer "MachB, you can find MachA at", instead of the DNS server - the DHCP server supplied the address to MachA, so it KNOWS what MachA's address is.

    It seems like you are using the stock Linksys firmware on your WRT. I don't know how the stock firmware handles DNS masquerading. Other 3rd party firmware, such as Thibor15c, allows you to explicitly set the masquerading.

    However, an option that you could try that will not involve any changes on your WRT or DNS servers is to just turn on, on the machines in EngNet, the following (I give you the how-to for WinXP, as this is what I have available now, but I think it's similar for Win2000):

    Go to the Network connection's properties > Internet Protocol (TCP/IP) > Advanced > DNS. Check "Register this connection's addresses in DNS". You can also turn on "Use this connection's DNS suffix in DNS registration", but I think the latter may not be necessary. Do this for all the machines on EngNet.

    Provided that your DNS server can handle dynamic DNS updates (DDNS), your workgroup browsing by name should now work. If not, we'll have to explore further....

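The "DHCP server masquerades DNS" arrangement HennieM describes, written out as a configuration, added here for illustration and not posted by anyone in the thread. It assumes the WRT54GS runs a third-party firmware that exposes a dnsmasq configuration (the Thibor/HyperWRT builds do), that the LAN bridge is `br0`, that the WRT's LAN address is 192.168.8.1, and that the corporate DNS server sits at 192.168.0.10; the local suffix `eng.example` and the lease range are also assumed. With this in place, a client that gets a lease as "TestMachine" is answerable as `testmachine.eng.example` from the WRT itself, and the WRT never sends a bare single-label name upstream to Holo20's Server 2003 DNS.

```ini
# dnsmasq.conf for the EngNet WRT54GS (added example; addresses and names are assumed)

# Serve DHCP and DNS only on the LAN bridge, never on the 192.168.0.x WAN side.
interface=br0
bind-interfaces

# Hand out leases for the engineers' subnet; they keep their own file server etc.
dhcp-range=192.168.8.100,192.168.8.199,12h
dhcp-authoritative
dhcp-option=option:router,192.168.8.1
# Point every EngNet client at the WRT for DNS (this is what makes the masquerading work).
dhcp-option=option:dns-server,192.168.8.1

# Local suffix: sent to clients as DHCP option 15, so Windows appends it when a user
# types \\TestMachine, and appended to every hostname learned from a DHCP lease.
domain=eng.example
expand-hosts
# Names under eng.example are answered from the lease table only, never forwarded.
local=/eng.example/

# Ignore the DNS servers learned on the WAN side and forward everything else to the
# corporate DNS explicitly (assumed address).
no-resolv
server=192.168.0.10

# Never forward a plain name with no dots, and never forward reverse lookups for
# RFC 1918 space: neither can be answered by the corporate DNS, and both would leak
# EngNet hostnames into Holo20's logs.
domain-needed
bogus-priv
```

Two caveats worth knowing before relying on this: the lease-to-name mapping only exists if the client sends its hostname in the DHCP request (Windows does by default), and it only fixes name lookups of the `\\TestMachine` kind. Browsing the workgroup in Network Places still depends on NetBIOS browse-list elections within the broadcast domain, which this configuration does not touch.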
  8. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    Do the engineers PCs still need to log into your domain?

    Why are they insisting on being so separate? Nothing that NTFS permissions at the group level can't keep other people out of, anyway.

  9. Holo20

    Holo20 LI Guru Member

    HennieM, thanks for the reply.

    I do have a decent understanding of how DNS works, but in the case of making it work or forward or whatever from behind this Linksys router, I just didn't have a clue of what needed to be pointed where, or what info needed to be put in what fields, etc. Thanks for fleshing it all out for me, it really helped.


    The engineers never needed domain access, just internet access, but wanted to be on their own address space so they could do what they wanted. Everything is as good as it's going to get for now; they can do their own DHCP, they have internet access, and they can still navigate to file shares on their server by using IP address. If I reeeeealy wanted to make host name resolution work, then I could probably go with what HennieM mentioned and modify my DNS servers on my local network to do DNS for the engineers. I might just do it anyways for grins.

    On an aside, I've found out that there is a top-notch guy at the local community college that teaches some Cisco courses; a buddy of mine said if I was serious about learning to do Vlan routing and such, to go take one of his classes, and I probably will. Vlans would have been the simplest solution to all this, I think.

  10. ifican

    ifican Network Guru Member

    Depending on how you currently have your network implemented, creating another vlan and routing for it could take as little as 2 minutes or be much more involved. Those 3560's have the ability to route within themselves (logically). If you need any help feel free to contact me offline.
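Since ifican and YeOldeStonecat both point to a VLAN on the existing Catalyst 3560s, here is what that looks like as configuration. This is an added example, not something posted in the thread, and every address is an assumption: VLAN 1 is the existing 192.168.0.0/24 LAN with the PIX at 192.168.0.1 and the switch's own address at 192.168.0.2, the DNS servers Holo20 mentions are at 192.168.0.10 and 192.168.0.11, the engineers get VLAN 8 as 192.168.8.0/24, and their ports are Gi0/20 through Gi0/23. IOS 12.2 syntax for a 3560 with the IP base image, which is enough for inter-VLAN routing and static routes.

```cisco
! Catalyst 3560: route between VLANs on the switch itself (added example, assumed addressing)
ip routing
!
vlan 8
 name EngNet
!
! The engineers' ports. Their own DHCP server lives in this VLAN, so its broadcasts
! stay here and no ip helper-address is needed; it just has to hand out 192.168.8.1
! as the default gateway.
interface range GigabitEthernet0/20 - 23
 switchport mode access
 switchport access vlan 8
 spanning-tree portfast
!
! Gateway for EngNet, with a filter on what EngNet is allowed to start.
interface Vlan8
 ip address 192.168.8.1 255.255.255.0
 ip access-group ENGNET-IN in
!
! Existing management/LAN interface of the switch (assumed address).
interface Vlan1
 ip address 192.168.0.2 255.255.255.0
!
! Everything the switch does not know about goes to the PIX.
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
! This is the part double NAT was standing in for: EngNet may query the corporate
! DNS servers and reach the Internet, and nothing else on 192.168.0.0/24.
ip access-list extended ENGNET-IN
 remark EngNet -> corporate DNS only
 permit udp 192.168.8.0 0.0.0.255 host 192.168.0.10 eq domain
 permit tcp 192.168.8.0 0.0.0.255 host 192.168.0.10 eq domain
 permit udp 192.168.8.0 0.0.0.255 host 192.168.0.11 eq domain
 permit tcp 192.168.8.0 0.0.0.255 host 192.168.0.11 eq domain
 remark EngNet -> the rest of the corporate LAN: blocked
 deny   ip 192.168.8.0 0.0.0.255 192.168.0.0 0.0.0.255
 remark EngNet -> Internet via the PIX: allowed
 permit ip 192.168.8.0 0.0.0.255 any
```

Two things have to happen outside the switch for this to work. The PIX 501 needs a route back to the new subnet and must be willing to translate it, in PIX 6.x syntax `route inside 192.168.8.0 255.255.255.0 192.168.0.2 1` and `nat (inside) 1 192.168.8.0 255.255.255.0` (unless the existing `nat (inside) 1` statement already covers all of 192.168.0.0/16 or 0.0.0.0). And note that the ACL is stateless and only applied to packets arriving from VLAN 8: DNS replies from 192.168.0.10 get back in because they are never evaluated against ENGNET-IN, but for the same reason corporate machines can still initiate connections into EngNet. If the engineers want that blocked too, add a mirror-image access list inbound on Vlan1 (or on whichever SVI the corporate hosts use), or use a reflexive access list.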