How to access clients that belong to different networks?



  • I have my main router, which is pfSense, with an IP address of 192.168.1.1. I also have another router with an IP address of 192.168.0.1 and its own DHCP server. The second router's WAN is connected to a LAN port of the main pfSense router. How can a client within the 192.168.0.1 network access clients within the 192.168.1.1 network?

    I know I can set up the second router as an AP. I would like to know if I can get the two-router setup to work.
    Thanks


  • LAYER 8 Netgate

    You are only giving one network for each router (a router has at least two or there's no routing to do) and not indicating whether it is the WAN or LAN side of either router.



  • I have my main router, which is pfSense, with an IP address of 192.168.1.1. I also have another router with an IP address of 192.168.0.1 and its own DHCP server.

    In one network only one DHCP server should work, but if both of these networks will be connected together
    it can come to really ugly issues that can't be explained or solved, so it is better that each of the networks
    is using its own DHCP server.

    The second router's WAN is connected to a LAN port of the main pfsense router.

    Then you were creating a dual homed or double NAT scenario and on each WAN port NAT is working.
    And so you will be able to contact the first network from behind the second network but not vice versa.

    How can a client within the 192.168.0.1 network access clients within the 192.168.1.1 network?

    Internet --- modem --- WAN port 192.168.1.1 router1 LAN port1 --- WAN port 192.168.0.1 router2 --- LAN
    So you will be able to connect to the router one network from the router two network but not vice versa because
    of the NAT function on the WAN port of router two!

    I know I can set up the second router as an AP.

    You will be also able to switch from NAT to plain routing without pf or firewall rules.

    I would like to know if I can get the two-router setup to work.

    It will be better to use a switch to replace the second router and create VLANs instead of using a second
    router or the second router will be only using plain routing instead of NAT, this would also work. But again
    a smaller or greater switch with the attached 2nd router as a WLAN AP would be the best option.

    Otherwise as a workaround you might be opening some needed ports at the WAN port at the 2nd router.
    But then it will be better to use only in one network one DHCP server and as I see it right this could also
    be done better using a Layer3 switch instead of the 2nd router. Faster, better to configure and more common.
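
The one-way reachability and the port-opening workaround described in the reply above, as an added example that is not part of the original thread: a minimal Python model of the second router's WAN-side NAT. The `NatRouter` class, the 192.168.1.2 WAN address and the host addresses are assumptions made for illustration.

```python
import ipaddress

class NatRouter:
    """Minimal model of the second router's WAN-side NAT (hypothetical helper)."""
    def __init__(self, wan_ip, lan_net):
        self.wan_ip = wan_ip
        self.lan = ipaddress.ip_network(lan_net)
        self.states = {}      # wan_port -> (inside_ip, inside_port, remote_ip, remote_port)
        self.forwards = {}    # wan_port -> (inside_ip, inside_port)
        self._next_port = 40000

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside client opens a flow; returns the packet as seen on the WAN side."""
        if ipaddress.ip_address(src_ip) not in self.lan:
            raise ValueError("source is not on the inside network")
        wan_port, self._next_port = self._next_port, self._next_port + 1
        self.states[wan_port] = (src_ip, src_port, dst_ip, dst_port)
        return (self.wan_ip, wan_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving on the WAN port; returns (inside_ip, inside_port) or None if dropped."""
        if dst_ip != self.wan_ip:
            return None                       # inside addresses are not exposed on the WAN side
        st = self.states.get(dst_port)
        if st and st[2:] == (src_ip, src_port):
            return st[:2]                     # reply to a flow that was opened from inside
        return self.forwards.get(dst_port)    # unsolicited: only a port forward lets it in

def demo():
    # Constructed addresses: router2's WAN IP (.2) and both host IPs are assumptions.
    r2 = NatRouter("192.168.1.2", "192.168.0.0/24")
    pkt = r2.outbound("192.168.0.10", 51000, "192.168.1.50", 445)
    results = {
        "seen_by_main_net": pkt[:2],          # main network only ever sees router2's WAN IP
        "reply": r2.inbound("192.168.1.50", 445, *pkt[:2]),
        "direct_to_inside": r2.inbound("192.168.1.50", 50000, "192.168.0.10", 22),
        "unsolicited_to_wan": r2.inbound("192.168.1.50", 50000, "192.168.1.2", 22),
    }
    r2.forwards[22] = ("192.168.0.10", 22)    # the "open some needed ports" workaround
    results["after_forward"] = r2.inbound("192.168.1.50", 50000, "192.168.1.2", 22)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20} {value}")
```

Every entry added to `forwards` is reachable by any host on the 192.168.1.x side, so each forward is an exposure of that inside host, not just a convenience.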


  • LAYER 8 Global Moderator

    Keep in mind if you're going to use a downstream router that pfSense needs to be connected with a transit network to this downstream router. Unless that 2nd router is going to NAT so all traffic to clients on the network connected to pfSense looks like it came from the IP of that 2nd NAT router.

    I agree with BlueKobold, if you want to have multiple networks it is normally a much better option to just let pfSense route between the 2 networks and not use downstream. The only time you really want downstream routing to happen is when there is lots of traffic between networks at the downstream router.

    Sounds like you're just using some SOHO wifi router as your 2nd router. Why don't you just use it as an AP and put that wireless and wired device on this 2nd network on a connection to pfSense? This way you can firewall between the 2 networks if you want, etc.



  • Thanks for the response, and sorry for not having thanked you guys promptly. Been busy at work, not having much time to play.

    I understand the AP is the easiest and simplest setup. The reason I am using this setup is because I like the second router's simple parental control and DNS filtering presets. With the AP setup, I have to use the pfSense proxy. It is not intuitive, and I am not sure it is reliable.

    By the way, the second router is a Netgear R7000 running Asus firmware, Merlin variant. This is only for the kids. I have another access point for the rest of the family.

    I will review all the responses and play a bit more.

