[Semibug] Router / Routing questions
Josh Grosse
josh at jggimi.net
Thu Jan 21 16:33:45 EST 2021
Mark wrote:
> at home, I have two networks, a wired network, which is on 192.168.1.0
> and a wireless network on 192.168.2.0, which is handled by a Linksys
> WRT1900ACS.
> [snip]
> I want to be able to set firewall rules for specific devices on the
> wireless network. The Linksys has three modes, NAT, Dynamic Routing
> (RIP), and Static Routing. I know NAT doesn't work but should I try to
> set up RIP on the Firewall (OpenBSD based), or just try and use Static
> Routing?
1. NAT *should* work, but you may not want to use it even if it does,
as you'd be double-NATting your wireless devices. Simply, if the
Linksys WRT provides NAT the way any SOHO router does, all devices on
the wireless network would share a single address on your wired
network, and the WRT would keep its own state tables for that
shared address. Running any wireless services reachable by the
wired network would require port forwarding, and with double-NAT,
serial port forwarding in sequence to expose services to the Internet.
Double-NAT could cause problems for any IoT devices on the wireless
subnet if they expect incoming packets to create state, such as for
a "pushed" firmware update from a vendor.
2. Static routing is easy to set up. Every device on the wired network
already knows its 192.168.1/24 subnet, and today any other addresses
route through your gateway router to the Internet. For any wired
network device that needs to talk to wireless devices -- including
the gateway router for any incoming packets from the Internet -- add a
route to its table that directs packets to the wireless network
192.168.2/24 through the wired address of the WRT router.
If you neglect to add a static route to the 192.168.2/24 subnet from
a device on the 192.168.1/24 subnet, the outbound packets will be
sent to your gateway router. As long as *it* has the static route
for 192.168.2/24, it will redirect those packets to the WRT router
for processing. Giving each device on the wired network a direct
route to the wireless network eliminates those duplicate packets
and the performance degradation they introduce.
3. RIP or any other routing protocol is likely overkill, because you
don't need to reroute failed links through alternate routers; you
have no backup routing to provision. Yes, you could provision RIP,
but it won't add any benefit.
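A small simulation of points 1 and 2 above, added here and not part of the original message: it does longest-prefix lookups over the routing tables of the wired host, the OpenBSD gateway and the WRT to show that a wired host without the static route sends its packet to the gateway first, which then forwards it to the WRT over the same wired segment, and that in NAT mode the firewall cannot tell wireless devices apart. The gateway address 192.168.1.1, the WRT wired address 192.168.1.2 and the upstream hop are constructed assumptions.

```python
# Simulation of the static-routing advice above: which next hop each device
# picks for a packet to the wireless subnet, with and without the static route.
# Addresses are constructed for illustration; they are not from the thread.
from ipaddress import ip_address, ip_network

WIRED_NET = ip_network("192.168.1.0/24")
WIRELESS_NET = ip_network("192.168.2.0/24")
DEFAULT = ip_network("0.0.0.0/0")
GATEWAY = ip_address("192.168.1.1")    # OpenBSD firewall, wired side (assumed)
WRT_WIRED = ip_address("192.168.1.2")  # Linksys WRT's wired-side address (assumed)
UPSTREAM = ip_address("203.0.113.1")   # ISP next hop (documentation range)
WIRELESS_HOST = ip_address("192.168.2.10")  # a device behind the WRT (assumed)

# A routing table is a list of (destination, gateway); gateway None means the
# destination is directly attached and the packet is delivered on-link.
GATEWAY_TABLE = [(WIRED_NET, None), (WIRELESS_NET, WRT_WIRED), (DEFAULT, UPSTREAM)]
WRT_TABLE = [(WIRED_NET, None), (WIRELESS_NET, None)]
HOST_WITHOUT_ROUTE = [(WIRED_NET, None), (DEFAULT, GATEWAY)]
HOST_WITH_ROUTE = [(WIRED_NET, None), (WIRELESS_NET, WRT_WIRED), (DEFAULT, GATEWAY)]
ROUTERS = {GATEWAY: GATEWAY_TABLE, WRT_WIRED: WRT_TABLE}  # keyed by wired address

def next_hop(table, dst):
    """Longest-prefix match over one routing table; None means on-link."""
    matches = [(net, gw) for net, gw in table if dst in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(table, dst):
    """Routers a packet is handed to, starting from a device using `table`,
    until some router finds `dst` directly attached or hands it upstream."""
    hops = []
    while True:
        gw = next_hop(table, dst)
        if gw is None:            # on-link: delivered to dst itself
            return hops
        hops.append(gw)
        if gw not in ROUTERS:     # left the home network; stop simulating
            return hops
        table = ROUTERS[gw]

def wired_segment_crossings(table, dst):
    """Times the packet crosses the wired LAN: each hand-off to a router on
    192.168.1/24 is one traversal, so the missing static route costs two."""
    return sum(1 for hop in trace(table, dst) if hop in WIRED_NET)

def source_seen_by_firewall(src, wrt_does_nat):
    """Source address pf sees for a wireless device: in NAT mode every device
    shares WRT_WIRED, so per-device rules cannot tell them apart."""
    return WRT_WIRED if wrt_does_nat else src
```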