G3100 / 2nd LAN Router / Connectivity Issues
cscscs
Enthusiast - Level 2

I was able to better isolate an issue I've been having for weeks, and it is now reproducible.

Scenario:

Fios service with G3100 router, LAN is 192.168.1.0/24, G3100 IP is 192.168.1.1. I also have a 2nd LAN in my home (192.168.2.0/24), which is accessible via a Ubiquiti EdgeRouter X (IP 192.168.1.2), which is plugged into the G3100, and configured only as a router (no firewall, etc). A route statement for 192.168.2.0/24 was added to the G3100, with a gateway of 192.168.1.2.

Under that scenario, from LAN 1, I am unable to maintain connectivity to resources on the 2nd LAN (traffic types are SSH, Remote Desktop, HTTPS). I can initially connect, but over a period of a couple of minutes, those connections are dropped (some apps reconnect on their own, some, like ssh, do not). Constant pings never appear to fail.

After much troubleshooting and initially thinking the issue was the EdgeRouter, this appears to be some sort of routing issue on the G3100. If I add a local route statement on my LAN 1 resources (bypassing the G3100 and sending traffic directly to the EdgeRouter), then connectivity is never dropped. Otherwise, I am able to quickly and reliably reproduce the issue. This happens for both wired and wireless connections from LAN 1.

Logs on the G3100 show no obvious issues. Has anyone seen anything similar or have thoughts on what the issue might be?

dslr595148
Community Leader

Ok, sorry for the delay.

I pointed to my thread at DSLR (dslreports.com) -> Forums -> Broadband and Networking -> Networking -> No NAT with two routers.... and got feedback back.

1


To be honest,

a) sounds like the OP in that post fixed it, they were just asking why they needed to add the static route. And I already answered that.

b) without knowing the specific reason / rationale for why said OP did their network that way, why is there a need for them to change / "fix" anything? Yes, a flat network with a single subnet is simplest from a KISS perspective, but the OP did not volunteer the reason that led them to this, nor did anyone ask why they set it up this way.

Without knowing that, why make a mountain out of a molehill?

2



So, for the true OP of that thread, are you suggesting that they switch

From

FIOS ONT -> G3100 -> EdgeRouter X

To

FIOS ONT -> EdgeRouter X -> G3100

and that will solve their issue???

And since they have FIOS, that will not cause issues if they have FIOS TV?

As in: I say to them if they do not have FIOS TV too, switch the layout around.



Because a connection is initially established, the static route to 192.168.2.x is already in place. I would say the remaining issue is a stateful firewall problem due to asymmetric routing.

Initially a connection is established from a device on LAN 1 via the G3100 and then routed to the EdgeRouter and finally to its destination host on LAN 2. The return path is different: the reply leaves the host on LAN 2, is routed through the EdgeRouter and directly to the host on LAN 1, because the EdgeRouter has an interface on LAN 1. The G3100 does not see the return traffic, and as a result the firewall will drop the connection after the TCP 'new connection' state expires, because no return traffic allows the G3100 to turn it into an established connection. ICMP and UDP are not stateful traffic types and will always pass the firewall if allowed.

There are two options to fix this: the ideal one is to have a network layout that does not result in asymmetric routing (such as a dedicated transit subnet between the EdgeRouter and the G3100), or to modify the firewall of the G3100 to allow connections with invalid TCP flags. Not sure if either one is feasible.

I think there may be a way to cheat by setting the subnet mask of the EdgeRouter interface to a /30 on LAN 1 such that it will always send replies via the G3100 to reach the rest of LAN 1.


TechInMD
Enthusiast - Level 1

Hello @dslr595148 and @cscscs 

I apologize for being a plunger here (bringing up old $41T 😜 ). I will start by stating that I have recently attained my CCNA, so I have a home lab that I use for study. I will constantly make configuration changes, topology restructuring, dynamic routing implementation, etc. I state this because of the response about why the OP would want this type of configuration.

My network configuration is similar. The only difference is my second network IP address scheme is using the 172.30/16 network, but I am breaking this down using ROAS sub-interfaces to reduce broadcast domain sizes. This has worked up until recently (I suspect that the latest FW update has made a change to the IPTables rules).

I fully understand that dot1q encapsulation (port tagging) becomes an issue when dealing with the G3100. The router will drop packets that have port-tag headers as malformed, because VLAN capabilities in the G3100 are administratively disabled. So all traffic on the second network passes from an L3 switch (Catalyst 3750G) through a trunk line to the router (Catalyst 2911) across the NATIVE VLAN to ensure the traffic is passed untagged. I do this even knowing that the tags are removed on the router side of the trunk, before being passed through the LAN1-facing interface. The issue I am seeing now is the traffic is simply not passing through the G3100.


- I just want to confirm the concept here. Setting the LAN1-facing interface on the 2911 to a static IP 192.168.1.2 with a mask of /30 (255.255.255.252), along with a matching static route, will force all broadcasts to the only other host within that BD (192.168.1.1), effectively directing all traffic to the G3100, in order to be routed accordingly?

As of late, I have been needing to create port forwarding rules from any outside port to any desired host within LAN2 to get connectivity into that host. So I can ping, SSH, etc., into the device, but it still does not have connectivity. Devices within LAN2 can ping each endpoint within; they can also ping LAN1 (192.168.1.1) and the public IPv4 address bound to the WAN interface. That is where the connectivity stops. I cannot ping the next hop (public IPv4 default gateway times out), and I cannot ping any device in the 192.168.1.3-254 range. All static routes are in place and configured accordingly. I have also tried obtaining the LAN1-facing interface IP address via DHCP, as it properly configures the GOLR (Gateway of Last Resort), eliminating the need for a static default route. This is no longer the case.

I am grateful that I found this post! Asymmetric routing had never crossed my mind (hence why I am constantly learning and honing my skillset). I am going to make this configuration change and test the outcome. Thank you for any response, and any additional information you can provide!

@TechInMD wants to thank ALL MEMBERS from ALL COMMUNITIES that take the time to help people that have issues that are naturally considered outside of the ISP's scope of support. You are the true unsung heroes!

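Added example (my code, not posted by anyone in this thread and not Verizon or Ubiquiti configuration): a small Python model of the topology described here. It traces the forward and return paths through the G3100 and the EdgeRouter, runs a minimal stateful-firewall table over the packets the G3100 actually sees, and shows why a TCP session survives only when both directions cross the G3100. It covers the asymmetric-routing explanation quoted above and the /30 question TechInMD asks: with the EdgeRouter's LAN1 interface masked /30, its connected route covers only 192.168.1.0-.3, so replies to any other LAN1 host fall through to the default route via the G3100. The client address 192.168.1.50, the server address 192.168.2.10, the 60-second NEW-flow timeout and the connection-tracking logic are constructed assumptions, not the G3100's real implementation; ICMP (the OP's pings) is not modelled.

```python
import ipaddress

# Constructed model of the thread's topology (added example, not posted config):
#   LAN1 192.168.1.0/24: G3100 at .1, EdgeRouter LAN1-side interface at .2
#   LAN2 192.168.2.0/24: behind the EdgeRouter, static route on the G3100 via .2
G3100 = "192.168.1.1"
EDGE_LAN1 = "192.168.1.2"
CLIENT = "192.168.1.50"    # a LAN1 workstation (assumed address)
SERVER = "192.168.2.10"    # an SSH/RDP host on LAN2 (assumed address)


def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) entries. A gateway of None
    means 'directly connected', so the packet is handed straight to dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        net = ipaddress.ip_network(net)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return dst if best[1] is None else best[1]


def g3100_routes():
    return [("192.168.1.0/24", None),        # its own LAN
            ("192.168.2.0/24", EDGE_LAN1)]   # the static route the OP added


def edgerouter_routes(lan1_prefixlen):
    """EdgeRouter table with its LAN1 interface masked /lan1_prefixlen.
    With /24 every LAN1 host is 'connected'; with /30 only .1 and .2 are,
    so replies to other LAN1 hosts fall through to the default via the G3100."""
    return [(f"192.168.1.0/{lan1_prefixlen}", None),
            ("192.168.2.0/24", None),
            ("0.0.0.0/0", G3100)]


def trace(src, dst, first_hop, lan1_prefixlen):
    """Routers a packet from src to dst passes through, starting at the
    sender's gateway (the EdgeRouter is identified by its LAN1-side address)."""
    tables = {G3100: g3100_routes(), EDGE_LAN1: edgerouter_routes(lan1_prefixlen)}
    hop, path = first_hop, []
    while hop != dst:
        path.append(hop)
        hop = next_hop(tables[hop], dst)
    return path


class Conntrack:
    """Minimal stateful-firewall TCP table: a SYN creates a NEW flow, which
    becomes ESTABLISHED only when this firewall sees the reply direction.
    A NEW flow that never sees a reply is expired after NEW_TIMEOUT seconds
    and later packets on it are dropped. The timer is an assumed value."""
    NEW_TIMEOUT = 60

    def __init__(self):
        self.flows = {}   # (initiator, responder) -> [state, last_seen]

    def inspect(self, src, dst, syn, now):
        key = (src, dst) if (src, dst) in self.flows else (dst, src)
        entry = self.flows.get(key)
        if entry is None:
            if not syn:
                return "drop"             # mid-stream packet with no flow
            self.flows[(src, dst)] = ["NEW", now]
            return "accept"
        if entry[0] == "NEW" and now - entry[1] > self.NEW_TIMEOUT:
            del self.flows[key]           # half-seen handshake expired
            return "drop"
        if key == (dst, src):
            entry[0] = "ESTABLISHED"      # reply direction observed
        entry[1] = now
        return "accept"


def session_survives(lan1_prefixlen, client_gateway=G3100):
    """One SSH-like session: handshake at t=0, then client data at t=120 s.
    The G3100's firewall inspects only packets whose path crosses the G3100.
    Returns True if every inspected packet is accepted."""
    fw = Conntrack()
    fwd = trace(CLIENT, SERVER, client_gateway, lan1_prefixlen)
    rev = trace(SERVER, CLIENT, EDGE_LAN1, lan1_prefixlen)
    packets = [(CLIENT, SERVER, True, 0, fwd),     # SYN
               (SERVER, CLIENT, False, 0, rev),    # SYN-ACK
               (CLIENT, SERVER, False, 120, fwd)]  # later keystrokes
    verdicts = [fw.inspect(s, d, syn, t) for s, d, syn, t, path in packets
                if G3100 in path]
    return all(v == "accept" for v in verdicts)


if __name__ == "__main__":
    for prefixlen in (24, 30):
        print(f"/{prefixlen}: return path {trace(SERVER, CLIENT, EDGE_LAN1, prefixlen)},"
              f" session survives: {session_survives(prefixlen)}")
    print("host route straight to EdgeRouter, session survives:",
          session_survives(24, client_gateway=EDGE_LAN1))
```

With the /24 mask the return path is just the EdgeRouter, the G3100 never sees the SYN-ACK, and the client's later data is dropped once the NEW entry ages out; with /30 the return path is EdgeRouter then G3100, the flow becomes ESTABLISHED and survives. The third case is the OP's workaround, a host route on the LAN1 workstation: the G3100 is on neither path, so its firewall never has a say. The real G3100 timers and the treatment of out-of-state packets are not public, so only the shape of the failure, not its timing, should be read from this.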
dslr595148
Community Leader

#1 To me it seems that your network is set up wrong.

#2 For that other router, you must:

a) Have it disconnected at this step.

b) Set its LAN IP Address with the same subnet as the primary but outside of the primary router's DHCP range.

For example, with the primary IP Address 192.168.2.1 with the subnet mask of 255.255.255.0, the first DHCP address that it hands out is 192.168.2.100 and the last DHCP address that it hands out is 192.168.2.254 - then the other router's LAN IP Address could be 192.168.2.6

c) Disable the DHCP Server in the second RJ-45 WAN port NAT router.

#3 Once you make those changes, now you can connect both of those routers together but this time LAN to LAN.

cscscs
Enthusiast - Level 2

Thanks for the reply. All that is done. I didn't want to have too much detail in the original post at the risk of confusing the issue, but my other router has static IP assignments 192.168.1.2 on "LAN 1" side (which is outside the DHCP scope offered by the G3100), and 192.168.2.1 on the "LAN 2" side. The resources on the 2nd LAN (192.168.2.0/24) all have static IPs, and DHCP is not being offered at all by the other router. 

dslr595148
Community Leader

Ok, I will try this again but a little bit different.

I point to and quote part of my own thread, How to get into a modem/router that is in bridge mode:


Users who connect the RJ-45 WAN port of their own (separate) NAT router who put their modem into bridge mode (not configured to handle a WAN IP), typically can not by default get access anymore to their modem's UI.

snip

I know every single method to get into a device while it is in bridge mode.

snip

** Option 5 - Another Possible fix with access to both and online. **

#1 Both of the routers can not be in the same subnet and you must have a second RJ-45 WAN port NAT router.

#2 For that other router, you must:

a) Have it disconnected at this step.

b) Set its LAN IP Address with the same subnet as the primary but outside of the primary router's DHCP range.

For example, with the primary IP Address 192.168.2.1 with the subnet mask of 255.255.255.0, the first DHCP address that it hands out is 192.168.2.100 and the last DHCP address that it hands out is 192.168.2.254 - then the other router's LAN IP Address could be 192.168.2.6

c) Disable the DHCP Server in the second RJ-45 WAN port NAT router.

#3 Once you make those changes, now you can connect both of those routers together but this time LAN to LAN.

#4 Now in the third router, set up its WAN IP to be static in the same subnet as the device that is in bridge mode.

IP Address: 192.168.1.2
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.1.1
DNS #1: 192.168.1.1

#5 Now you can connect the WAN port of the third router to the LAN port of the device that is in bridge mode.

#6 Now in the second RJ-45 WAN port NAT router, you use a static route in this format:

Subnet IP: (the subnet of your modem)
Mask: (the Subnet Mask of the primary and secondary router on the LAN)
Gateway: (the IP address of the secondary router on the LAN)

Like so:

Subnet IP: 192.168.1.0
Mask: 255.255.255.0
Gateway: 192.168.2.6

#7 Again, You can now talk to 192.168.1.1


Does that talk about what you are trying to do?

cscscs
Enthusiast - Level 2

No, I'm aware of bridge mode and that is not what I'm attempting to do. At the simplest form, the G3100 is online, doing what it is supposed to do and otherwise working fine. I am adding an additional internal router, which sits in front of an additional /24 private IP space. The routing functionality is working correctly, and for all purposes everything is working fine in terms of routing, accessibility, etc, except for the fact that connections are being dropped (seems like persistent connections for the most part, or at least that's where I notice it the most). I work in IT and am very comfortable in the correctness of the setup I have. 

The primary issue continues to be that connections (ssh, RDP, etc) into the 2nd LAN are dropped under the default routing behavior (where the G3100 redirects traffic for the 2nd LAN to the 2nd internal router). The only way I can stop the disconnects is to put a persistent route statement on my LAN 1 workstations which directs 192.168.2.0/24 directly to the 2nd router, bypassing the G3100 as the default next hop gateway. Does that make sense?

dslr595148
Community Leader

Ok, I think I get it. Just to be sure that I am on the same page, I will tell you the network layout and config that I had the last time I was on DSL.


#1 Actiontec GT784WNV, besides being connected to the power supply, was also connected to the phone wire and only to the primary NAT router.

#2 Put the Actiontec GT784WNV into bridge mode per directions and left its LAN IP alone.

#3 Made sure that my primary NAT router was in a different subnet from the Actiontec GT784WNV, e.g. Actiontec GT784WNV at 192.168.1.1 and primary NAT router at 192.168.2.1

#4 Converted another router to act as a hub/switch/WAP within the same LAN subnet as the primary router, outside of the DHCP range and with DHCP in it disabled. Example: primary NAT router DHCP set to 192.168.2.00-192.168.2.200 and the converted router LAN at 192.168.2.6 w/ DHCP disabled

#5 Set the WAN IP of the converted router to be in the same subnet as the Actiontec GT784WNV and connected its WAN port to the Actiontec.

#6 Set up the route trick in primary NAT router and connected the WAN port of the converted router to one of the other LAN ports of the Actiontec GT784WNV.

#7 Then I was able to access the Actiontec GT784WNV with help from both the primary and converted routers.

#8 As noted in How to get into a modem/router that is in bridge mode

** Option #9 (with access to both and online) **

Also I heard/read (REF = Another thread at DSLR Re: Access to modem combo while in bridge mode ) that instead of two NAT routers, a Dual WAN port router will work.

Q: Is that true, you ask, what I was told?

A: Unless I convert a computer into acting as a NAT router, I can not tell you, because all of my RJ-45 WAN port NAT routers only have one WAN port.


Since I told you the network layout and config that I had the last time that I was on DSL, it would help to confirm the network layout, because as of now I can only guess at the network layout that you have.

ONT -> EdgeRouter -> G3100 -> your computers.

Different wording just so that info above is clear.


The WAN port of the EdgeRouter (but not doing NAT and unless I am mistaken this is in something called bridge mode) is connected to the LAN port of the ONT

The WAN port of the G3100 is connected to the LAN port of the EdgeRouter.

Then your computers are behind the G3100.


??

And I do not know a whole lot about your EdgeRouter. To be more exact: Does it have only one WAN port or is it a Dual WAN port NAT router?

cscscs
Enthusiast - Level 2

Not quite my layout. Here's a diagram which I should have included earlier to make it more obvious. Hopefully that clears up my layout. The ONT device is between the G3100 and the "Internet"; it's all installed by Verizon as their standard and I haven't changed any of that. I simply added an additional router on my side of the LAN, to facilitate routing to another internal LAN, and that's where I'm having the issues described in the initial post. To add more detail about the Ubiquiti EdgeRouter - it's only acting as a router, no firewall, no NAT, no QoS, no DHCP, no DNS, or anything else besides basic routing.

dslr595148
Community Leader

I am not sure, but I believe I know the right answer, thanks to your diagram and some of the config that you posted.

You must add at least NAT. Without at least NAT, I fail to understand how that works.

Without DHCP, all of the computers behind the router would need to set up a static IP to access the network and in turn the net.

For the DNS: Well that will depend on what that will do as each router is different.

By default my router (Linksys E4200 running third party firmware Tomato) acts as a DNS relay. Please note: since I am not sure if I used the right term or not, I am providing this example of what I meant by that.

DNS relay enabled:
IP Address: 192.168.1.100
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.1.1
DNS: 192.168.1.1

DNS relay disabled:
IP Address: 192.168.1.100
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.1.1
DNS: 4.2.2.2
DNS: 4.2.2.3

cscscs
Enthusiast - Level 2

None of that is the issue. NAT is not required, as this is just basic routing. All resources on the 2nd LAN do have static IP assignments, so DHCP is not required. Also has nothing to do with DNS as I'm not having any name resolution issues, and have ruled that out by accessing resources by IP. NAT is enabled on the G3100 router to get to the Internet, but that isn't the problem at all, as my issue has to do with specific access from LAN 1 to LAN 2. Routing (without NAT) is working fine, and my issue is just with specific persistent connections (ex: SSH, RDP) from LAN 1 to LAN 2. As described earlier, I have validated that this is an issue when traffic goes through the G3100, because if I add a route statement on LAN 1 workstations to bypass the G3100 for LAN 2 connectivity, and route directly through the 2nd router, I do not experience the issue.
