11-08-2021 08:35 AM - edited 11-08-2021 10:44 AM
Hi, I have the following scenario:
Internet/ISP-----Modem/Router R1-----Router R2-----PC/Server
                         |
                         |
                         |
               Mobiles, NAS, Printer, etc...
Local network of R1: 192.168.2.0/25.
Local network of R2: 192.168.1.0/28.
ISP is providing a public IP address x.x.x.x.
Now, here's what's happening:
And here's what I tried:
Is there anything missing?
Any suggestion is highly appreciated...
11-09-2021 07:25 AM
Hello
@Rolitto wrote:
devices on R1's LAN cannot access to or ping devices on R2's LAN
devices on R2's LAN can access other devices on R1's LAN.
So for that to happen there is no issue with routing; it sounds like a security policy negating the echo-reply returning from R2 to R1.
R1 host initiate ping (echo request) R2 hosts (echo-reply) = fail
R2 host initiate ping (echo request) R1 hosts (echo-reply) = works
11-09-2021 07:49 AM
Exactly.
I previously exchanged R2 (the DD-WRT router) with a very basic router with the least security options checked so that I wouldn't doubt about that. I had the same issues.
11-09-2021 10:34 AM
Hello
So the PC/server doesn't have a software fw, and you say other devices attached to R2 are experiencing the same thing, so it cannot be down to an individual device from Rtr2's LAN perspective. And you are saying it isn't the WRT negating ICMP and you have no access-list or security policies on R1... time for a debugging session I think!
So does that Dlink or WRT rtr have the capability to debug? If not, can you wireshark from the laptop?
11-09-2021 11:01 AM - edited 11-09-2021 11:19 AM
Yes, the PC/Server has the McAfee anti-virus installed on it, but when I completely disabled it (turned off the firewall) and tested, it didn't change the outcome much.
Besides that, the NAS was previously on the same network as the PC/Server and assigned with IP address 192.168.1.100, but wasn't replying to ping echo requests from any device on network 192.168.2.0/25. So you could tell it's not the firewall software on PC/Server that's causing all this.
In my opinion, there's a security policy hidden somewhere within other functionalities and that I'm not aware of, and/or a misconfiguration in the DMZ option.
The PC/Server has Wireshark installed on it and upon trying some debugging, I noticed that any ping echo request that I expected to get from, let's say, IP address 192.168.2.20 was simply not found in the Wireshark output. And I also tried from several devices on network 192.168.2.0/25, not just one to eliminate any doubt...
So I assumed that packets are reaching R2, but are not being forwarded by R2 to PC/Server or previously the NAS.
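The asymmetric ping test described in the earlier reply and the Wireshark check in this post, as an added example that is not part of the thread: a Python script that takes a list of raw IPv4/ICMP packets as seen from the PC/Server's side, validates the IP and ICMP checksums, pairs each echo request the host sent with its reply, counts the echo requests that actually arrived at the host per source, and reports which expected sources (the 192.168.2.x pingers) never showed up at all. The capture is constructed inline, the PC/Server address 192.168.1.2 is an assumption (the thread only gives the /28 subnet), and the packets carry no Ethernet header; to feed it a real capture you would strip the link-layer header from each frame first.

```python
"""Pair ICMP echo requests and replies in a packet list (added example, not from the thread)."""
import socket
import struct
from collections import defaultdict

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 when a stored checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(src: str, dst: str, icmp_type: int, ident: int, seq: int,
               payload: bytes = b"wireshark-test") -> bytes:
    """Build a minimal IPv4 + ICMP echo packet; used only to construct sample capture data."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_icmp_echo(pkt: bytes):
    """Return (src, dst, icmp_type, ident, seq) for a valid IPv4 ICMP echo packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 8:
        return None
    if inet_checksum(pkt[:ihl]) != 0:          # corrupted IP header
        return None
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 1 or total_len > len(pkt):    # protocol must be ICMP, length must fit
        return None
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    icmp = pkt[ihl:total_len]
    if inet_checksum(icmp) != 0:               # corrupted ICMP body
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        return None
    return (src, dst, icmp_type, ident, seq)


def analyze_capture(packets, local_ip: str) -> dict:
    """Summarize echo traffic from local_ip's point of view.

    requests_from: source -> number of echo requests that reached local_ip
    answered:      hosts that replied to an echo request local_ip sent
    unanswered:    (dst, ident, seq) of requests local_ip sent with no matching reply
    """
    requests_from = defaultdict(int)
    sent = set()
    replied = set()
    for pkt in packets:
        parsed = parse_icmp_echo(pkt)
        if parsed is None:
            continue
        src, dst, icmp_type, ident, seq = parsed
        if icmp_type == ICMP_ECHO_REQUEST and dst == local_ip:
            requests_from[src] += 1
        elif icmp_type == ICMP_ECHO_REQUEST and src == local_ip:
            sent.add((dst, ident, seq))
        elif icmp_type == ICMP_ECHO_REPLY and dst == local_ip and (src, ident, seq) in sent:
            replied.add((src, ident, seq))   # reply echoes the request's id/seq
    return {
        "requests_from": dict(requests_from),
        "answered": sorted({k[0] for k in replied}),
        "unanswered": sorted(sent - replied),
    }


def missing_sources(summary: dict, expected_sources) -> list:
    """Expected pingers whose echo requests never appeared in the capture at all."""
    return [s for s in expected_sources if s not in summary["requests_from"]]


PC = "192.168.1.2"   # assumed PC/Server address on R2's LAN
# Constructed sample capture, not a real trace: the PC's own ping out to R1's LAN works,
# another R2-LAN host can ping the PC, and nothing from 192.168.2.x ever arrives.
SAMPLE_CAPTURE = [
    build_echo(PC, "192.168.2.20", ICMP_ECHO_REQUEST, 0x0101, 1),
    build_echo("192.168.2.20", PC, ICMP_ECHO_REPLY, 0x0101, 1),
    build_echo("192.168.1.5", PC, ICMP_ECHO_REQUEST, 0x0202, 1),
    build_echo(PC, "192.168.1.5", ICMP_ECHO_REPLY, 0x0202, 1),
    build_echo("192.168.2.20", PC, ICMP_ECHO_REPLY, 0x0101, 9),   # stray reply, no request
]

if __name__ == "__main__":
    result = analyze_capture(SAMPLE_CAPTURE, PC)
    print(result)
    print("never seen:", missing_sources(result, ["192.168.2.20", "192.168.2.21"]))
```

If the expected 192.168.2.x sources show up in `missing_sources` while the host's own outbound pings are all answered, the echo requests are being dropped before they reach the host, which is the conclusion drawn above; if they appear in `requests_from` but the host sends no reply, the host's own firewall is the suspect instead.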