[Double-NAT 2 Houses, 2 Routers 2 Subnets] Can access shared resources from B to A but not from A to B

I guess this is a piece of cake for you, but I am not able to find the problem (I have very little knowledge about networking)

I have 2 houses, A and B, connected by 2 Ubiquiti NSM5 radios in AP-WDS and Station-WDS mode, each one with a Linksys WRT1900AC router in separate network ranges.

I know double-NAT is something to be avoided, but I need to have different ranges as in each house I have a whole lot of clients (pcs, htpcs, nas, notebooks, smartphones, plugs, lights, tvs, plcs...) and I need them to be separated. The only machine I need to be accessed from the exterior is the NAS connected to Router A, so no problem for port forwarding/UPnP it as it is outside the Double-NAT.

My configuration is set as follows:

ONT --> Router A [192.168.13.1] --> Radio A [192.168.13.2] (............) Radio B [192.168.13.4 / 192.168.6.2] --> Router B [192.168.6.1 / 192.168.13.3]

ONT is connected from LAN1 port to Router A WAN port
Router A is connected from LAN1 port to Radio A LAN1 port
(Clients in House A are connected to Router A LAN ports 2 to 4)
Radio B is connected from LAN1 port to Router B WAN port
(Clients in House B are connected to Router B LAN ports 1 to 4)

So, Router A LAN1 port is "connected" (via the Radios) to Router B WAN port.

I have no problem accessing from House B to House A shared resources [192.168.6.X --> 192.168.13.X], but I cannot access from House A to House B [192.168.13.X -/-> 192.168.6.X]. I suspect it has something to do with firewall rules on Router B (the one where the Double-NAT is) but I cannot figure it out.

I thought allowing input/output traffic from WAN to LAN in Router B would fix it.

[screenshot]

I also manually created the following rule to allow forwarding from any host in WAN to any host in LAN in Router B.

[screenshot]

My /etc/config/network output:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6a:13e6:5d77::/48'

config interface 'lan'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.6.1'
        option _orig_ifname 'eth0 wlan1'
        option _orig_bridge 'true'
        option ifname 'eth0'
        option gateway '192.168.13.1'
        option dns '8.8.8.8 8.8.4.4'

config interface 'wan'
        option ifname 'eth1'
        option _orig_ifname 'eth1'
        option _orig_bridge 'false'
        option proto 'static'
        option ipaddr '192.168.13.3'
        option netmask '255.255.255.0'
        option gateway '192.168.13.1'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6'

My /etc/config/firewall output:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'ACCEPT'
        option network 'wan wan6'
        option forward 'REJECT'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config forwarding
        option dest 'lan'
        option src 'wan'

config forwarding
        option dest 'wan'
        option src 'lan'

Thanks in advance.

@jfromeo - the problem you are having is really due to the way NAT works and the fact that the B house is behind a NAT layer relative to house A. There are ways of addressing this while still maintaining a double-NAT configuration, but it would be a lot more work (I think you'd be looking at creating a 1:1 S-NAT configuration).

I would recommend using VLANs if you need to have separate ranges while maintaining connectivity between the two subnets. The main router (Router A) could be configured for 2 VLANs -- one each for houses A (i.e. VLAN10) and B (i.e. VLAN20). You can set up firewall rules that restrict/limit the routing between the two subnets if you want, or keep them completely open to each other if inter-VLAN security is not an issue for your configuration/environment.

With the 2 VLANs, everything in house A would be on VLAN10 except for the Radio A which would be on VLAN20. Radio B would then also be on VLAN20, and would act as a simple bridge (wireless > wired) and then everything inside house B would be part of VLAN20. Router B would purely be a dumb AP (if needed).

Any inter-VLAN traffic would be routed through Router A and, aside from any firewall restrictions, both networks would have easy access to each other. Both would also have normal internet connectivity through Router A.

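The asymmetry the reply describes can be traced hop by hop. The following is an added example (not code from the thread or from OpenWrt): a small routing/NAT model built from the addresses in the post, where Router B masquerades House B traffic behind its WAN address and Router A only knows its own subnet plus a default route to the ISP. The host addresses, the `static_routes` parameter and the `wan_to_lan_forward` flag are constructed for the illustration.

```python
import ipaddress as ip

# Constructed model of the thread's topology; router addresses are the ones in the post,
# host addresses are made up. "subnets" are directly connected networks,
# "default" is the node's default gateway.
NODES = {
    "host_a":   {"addr": "192.168.13.50", "subnets": ["192.168.13.0/24"], "default": "router_a"},
    "router_a": {"addr": "192.168.13.1",  "subnets": ["192.168.13.0/24"], "default": "isp"},
    "router_b": {"addr": "192.168.13.3",  "subnets": ["192.168.13.0/24", "192.168.6.0/24"],
                 "default": "router_a"},
    "host_b":   {"addr": "192.168.6.50",  "subnets": ["192.168.6.0/24"], "default": "router_b"},
}
HOUSE_B = ip.ip_network("192.168.6.0/24")

def owner(addr):
    """Name of the node that holds this address, or None."""
    return next((k for k, n in NODES.items() if n["addr"] == addr), None)

def trace(src, dst, static_routes=(), wan_to_lan_forward=True):
    """Walk one packet from src to dst. static_routes: (node, prefix, next_hop_node).
    wan_to_lan_forward models the 'config forwarding' wan->lan section on Router B.
    Returns (delivered, path, source address the receiver sees)."""
    cur, path, seen_src, d = owner(src), [], src, ip.ip_address(dst)
    while cur in NODES:
        path.append(cur)
        n = NODES[cur]
        if cur == "router_b":
            # masq '1' on the wan zone: traffic leaving House B is rewritten to Router B's WAN address
            if ip.ip_address(seen_src) in HOUSE_B and d not in HOUSE_B:
                seen_src = n["addr"]
            # traffic entering House B from the wan zone needs an explicit wan->lan forwarding
            if d in HOUSE_B and ip.ip_address(src) not in HOUSE_B and not wan_to_lan_forward:
                return False, path + ["REJECT (no wan->lan forward)"], seen_src
        if any(d in ip.ip_network(s) for s in n["subnets"]):   # directly connected: deliver
            tgt = owner(dst)
            return tgt is not None, path + [tgt or "(no such host)"], seen_src
        # longest match is not needed here: at most one static route applies per node
        cur = next((h for node, p, h in static_routes
                    if node == cur and d in ip.ip_network(p)), n["default"])
    # The default gateway of Router A is the ISP, which has no route back to a private subnet.
    return False, path + [cur], seen_src
```

House B to House A is delivered (House A sees Router B's WAN address, so the reply comes back to Router B and its connection tracking un-NATs it), while House A to House B leaves Router A towards the ISP because nothing on Router A points 192.168.6.0/24 at Router B.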

Thanks so much for the detailed explanation.

I guess virtual LANs are the way to go. I will try to create them and I will note down the process in this post, so if I get stuck, I will ask for help.

I will create 2 VLANs:

  • VLAN13 for House A (the street number is 13th)
  • VLAN6 for House B (street number 6th).

PS: I had to create VLAN20 in the past to tag WAN, as it is the VLAN tag that my ISP requires to work.

Steps:

1- Go to Network -- Switch
Add VLAN13 and VLAN6 as follows:
[screenshot]

And I have my first doubts.

A.- Is that configuration correct? My Radio A is plugged into LAN1, and so is the whole House B network, which is tagged in VLAN6. The rest of the LAN ports are part of the House A network, which is tagged in VLAN13.

B.- Can I delete the VLAN1, as it is all untagged? (I guess it is a dummy VLAN)

C.- I guess the 2 CPU tags are because the router CPU is a dual-core one. So, is it recommended to assign Core1 to VLAN20 (WAN) and Core2 to VLAN6 (LAN1) and VLAN13 (LAN2-4) in my example? Or should I leave both tagged and let the router decide to assign the load by itself?

Thanks again.

@jfromeo - Looks like a good start.

If you're not using VLAN1 for anything, yes, you can delete it. However, you will want to verify that the other VLANs are working properly. In particular, you can end up locking yourself out of the router if VLAN6 and VLAN13 aren't set up properly. Make sure that one (or both) of them is assigned to the firewall zone for your LAN and that the DHCP servers are working, internet connectivity is good, and DNS is functioning as expected. Then, on one of the LAN ports: turn off VLAN1, change VLAN6 or VLAN13 to untagged. Then make sure your computer/device gets an IP address, is able to connect to the internet normally, and can access the router through that physical port. Remember that in this test you want to connect to the router via the IP address specified for VLAN6 and/or VLAN13, not the one for VLAN1. As long as that all works, you should be okay.

Other thoughts -- I can't answer the question about the dual-core CPU, but if the screenshot above is a working configuration, no harm keeping the CPUs allocated as is. In my experience, I have always had every VLAN tagged at the CPU -- I see that VLAN1 is untagged everywhere that it is active, including the CPU. I'm not sure if that implies that you will need to untag VLAN13 at the CPU when you delete VLAN1... you'll find out, possibly the hard way (locked out), if that is necessary. In addition, once VLAN1 is deleted (or just off on all ports), you will probably want VLAN13 untagged for any ports connecting to devices within house A. If they are tagged, your devices won't work unless they also tag traffic on VLAN13. That is to say that the 'default' VLAN associated with a port is the one that is untagged. If there are no untagged VLANs on a port, there is no defined 'default' and so the port may seem dead/inactive unless you are using VLAN aware devices configured with the matching VLAN tagging on that physical port.

BTW: It is a good idea to backup the configuration at each stage here in case you need to reset the router back to defaults -- although you'll be starting fresh, you don't have to reconfigure from scratch -- just reload the last known good config and go from there.

On port LAN1 where your radio connects -- VLAN6 might be best untagged there. But UBNT radios can work with tagged interfaces, you could have a port untagged 13 + tagged 6 if you want, just be sure to configure the radio accordingly. If you do VLAN13 untagged and VLAN6 tagged, the radio (at a system level) will get an IP (and thus be managed) in the VLAN13 subnet, but can have the actual radio setup with VLAN6 (configure the UBNT radios using their software).

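The two points in the reply above, that a port with no untagged VLAN looks dead to a plain PC, and that the radio port can carry VLAN13 untagged for management plus VLAN6 tagged for House B, can be checked against a switch_vlan table before applying it. This is an added example, not code from the thread or from OpenWrt: a parser for the `ports` syntax used in the post's switch config ('t' suffix = tagged, no suffix or 'u' = untagged) and an ingress classifier. Port numbering follows the switch section in the post (0-3 = LAN1-4, 4 = WAN, 5 and 6 = CPU); the three tables are constructed for the illustration and use the thread's VLAN ids.

```python
# Constructed switch_vlan tables in OpenWrt 'ports' syntax: {vlan_id: "port[t|u] ..."}.
LOCKED_OUT = {13: "1t 2t 3t 5t", 6: "0t 5t", 20: "4t 6t"}       # VLAN1 deleted, nothing untagged
WORKING    = {13: "1 2 3 5t",    6: "0 5t",  20: "4t 6t"}       # LAN2-4 untagged 13, LAN1 untagged 6
RADIO_MGMT = {13: "0 1 2 3 5t",  6: "0t 5t", 20: "4t 6t"}       # LAN1: untagged 13 + tagged 6

def parse_vlan_table(table):
    """Turn the per-VLAN port strings into per-port membership:
    {port: {vlan: 'tagged' | 'untagged'}}."""
    ports = {}
    for vid, spec in table.items():
        for tok in spec.split():
            port = int(tok.rstrip("tu"))
            ports.setdefault(port, {})[vid] = "tagged" if tok.endswith("t") else "untagged"
    return ports

def ingress(ports, port, frame_vlan=None):
    """Classify a frame arriving on `port`. frame_vlan=None is an untagged frame (a plain PC).
    Returns the VLAN the frame joins, or None when the switch has nowhere to put it.
    Simplification: tagged frames are only accepted where the port is a tagged member."""
    membership = ports.get(port, {})
    if frame_vlan is None:
        untagged = [v for v, mode in membership.items() if mode == "untagged"]
        return untagged[0] if untagged else None      # no untagged VLAN: the port looks dead
    return frame_vlan if membership.get(frame_vlan) == "tagged" else None

def can_reach(ports, src_port, dst_port, frame_vlan=None):
    """True if a frame entering src_port can be switched out of dst_port (same VLAN on both)."""
    vid = ingress(ports, src_port, frame_vlan)
    return vid is not None and vid in ports.get(dst_port, {})

def lockout_risk(table, lan_ports=(0, 1, 2, 3)):
    """LAN ports on which an untagged device would get no VLAN at all."""
    ports = parse_vlan_table(table)
    return [p for p in lan_ports if ingress(ports, p) is None]
```

`lockout_risk` is the pre-flight check worth running before deleting VLAN1: an empty list means every LAN port still has a default VLAN for untagged devices.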

Thanks again mate for all your time and information given.

I will do the backup prior to modifying and let you know. I will give a read to the VLAN tutorials as I see I am too ignorant to understand it correctly :smiley: