No access to internet after changing from Gateway to Router

Message

iefoaix · Post by **iefoaix** » Sun Jul 27, 2014 6:39 pm

No access to internet after changing from Gateway to Router mode

Here is my setup:

                WAN 
                 | 
        -------------------------------
        | 74.96.170.x (WAN IP)         | 
        | Router1(Verizon FiOS Router) | 
        | Model: MI424WR-GEN2 (Rev F)  | 
        | Firmware: 20.21.0.2          |
        | Def router: 74.96.170.1      |
        | 192.168.1.1 (Local IP)       | 
        -------------------------------
                 ||                  ---------------------------
                 ||                  |  192.168.1.22 (WAN IP)   | 
                  ===================|  Router2(Linksys)        | 
                                     |  Model: WRT54GL v1.1     |
                                     |  Firmware: v4.30.16      |
                                     |  Def Router: 192.168.1.1 |
                                     |  192.168.2.1 (Local IP)  |
                                     ---------------------------
                                               ||
                                               ||
                                     ---------------------------- 
                                     | Computer 192.168.2.160   | 
                                     | Def Router: 192.168.2.1  | 
                                     | NO iptables, basic setup |
                                     ----------------------------

On computer, I have:

Code: Select all

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.2.1     0.0.0.0         UG    2      0        0 enp2s0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
192.168.2.0     *               255.255.255.0   U     0      0        0 enp2s0

On Router2, I have:

Code: Select all

Routing Table Entry List

Destination LAN IP | Subnet Mask   | Gateway   | Hop Count | Interface
192.168.2.0          255.255.255.0   0.0.0.0     1           LAN & Wireless
192.168.1.0          255.255.255.0   0.0.0.0     1           WAN (Internet)
0.0.0.0              0.0.0.0         192.168.1.1 1           WAN (Internet)

Router2's Operating Mode is Gateway. On Router1, I have:

Code: Select all

[Router1] Routing Table
Name                  Destination Gateway      Netmask       Metric   Status
Network (Home/Office) 192.168.2.0 192.168.1.22 255.255.255.0 0        Applied 
Network (Home/Office) 192.168.1.0 192.168.1.1  255.255.255.0 0        Applied 
Routing Protocol: Internet Group Management Protocol (IGMP)
Default Gateway: 74.96.170.1

On computer, I can run tcptraceroute to yahoo.com OK:

Code: Select all

# tcptraceroute yahoo.com
Selected device enp2s0, address 192.168.2.160, port 46596 for outgoing packets
Tracing the path to yahoo.com (206.190.36.45) on TCP port 80 (http), 30 hops max
 1  192.168.2.1  0.610 ms  0.729 ms  0.735 ms
 2  192.168.1.1  1.843 ms  1.378 ms  1.363 ms
 3  l100.washdc-vfttp-107.verizon-gni.net (96.241.146.1)  13.620 ms * *
... /* It reached the destination. */

I want to change Router2's Operating Mode from "Gateway" to "Router" because I
want to turn off NAT on Router2 so that I can access all computers attached to
Router2 by their individual IP instead of using port forwarding at Router2.

The problem is after the mode change from "Gateway" to "Router", and regardless
whether I disable RIP or enable RIP, and on what interfaces it is enabled, computer
192.168.2.160 does not have internet connection.

Observations:

[0]INTRAnet works as I can reach computer 192.168.2.160 from computer behind Router1 192.168.1.x and vice versa.

[1] ping and traceroute *work* on Router2 itself using the built-in dianostic tool.

[2] nslookup on computer 192.168.2.160 always works on new lookup. It uses
192.168.2.1 as the resolver.

[3] tcptraceroute stops after step 2:

Code: Select all

# tcptraceroute yahoo.com
Selected device enp2s0, address 192.168.2.160, port 45999 for outgoing packets
Tracing the path to yahoo.com (98.139.183.24) on TCP port 80 (http), 30 hops max
 1  192.168.2.1  2.553 ms  0.534 ms  0.638 ms
 2  192.168.1.1  1.342 ms  0.964 ms  0.867 ms
 3  * * *

[4] tcpdump shows that computer 192.168.2.160 tries to reach out and nothing is returned:

Code: Select all

13:34:03.172828 IP 192.168.2.160.45999 > 98.139.183.24.http: Flags [S], seq 1122548929, win 0, length 0
13:34:06.175786 IP 192.168.2.160.45999 > 98.139.183.24.http: Flags [S], seq 1122548929, win 0, length 0
13:34:09.178804 IP 192.168.2.160.45999 > 98.139.183.24.http: Flags [S], seq 1122548929, win 0, length 0

This is not expected because NAT to internet should still be done by Router1, no? Computer
behind Router1 with IP 192.168.1.x has internet connection.

[5] It looks like I cannot change the Routing Table Entry on Router2. I do not think I need to change anything, just an observation.

Ant P. · Post by **Ant P.** » Mon Jul 28, 2014 9:22 pm

192.168.1.1 needs a route to 192.168.2.0/24 via 192.168.1.22 in order for traffic to work both ways.

iefoaix · Post by **iefoaix** » Tue Jul 29, 2014 12:12 pm

Ant P. said: "192.168.1.1 needs a route to 192.168.2.0/24 via 192.168.1.22 in order for traffic to work both ways."

This is very true. In original post I have:

"Network (Home/Office) 192.168.2.0 192.168.1.22 255.255.255.0 0 Applied"

without this, the intranet between 192.168.1.x and 192.168.2.x won't work. The problem is that intranet works, but the 192.168.2.x cannot reach internet.

Ant P. · Post by **Ant P.** » Wed Jul 30, 2014 10:53 pm

Sorry you're right, I misread. The routes all look correct.

What does router2 show for these?

Code: Select all

sysctl net.ipv4.{ip_forward,conf.{default,all}.forwarding}

Do you have any routing software like quagga or is this all manual?

iefoaix · Post by **iefoaix** » Thu Jul 31, 2014 1:30 am

Ant P. wrote:Sorry you're right, I misread. The routes all look correct.

What does router2 show for these?
Code: Select all
sysctl net.ipv4.{ip_forward,conf.{default,all}.forwarding}
Do you have any routing software like quagga or is this all manual?

Hello Ant -

Router2 is Linksys router running the default Linksys software that I access via the web interface. I do not think I can run the command you provided. The following is run on the computer 192.168.2.160 behind the Router2:

Code: Select all

# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

# sysctl net.ipv4.conf.default.forwarding
net.ipv4.conf.default.forwarding = 0

# sysctl net.ipv4.conf.all.forwarding
net.ipv4.conf.all.forwarding = 0

I can run traceroute from Router2 diagnostic interface, and that is working. The computer behind Router2 (192.168.2.160) can ssh to computer behind Router1 (192.168.1.x), but not to the internet. Traceroute shows it goes through 192.168.2.1 and then 192.168.1.1 and it stops there:

Code: Select all

# tcptraceroute yahoo.com
Selected device enp2s0, address 192.168.2.160, port 48298 for outgoing packets
Tracing the path to yahoo.com (98.138.253.109) on TCP port 80 (http), 30 hops max
 1  192.168.2.1  2.922 ms  0.602 ms  0.589 ms
 2  192.168.1.1  1.350 ms  0.901 ms  0.881 ms
 3  * * *

tcpdump shows it sends out packets to the internet, but not receiving packets from the internet. It makes me think that somehow, somewhere it prevents the packets routing back to 192.168.2.160, the computer behind Router2.

I have marked Router2 (192.168.1.22) as DMZ host on Router1, but that does not help.

Jaglover · Post by **Jaglover** » Thu Jul 31, 2014 1:36 am

You need to put the Router2 into bridge mode. Or put Router1 into bridge mode and do NAT in your WRT.

iefoaix · Post by **iefoaix** » Thu Jul 31, 2014 3:28 am

Jaglover wrote:You need to put the Router2 into bridge mode. Or put Router1 into bridge mode and do NAT in your WRT.

Yes, that works, but why do I have to use one of the routers in bridge mode? Why cannot I have this?

Code: Select all

(internet IP) Router 1 (192.168.1.1) <-> (192.168.1.22) Router 2 (192.168.2.1) <-> (192.168.2.160) Computer2
                       |
            (192.168.1.160) Computer1

The two computers can talk to each other, the problem is Computer2 cannot talk to internet while Computer1 can.

iefoaix · Post by **iefoaix** » Sat Aug 02, 2014 3:12 pm

Ant P. wrote:Sorry you're right, I misread. The routes all look correct.

What does router2 show for these?
Code: Select all
sysctl net.ipv4.{ip_forward,conf.{default,all}.forwarding}
Do you have any routing software like quagga or is this all manual?

Ant: I have another Linksys router WRT54G v3.1 that I run OpenWRT (White Russia), and it has exact the same issue: if I run with NAT enable (by default), access to internet works; if I have NAT disabled (iptables -t nat -F), then access to internet does not work.

I do have these settings:

Code: Select all

+ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
+ sysctl net.ipv4.conf.default.forwarding
net.ipv4.conf.default.forwarding = 1
+ sysctl net.ipv4.conf.all.forwarding
net.ipv4.conf.all.forwarding = 1