aegres <aegres.30ioml@no-mx.wirelessforums.org> hath wroth:
>I am stuck and have been trying for a while. Perhaps I am missing
>something simple.
That which is most obviously correct, beyond any need of checking, is
usually the problem.
>I have 3 subnets (on 3 separate sites 1km+ apart):
>
>192.168.110.0/24
>192.168.111.0/24
>192.168.112.0/24
Why so complexicated? What are you trying to accomplish with this? If
these are 3 separate customers that require isolation, you can
accomplish the same thing by simply putting everyone on the same Class
C subnet, and enabling "AP isolation" on the routers. AP Isolation is
a lousy term for blocking any wireless to wireless traffic. It's
kinda tricky to find the setting. See:
<http://www.informatione.gmxhome.de/DDWRT/Standard/V23final/Wireless_Advanced.html>
It's in the middle of the page. Note that this is sometimes referred
to as "client isolation" in the DD-WRT forums, which is a more accurate
term.
>They are connected by 4 DD-WRT v23SP2 on Linksys WRT54GL boxes.
Connected how? Wired or wireless?
Which one has the internet connection attached?
>Two of the DD-WRT's are setup as routes and are located on the central
>site .111. The wireless interfaces on these two talk to the other two
>DD's that are access points on the other two sites providing wireless
>access to .110 and .112.
>
>I can happily route packets from hosts on .111 to .110 and .112, but I
>can't route packets from .110 to .112 and vice versa - which is what I
>really want to achieve.
Make my life easy and kindly supply the routeing table.
Login with telnet and run:
   route -e -n
on two connected routers. Once it's untangled on two routers, we can
talk about adding the others.
>I have spent quite some time trying to analyse what is happening
>(thinking the routing table may be incorrect). I have stripped all
>rules from IP tables (ip_forwarding is on). I have added accounting
>rules to the routers to see if packets are being forwarded.
Yech. IP tables are for firewall rules, not for routing.
If you must route between subnets, use a static route to the remote
gateway (IP address of remote router). Something like this:
From the 192.168.110.1 router:
   route add -net 192.168.111.0 netmask 255.255.255.0 gw 192.168.111.1
and on the other end:
   route add -net 192.168.110.0 netmask 255.255.255.0 gw 192.168.110.1
However, these probably will not work because I have no clue where you
connect this pretzel to the internet. You will need to assign a
default gateway (default route) that points to the router that has the
internet connection.
   route add default gw 192.168.110.1
or something like that.
Light reading:
<http://linux.about.com/od/commands/l/blcmdl8_route.htm>
>The results:
>If I try to ping a host on .110 from .112 the .111/.112 router's
>accounting rules (iptables) counters increment but the .111/.110
>router's accounting rules do not... I can ping the same .110 address
>from the .111/.112 router though... so the route table on that router
>seems to be correctly pointing at the .110 subnet. It just seems that
>anything coming from the .112 doesn't come out the other side of the
>router, even though the counters are incrementing in its iptables.
>
>Is this a bug?
It's possible. However, I did have some problems with static routes
on DD-WRT v23 SP2. I went to v23 SP3 and they were fixed. I recently
moved most everything to v24 RC4 but have not retested (or had any
complaints).
>Does it have something to do with the fact that one of
>the interfaces is br0? I assume that br0 is a bridge interface to get
>all four ethernet ports working - maybe the bridging module code doesn't
>like this sort of stuff...
Bridging doesn't know anything about IP addresses or routing. I don't
wanna speculate, mostly because you've been tinkering with the
forwarding and IP tables.
>Any thoughts or help would be greatly appreciated.
Put IP_tables back to where they belong. Concentrate on the routing
tables. Keep track of where you point your default gateways.
--
Jeff Liebermann      jeffl@cruzio.com
150 Felker St #D     http://www.LearnByDestroying.com
Santa Cruz CA 95060  http://802.11junk.com
Skype: JeffLiebermann  AE6KS  831-336-2558
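
An added example, not part of the original post: a small checker that reads `route -e -n` output from each router and follows a destination hop by hop, which shows a request getting through while the reply has no route back. The two routing tables, the router names A and B, and the 192.168.111.1/.2 gateway addresses are constructed assumptions.

```python
import ipaddress

# Constructed `route -e -n` output for two hypothetical central-site routers
# (names, addresses and interfaces are assumptions, not from the post).
ROUTER_A = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.110.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.111.0   0.0.0.0         255.255.255.0   U         0 0          0 br0
"""
ROUTER_B = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.112.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.111.0   0.0.0.0         255.255.255.0   U         0 0          0 br0
192.168.110.0   192.168.111.1   255.255.255.0   UG        0 0          0 br0
"""
OWNERS = {"192.168.111.1": "A", "192.168.111.2": "B"}  # gateway IP -> router

def parse_routes(text):
    """Return (network, gateway-or-None, iface) for each route line."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0][0].isdigit():
            continue  # skip the header and blank lines
        gw = None if f[1] == "0.0.0.0" else f[1]
        routes.append((ipaddress.ip_network(f"{f[0]}/{f[2]}"), gw, f[-1]))
    return routes

def lookup(routes, dst):
    hits = [r for r in routes if ipaddress.ip_address(dst) in r[0]]
    # Longest-prefix match, so a default route (0.0.0.0/0) is the last resort.
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def trace(tables, start, dst, max_hops=8):
    """Follow dst router by router; return (path, outcome)."""
    path, router = [], start
    for _ in range(max_hops):
        path.append(router)
        route = lookup(tables[router], dst)
        if route is None:
            return path, "no route"
        if route[1] is None:
            return path, "delivered"  # directly connected subnet
        router = OWNERS.get(route[1])
        if router is None:
            return path, "unknown gateway"
    return path, "routing loop"

if __name__ == "__main__":
    tables = {"A": parse_routes(ROUTER_A), "B": parse_routes(ROUTER_B)}
    print(trace(tables, "B", "192.168.110.50"))  # request from the .112 side
    print(trace(tables, "A", "192.168.112.50"))  # reply back toward .112
```

With these constructed tables the request reaches A and is delivered, but the reply stops at A with "no route" until A gets a route for 192.168.112.0/24 or a default gateway.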