LAN within a LAN configuration


#1

My primary LAN router is a 380. LAN is 198.42.231.0/24. The 380 LAN address is at 198.42.231.124.

I am installing a lot of video cameras which will create a lot of LAN bandwidth so I am putting them on a completely separate wired LAN to isolate the traffic. Users on the primary LAN need to access the cameras so I need a router to bridge the two. I already had a spare 210 from an upgrade so I will use that for the bridge.

The 210 for the cameras is configured with its WAN1 as 198.42.231.242, and gateway/dns 198.42.231.124. The 210’s firewall rules are “allow” any inbound and outbound. The 210’s WAN1 port is connected to the 380’s LAN. Devices on the 198.42.231.0 network have no trouble communicating with the 210.

The 210 is a DHCP server for its own LAN at 198.42.232.0/24. I have cameras plugged into the 210’s LAN, and they do acquire DHCP addresses. I can see them from the 210’s client list.

On the 380, I put a static route of 198.42.232.0/24 > 198.42.231.242. This is intended for the user PCs to know how to find the cameras on the other LAN. I don’t think the 210 needs a static route because that is the address of its WAN1.

I am unable to communicate from the 231 LAN to devices on the 232 LAN. What am I doing wrong?


#2

I expect you have left WAN1 on the Balance 210 as NAT (which is the default). Change this WAN to use IP Forward instead of NAT for its routing.


#3

Martin - I will try that. I did not change it from the default. For my understanding and others who may read this thread, can you tell me what the difference is between those two options?


#4

Sure. As you know, a router routes traffic between two or more networks. Typically - at least in our world at Peplink - you will be routing between devices on a local private network and the public internet.
Your internet access router or gateway (be that from your ISP or a Peplink device) uses NAT (Network Address Translation) to map requests for internet access from your LAN devices to its (normally) single public IP address on its WAN.

So when you request an internet based resource (be it a webpage or video stream) the remote servers know how to route that back to your gateway’s public IP. Your gateway then translates the incoming traffic (since it remembers which LAN IP asked for what) to the internal private IP of the device that originally requested the resource. This process means that you can have thousands of devices all with private IPs on your LAN that connect to the internet using a single public IP (which is good news since there are a limited number of public IPv4 addresses available in the world and we are running out of them). Importantly, the firewall on a NAT router needs to be stateful - that is to say it will only allow inbound traffic from an IP on its WAN if a device on its LAN has already initialised a session with it.

When using IP Forwarding on the WAN of a Peplink device, NAT is disabled. Instead the router will simply forward the network traffic on to either the target destination (if that device is on the same subnet as the Peplink WAN) or the next router, based on its routing table. For the receiving router to be able to return the traffic to our gateway it needs to have a route in its table for that network with the IP of a gateway device that can act as a path or route for it. These routes can be manually set with static route entries or learnt dynamically using a routing protocol like RIP.

So let’s look at your case.


Assuming NAT is enabled on the WAN1 of the B210, a device on its LAN B will be able to ping a device on the LAN A of the B380.

Send Path: LAN B device (198.42.232.10) -> B210 LAN (198.42.232.1) -> NAT -> B210 WAN1 (198.42.231.242) -> LAN A device (198.42.231.9)
Receive Path: LAN A device (198.42.231.9) -> B210 WAN1 (198.42.231.242) -> NAT -> B210 LAN (198.42.232.1) -> LAN B device (198.42.232.10)

As far as the LAN A device is concerned, the source of the traffic is the B210.

However if a device on the LAN A of the B380 tries to send traffic (or initiate a connection) to a device on the B210 (LAN B) the following happens:
LAN A device (198.42.231.9) -> B380 as its default gateway (198.42.231.124) -> B380 uses static route to forward to B210 (198.42.231.242) -> B210 doesn’t have a live NAT session so drops traffic.

With IP forwarding set on the B210 WAN 1 the following happens:
LAN A device (198.42.231.9) -> B380 as its default gateway (198.42.231.124) -> B380 uses static route to forward to B210 (198.42.231.242) -> B210 Forwards traffic to LAN B device (198.42.232.10).
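To make the two path descriptions above concrete, here is an added example (not code from the thread or from Peplink) that models the two routers as a small Python simulation. It uses the thread's addresses and Martin's "Send Path" notation, treats the B210's WAN1 as a stateful NAT gateway or as an IP-forwarding hop depending on a flag, and shows why a camera can reach LAN A in both modes while a LAN A host can reach a camera only in IP Forwarding mode. The forwarding logic (no ARP, allow-all firewalls as the thread describes, a single static route on the B380) is this example's own simplification.

```python
import ipaddress

# Topology from the thread. The hop labels copy Martin's "Send Path" notation;
# the forwarding logic below is this example's own simplified model (no ARP,
# allow-all firewall rules as described in the thread).
LAN_A = ipaddress.ip_network("198.42.231.0/24")   # primary LAN behind the B380
LAN_B = ipaddress.ip_network("198.42.232.0/24")   # camera LAN behind the B210
B380_LAN = "198.42.231.124"
B210_WAN = "198.42.231.242"
B210_LAN = "198.42.232.1"
B380_STATIC_ROUTES = {LAN_B: B210_WAN}            # 198.42.232.0/24 > 198.42.231.242


class B210:
    """Camera-LAN router. With wan_nat=True, WAN1 behaves as a stateful NAT
    gateway; with wan_nat=False it is in IP Forwarding mode."""

    def __init__(self, wan_nat):
        self.wan_nat = wan_nat
        self.sessions = set()   # (lan_b_host, remote_host) opened from LAN B

    def lan_to_wan(self, src, dst, path):
        """LAN B host sending out through WAN1. Returns the source address the
        receiver will see (rewritten to WAN1's address when NAT is on)."""
        path.append(f"B210 LAN ({B210_LAN})")
        if self.wan_nat:
            self.sessions.add((src, dst))
            path.append("NAT")
            src = B210_WAN
        path.append(f"B210 WAN1 ({B210_WAN})")
        return src

    def wan_to_lan(self, src, dst, path):
        """Packet arriving on WAN1. Returns the LAN B host that receives it,
        or None if the router drops it."""
        path.append(f"B210 WAN1 ({B210_WAN})")
        if self.wan_nat:
            # Stateful NAT: only reverse-translate replies to sessions LAN B opened
            for lan_host, remote in self.sessions:
                if remote == src and dst == B210_WAN:
                    path.append("NAT")
                    path.append(f"B210 LAN ({B210_LAN})")
                    return lan_host
            path.append("DROP (no live NAT session)")
            return None
        path.append(f"B210 LAN ({B210_LAN})")
        return dst


def send(src, dst, b210, path):
    """Deliver one packet; returns (receiving host or None, source as seen by it)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    path.append(src)
    if s in LAN_B:                                  # leaving the camera LAN
        seen_src = b210.lan_to_wan(src, dst, path)
        if d in LAN_A:
            path.append(dst)
            return dst, seen_src
        return None, seen_src
    if d in LAN_A and dst != B210_WAN:              # same subnet, direct delivery
        path.append(dst)
        return dst, src
    if dst == B210_WAN:                             # reply addressed to WAN1 itself
        final = b210.wan_to_lan(src, dst, path)
    elif d in LAN_B and B380_STATIC_ROUTES.get(LAN_B) == B210_WAN:
        path.append(f"B380 ({B380_LAN}) static route -> {B210_WAN}")
        final = b210.wan_to_lan(src, dst, path)
    else:
        path.append("DROP (no route)")
        return None, src
    if final:
        path.append(final)
    return final, src


def lan_b_pings_lan_a(nat):
    """Camera (LAN B) pings a PC on LAN A; the PC replies to whatever source it saw."""
    b210, out, back = B210(nat), [], []
    _, seen_src = send("198.42.232.10", "198.42.231.9", b210, out)
    reply_to, _ = send("198.42.231.9", seen_src, b210, back)
    return reply_to, seen_src, out, back


def lan_a_connects_to_lan_b(nat):
    """PC on LAN A initiates a connection to a camera on LAN B."""
    b210, path = B210(nat), []
    received_by, _ = send("198.42.231.9", "198.42.232.10", b210, path)
    return received_by, path


if __name__ == "__main__":
    for nat in (True, False):
        print(f"--- B210 WAN1 in {'NAT' if nat else 'IP Forwarding'} mode ---")
        reply_to, seen_src, out, back = lan_b_pings_lan_a(nat)
        print("Send:   ", " -> ".join(out))
        print("Receive:", " -> ".join(back), "| reply reached:", reply_to)
        received_by, path = lan_a_connects_to_lan_b(nat)
        print("LAN A -> LAN B:", " -> ".join(path), "| delivered to:", received_by)
```

Running it prints the four paths. In NAT mode the LAN A host sees the camera's traffic as coming from 198.42.231.242, so its reply is addressed to the B210 and reverse-translated from the session table; a connection that LAN A opens has no such session and is dropped, exactly the failure the original post describes.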


#5

Martin, your description and drawing are perfect, but unfortunately I am still not getting a reply. My settings are exactly as you drew, I’ve checked them multiple times. I even made sure the 380’s inbound firewall permitted the 210’s LAN subnet.

A light bulb just went off in my head. I have a 380 and am only using two WAN ports. The third WAN port can be configured as a LAN. Can that port be configured for the camera LAN’s IP range, and therefore permit communication between the two LANs without using the second router at all? If it makes any difference I am using software 6.1 on the 380. (the 210 has 5.4.9).


#6

Hi Don - really strange that isn’t working, don’t see why it shouldn’t.

Yes you can do as you suggest. Create a 2nd LAN network on the B380 and assign it a VLAN ID and tick enable inter vlan routing. Then connect the 380 to a managed switch that only has the cameras connected, and set the switch port to be a trunk. You will then have a physically isolated camera network up to the connection to the B380, and the B380 LAN clients on the untagged LAN will be able to route to the clients and vice versa.

Also I would recommend an upgrade to 6.2.2 on both devices (which is free) and, so you know, 6.3 is due before the end of the year and with that you can set port based VLANs on the Peplink too.

Kindest,

M


#7

Back to the original plan with two routers…

On the B380 management, I did a traceroute on the LAN to 198.42.232.1 (which is a device on the camera LAN). The response is:
traceroute to 198.42.232.1 (198.42.232.1), 30 hops max, 60 byte packets
1 198.42.231.254 (198.42.231.254) 0.459 ms 0.349 ms 1.130 ms
2 * * *
3 * * *

Why is the B380 sending the request to 198.42.231.254? That address is another device on the B380’s LAN. It is not a router. I have attached the B380’s LAN setup so you can see the static route for the camera LAN is there.


#8

Hi Don,

Looks like you are not using the latest firmware version. Please upgrade to v6.2.2 then try again.


#9

I know that 6.x to 6.2.2 on our B380 is free. The B210 is 5.4.9 now, not on maintenance. Are you saying that 5.4.9 to 6.2.2 is free now?


#10

Hi Don. Yes I am, firmware upgrades are now free. If you are asked for an unlock key when you upgrade you can get one by registering your device on InControl 2. See the knowledge base article here for more info: http://www.peplink.com/knowledgebase/obtaining-your-free-firmware-license-key/


#11

Here’s the latest… Both devices are now running 6.2.2. I changed the sub-LAN to 10.20.30.0/24 because the previous numbers were so close it was confusing me! I also wondered if having the 1st and 2nd numbers the same might have confused the router. Unfortunately, no good. So now we have:

Primary LAN B380 @ 198.42.231.124. LAN is 198.42.231.0/24
Static Route 10.20.30.0/24 > 198.42.231.242
Firewall inbound accept any from source 10.20.30.0/24 (the camera LAN)
Firewall inbound accept any from source 198.42.231.0/24 (the local LAN, already there for VPN access)

Camera-only LAN B210.
WAN1 = 198.42.231.242. IP forwarding = ON. Apply NAT on remote VPN = OFF. Gateway = 198.42.231.124 (the B380)
B210 LAN = 10.20.30.254
DHCP 10.20.30.1 to 100

A ping from within the B380 management to 10.20.30.1 fails
A ping from a PC on the B380’s LAN at 198.42.231.198 fails

As a test from my PC 15 198.42.231.198, I changed the PC’s gateway to 198.42.231.242 which is the B210. With that change the ping replies correctly. I believe that tells me there is no problem with the B210’s configuration. Something in the B380 is not forwarding to the B210? I cannot leave the PC in this configuration.

Stumped…


#12

A step closer!
Using the ping tool on the B380 web UI, can you ping a camera behind the B210?


#13

Martin: A ping tool on the B380 fails.


#14

Hi Don,

Ensure the PC’s (198.42.231.198) gateway is 198.42.231.124. Then ping 10.20.30.254. What is the result? If it fails, please provide the traceroute result from 198.42.231.198 to 10.20.30.254.

Thank you.


#15

Here you go. Still having this problem:

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 198.42.231.198
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 198.42.231.124

Tracing route to 10.20.30.254 over a maximum of 30 hops

1 2 ms <1 ms <1 ms 198.42.231.254
2 1 ms 2 ms <1 ms elmira [198.42.231.124]
3 1 ms 1 ms 2 ms 198.42.231.254
4 1 ms 1 ms 2 ms elmira [198.42.231.124]
5 1 ms <1 ms 1 ms 198.42.231.254
6 2 ms 2 ms 1 ms elmira [198.42.231.124]
7 3 ms 2 ms 3 ms 198.42.231.254
8 3 ms 3 ms 4 ms elmira [198.42.231.124]
9 3 ms 5 ms 4 ms 198.42.231.254
10 4 ms 5 ms 6 ms elmira [198.42.231.124]
11 4 ms 4 ms 5 ms 198.42.231.254
12 5 ms 6 ms 5 ms elmira [198.42.231.124]
13 5 ms 4 ms 6 ms 198.42.231.254
14 5 ms 5 ms 6 ms elmira [198.42.231.124]
15 5 ms 5 ms 5 ms 198.42.231.254
16 6 ms 5 ms 5 ms elmira [198.42.231.124]
17 6 ms 7 ms 6 ms 198.42.231.254
18 7 ms 9 ms 8 ms elmira [198.42.231.124]
19 11 ms 7 ms 7 ms 198.42.231.254
20 9 ms 8 ms 9 ms elmira [198.42.231.124]
21 7 ms 10 ms 9 ms 198.42.231.254
22 9 ms 8 ms 10 ms elmira [198.42.231.124]
23 11 ms 8 ms 8 ms 198.42.231.254
24 10 ms 11 ms 10 ms elmira [198.42.231.124]
25 10 ms 11 ms 11 ms 198.42.231.254
26 11 ms 10 ms 10 ms elmira [198.42.231.124]
27 12 ms 10 ms 9 ms 198.42.231.254
28 12 ms 12 ms 13 ms elmira [198.42.231.124]
29 11 ms 13 ms 13 ms 198.42.231.254
30 13 ms 11 ms 12 ms elmira [198.42.231.124]

Trace complete.

Why does the 380 keep sending the request to 254? The static route is:
Destination Network 10.20.30.0
Subnet Mask 255.255.255.0
Gateway 198.42.231.242
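The trace above never leaves the 198.42.231.0/24 segment: every odd hop answers from 198.42.231.254 and every even hop from the B380 at .124, for all 30 hops, which is the loop symptom TK goes on to suspect in #17. As an added example (not part of the thread), here is a small Python parser that reads Windows tracert or Linux traceroute output and classifies the result as reached, looping, or unanswered; the sample inputs are an excerpt of Don's tracert from this post and the traceroute from #7, embedded so the script runs offline.

```python
import re

# Sample inputs copied from the thread: an excerpt of the Windows tracert in
# post #15 and the Linux traceroute run from the B380 in post #7.
WINDOWS_TRACE = """\
Tracing route to 10.20.30.254 over a maximum of 30 hops

1 2 ms <1 ms <1 ms 198.42.231.254
2 1 ms 2 ms <1 ms elmira [198.42.231.124]
3 1 ms 1 ms 2 ms 198.42.231.254
4 1 ms 1 ms 2 ms elmira [198.42.231.124]
5 1 ms <1 ms 1 ms 198.42.231.254
6 2 ms 2 ms 1 ms elmira [198.42.231.124]

Trace complete.
"""

LINUX_TRACE = """\
traceroute to 198.42.232.1 (198.42.232.1), 30 hops max, 60 byte packets
1 198.42.231.254 (198.42.231.254) 0.459 ms 0.349 ms 1.130 ms
2 * * *
3 * * *
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")   # lines that begin with a hop number


def parse_trace(text):
    """Return [(hop_number, ip_or_None), ...] from Windows tracert or Linux
    traceroute output. A hop whose probes all timed out yields None."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue                    # header, blank line, "Trace complete."
        hop, rest = int(m.group(1)), m.group(2)
        ips = IPV4.findall(rest)
        hops.append((hop, ips[-1] if ips else None))   # last IP on the line is the hop
    return hops


def find_loop(hops):
    """Detect a repeating cycle of hop addresses (for example two gateways
    handing the packet back and forth). Returns None if no address repeats."""
    addrs = [ip for _, ip in hops]
    first_seen = {}
    for i, ip in enumerate(addrs):
        if ip is None:
            continue
        if ip in first_seen:
            start = first_seen[ip]
            period = i - start
            tail = addrs[start:]
            # "regular" means the same cycle repeats for the rest of the trace
            regular = all(tail[k] == tail[k % period] for k in range(len(tail)))
            return {"start_hop": hops[start][0], "period": period,
                    "cycle": tail[:period], "regular": regular}
        first_seen[ip] = i
    return None


def diagnose(text, destination):
    """Classify a trace as reached / loop / no-reply for the given destination."""
    hops = parse_trace(text)
    addrs = [ip for _, ip in hops]
    if destination in addrs:
        return {"status": "reached", "hops": addrs.index(destination) + 1}
    loop = find_loop(hops)
    if loop:
        return {"status": "loop", **loop}
    last = next((ip for ip in reversed(addrs) if ip), None)
    return {"status": "no-reply", "last_responding": last}


if __name__ == "__main__":
    print(diagnose(WINDOWS_TRACE, "10.20.30.254"))
    print(diagnose(LINUX_TRACE, "198.42.232.1"))
```

For the Windows excerpt the script reports a regular loop of period 2 between 198.42.231.254 and 198.42.231.124; for the Linux trace it reports no reply after the first hop. Either result says the same thing as a practitioner's reading of the raw output: the packet for 10.20.30.0/24 is not being handed to 198.42.231.242, so the next step is to find which device on the segment is intercepting it, which is what the direct-cable test in #17 isolates.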


#16

You asked me to do an ARP test from 198. Results are:

198.42.231.124 = 00-11-6E-01-7F-E0
198.42.231.254 = D0-67-E5-E6-55-5E

These results agree with the DHCP reservations and Client List on the B380. I don’t see anything wrong with those.

I did this test from three different Windows PCs on the LAN. Same result for all.


#17

Hi Don,

After checking on your Balance 380 and Balance 210, I suspect there is a network loop. Please do me the favor below:

  1. Connect Balance 380 directly to Balance 210 to bypass existing network.
    Balance 380(LAN) -----Connect cable directly (bypass all switches)-----> (WAN1)Balance 210

  2. Ping 10.20.30.254 from Balance 380
    Please go System > Ping. Ping from Balance 380’s LAN interface to 10.20.30.254.

Do let me know the result. Thanks.


#18

TK - Thank you… it works when connected directly. Knowing that helped me to identify the problem. I had forgotten that we have an Untangle anti-spam / firewall between the B380 and the LAN. I have to program the filter to permit access to the 10.20.30.0/24 LAN. Duh…!


#19

Hi Don,

Glad to hear that your problem is solved. Thanks for the update!