ER605 firewall config

2024-09-06 06:48:51 - last edited 2024-09-09 02:03:09
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: ER605(UN)_v2_2.2.6 Build 20240718 official release

Hi folks,

I'm trying to configure the ER605 to operate behind an existing router such that PCs in 2 subnets can communicate, similar to the scenario below.

The PCs in the ER605 subnet (Router 2 - 192.168.100.1) can communicate with each other and the internet, but not with PCs in the other subnet (Router 1 - 192.168.50.1).

I do understand that the ER605's NAT function is the issue, and since it can't be switched off, is there any other solution to enable this scenario?

Any help is much appreciated.

 

 

Re:ER605 firewall config
2024-09-06 10:22:58

  @handycapp 

 

Providing NAT is enabled on router 2 it should just work!

 

Any traffic from the 192.168.100.1 subnet going out of router 2 will be NATed and thus appear to be coming from 192.168.50.200 (router 2 WAN IP). So any traffic destined for a 192.168.50.x address is now local to router 1 subnet

Re:ER605 firewall config
2024-09-06 10:57:33

Hi @MisterW, thanks for your reply.

The ER605 (router 2) NAT can't be turned off.

The use case is for 2 PCs from 1 subnet to connect to 1 PC on the other subnet via Windows 11P shared folders accessing files in both directions.

Any PC from the 50.x subnet still can't ping any IPs from the 100.x subnet.

What firewall rules or policy configs are required for this scenario?

 

 

Re:ER605 firewall config-Solution
2024-09-06 11:08:06 - last edited 2024-09-09 02:03:21

  @handycapp 

 

> The use case is for 2 PCs from 1 subnet to connect to 1 PC on the other subnet via Windows 11P shared folders accessing files in both directions.
>
> Any PC from the 50.x subnet still can't ping any IPs from the 100.x subnet.

Ahh! That's not going to work. PCs in the 100.x subnet should be able to access the 50.x subnet but not vice versa.

 

Re:ER605 firewall config
2024-09-07 04:27:29

Ok, thanks very much for confirming there's no solution for this use case, @MisterW.

Re:ER605 firewall config-Solution
2024-09-09 02:03:04 - last edited 2024-09-09 02:03:09

Hi @handycapp 

Thanks for posting in our business forum.

handycapp wrote

> Hi @MisterW, thanks for your reply.
>
> The ER605 (router 2) NAT can't be turned off.
>
> The use case is for 2 PCs from 1 subnet to connect to 1 PC on the other subnet via Windows 11P shared folders accessing files in both directions.
>
> Any PC from the 50.x subnet still can't ping any IPs from the 100.x subnet.
>
> What firewall rules or policy configs are required for this scenario?

Check with the support team to see if they have an early-access (beta) firmware for disabling the NAT.

The ping will definitely not work due to the NAT.

If you need access in both directions, it can be done. Just open the port on the router (2). 2 to 1 does not require any port forwarding.

Re:ER605 firewall config
2024-09-09 11:29:10

Hi @Clive_A , thanks for the input. I've already opened SMB/CIFS TCP ports 139 and 445 to a specific static IP (workstation) which is in the Router 2 subnet.

I had created two rules with the same port value for each of external and internal port pairs i.e. 139/139 and 445/445.

However, no workstation from the Router 1 subnet can see it, and this is the problem. 

Cheers

Re:ER605 firewall config
2024-09-10 01:54:55

Hi @handycapp 

Thanks for posting in our business forum.


It does not discover. Discovery is a -cast packet and it cannot travel through the NAT.

That's expected. But if you need to use it, they don't have a problem.

Even if there is a firmware to disable the NAT in the future, that may still be a problem due to the subnet. -cast packets may not travel between the subnets. You'd still try to fix that in the future if that's what I described.

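Added example, not part of the thread or of TP-Link's documentation: a small Python model of the two-router topology discussed above, showing which flows get through the ER605's NAT and which do not. The host addresses 192.168.50.20 and 192.168.100.10 and the function names are assumptions made for illustration; 192.168.50.200 and TCP ports 139/445 come from the posts.

```python
import ipaddress

# Subnets and WAN IP are from the thread; FILE_SERVER is a constructed address.
R1_NET = ipaddress.ip_network("192.168.50.0/24")    # Router 1 LAN
R2_NET = ipaddress.ip_network("192.168.100.0/24")   # Router 2 (ER605) LAN
R2_WAN = ipaddress.ip_address("192.168.50.200")     # ER605 WAN IP on Router 1's LAN
FILE_SERVER = "192.168.100.10"                      # hypothetical static-IP workstation
PORT_FORWARDS = {("tcp", 139): FILE_SERVER, ("tcp", 445): FILE_SERVER}


def from_router2_lan(src, dst, proto, port):
    """A 100.x host sending out through the ER605: source NAT rewrites src
    to the WAN IP, so a 50.x destination sees a neighbour on its own subnet."""
    verdict = "delivered" if ipaddress.ip_address(dst) in R1_NET else "routed upstream"
    return (verdict, str(R2_WAN), dst, port)


def from_router1_lan(src, dst, proto, port=None):
    """A 50.x host sending a packet; returns (verdict, final destination)."""
    d = ipaddress.ip_address(dst)
    if d.is_multicast or d == R1_NET.broadcast_address:
        # Discovery traffic: never leaves the 50.x segment.
        return ("dropped: broadcast/multicast stays on the 50.x segment", None)
    if d in R2_NET:
        # Assumes Router 1 has no static route for 192.168.100.0/24.
        return ("dropped: 100.x is hidden behind the ER605's NAT", None)
    if d == R2_WAN:
        target = PORT_FORWARDS.get((proto, port))
        if target:
            return ("forwarded", target)
        # ICMP has no port, so a port-forward rule can never match a ping.
        return ("not forwarded: no port-forward rule matches", None)
    return ("delivered on 50.x", dst)


if __name__ == "__main__":
    print(from_router2_lan("192.168.100.10", "192.168.50.20", "tcp", 445))
    print(from_router1_lan("192.168.50.20", "192.168.100.10", "tcp", 445))
    print(from_router1_lan("192.168.50.20", "192.168.50.200", "tcp", 445))
    print(from_router1_lan("192.168.50.20", "192.168.50.200", "icmp"))
    print(from_router1_lan("192.168.50.20", "192.168.50.255", "udp", 137))
```

From a 50.x PC the share is therefore reached by address through the ER605's WAN IP (`\\192.168.50.200\<share>`), since both discovery and the workstation's own 100.x address are unavailable from that side.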