Subnets communication help

Good day!
I have GL-MT2500 (Brume) and following setup:
Brume (192.168.8.1) is the main router, speaking directly to the ISP, with WireGuard enabled in device policy mode. I also have two other routers connected to it: an Amplifi Alien (192.168.108.1), routed through the VPN, and a Unifi USG-3P (192.168.1.1), routed bypassing the VPN.
Now my problem: I want services from the Alien router (192.168.108.1) to talk to services behind the USG router (192.168.1.1). Right now only 192.168.8.1 (Brume) is visible and accessible to anybody. I can’t solve this riddle, so I’m seeking help, as I’m not very familiar with OpenWrt. I even exposed services from behind the Alien router on the 192.168.8.254 IP via port forwarding, and then tried to forward them to 192.168.8.1 (Brume), but for some reason that did not work, or I did not set it up right, idk…

hi,
Does the topology shown below (picture 1) match your case? And the PC behind USG can not access the server behind Alien?

1. Make sure access from WAN is accepted on Alien, which can be confirmed by pinging 192.168.8.142 from the PC behind USG;
2. Expose the server behind Alien via port forwarding or DMZ on Alien. In my case, I set up a web server on 192.168.108.248 with port 8080, and enabled DMZ on it as shown in picture 2.
3. Access the server behind Alien from the PC behind USG via the WAN IP of Alien, as shown in picture 3.


Hi @mizeraj sounds like a headache of a network plan. What is the function of the VPN? Is it possible that the Alien router is actively blocking pings or using NAT?

Isn’t it a bit too complex to have multiple routers? You could set them to switch mode or just disable DHCP and plug the WAN port cable into the LAN port.

Thanks for your answers!

@fangzekun Everything looks exactly like you described it - I did port forwards on Alien and everyone from Alien’s subnet can access Alien’s WAN IP and the forwarded port, but a) Brume can’t access that forwarded port on Alien’s WAN (connection timeout by curl) and clients from USG’s subnet also can’t access it. Though Brume’s IP is available to everybody from both subnets.

@Riktastic Alien is using NAT, sure, I port forwarded my service to its WAN, but I’m still unable to access it from Brume or the other subnet. The VPN serves the function of anonymization, sort of: I live in a region the US government has sanctions on, so without a VPN I have no access to most valuable internet resources. And for that reason I need two routers and two subnets - one for my home devices, with VPN turned on, and the other for my work, without VPN (my company prohibits VPN usage for accessing its resources).

hi,
It looks like “WAN INPUT” is still blocked on Alien. Is iptables available on Alien? You can try to run “iptables -I INPUT -p icmp -j ACCEPT” to accept ICMP packets from WAN on Alien, and then try to ping Alien’s WAN IP from Brume or USG. If ping works, then it is an Alien firewall issue. Run “iptables -D INPUT -p icmp -j ACCEPT” to delete that rule.
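The reachability checks in this thread (ping, curl timing out) can be made more informative by distinguishing how a TCP connect fails: a “refused” result means the router answered and nothing is listening or forwarded on that port, while a “timeout” means the packet was dropped by a firewall or never routed. The following script is an added example and is not code from this thread or from GL.iNet; the target addresses (192.168.8.1 for Brume, 192.168.8.142:8080 for the forwarded service on Alien’s WAN) are taken from the posts above as constructed defaults and will need adjusting for a real setup.

```python
import socket
import socketserver
import threading

# Targets taken from this thread, used here as constructed defaults:
# Brume's LAN IP (reachable from both subnets per the original post) and the
# port fangzekun forwarded/DMZ'd on Alien's WAN address.
DEFAULT_TARGETS = [
    ("Brume web UI", "192.168.8.1", 80),
    ("Forwarded service on Alien WAN", "192.168.8.142", 8080),
]


def check_tcp(host, port, timeout=3.0):
    """Classify the outcome of a single TCP connect to host:port.

    Returns one of:
      'open'    - handshake completed, something is listening/forwarded
      'refused' - host answered with RST: reachable, port not forwarded
      'timeout' - no answer at all: dropped by a firewall or not routed
      'error:N' - any other socket error (e.g. no route to host), N = errno
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as e:
        return f"error:{e.errno}"
    finally:
        s.close()


def explain(status):
    """Map a check_tcp() result to the likely cause in a multi-router setup."""
    if status == "open":
        return "reachable: routing and forwarding work"
    if status == "refused":
        return "host reachable but port closed: check the port forward / DMZ rule"
    if status == "timeout":
        return "silently dropped: WAN-side firewall on the target router or a routing gap"
    return "connect error: no route or address problem on this side"


def run_checks(targets=DEFAULT_TARGETS, timeout=3.0):
    """Check every (label, host, port) and return a list of (label, status, explanation)."""
    results = []
    for label, host, port in targets:
        status = check_tcp(host, port, timeout)
        results.append((label, status, explain(status)))
    return results


# --- Helpers so the classifier can be exercised offline on loopback ---

class _SilentHandler(socketserver.BaseRequestHandler):
    def handle(self):
        pass  # accept and close; only the handshake matters here


def start_local_listener():
    """Start a throwaway TCP listener on 127.0.0.1; returns (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _SilentHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def reserve_closed_port():
    """Return a loopback port that was free a moment ago and has no listener."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    for label, status, why in run_checks():
        print(f"{label:32s} {status:10s} {why}")
```

Run it from a host in each subnet (a PC behind USG, a PC behind Alien, and Brume itself) and compare the three outputs: if Brume’s UI is “open” everywhere but the Alien WAN port is “timeout” from outside Alien’s own LAN, the drop is happening on the path into Alien’s WAN interface, which is what the iptables ICMP test above is probing from the other direction.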

@fangzekun Nope, all ports on Alien are open… There’s actually no way to open them there - this consumer-grade router can only do port forwards. And as I already said - from the Alien network the forwarded port is available on Alien’s WAN. Something is blocking on Brume’s side…

Could you help to change the topology to figure out what the problem is?

  1. Connect Alien and the PC directly to USG’s LAN ports, and try to ping Alien’s WAN IP from the PC or access the service behind Alien using the PC.
  2. Connect two PCs directly to Brume’s LAN ports, and try to ping PC1 from PC2.