but it only works for different subnets? I use the same subnet here
What you are asking for is impossible.
may I ask what change is required on main gateway to make this possible? thanks
If you can control the gateway, you could just use your Archers as dumb APs as already mentioned and still put your devices into the 192.168.2.x subnet.
If the main gateway is OpenWrt-based, you would create a separate network with the two ports covering your devices in it, add a separate DHCP server and a separate firewall zone. Then your devices cannot access the remaining 10.0.0.x subnet and clients from the 10.0.0.x subnet cannot reach yours - unless the Firewall is configured to do so, of course. This is basically what I do to separate my IoT network from my private network.
A stretched layer 2 is not always desirable but in case you really have or want to, use a GRE tunnel and bridge it to br-lan or use VXLAN.
Yes there are several ways to tunnel or VPN at layer 2 (also called "Ethernet bridge"), but as a site to site solution it has downsides. It's better to use different subnets and symmetrically route either with a direct connection (which requires at least being able to install routes in the main router) or a layer 3 VPN.
Different subnets and routing between them makes the most sense to me.
@andy2015 Is there a reason everything needs to be on the same subnet?
@mk24 Can it be done without having access to the Mainrouter (10.0.0.1)?
You could just use 192.168.3.0/24 on Router2 and route traffic between Router1 and Router2
Router1 gets a route that says send 192.168.3.0/24 traffic to 10.0.0.3
Router2 gets a route that says send 192.168.2.0/24 traffic to 10.0.0.2
Add FW rules to allow traffic and exempt from NAT
There are two possible ways I can see this working if you can change settings on the main gateway (and assuming that these features are exposed to the user -- OpenWrt does surface this, but consumer grade routers with vendor firmware do not always have this option):
- you could install static routes on the main gateway that would allow the traffic to pass between the two routers you're working on. You would still need all three routers to have different subnets for this to work.
- or you could set up VLANs on the main gateway to tie the two routers together with a VLAN that is distinct from the existing network that runs over the existing cabling. This would effectively allow you to turn one of them into a dumb AP with the other acting as the main router (along with DHCP and DNS) for the 192.168.2.0/24 subnet. And the traffic would traverse through, but not interact with, the existing 10.0.0.0/24 router and its network, making it, for practical purposes, just a bump in the wire for the 192.168.2.0/24 subnet traffic.
upstream applications assume they are in the same subnet so I cannot change that
thanks for the update
for VLAN option, I assume the two sub routers are in the same subnet 192.168.2.0/24?
does it require main gateway to be OpenWrt flashed on?
any guide on how to set up the VLAN on the main gateway?
Yes. One would be set up as a dumb AP/switch, the other would be the actual functional router.
No, but... the main router must expose VLAN configuration options for its built-in switch to the user. Or... you could always install a managed switch at that location.
If you're using OpenWrt on the main gateway, we can help here. Otherwise, you should look at the documentation of that device and/or Internet forums that focus on the firmware that is installed on it.
@psherman will this work?
I don’t think so because you must disable masquerading for it to work. So it is possible that it would work for the inter-network routing, but it would absolutely break internet connectivity, since the main router would not understand where to send traffic.
Looks like you got a solution. Can end the discussion if you like.
Just curious if you can elaborate more on the same subnet requirement. What are the applications and protocols? You said upstream applications. Does that mean from a network perspective? Assuming you are nat'ing on the two routers, upstream apps would not even see the subnet IP. It is your question, so you get to define the requirements.
Usually the same subnet requirement would come from some layer two communications or discovery protocol.
Regarding the masquerade exception. That is uncharted water, not something I've tried. If configuring in pure nft for router1, maybe something like:
nft add rule ip nat postrouting oifname "wan" ip daddr != 192.168.3.0/24 masquerade
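Here is a worked version of the routed design described earlier in the thread (static route on each router, a firewall rule letting the remote LAN in, and the masquerade exception the last post sketches in nft). This is an added example and not code from any poster or from OpenWrt itself; it assumes OpenWrt-style "lan"/"wan" interface names on both Archers and the fw4 UCI option names (route, rule, masq_dest with "!" negation). The addresses are the ones used in the thread: main gateway 10.0.0.1, Router1 WAN 10.0.0.2 with LAN 192.168.2.0/24, Router2 WAN 10.0.0.3 with LAN 192.168.3.0/24. The overlap check is the point made at the top of the thread: two routers cannot route to each other if their subnets are the same.

```python
"""Plan a routed, non-NATed link between two routers that share an upstream segment.

Added example, not from the forum post or any OpenWrt tool. Interface names
("lan"/"wan") and the UCI options used (route, rule, masq_dest) are assumptions
about an OpenWrt/fw4 setup; addresses are the ones used in the thread.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    name: str      # label only, used in rule names
    wan_ip: str    # this router's address on the shared 10.0.0.x segment
    lan_net: str   # the subnet behind this router


def check_no_overlap(*nets: str) -> None:
    """Routing only works when every subnet is distinct, so reject any overlap."""
    parsed = [ipaddress.ip_network(n, strict=True) for n in nets]
    for i, a in enumerate(parsed):
        for b in parsed[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}: cannot route between them")


def uci_for(local: Router, remote: Router) -> str:
    """UCI fragments to add on `local` so it reaches `remote`'s LAN without NAT."""
    return "\n".join([
        "# /etc/config/network: send the remote LAN to the other router's WAN address",
        "config route",
        "\toption interface 'wan'",
        f"\toption target '{remote.lan_net}'",
        f"\toption gateway '{remote.wan_ip}'",
        "",
        "# /etc/config/firewall: allow the remote LAN to be forwarded in through the wan zone",
        "config rule",
        f"\toption name 'allow-{remote.name}-lan'",
        "\toption src 'wan'",
        "\toption dest 'lan'",
        f"\toption src_ip '{remote.lan_net}'",
        "\toption target 'ACCEPT'",
        "",
        "# /etc/config/firewall: inside the existing wan zone, exempt the remote LAN from masquerade",
        f"\tlist masq_dest '!{remote.lan_net}'",
    ])


def nft_masq_rule(remote: Router) -> str:
    """Equivalent hand-written nft rule (assumes an 'ip nat' table with a postrouting chain)."""
    return (f'nft add rule ip nat postrouting oifname "wan" '
            f"ip daddr != {remote.lan_net} masquerade")


def plan(upstream_net: str, r1: Router, r2: Router) -> dict:
    """Validate the addressing, then return the config fragments for both routers."""
    check_no_overlap(upstream_net, r1.lan_net, r2.lan_net)
    up = ipaddress.ip_network(upstream_net)
    for r in (r1, r2):
        if ipaddress.ip_address(r.wan_ip) not in up:
            raise ValueError(f"{r.name} WAN {r.wan_ip} is not inside {upstream_net}")
    return {r1.name: uci_for(r1, r2), r2.name: uci_for(r2, r1)}


if __name__ == "__main__":
    r1 = Router("router1", "10.0.0.2", "192.168.2.0/24")
    r2 = Router("router2", "10.0.0.3", "192.168.3.0/24")
    for name, cfg in plan("10.0.0.0/24", r1, r2).items():
        print(f"===== {name} =====\n{cfg}\n{nft_masq_rule(r2 if name == 'router1' else r1)}\n")
```

Each router keeps masquerading towards the internet (via 10.0.0.1), and only traffic destined for the other router's LAN leaves un-NATed, which is why replies can be routed back instead of landing at the main gateway.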