Wow, I'm failing at the most basic network problem

Rurik

All those years in IT and they were right - as soon as you go into management you lose it all :)

Trying to re-setup my home network, a basic one.

Modem<--->D-Link MTA<---->Linksys WRT54G<----->Linksys livingroom

D-Link MTA has LAN set to: 192.168.15.1 (this, and all others use netmask 255.255.255.0)

WRT54G at my desk is running DD-WRT micro and has:
WAN (from D-Link MTA): DHCP
LAN: 192.168.25.1, DHCP pool of .100-149
eth1,2,3: PCs
eth0: To Linksys in living room
Wireless: many devices

Linksys in Livingroom (it's an obscure model, BEFW11S4, latest firmware)
WAN (from WRT54G): 192.168.25.10
LAN: 192.168.35.1, DHCP pool of .100-149
eth0,1,2,3: Xbox, PS2, HTPC, laptop

Each router, and clients under the router, cascade packets out perfectly fine. Each passes DNS responses to the router before it, and they can all get to the Internet.

The issue now is to get my PC (192.168.25.25) to talk to the HTPC (192.168.35.25). The HTPC can initiate a TCP handshake just fine with the PC, copy files, etc. However, the PC cannot see the HTPC.

With the livingroom router WAN set to 192.168.25.10, my PC can't even ping it, though it does show up in DD-WRT's status screen:
Active Clients
Host Name__IP Address_____MAC Address______Conn. Count__Ratio [512]
*__________192.168.25.10___00:0F:66:2F:78:0E______0_______0%
*__________192.168.25.25___00:17:31:22:53:86______40_______8%

I created a route on the WRT54G for the connection, but it doesn't help:
192.168.35.0, 255.255.255.0, with a gateway of 192.168.25.10

Routing table from the WRT54G is below. For routing, the DD-WRT is in Gateway mode (if I put it in Router mode, nothing gets out).
Destination LAN NET___Subnet Mask_____Gateway______Interface
192.168.35.0__________255.255.255.0____192.168.25.10__LAN & WLAN
192.168.15.0__________255.255.255.0____0.0.0.0________WAN
192.168.25.0__________255.255.255.0____0.0.0.0________LAN & WLAN
169.254.0.0___________255.255.0.0______0.0.0.0________LAN & WLAN
0.0.0.0_______________0.0.0.0__________192.168.15.1___WAN

I know it has to be something incredibly simple that I'm overlooking; I just can't see it. How do I get my client to route into the 192.168.35.0? I even set a manual route on the client (route add 192.168.35.0 mask 255.255.255.0 192.168.25.10). However, if no one can ping 192.168.25.10 (the gateway), then obviously it isn't working.
 
Sounds like the Linksys in the living room has an active firewall that you will need to disable to see anything on the LAN side of it.
 
Just went through the livingroom one (it's a BEFW11S4). I know some firmware have SPI firewalls enabled, but nothing in it. It has the latest firmware installed. Under WAN, I disabled options to ignore anonymous Internet requests. With that disabled, I can now ping 192.168.25.10, its gateway IP, from my PC. I also disabled NAT on the BEFW11S4.

I pop up Wireshark, and I see the ICMP reqs and responses, but I only see the initial TCP SYNs from my PC.

EDIT: After a few minutes of waiting, I did another volley of tests. From my PC at 192.168.25.25, I can ping 192.168.25.10 AND I can ping 192.168.35.1, so I can hit both sides of the livingroom router. But, I still can't hit anything beyond it. I just did an nmap scan of the whole 192.168.35.0 and it only popped back .1.
 
Your problem is NAT, or "Gateway mode". Turn off Gateway mode on the living room router and DDWRT router. Make specific routes to your private networks and default routes for the internet pointing to your edge device.

Just for a quick test, do some port forwarding on your living room router to forward 3389 to your HTPC, then connect to it from your main computer. If it works, you know NAT is your problem :cool:

EDIT: from your edit, that sounds very weird and pretty bad. You shouldn't be able to hit the inside interface of that router with NAT turned on like that.
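
The diagnosis in the reply above, worked through as an added example that is not part of the original thread: a small Python model that follows a new connection from the PC through the DD-WRT routing table posted earlier and then through the living-room router. The function names and the drop rule for NAT are simplifying assumptions, not the behaviour of either firmware in full.

```python
import ipaddress

# DD-WRT routing table as posted in the thread: (destination, gateway, interface).
DDWRT_ROUTES = [
    ("192.168.35.0/24", "192.168.25.10", "LAN & WLAN"),
    ("192.168.15.0/24", None, "WAN"),
    ("192.168.25.0/24", None, "LAN & WLAN"),
    ("169.254.0.0/16", None, "LAN & WLAN"),
    ("0.0.0.0/0", "192.168.15.1", "WAN"),
]
LIVING_WAN = ipaddress.ip_address("192.168.25.10")    # BEFW11S4 WAN side
LIVING_LAN = ipaddress.ip_network("192.168.35.0/24")  # BEFW11S4 LAN side

def next_hop(routes, dst):
    """Longest-prefix match: returns (gateway, interface); gateway None = on-link."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), gw, ifc) for net, gw, ifc in routes
            if dst in ipaddress.ip_network(net)]
    _, gw, ifc = max(hits, key=lambda h: h[0].prefixlen)
    return gw, ifc

def trace(dst, port, routes=DDWRT_ROUTES, nat=True, forwards=None, host_fw=False):
    """Follow a new TCP connection from the PC (192.168.25.25) toward the HTPC.

    Simplified model (assumption): with NAT on, the living-room router passes
    unsolicited WAN-side traffic inward only through a port forward.
    """
    dst = ipaddress.ip_address(dst)
    gw, ifc = next_hop(routes, dst)
    if dst == LIVING_WAN:
        target = (forwards or {}).get(port) if nat else None
        if target is None:
            return "stops at living-room router WAN address"
    elif dst in LIVING_LAN:
        if gw != str(LIVING_WAN):
            return f"DD-WRT forwards to {gw} via {ifc}, away from the living room"
        if nat:
            return "dropped by living-room router: no NAT mapping for inbound"
        target = str(dst)
    else:
        return "destination is outside the living-room network"
    if host_fw:
        return f"dropped by host firewall on {target}"
    return f"delivered to {target}"

if __name__ == "__main__":
    print(trace("192.168.35.25", 3389, host_fw=True))                   # NAT still on
    print(trace("192.168.25.10", 3389, forwards={3389: "192.168.35.25"}))
    print(trace("192.168.35.25", 3389, nat=False, host_fw=True))        # firewall left on
    print(trace("192.168.35.25", 3389, nat=False))                      # both fixed
```

The reverse direction works throughout because the living-room router rewrites the HTPC's source address to 192.168.25.10, which is on-link for the PC, and tracks the connection for the replies.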
 
[NINJA EDIT]

Doh, OK, I did make a goof somewhere. I had left Windows Firewall on on the HTPC, a machine I just installed less than a month ago.... still testing things, will update in a few mins.
 
You're right, it looks like NAT is causing the problems. I forwarded 3389 and can remote connect into it. Now, after that round of testing, here's what I've done now with the livingroom device:

Disabled NAT
Disabled port forwarding

Oddly enough, I can still remote into it with those set. To be fair, I never tried Remote access before this stage, though.

To disable NAT, did you put the router into "route mode"? If you did, then you already have some specific routes in your routing table to point from the DDWRT box to the livingroom router.
 
I disabled NAT from the livingroom device, but left it on the DD-WRT, since the DD-WRT is the egress point for both internal nets.

It looks like the problem is resolved. It was a combination of small, stupid mistakes :) I forgot to disable NAT on the BEFW11S4, and I forgot to disable the firewall on the HTPC. I had assumed it was already disabled, but forgot that I reinstalled Windows last month. It's the little things that bite you.

So, now I access it, ping it, etc.

Thanks for the help!
 
So, now I access it, ping it, etc. I just have one little problem to work through, in that every time I access \\192.168.35.25, it asks for a user. I map it using a local account (\192.168.35.25\user) and password, and it immediately jumps to Guest, which fails. I really hate Windows file sharing :)

Yep, technically all you needed was to disable NAT on the BEFW11S4. Personally I would do it on DDWRT as it really isn't doing anything anyways. Glad you got it working.

For your file sharing, disable simple file sharing and add the appropriate groups/users to your share permissions. Done.
 