Two tiered office router setup

I’ve recently acquired a few Balance One routers and I’m trying to use them to set up a two-tiered network at a small business. The attached diagram shows what I’m trying to achieve.

Router #1 will be connected to the outside world through a WAN port. This router will be configured for NAT. It will also be where the firewall and port forwarding are configured. The LAN side of Router #1 will be my intranet that feeds the WAN ports of Router #2 and Router #3 with a subnet.

Router #2 and #3 will be configured as IP Forwarding with the DHCP server enabled for their respective subnets. I don’t want NAT here because I want to be able to route traffic (Windows File Sharing, VNC, ssh, etc) between PCs on the and subnets. My understanding is that having NAT enabled on Routers #2 and #3 would prevent this.

I’ve been testing this setup for a couple of days but I’ve not been able to get it working exactly as I need. I’ve tried various settings using static routing and so far, I’ve been able to get the PCs connected to Router #2 and #3 to be able to access the Internet. The PCs can also access the configuration web page for Router #1. However, I have not been able to get the system working to the point that I can reliably get traffic between Router #2 and Router #3. For example, a PC behind Router #2 cannot access a Windows share on a PC behind Router #3.

My questions are:

-Does my setup as I’ve explained and diagramed make sense?
-If not, what might be a better configuration option?
-What other settings/configuration options might I have missed?

Here are the answers to your questions:

  • Yes, this setup makes sense.
  • If Router #1 has LAN static routes for and, no modification is needed.
  • Windows file sharing works at layer 2 and this gets stripped when routing to another network at layer 3. If you can ping the PC behind Router #3 you should be able to get to its shared drives by typing in: \192.168.30.X from the search window of your PC.


Thanks for your response.

I reset everything to factory defaults and then reconfigured it again. Almost everything is working correctly now.

One lingering problem: I cannot access the configuration web page for Router #2 from a PC behind Router #3 or vice versa. e.g. If I’m on the, I can’t browse to even though I can still ping from I can still browse to Router #1 from a PC on either subnet. Other services between PCs on the different subnets seem to be working fine.

As a test, I tried enabling WAN access to the configuration web page on Router #2 but I can’t access it from the WAN address either (the WAN address is ping-able).

Any thoughts?


Suspect that the Webadmin WAN access traffics is block by the Router 1 firewall.

Can you please enable packet capture for both Router 2 & Router 3 (Peplink devices) to further confirm this ? Possible, please check also router1 firewall logs for any blocked traffics.

For more information regarding to the packet capture, you can refer to the URL below:

You can download the packet capture results and review it using Wireshark (Packet monitoring software) .

Thank You

I’ve attached some packet captures I made of an attempt to access the Router #2 configuration page from behind Router #3. For this attempt, my PC was behind Router #3 at address and I was trying to access the web page for Router #2 by the address

I did not see any evidence in Router #1 event logs of blocked traffic.

You mentioned enabling WAN Web Admin Access on Router #2 and this step needs to be taken. In this case you would browse to the WAN IP address of Router #2 (192.168.250.X) and not its LAN IP.

Ron, I tried accessing by the WAN address and it worked fine this time. Not sure why it wasn’t working before.

I think I’m all straightened out now. Thanks for your help!