using routers as switches and isolating traffic

tomusr

Honorable
Feb 3, 2014
Hello,
I have a somewhat convoluted network at home:

DSL Modem:
---Router 1 (DHCP server)
--- --- PC1
--- --- Router 2 (No DHCP)
--- --- --- PC2
--- --- --- Media PC
--- --- --- NAS

So Router 1 has two devices connected to it: PC1 and Router 2.

Router 2 is where most of the hard-working devices sit. The PC2, Media PC, and NAS are all connected to Router 2 via fast ethernet connections. But the connection between Router 2 and Router 1 is actually done via a not-so-fast powerline adapter. It's fast enough for internet, but definitely not as fast as ethernet. Both routers are running Tomato, and Router 2 has its DHCP turned off, so I think that means it's acting as a switch? Correct me if I'm wrong, because I would like to know.

My question is this: the high-bandwidth traffic that happens on my network is mostly between the NAS and the Media PC. I'm streaming videos between the NAS and Media PC. Does any of that traffic make its way to router 1 at all via the power line link? When the Media PC asks the NAS to start streaming a file, does Router 2 handle that traffic alone, without having to send the packets up to Router 1 via the slow powerline link?

 
It would have done exactly that IF it was a separate network; the problem is you are making the network depend on Router 1, because only Router 1 is running the DHCP server. So all the devices on Router 2 have to run over the powerline to get to Router 1 for DHCP resolution on ANY device all the time. If you turned off ONLY DHCP on Router 2, it could have a DNS table already set for filtering if you used assigned IPs for the PC2/Media/NAS to prevent that normally, but still this isn't the best solution (router to router).

Realistically, if you want to segment traffic, that is what VLANs are for: to take an established network and segment it to optimize the communications to stay within a segment, but that still usually also requires different IP sets to minimize such communications over slow (powerline) connection points in the network. If you have VLAN in Router 1, that would be the best solution overall to manage it, and make Router 2 a Wireless Bridge instead (dumb the brain of the router down to just pass traffic wirelessly).
 
It really depends how you cable them. Just disabling the DHCP server on router 2 does not make it a switch. If you were to cable to the WAN port on router 2 it will run by default as a router... now on Tomato you can set it to AP or bridge mode and then the WAN port becomes a LAN port in effect.

In any case, since it appears you are getting IP addresses via DHCP for all your devices on router 2, it means you must have cabled it correctly. When it is cabled this way your second router is indeed running as a switch.

To your main question: yes, the traffic that flows between the machines physically connected to router 2 will stay local to router 2. Because the machines on this router/switch are all in the same subnet, they will know they can communicate directly with each other via MAC addresses. A switch is a very simplistic device. It takes the packet, keeps track of which port the source MAC came in on, looks up the port the destination MAC is assigned to and tosses the packet out that port.

All traffic between these machines will only flow through these 2 ports. None of this traffic will be sent to the router.

Now I am assuming you are not using some internet-based application to run this. Simple file sharing or direct IP addresses in applications.
 


Yes, the media PC is just using samba to access the NAS device. So, Router2, even though it isn't doing DHCP, keeps a "NAT table" of the devices that are physically connected to it. And Router2 doesn't really differentiate between the gateway (Router1) and the other three devices it's physically connected to...that is, from Router2's point of view, Router1 is just another device with an IP address in the same subnet as the media PC and NAS...and it uses the NAT to keep track of which port to send packets to?




I kind of wondered about that. Each device needs to go back to Router1 for an IP address initially when it boots up, but that's only a small amount of traffic I don't care about. The major streaming traffic from device to device is where I'd like the traffic to be most efficient. Would Router 2 keep some kind of table on which port has which IP address connected to it, and not send the video stream back to router1?
 
NAT takes the external connection as one IP (192.1.1.10 - Router2 IP ) and then splits that to any device on Router2 as 192.1.2.x IPs (for example) in conjunction with assigning the IPs to those Router2 devices (aka DHCP). With DHCP OFF on Router2, none of this takes place (Network Address Translation) and just uses the IPs as passed to it for the devices that are connected to Router2 when they requested from Router1 their assigned IP. It records these in its DNS table to note where 192.1.1.5 is (PC1) as compared to 192.1.1.137 (NAS) when a packet of data comes addressed for a device.

The problem is there is a constant go back to Router 1 as the main 'router table' as it is the one assigning DHCP. So to validate the IP and scan for 'where is x.x.x.x' all devices have to send queries to Router 1, even if it was to Router 2 DNS table to then validate back to Router 1 the request in reality, all devices are still causing this to happen.

Hence why I would suggest either making two networks separately, but you cross-connect from Router 2 to Router 1, OR you just all off Router 1 (Router 2 as a wireless bridge for example) and use VLAN for the couple of specific devices.

I assume the whole point of the inquiry / exercise is that you see 'drag' somehow on the network? Where are you seeing the problem? What 'is' the problem you're seeing? If you're talking about how some 'internet' seems to be slowed down or such, it could as well be an issue NOT involving any of this.
 
If all the devices are in the same subnet, router 2 is running as a switch. NAT is only used to translate between different networks; since the traffic is not crossing between networks there are no NAT entries in router 2. Only router 1 has NAT entries and only for traffic going from your inside network to the internet. Pretty much the router only sees a bunch of MAC addresses coming in one port and going out the other. Since neither of the MAC addresses belongs to the router itself, it pretty much ignores it. Very technically the end devices could use a protocol that does not even use IP addresses at all and it would pass through fine.

When you look at consumer routers you can almost say there is a 5-port switch and a router with 1 WAN and 1 LAN in the same box. The traffic flow is identical as if you had 2 completely separate units. The traffic will never pass from the switch to the router unless the end device tells the switch to send it to the router's MAC..... or broadcasts to all ports.
 


Oh yes, they're all in the same subnet. Router 1 is IP address 192.168.1.1, and assigns DHCP in the range of 192.168.1.10-.199. Router2 has static IP address 192.168.1.201, subnet masks are all 255.255.255.0.

I'm not so much having issues as just wanting to optimize traffic and also to understand networking a bit. So, I'm not troubleshooting a problem specifically.

Thank you all for your explanations. I didn't know that the device acting as the DHCP server also must be the device that receives all the traffic. I thought Router2 knows something about which devices have which IP address.
 
No, the device running DHCP does not receive the traffic. The key reason that is not true is you can use DHCP helpers and have the servers running in a completely different country.

So let's assume your devices have IP addresses so there is no active DHCP traffic. Now let's also assume that you do not have your own DNS server so somehow your machines know the IP addresses of each other.

So now you have a machine1, say 192.168.1.50, hooked to port 1 on router 2. And you have machine2, 192.168.1.60, on port 2 on router 2. Now let's also say machine1 has MAC 1111 and machine 2 has MAC 2222.

Now what actually happens when you, say, open a file on 192.168.1.60 from 192.168.1.50:

Machine 1 sends src MAC 1111 dst MAC ffff (i.e. broadcast): ARP who has 192.168.1.60.
Now the switch on router 2 sees the MAC src address and assigns it to physical port 1. It then sends this message to all ports.
Machine 2 sees this packet and sees that it is its IP address.
Machine 2 sends src MAC 2222 dst MAC 1111: ARP reply, 192.168.1.60 is me.
The switch in router 2 sees this packet, puts MAC address 2222 on port 2, then looks up MAC 1111, sees it is on port 1 and sends the packet.
So machine 1 gets this packet and puts the ARP entry in its memory that says 192.168.1.60 is 2222.

So now he is ready to connect.

He now issues a TCP SYN packet for IP 192.168.1.60.
It will be SRC MAC 1111 DST MAC 2222, src IP 192.168.1.50 dst IP 192.168.1.60, SYN, dst port say 80, src port 6001.
The switch in router 2 already knows that 2222 is on port 2 so it sends the packet directly to that port.
Now machine 2 actually does the ARP process too, but I will skip that.
Machine 2 sends a TCP SYN ACK packet to 192.168.1.50.
It will be SRC MAC 2222 dst MAC 1111, src IP 192.168.1.60 dst IP 192.168.1.50, SYN ACK, dst port 6001 src port 80.
The switch will see destination MAC 1111 and send it to port 1.

......and so on

The packets only go to the switch they never go to either router.
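The exchange laid out in the post above (ARP request, ARP reply, then the TCP SYN and SYN/ACK) as an added example that is not part of any post in this thread: a small Python simulation of a port-learning switch. It also covers the earlier point that hosts in the same subnet talk directly via ARP rather than through the gateway, which is why nothing but the first ARP broadcast ever touches the uplink. The port numbers, the choice of port 4 as the powerline uplink, the toy MACs 1111/2222/ffff and the helper names (`Host`, `LearningSwitch`, `next_hop`, `simulate_stream_setup`) are all assumptions made for this example.

```python
"""Learning-switch simulation of the ARP + TCP handshake described in the thread.

Constructed example: a four-port switch (router 2's switch side), machine1 on
port 1, machine2 on port 2, and port 4 standing in for the powerline uplink
towards Router 1.  MACs are the toy values used in the post (1111, 2222, ffff).
"""
import ipaddress
from dataclasses import dataclass, field

BROADCAST = "ffff"          # toy broadcast MAC, mirroring the post's shorthand
UPLINK_PORT = 4             # assumed: the port that leads over the powerline to Router 1


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    desc: str               # human-readable description of the payload


@dataclass
class Host:
    name: str
    mac: str
    ip: str
    netmask: str = "255.255.255.0"     # the OP's mask
    gateway: str = "192.168.1.1"       # the OP's Router 1
    arp_cache: dict = field(default_factory=dict)

    def next_hop(self, dst_ip: str) -> str:
        """Same-subnet destinations are ARPed for directly; anything else goes via the gateway."""
        net = ipaddress.ip_network(f"{self.ip}/{self.netmask}", strict=False)
        return dst_ip if ipaddress.ip_address(dst_ip) in net else self.gateway


class LearningSwitch:
    """Learn source MAC -> ingress port; forward to the learned port, otherwise flood."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}            # mac -> port
        self.uplink_frames = 0         # how many frames crossed the powerline uplink

    def forward(self, in_port: int, frame: Frame) -> list:
        self.mac_table[frame.src_mac] = in_port          # learning step
        if frame.dst_mac != BROADCAST and frame.dst_mac in self.mac_table:
            out = [self.mac_table[frame.dst_mac]]        # known unicast: one port
        else:
            out = [p for p in self.ports if p != in_port]  # unknown/broadcast: flood
        if UPLINK_PORT in out:
            self.uplink_frames += 1
        return out


def simulate_stream_setup() -> dict:
    """Replay the post's four frames and report where each one was sent."""
    m1 = Host("machine1", "1111", "192.168.1.50")
    m2 = Host("machine2", "2222", "192.168.1.60")
    sw = LearningSwitch(ports=[1, 2, 3, UPLINK_PORT])
    trace = []

    # machine1 decides 192.168.1.60 is on-link, so it ARPs for it, not for the gateway
    target = m1.next_hop(m2.ip)
    trace.append(("ARP request", sw.forward(1, Frame(m1.mac, BROADCAST, f"who-has {target}"))))
    # machine2 answers unicast; the switch already learned 1111 on port 1
    trace.append(("ARP reply", sw.forward(2, Frame(m2.mac, m1.mac, f"{m2.ip} is-at {m2.mac}"))))
    m1.arp_cache[m2.ip] = m2.mac
    # TCP handshake: both MACs are learned, so each frame goes to exactly one port
    trace.append(("TCP SYN", sw.forward(1, Frame(m1.mac, m1.arp_cache[m2.ip], "SYN 6001 -> 80"))))
    trace.append(("TCP SYN/ACK", sw.forward(2, Frame(m2.mac, m1.mac, "SYN/ACK 80 -> 6001"))))
    return {"trace": trace, "mac_table": dict(sw.mac_table), "uplink_frames": sw.uplink_frames}


if __name__ == "__main__":
    result = simulate_stream_setup()
    for step, ports in result["trace"]:
        print(f"{step:12s} -> ports {ports}")
    print("MAC table:", result["mac_table"])
    print("frames that crossed the powerline uplink:", result["uplink_frames"])
```

Running it shows the ARP request flooded to ports 2, 3 and 4 (so one frame does reach Router 1, which simply ignores it since neither MAC is its own), and every later frame delivered to a single port; the uplink counter stays at 1 for the whole handshake, which is the behaviour the post describes.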
 
I see where Bill is going, but again that is back to 'assigned IP per device', which the OP isn't doing, and not doing a 'business level' network topology you're using as your basis, Bill.

He has a simple network, and using the simplest method which is two routers, one with DHCP assigning turned off (Router2) ALL OTHER ROUTER FUNCTIONS INTACT *this is important* and using a Powerline to connect Router2>Router1
PC1 is hardline into Router1, all other devices into Router2.
All devices except Router2 use DHCP for ease of management and no getting into TCP ACK or SYN consideration.
That is it, simple clean.

Taking a giant leap back from Bill's in-depth answer; I was saying, Router1 is sitting there, person turns ON the Media PC, Media PC has to travel through Router 2, Powerline to Router1 and ask for a DHCP address. Media PC stays on and let's say PC2 wants to access NAS, PC2 asks 'where is mynetwork.NAS'? It then needs a translation of that to IP so it goes to Router2, and its DNS table (which it checks and synchronizes at set intervals with Router1) can either say 'it is 192.168.1.15' or it can say 'I dunno' then pass the request back along the Powerline to Router1, which then can tell PC2 the IP.

BUT, that is if ROUTER2 is actively providing the DNS Table, if it is not, based on the 'settings' DNS would be back to Router1, so any request for 192.168.1.15 it has to send the request to the 'DNS SERVER' which is per DHCP set to 'send requests to 192.168.1.1' (aka Router1) to know where 'anything is' on the network.

All this is basic traffic though and isn't gobbling up bandwidth (optimizing traffic) as you're concerned; your main concern seems to me (if I understand) Media PC wants to play Crimson Tide from the NAS, does the traffic (the movie) constantly make the request for the next packet of information by going Media PC>Router2>PowerLine>Router1>Powerline>Router2>NAS? Unless Router2 was turned into a Wireless bridge (deactivating all functions), the answer would be no, as Router2 should make its own DNS table based on what Router1 has said already, and when a packet needs to be routed, it keeps it on Router2 only to 'route' through the ports.

As I indicated though, to optimize this among the Routers, the BEST solution is implementing a VLAN, so the routers each will isolate the packets even more to keep them inside the VLAN only (in this case port 2 for NAS to port 4 Media PC) and optimize the traffic back and forth between those two ports rather than a full-blown scan of the Router to look for the port each time a packet makes a request, or across the entire network looking for the device at all.
 
I really don't follow you tom.

He very clearly answered he was using a single subnet. This means router 2 IS running in bridge mode. The DHCP request cannot reach router 1 unless it is.

Now I do agree some small amount of traffic on system startup will have to travel over the powerline device which I guess is a waste but it is tiny. You can just set the lease time to 6 months and it will only verify the DHCP lease every 3 months.

So now on to DNS. Why would you think you can even use DNS to resolve private IP addresses? Where EXACTLY do you plan to define that the string "mynetwork.NAS" maps to IP 192.168.1.15? A router cannot act as a DNS; it only proxies to a real DNS. ISP and other public DNS servers will not allow you to store private IPs in their DNS server. You almost always have to have your own DNS server to do this, or, much more commonly, people just use the IP address. The DNS traffic would never go to router 2 in any case; the DHCP server would either give the private internal DNS server or router 1's IP address.

Now lets ignore that and assume you magically can get this resolved.

So the PC sends an NSLOOKUP to the DNS server to find this private IP. And yes, that traffic will go to the main router and out to the server wherever that is.

So now the PC has the DHCP and the IP address. Now since the DNS information is cached for the period of time the DNS server says, the PC will no longer ask about this name or ask the DHCP server.

At this point it appears you agree with me that all traffic will flow directly between the 2 devices and no more traffic will flow over the powerline until the timers expire for the DNS and the DHCP.

Is the point of your post he should use a different design to reduce this tiny amount of DHCP and DNS traffic ?
 
Bill: STOP for a second. Your 'glassview' is from a large-scale network topology and is not inclusive of the current state of consumer-grade equipment; you're looking at this at the larger-scale design with specific interests and targets to meet, completely opposite to the consumer model.

The consumer model is to wrap everything possible the consumer might run into, into the smallest, cheapest, easiest for an 'idiot that can at least just read the screen' model possible. One of the simplest methods is to turn a Consumer Router (for your purposes a NAT Router) like the OP has into a DNS Proxy for connecting 'clients' (PC1, NAS, etc.). As noted by GRC (https://www.grc.com/dns/configuring.htm): "In the case of having received the router's own private LAN IP for DNS resolution, machines on the LAN behind the router will send their DNS queries to the router, believing it to be a DNS resolver when, in fact, the router operates as a "proxy" for the actual public DNS resolvers. The router forwards any received DNS queries to the actual DNS resolvers on the public Internet and returns their results to the machine that originally issued the DNS query".

So when (in the OP model) PC2 is looking for where 192.168.1.15 is, Windows in PC2 says, okay my DNS is 192.168.1.1 (router1) because DHCP told it so, unless the OP (as I said numerous times and see below) has Router2 DNS active where it would answer instead (DHCP DNS table shows 192.168.1.201 192.168.1.1). PC2 then > Router2 > powerline > Router1 "Hey where is 192.168.1.15?" and then Router1..... back to PC2 responds; thus the traffic the OP is asking about. Any 'looking' for anything would bounce the 'entire' length of the network each time any device has a similar question, or better yet needs to translate (NAT) what "mynetwork.NAS" is (which actually is how Windows 'sees' the device at layer 7 when OP clicks on FILE>OPEN>CrimsonTide.MPEG; that is where I 'get it from': on network 'mynetwork' look for devicename 'NAS').

Now to completely blow your "A router can not act as a DNS it only proxy to a real DNS" discussion, you seem to have missed out on OpenWRT, Tomato, and the rest. They are touted by many Router manufacturers as either already installed or 100% compatible firmware, replaceable with the community-based router firmware that is much better than the normal manufacturer's implementation. Included are many features; most specifically sought out was a reliable VPN solution as well as more security, but also DNS SERVER ON THE ROUTER http://wiki.openwrt.org/doc/uci/dhcp . These firmware replacements are very common, most notably on the original and very popular WRT Router by Linksys.

That said, let's dial the discussion back a bit. The point of my response was to answer his initial VAGUE, GENERALIZED questions, as the OP was not specific on what he was looking to 'achieve'. I asked, and in the last response I gave I re-answered to clarify that if the OP's concern was really not this 'little traffic' but instead

"Media PC wants to Play Crimson Tide from the NAS, does the traffic (the movie) constantly make the request for the next packet of information by going Media PC>Router2> PowerLine > Router1>Powerline>Router2>NAS ? Unless the Router2 was turned into a Wireless bridge (deactivating all functions) , the answer would be no, as the Router2 should make its own DNS table based on what Router1 has said already, and when a packet needs to be routed, it keeps it on Router2 only to 'route' through the ports. "

As for anything else the OP would like answered about it I am not seeing anything just your 'big picture' view of his small issue.
 
Since when am I proposing any commercial topology. It is you talking about vlans and such.

I am looking since the very beginning at a very simple consumer type install. Router 1----> router 2 being used as a AP. This is most common multiple router install you will find.

I stated exactly the same I know very well the router is going to proxy the DNS. You neglect 1 critical fact. RFC1918 says.
http://tools.ietf.org/html/rfc1918
"Indirect references to such addresses should be contained within the
enterprise. Prominent examples of such references are DNS Resource
Records and other information referring to internal private
addresses. In particular, Internet service providers should take
measures to prevent such leakage."

This means NO public DNS server will allow you to put private IP addresses into their DNS. So there is no place to proxy it to that will work. To get private addresses to resolve you must have your own private DNS server.
It appears you are confusing ARP with DNS. You say PC2 is looking for 192.168.1.15 and wants to know where 192.168.1.201 is. This is in the EXACT same subnet. It does not ask the router or the DNS; it just directly broadcasts out an ARP and 192.168.1.201 directly responds.

I spent a lot of time writing out how layer 2 communication is done in my other post; you need to go back and read it.

The vast majority of people cannot set up their own DNS server, much less set it up on dd-wrt, so they just use the IP addresses directly.

So the vast majority of home users just use the IP directly to connect. When you do this there is no DNS traffic anyway. All there is are ARP and actual user traffic flowing between the ports of the device they are connected to.
 
