ER605 firewall config
Hi folks,
I'm trying to configure the ER605 to operate behind an existing router such that PCs in 2 subnets can communicate, similar to the scenario below.
The PCs in the ER605 subnet (Router 2 - 192.168.100.1) can communicate with each other and the internet, but not with PCs in the other subnet (Router 1 - 192.168.50.1).
I do understand that the ER605's NAT function is the issue, and since it can't be switched off, is there any other solution to enable this scenario?
Any help is much appreciated.
Providing NAT is enabled on router 2 it should just work!
Any traffic from the 192.168.100.1 subnet going out of router 2 will be NATed and thus appear to be coming from 192.168.50.200 (router 2 WAN IP). So any traffic destined for a 192.168.50.x address is now local to router 1 subnet.
Hi @MisterW, thanks for your reply.
The ER605 (router 2) NAT can't be turned off.
The use case is for 2 PCs from 1 subnet to connect to 1 PC on the other subnet via Windows 11P shared folders accessing files in both directions.
Any PC from the 50.x subnet still can't ping any IPs from the 100.x subnet.
What firewall rules or policy configs are required for this scenario?
handycapp wrote
The use case is for 2 PCs from 1 subnet to connect to 1 PC on the other subnet via Windows 11P shared folders accessing files in both directions.
Any PC from the 50.x subnet still can't ping any IPs from the 100.x subnet.
Ahh! That's not going to work. PCs in the 100.x subnet should be able to access the 50.x subnet but not vice versa.
Ok, thanks very much for confirming there's no solution for this use case, @MisterW.
Hi @handycapp
Thanks for posting in our business forum.
handycapp wrote
Hi @MisterW, thanks for your reply.
The ER605 (router 2) NAT can't be turned off.
The use case is for 2 PCs from 1 subnet to connect to 1 PC on the other subnet via Windows 11P shared folders accessing files in both directions.
Any PC from the 50.x subnet still can't ping any IPs from the 100.x subnet.
What firewall rules or policy configs are required for this scenario?
Check with the support team to see if they have an early access (beta) firmware for disabling the NAT.
The ping will definitely not work due to the NAT.
If you need access in both directions, it can be done. Just open the port on router 2. 2 to 1 does not require any port forwarding.
Hi @Clive_A , thanks for the input. I've already opened SMB/CIFS TCP ports 139 and 445 to a specific static IP (workstation) which is in the Router 2 subnet.
I had created two rules with the same port value for each of external and internal port pairs i.e. 139/139 and 445/445.
However, no workstation from the Router 1 subnet can see it, and this is the problem.
Cheers
Hi @handycapp
Thanks for posting in our business forum.
handycapp wrote
Hi @Clive_A , thanks for the input. I've already opened SMB/CIFS TCP ports 139 and 445 to a specific static IP (workstation) which is in the Router 2 subnet.
I had created two rules with the same port value for each of external and internal port pairs i.e. 139/139 and 445/445.
However, no workstation from the Router 1 subnet can see it, and this is the problem.
Cheers
It does not discover. Discovery is -cast packet and it cannot travel the NAT.
That's expected. But if you need to use it, they don't have a problem.
Even if there is a firmware to disable the NAT in the future, that may still be a problem due to the subnet. -cast packet may not travel between the subnets. You'd still try to fix that in the future if that's what I described.
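A check for the port-forward setup discussed in the thread, added here as an example and not written by any of the posters. It uses the Router 2 WAN address 192.168.50.200 quoted above; the workstation address 192.168.100.10 and the share name `Shared` are placeholders, and the source-address behaviour of the port forward is an assumption noted in the comments.

```powershell
# Added example, not from the thread. 192.168.50.200 is Router 2's WAN IP as given
# in the thread; 192.168.100.10 and the share name 'Shared' are placeholders.
$RouterWan  = '192.168.50.200'
$InsideHost = '192.168.100.10'
$ShareName  = 'Shared'

# Run on a PC in the 192.168.50.x subnet: TCP reachability of the SMB ports.
function Test-SmbPath {
    param([string]$Target, [int[]]$Ports = @(445, 139))
    foreach ($port in $Ports) {
        $r = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $Target; Port = $port; Reachable = $r.TcpTestSucceeded }
    }
}

# Run on the 192.168.100.x workstation: remote-address scope of the enabled inbound
# SMB rules. Assumes an English Windows install (rule group name) and that the
# router forwards without rewriting the source, so the client still appears as
# 192.168.50.x; a rule scoped to LocalSubnet would not match such a client.
function Get-SmbInboundScope {
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            if ($port.LocalPort -contains '445' -or $port.LocalPort -contains '139') {
                [pscustomobject]@{
                    Rule          = $_.DisplayName
                    Profile       = $_.Profile
                    LocalPort     = $port.LocalPort -join ','
                    RemoteAddress = $addr.RemoteAddress -join ','
                }
            }
        }
}

# Client side: the forwarded address should answer, the private address should not.
$results = @(Test-SmbPath -Target $RouterWan) + @(Test-SmbPath -Target $InsideHost)
$results | Format-Table -AutoSize

$smb = $results | Where-Object { $_.Target -eq $RouterWan -and $_.Port -eq 445 }
if ($smb.Reachable) {
    # Discovery does not cross the NAT, so address the share by IP, not by name.
    Get-ChildItem -Path "\\$RouterWan\$ShareName" | Select-Object -First 5
} else {
    Write-Warning "TCP 445 on $RouterWan is closed: check the port forward and Get-SmbInboundScope on the workstation."
}
```

Where the scope output shows `LocalSubnet`, narrowing the rule's remote address to 192.168.50.0/24 keeps the share limited to the Router 1 subnet instead of opening it to any source.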