Access a device on LAN 1 from LAN 2 ??

rnrmusic

Apr 6, 2016
Hello,

I'm trying to set up my network to work so that I can access a device that's on LAN 2 from a device on LAN 1.

The set up is:
ISP
LAN 1 Arris (10.0.0.1 DHCP active)
Laptop A (on LAN 1 10.0.0.4 via Wifi)
Laptop B (on LAN 1 10.0.0.6 via Wifi)
LAN 2 Belkin (192.168.2.1 on LAN 1 10.0.0.28 via Ethernet)
Camera 1 (on LAN 2 192.168.0.3 via Wifi)
Camera 2 (on LAN 2 192.168.0.5 via Wifi)
Laptop C (on LAN 2 192.168.0.7 via Wifi)

I want to have Laptop A on LAN 1 able to access Camera 1 on LAN 2, and also to remotely access Camera 1 and Camera 2 via internet using ddns.

Currently any device on LAN 2 can access Camera 1 and Camera 2, however devices on LAN 1 cannot access Camera 1 and Camera 2, and remote devices (tablet/cellphone) cannot access anything on LAN 1 or LAN 2.

I know this question has been asked and phrased in different ways but I couldn't find an iteration that covered my specifics. Can anyone please help me properly bridge remote devices into LAN 1 and LAN 2 and also devices on LAN 1 allowed to access devices on LAN 2?

Thank you

https://drive.google.com/open?id=0B9OynkGdGXgVWkptc1NfaTlIM2c
 
Solution
It is the same reason you cannot access things in your home network from the internet without port forwarding. If it was a single device it is easier; when you use cameras that likely use the same port numbers it is much harder.

Your first goal is to see if you can create 2 port mapping rules that the end application will accept so you can use 2 different ports to represent the 2 cameras. After you get that working you would do the same thing on the main router but pointing to the secondary router.

Unless you have to have 2 networks I would run the second "router" as an AP so you only have one subnet. You still have the port forwarding issue on the main router for access from the internet.
 
Hello; new guy here... I recently set up 2 home LANs in order to separate 8 cameras from the usual internet traffic. With my setup I can access all devices on one LAN from the other, wired and wireless, except the opposite LAN's router, which I think can be fixed by resetting the devices. It's not that big a deal so I'm doing the wait-and-see thing...

I used 3 cheap TP-Link Archer C5 v2 routers in a Y configuration. Wifi is disabled on the gateway, dual-band on LAN1 and BGN only on LAN2. LAN 1 supports about a dozen addresses and LAN 2 about 24; both LANs feed an 8TB NAS on LAN2 and a wired printer on LAN1. I've been told that my system is "too complicated" but it's secure, runs trouble-free, was cheap to set up and makes sense to me. ymmv


Internet Gateway router:
{provider IP} WAN dynamic
192.168.0.1 LAN static
feeds 2 static IPs, one for each LAN
192.168.0.10
192.168.0.20
firewall enabled
static routing: 192.168.1.0 to 192.168.0.10
static routing: 192.168.2.0 to 192.168.0.20
no wifi
DHCP disabled

LAN 1 router:
192.168.0.10 WAN static
192.168.1.1 LAN static
192.168.0.1 gateway
firewall disabled
static routing: 192.168.2.0 to 192.168.0.1
static routing: 192.168.1.0 to 0.0.0.0
static routing: 192.168.0.0 to 0.0.0.0
static routing: 0.0.0.0 to 192.168.0.1
dual band wifi enabled
DHCP enabled (30 addresses)

LAN 2 router:
192.168.0.20 WAN static
192.168.2.1 LAN static
192.168.0.1 gateway
firewall disabled
static routing: 192.168.2.0 to 0.0.0.0
static routing: 192.168.1.0 to 192.168.0.1
static routing: 192.168.0.0 to 0.0.0.0
static routing: 0.0.0.0 to 192.168.0.1
BGN wifi enabled
DHCP enabled (30 addresses)
 


This can't work unless you have changed the firmware to be able to disable NAT. ALL traffic leaving the LAN 1 router will be given IP address 192.168.0.10. The 192.168.1.x IPs never leave the LAN 1 router.

This is fundamental to how these routers work. They are only designed to be used as internet gateways. The private IP blocks are not to leave the LAN network and be used on the internet. The NAT is used to accomplish this. Even if you had actual routable IPs in use on the LAN 1 router it would still NAT them.

The NAT is the problem and pretty much only commercial routers can disable that... now you could load other firmware but it is not allowed with factory firmware.
 
It works just fine...

There is no menu item on the C5 to disable NAT, only a "NAT Boost" feature which is disabled on all 3 units.

And the firmware is stock; no-one has bothered to modify any open-source firmware to work with TP-Link's implementation of the Broadcom chip set.

edit: Bill001g; it looks like turning off "NAT Boost" disables NAT completely, as turning it on blocks traffic between LANs. Is there a test that can be run to document what the NAT is doing (or not doing)?
 
It is simple: put a device in the 0 network. Then ping this from the 192.168.1.x network. It will of course work but what is most important is what the source IP address is. Not sure if you can see it in the resource manager but you can see it with Wireshark. If the source IP is the router's WAN IP then it is doing NAT; if you see the actual address then NAT is not running.

This would be a new feature; I have not seen a consumer router where you can turn NAT off.
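
The source-address test described above, as an added example that is not part of the thread: it reads the source/destination columns of a capture taken on the device placed in the 0 network and reports whether pings from LAN 1 arrive with their original 192.168.1.x address or with the LAN 1 router's WAN address. The capture-host address 192.168.0.152, the function names and the sample rows are assumptions constructed for illustration.

```python
import ipaddress

# Addresses assumed from the setup posted in this thread.
LAN1 = ipaddress.ip_network("192.168.1.0/24")            # behind the LAN 1 router
LAN1_ROUTER_WAN = ipaddress.ip_address("192.168.0.10")   # its port on the 0 network

def classify(src, dst, target):
    """Label one packet seen by the capture host `target` on the 0 network."""
    try:
        # tshark joins multiple IP layers with commas; keep the outer one
        src = ipaddress.ip_address(src.split(",")[0])
        dst = ipaddress.ip_address(dst.split(",")[0])
    except ValueError:
        return "ignore"            # ARP and other non-IP rows have empty fields
    if dst != ipaddress.ip_address(target):
        return "ignore"            # broadcasts, replies, unrelated traffic
    if src in LAN1:
        return "routed"            # original LAN 1 address survived the router
    if src == LAN1_ROUTER_WAN:
        return "nat"               # source rewritten to the router's WAN IP
    return "ignore"

def nat_verdict(rows, target):
    """rows: lines of `tshark -r FILE -T fields -e ip.src -e ip.dst` output."""
    seen = {"routed": 0, "nat": 0, "ignore": 0}
    for row in rows.splitlines():
        src, _, dst = row.partition("\t")
        seen[classify(src, dst, target)] += 1
    if seen["routed"] and seen["nat"]:
        return "mixed", seen
    if seen["routed"]:
        return "no NAT", seen
    if seen["nat"]:
        return "NAT active", seen
    return "no evidence", seen

# Constructed sample rows (not taken from the thread's captures).
ROUTED = ("192.168.0.1\t255.255.255.255\n\t\n"
          "192.168.1.110\t192.168.0.152\n192.168.0.152\t192.168.1.110\n")
NATTED = ("192.168.0.1\t255.255.255.255\n"
          "192.168.0.10\t192.168.0.152\n192.168.0.152\t192.168.0.10\n")
BROADCAST_ONLY = "192.168.0.1\t255.255.255.255\n192.168.0.1\t255.255.255.255\n"

if __name__ == "__main__":
    for name, rows in [("routed", ROUTED), ("natted", NATTED),
                       ("broadcast only", BROADCAST_ONLY)]:
        print(name, nat_verdict(rows, "192.168.0.152"))
```

A "no evidence" result means the capture held only broadcasts or traffic not addressed to the capture host, so the ping has to be aimed at the capture host itself for the test to say anything.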
 
I have a laptop with Wireshark on it; I'll plug that into the 192.168.0.1 router and see what it says.

btw:
pinging 192.168.0.20 from 192.168.1.110 shows a reply from 192.168.0.20

pinging 192.168.2.198 from 192.168.1.110 shows a reply from 192.168.2.198

tracert 192.168.2.198 shows
192.168.1.1
192.168.0.1
192.168.2.198



 
Yes. The network backs up computers from both LANs to the NAS on LAN2 and can print from any computer to the printer on LAN1. The cameras are all on LAN2 and I can view/adjust settings from a netbook connected via wifi on LAN1. It's seamless... I can talk with every device on either LAN except for the opposite's router, and that won't answer a ping.
 
I hooked up a netbook running Wireshark under XP and did a test.

Enabled DHCP on 0.1 and had it assign 0.152 to the Wireshark netbook.

Opened up the Network and Sharing Center on the 1.110 computer and mapped the network: LAN1 devices only showed up. Went to Computer and mapped the 2.112 computer's C:\ to Z:\ on 1.110 and copied a 2.35MB .jpg from LAN1 to LAN2 and back again, no problem.

Wireshark, if I'm reading this correctly (a big if...), showed both transfers as:

Source 192.168.0.1
Destination 255.255.255.255
Protocol UDP
Length 215 (multiple transfers)
Source port: 58219
Destination port: 7437

There are also many ARP broadcasts from 192.168.0.1 looking for (what I believe to be) NAT addresses:

Who has 74.214.148.33? Tell 192.168.0.1

Similar requests looking for:
173.209.125.127
173.209.125.233
173.205.125.17
173.205.125.215
72.217.110.56
162.248.155.182
and many others.

So what do you think?

 
Those are public internet addresses so hard to say what those are.

If you run actual file transfers you can see the source IP and destination IP in the packets. There should be a lot of them when a transfer is running. Now there are reporting tools that will show you end points and such but you almost can't miss the packets; there will be many hundreds of them when a file transfer is running.

Now it could be working based on proxy ARP but again that is not a feature you see on consumer routers.

TP-Link may have added a bunch of stuff since I last owned one. The ability to even put in static routes is not a common feature.
 
I have the impression we're investigating something new to the consumer market... If you don't mind, I'd like to dig a bit deeper and see what shows up.

What tool will dissect the packet and show what's happening? I suspect Wireshark can't or you would have asked for that info.
 
I installed Microsoft Network Monitor 3.4 on 192.168.1.110 (P100-LAPTOP) and ran a series of requests between 1.110 and 2.206.

Is there anything this program can do to help?

8246 9:05:20 PM 4/6/2016 1374.8251145 P100-LAPTOP 192.168.2.206 TCP TCP:Flags=......S., SrcPort=27607, DstPort=HTTP(80), PayloadLen=0, Seq=1464175363, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192 {TCP:1542, IPv4:1365}

8247 9:05:20 PM 4/6/2016 1374.8260077 192.168.2.206 P100-LAPTOP TCP TCP:Flags=...A..S., SrcPort=HTTP(80), DstPort=27607, PayloadLen=0, Seq=3517554733, Ack=1464175364, Win=5840 ( Negotiated scale factor 0x1 ) = 11680 {TCP:1542, IPv4:1365}

 
Wireshark is on a netbook that I can plug into any of the 3 routers; it was plugged into the 192.168.0.1 gateway router while logging the file transfers between 192.168.1.110 and 192.168.2.112.

During the transfers Wireshark listed dozens of identical entries:

Source 192.168.0.1
Destination 255.255.255.255
Protocol UDP
Length 215
Source port: 58219
Destination port: 7437

I poked around through the saved file looking for additional packet IP data but could not find any; how do I dredge it up?
 
To the original poster, rnrmusic, sorry about taking your thread down a parallel data path... I encountered the exact same problem you have and spent several weeks working through the various options, trying not to spend too much while doing so.

In your situation I believe you need a router to act as a bridge between LAN1 and LAN2. It will have to have the following characteristics:
- ability to shut off NAT (although I don't know if this matters anymore)
- ability to be placed in bridge mode

The bridge would have its statically assigned WAN port on one LAN and its statically assigned LAN port on the other.

On the LAN1 router make a static route so that all traffic addressed to LAN2 gets directed to the IP address of the bridge port facing the LAN1 router.

On the LAN2 router make a static route so that all traffic addressed to LAN1 gets directed to the IP address of the bridge port facing the LAN2 router.

I tried this method with 3 different residential routers from Engenius, Linksys and DLink but none of them could disable NAT and enter bridge mode at the same time. I was searching for a used high-end router when I found a real good deal on the C5's and took a chance they would work; they do but the software doesn't give you a lot of options to play with. Given that the C5 allows traffic between LANs, well, why/how does it do it and what else is it capable of...?

Perhaps a single, cheap C5 can act as your bridge...