Routing between two subnets connected to a firewall router, with different equipment makes

I have seen - and tried - various solutions to this, but I can't seem to get this to work.

My setup is shown below.

A big part of the problem is that each router has user interfaces with different semantics, so it is difficult making changes across all three without getting confused.

On my setup, Router1 is a TP-Link R600, with net address x.x.0.0/24, gateway x.x.0.1. Router2 is a Nighthawk R7000, net address x.x.1.0/24, gateway x.x.1.1 with stock firmware. Router3 is an old Netgear router with OpenWRT firmware, with IPs x.x.2.0/24 and gateway x.x.2.0. So the basic need is to get a workstation on x.x.2.0 to access server x.x.1.0. Also, of course, the reverse is needed.

Pictorially (somewhat):

                      (TP Link)
              |        x.x.0.0/24       |
              |                         |                          
         x.x.0.101                  x.x.0.201
          Router2                    Router3
        (Nighthawk)                 (OpenWRT)
          x.x.1.1                    x.x.2.1
               |                         |   
               |                         |
          x.x.1.0/24                 x.x.2.0/24

At present, on Router1, I have two static routes (in the TP-LINK menu): destination x.x.1.0/24, NEXT HOP x.x.0.101; the same for Router3: destination x.x.2.0/24, NEXT HOP x.x.0.201. Access control should allow ICMP (only testing with pings at this time) between the Router1 LAN and both the Router2 and Router3 WAN.

Router 2, from Nighthawk menu, has one static route: destination x.x.2.0/24, gateway x.x.0.1. No firewall settings found.

Router 3, from the OpenWRT menu, I set a route with target x.x.1.0/24, gateway x.x.2.1. Traffic flow is set to allow ping from WAN to device (I assume x.x.2.1).

I have tried pinging between Router2 and 3, but I either get "Redirect Host" or "Destination Port Unreachable", or nothing.

Conceptually, I know what is needed. I just can't decipher 3 different GUI languages for this one problem.

Any help greatly appreciated.



That is wrong: the route from Router 3 to x.x.1.0/24 is the Nighthawk, which holds x.x.0.101 on the .0.0 network already known to Router 3, or indirectly Router 1 at x.x.0.1.

But really there's no need to involve Router 1 in this at all if you have the static routes in place on Routers 2 and 3. Routers 2 and 3 can reach each other directly on the .0.0 network.

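The two Router3 routes under discussion (the one set in the question, gateway x.x.2.1, and the next hop x.x.0.101 this reply recommends), traced through a small route-resolution model. This is an added example, not code from anyone in the thread; it assumes x.x is 192.168 and that each router's routes are exactly the ones listed in the question.

```python
import ipaddress as ip
# Constructed topology: "x.x" is assumed to be 192.168 (a placeholder, not from the thread).
def router(name, connected, routes):
    """connected: {interface address: subnet}; routes: [(destination, gateway)]."""
    return {"name": name,
            "connected": {ip.ip_address(a): ip.ip_network(n) for a, n in connected.items()},
            "routes": [(ip.ip_network(d), ip.ip_address(g)) for d, g in routes]}

def lookup(rtr, dst):
    """Longest-prefix match over connected subnets and static routes.
    Returns ("direct", None), ("via", gateway) or ("none", None)."""
    dst, best, hit = ip.ip_address(dst), -1, ("none", None)
    for net in rtr["connected"].values():
        if dst in net and net.prefixlen > best:
            best, hit = net.prefixlen, ("direct", None)
    for net, gw in rtr["routes"]:
        if dst in net and net.prefixlen > best:
            best, hit = net.prefixlen, ("via", gw)
    return hit

def usable_gateway(rtr, gw):
    """A next hop must sit on a directly connected subnet and must not be one of the router's own addresses."""
    return gw not in rtr["connected"] and any(gw in n for n in rtr["connected"].values())

def trace(routers, start, dst, max_hops=6):
    """Hop from router to router until dst is directly connected; report the path and the outcome."""
    owner = {a: r["name"] for r in routers.values() for a in r["connected"]}
    path, cur = [start], start
    for _ in range(max_hops):
        kind, gw = lookup(routers[cur], dst)
        if kind != "via":
            return path, "delivered" if kind == "direct" else "no route"
        if not usable_gateway(routers[cur], gw):
            return path, f"invalid gateway {gw}"
        cur = owner.get(gw)
        if cur is None:
            return path, f"gateway {gw} is not a known router"
        path.append(cur)
    return path, "loop"

R1 = router("Router1", {"192.168.0.1": "192.168.0.0/24"},
            [("192.168.1.0/24", "192.168.0.101"), ("192.168.2.0/24", "192.168.0.201")])
R2 = router("Router2", {"192.168.0.101": "192.168.0.0/24", "192.168.1.1": "192.168.1.0/24"},
            [("192.168.2.0/24", "192.168.0.1")])
R3_IFACES = {"192.168.0.201": "192.168.0.0/24", "192.168.2.1": "192.168.2.0/24"}
R3_AS_POSTED = router("Router3", R3_IFACES, [("192.168.1.0/24", "192.168.2.1")])    # gateway = Router3's own LAN address
R3_SUGGESTED = router("Router3", R3_IFACES, [("192.168.1.0/24", "192.168.0.101")])  # gateway = Nighthawk on the .0.0 net

def paths(r3):
    """Trace .2.0/24 -> .1.0/24 (starting at Router3) and .1.0/24 -> .2.0/24 (starting at Router2)."""
    routers = {r["name"]: r for r in (R1, R2, r3)}
    return trace(routers, "Router3", "192.168.1.50"), trace(routers, "Router2", "192.168.2.50")
```

In the model the as-posted Router3 route fails at Router3 itself, because its gateway is one of Router3's own addresses, while Router2's path to .2.0/24 still passes through Router1 because its route points at x.x.0.1 rather than x.x.0.201.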

I would think that. But that is not what I am seeing now. To ssh from .1.0 to .2.0, I need a static route in Router2 for .2.0 via .2.1 and also in Router1 for .2.0 via .0.201. Unfortunately, the reverse doesn't seem to work.

I hooked up Wireshark to Router1 via port mirroring, watching packets in/out on .0.101 and .0.201. I see ssh packets go both directions from .0.101 to .2.y, with .1.x initiating the ssh session to .2.y. But for .2.x to .1.y, I only see packets from .0.201 to .1.y, with no response from .1.y.

Really confusing. Pictorially (somewhat) from Wireshark:

Initiating from host on .1.0 lan to host on .2.0 lan:
x.x.1.a --> x.x.0.101 -->  --> x.x.2.y

Initiating from host on .2.0 lan to host on .1.0 lan:
x.x.2.a --> x.x.0.201 --> ]  

Just in case, what should the routing and firewall settings on OpenWrt (router2) be for this?

Also, FWIW, I have been having problems setting up a VPN on the Nighthawk (router1) using Netgear's firmware. Either my router is somehow broken or Netgear's firmware is broken. I had been working with Netgear support on this, but the second-level expert seems to be reading from a book, not understanding that I know what a VPN is and what it is for, and not understanding that I do not use windoze (which they require). So I guess that they'll just ignore this one. Bottom line for all of this is that I plan to flash OpenWrt's firmware into my Nighthawk after they can/can't come up with a solution. Got to wait since it is still under warranty.

thx for the help.


Can always flash it back to stock, if required, can't you?

Yes. But just flashing OpenWrt would void the warranty, and I'd rather not take the chance just yet. Besides, it will be nice to see what they say is wrong (if they ever reply).

Sure, but how would they know?