Subnet configuration won't pass traffic to internet

[image: Subnet_1]

I'm trying to set up a subnet and I'm stumped. Everything seems to work as expected except that clients on 10.10.3.x can't get to the internet. They can browse all other resources on any internal subnet. There are no firewall or NAT configurations on Router 3 yet. Everything on Router 3 is on the same VLAN.

All devices on 10.10.2.x have internet access.

I don't understand why Router 3 is sending traffic to Router 1 and apparently being routed internally but not externally.

My ultimate goal is to create subnets so I can better manage traffic locally and to the internet with firewalls.

Static Routes Configured:
Router     Destination   Mask             Gateway     Interface
Router 1   10.10.3.0     255.255.255.0    10.10.2.3   LAN

[image: PingResults]

root@Router3:~# vi /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'ACCEPT'

1 Like
  • Factory reset the MR8300.
  • Remove the MR8300 and substitute a C7.
  • Factory reset everything.
  • Buy another C7.

Upgrade all equipment to EA8300?


Seems like router 3 has no default gateway assigned to the wan port.

2 Likes

You need to add a static route on 10.10.2.1 for the 10.10.3.x subnet since you have turned off NAT on 10.10.3.1.

1 Like

Reasonable suggestions, we'll call that plan 'B'

1 Like

Interface configuration on Router 3

config interface 'lan'
        option ifname 'eth0'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.10.3.1'
        option gateway '10.10.2.1'
        option broadcast '10.10.3.255'
        list dns '10.10.2.203'

config interface 'wan'
        option ifname 'eth1'
        option proto 'static'
        option ipaddr '10.10.2.3'
        option netmask '255.255.255.0'
        option gateway '10.10.2.1'
        option broadcast '10.10.2.255'

Default gateway is the LAN address of Router 1, is this incorrect?

1 Like

All your hostnames are the same, which is creating contention.

The LAN gateway should be set to 10.10.3.1. That router knows where 2.1 is to forward packets on that are not for your 3.1 subnet.
The problem is your subnet doesn't know how to reach the 2.1 gateway since it is outside its address space.
I would guess you have some routing tables cached giving you false results, or your VLAN is doing something unexpected.
But 10.10.2.1 should have a static route to the 3.1 subnet. Then it will forward packets from that LAN's IPs to the 3.1 gateway, and forward your subnet to the 2.x network.

2 Likes

Thank you all for taking time to read and offer assistance. Turns out the issue was the subnet mask on Router 1 LAN. Changing the mask from 255.255.255.0 to 255.255.254.0 allowed Router 1 to route traffic back to 10.10.3.x. Not sure if this is the correct approach but it seemed to resolve my current issue.

1 Like

You just changed your two class C LANs into one subset of a class B LAN. They are now on the same LAN.
What this will do is stop you from having two isolated networks. Changing all your 3.1 addresses to 2.x would have worked the same.
If you would like proof, change the 3.1 to a 10.10.6.x and it will be locked out again.
Glad it is working, but it is not doing what you think it is.
LAN routing works like this: my LAN, then everything else goes out the gateway.
Remember private IP LANs are by design non-routable. Your 3.1 gateway should be masq'ing and forwarding packets to the 2.1 LAN.

1 Like

It is not necessary to masquerade the 3.1 lan.

Using a static route on 2.1 to route traffic to 3.1 is the proper way to fix the original problem.

3 Likes

People shouldn't post at 5am before coffee. :wink:
I've been spoiled with real IP domains for too many years. Last time I sub-netted private domains was back in the 90's.
After that it has been to make isolated networks so as not to have traffic going out from isolated machines.

1 Like

Changing the subnet mask is not how to do it. You've just made the network larger so 10.10.2.X and 10.10.3.X are now in the same network. They're not separate at all.

There are two ways to do it.

Router 3 can forward to router 1 and not NAT, as long as router 1 knows that the way back to a 10.10.3.0 IP is via router 3's IP on the .2 network. This involves adding a static route to router 1.

config route
    option target '10.10.3.0/24'
    option gateway '10.10.2.3'
    option interface 'lan'

The advantage of this method is that there is less load on Router 3's CPU since it doesn't have to keep track of a NAT table. The disadvantage is that machines on the .2 network can also reach the .3 network (their default route is router 1, which will use its route to 10.10.3.0) unless some firewalling is done.

The other way is to have Router 3 NAT any Internet requests from its network to its 10.10.2.3 IP and onward to Router 1. The advantage here is that no additional configuration of Router 1 is needed.

3 Likes
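To make the three options discussed in this thread concrete, here is an added example (not OpenWrt code and not any poster's configuration) that models Router 1's forwarding decision for a reply packet headed back to a 10.10.3.x host: no route, the static route via 10.10.2.3, and the widened /23 mask. The default-route gateway 203.0.113.1 and the interface names are assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed model of Router 1's routing decision for a packet headed back to a
# 10.10.3.x host. Not OpenWrt code and not anyone's posted config: the ISP-side
# gateway 203.0.113.1 and the interface names are assumptions for illustration.

def build_routes(lan_prefixlen, static_route):
    """Router 1's table: its LAN (/24 as originally posted, /23 after the mask
    change), an optional static route to 10.10.3.0/24 via Router 3's WAN address
    10.10.2.3, and a default route toward the Internet."""
    routes = [
        (ip_network(f"10.10.2.0/{lan_prefixlen}"), None, "lan"),       # directly connected
        (ip_network("0.0.0.0/0"), ip_address("203.0.113.1"), "wan"),  # default (assumed ISP gw)
    ]
    if static_route:
        routes.append((ip_network("10.10.3.0/24"), ip_address("10.10.2.3"), "lan"))
    return routes

def next_hop(routes, dst):
    """Longest-prefix match, as the kernel does it: the most specific route wins.
    Returns (next hop address, interface); for a directly connected network the
    next hop is the destination host itself."""
    dst_ip = ip_address(dst)
    net, gw, iface = max((r for r in routes if dst_ip in r[0]),
                         key=lambda r: r[0].prefixlen)
    return (str(gw) if gw is not None else str(dst_ip), iface)

def merged_into_one_lan(lan_prefixlen):
    """True when the widened LAN swallows 10.10.3.0/24, i.e. the 'two subnets'
    are really one network and are no longer isolated from each other."""
    return ip_network("10.10.3.0/24").subnet_of(ip_network(f"10.10.2.0/{lan_prefixlen}"))

if __name__ == "__main__":
    cases = {
        "/24 LAN, no static route": build_routes(24, False),
        "/24 LAN + static route  ": build_routes(24, True),
        "/23 LAN (mask widened)  ": build_routes(23, False),
    }
    for label, routes in cases.items():
        print(f"{label}: reply to 10.10.3.50 -> {next_hop(routes, '10.10.3.50')}")
    print("mask /23 merges the subnets:", merged_into_one_lan(23))
```

Only the static-route case hands the reply to Router 3 while keeping 10.10.3.0/24 a separate network; the /23 case "works" because the two LANs have become one.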

I've rolled back the mask on router 1 so it's not spanning subnets. I've added a NAT rule on Router 3 set as follows:


config nat
        option name 'Test Rule 1'
        list proto 'all'
        option src '*'
        option target 'MASQUERADE'

Clients on 10.10.3.x can now reach the internet as well as all resources internally.

Am I on the right track now?

That is one solution but double NAT is not ideal

If you want to try.

  1. Remove the NAT rule you just created on router 3.

  2. On router 1 use LuCI and go to
    Network -> Static Routes

  3. Select add to add a new static route

  4. Make these changes
    • Set Target: 10.10.3.0
    • Set Mask: 255.255.255.0
    • Set Gateway: 10.10.2.3

  5. Save and Apply

I have that in my original configuration, which has me confused.

Static Routes Configured:
Router     Destination   Mask             Gateway     Interface
Router 1   10.10.3.0     255.255.255.0    10.10.2.3   LAN

What is the down side to using the NAT configuration? My goal is to create a subnet with firewalls so I can isolate some IoT devices. Will the NAT conflict with this or cause issues?

You won't be able to access the subnet without using port forwarding, and it will get messy if you have multiple devices using the same port.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.