How To Use a Router To Add Network Ports


PacketRider
02-20-2009, 02:42 AM
With Method Two, can computers of the network 192.168.199.x share files and printers with those in the 192.168.3.x network? I have a feeling that the PCs of the downstream router can see those of the upstream's, but not the other way around because the upstream's PCs will hit the WAN port of the downstream router.

The value of this solution is two-fold. You have gained an extra port over Method One. And by routing between the upstream and downstream LANs, you've effectively created a broadcast separation between the two networks, which can improve overall network performance in a busy LAN

This quote implies that because of the broadcast separation, nothing can share files between the two networks.

Why can one not simply give the WAN port of the downstream router a static IP that is in the same subnet as the LAN side of the upstream router but outside the range of the DHCP server IPs of the upstream's router? Why give the WAN port on the downstream router a different subnet?

But this can interfere with network connectivity to corporate VPNs, VoIP, and other services connected through the downstream router because of the "Double NAT" configuration

I am not clear on why the NAT on the downstream router has to be disabled given the fact that the computers in the downstream router get different IP addresses in the x.x.199.x anyway. This is the same as NAT, which is to translate one address to another. Does double NAT make an already bad situation, due to the first NAT of the upstream router, worse for the downstream computers?

allxk
02-21-2009, 08:41 PM
Is there a limit to how many routers can be connected?

ssoaring
02-22-2009, 11:09 PM
Would this information apply if you are trying to hook two routers up together, but the downstream router is the one you want to use as the router? My DSL service provides a router/modem that I do not want to use because I have a better one. Can I use the Method 2 but in reverse?

dreid
02-23-2009, 09:42 PM
Thanks for the questions!

Can computers on one subnet share files and printers with those in another network?

Yes they can. You can map a Windows share from one router to another. You may have to specify the IP address of the shared drive and give it a name, but it works fine. To do so, enable sharing of the drive or folder on one machine, and then map to that drive via \\(IP address)\(name).

Why can one not simply give the WAN port of the downstream router a static IP that is in the same subnet as the LAN side of the upstream router but outside the range of the DHCP server IPs of the upstream's router?

You should assign to the WAN port of the downstream router a static IP that is in the same subnet as the LAN side of the upstream router.

I am not clear on why the NAT on the downstream router has to be disabled...

Each router running NAT maintains a dynamic table of NAT entries, tracking outbound packet flows and matching them with inbound packet flows. If there is no outbound packet flow matching an inbound packet flow, the inbound packet flow can be discarded. In short, running NAT on the downstream router can restrict traffic flows to devices behind the downstream router unnecessarily.
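Added example, not part of any post in this thread: a minimal Python model of the NAT table described above, using the 192.168.3.x and 192.168.199.x networks from the first question. The host addresses, port numbers and the downstream WAN address 192.168.3.2 are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class NatRouter:
    """Toy port-translating NAT: records outbound flows, matches inbound ones."""
    wan_ip: str
    nat_enabled: bool = True
    next_port: int = 40000
    # (wan_port, remote_ip, remote_port) -> (inside_ip, inside_port)
    table: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """LAN -> WAN. Returns the source (ip, port) seen on the WAN side."""
        if not self.nat_enabled:
            return src_ip, src_port            # routed: address unchanged
        wan_port = self.next_port
        self.next_port += 1
        self.table[(wan_port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.wan_ip, wan_port

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """WAN -> LAN. Returns the inside (ip, port), or None if discarded."""
        if not self.nat_enabled:
            return dst_ip, dst_port            # routed: forwarded as addressed
        if dst_ip != self.wan_ip:
            return None                        # not addressed to the WAN port
        # Only flows with a matching outbound entry are let back in.
        return self.table.get((dst_port, src_ip, src_port))

def demo():
    up_pc = "192.168.3.10"        # constructed host on the upstream LAN
    down_pc = "192.168.199.10"    # constructed host on the downstream LAN
    down_wan = "192.168.3.2"      # assumed downstream WAN address
    results = {}

    nat = NatRouter(wan_ip=down_wan)
    # Downstream PC opens a file-share connection (TCP 445) to the upstream PC.
    seen_ip, seen_port = nat.outbound(down_pc, 50123, up_pc, 445)
    # The reply matches the table entry and is translated back.
    results["reply"] = nat.inbound(up_pc, 445, seen_ip, seen_port)
    # Upstream PC initiates toward the downstream WAN port: no entry, dropped.
    results["unsolicited_nat"] = nat.inbound(up_pc, 50999, down_wan, 445)

    # NAT disabled: the upstream side addresses the downstream PC directly
    # (this also needs a static route on the upstream router).
    routed = NatRouter(wan_ip=down_wan, nat_enabled=False)
    results["unsolicited_routed"] = routed.inbound(up_pc, 50999, down_pc, 445)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same table that blocks upstream PCs from reaching downstream shares is what hides downstream hosts from unsolicited traffic, so turning NAT off moves that filtering job to the downstream router's firewall rules.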

dreid
02-23-2009, 09:48 PM
Answers to two more questions:

Is there a limit to the number of routers connected?

No, but it can get complex with more than two routers as you'll need to set up multiple static routes or utilize a routing protocol.

My DSL service provides a router/modem that I do not want to use because I have a better one.

My suggestion: Call your DSL provider and ask them to "bridge" your router/modem or replace it with a simple modem. Then use your router to control your network.

ssoaring
02-24-2009, 04:48 PM
I asked my DSL company to only provide me with a modem when they did the install but they said that the modem/router was all they offered. Luckily they did not change the admin password so I can change the settings in the router to hopefully bridge the connection.

3DHack
03-25-2009, 07:53 PM
Hi folks,

This is my first post in this fab forum.

I've been lurking awhile because I am launching a new business very soon where I will be responsible for setting up and maintaining (or finding support for) a small 3D animation studio in Byron Bay, Australia.

Due to the generous input of the gurus on smallnetbuilder, I'm gradually getting my head around our requirements and the various issues of storage and network but don't feel I've identified the exact equipment to buy or whether to dive in and learn the skills myself or hire in advice and purchase the business level support options from Dell or HP etc.

Until I am sure what we need I'd prefer to use what gear I already have, including an old ADSL router that will be replaced when I upgrade to ADSL2+.

I'm just wondering if this temporary solution would deliver a reasonable speed between the three computers we currently intend to network.

Cheers

3D

thiggins
03-26-2009, 09:46 AM
This hack doesn't do anything to improve network speed. It only adds additional network Ethernet ports.

Adonsa
04-05-2009, 11:01 PM
Hi, first time posting to this excellent website.
Apologies for not being able to derive the answer from the above message thread.

I have a 4 port Motorola-Netopia Model 2246N-VGx DSL Ethernet Managed Switch.

I need to add a downstream Linksys wireless router; so far, attempts to configure the Linksys have failed.

The configuration of the Netopia 2246N-VGx is:

WAN:
IP Address 172.16.34.165
Default Gateway 172.16.34.166
Netmask 255.255.255.252
DHCP Client Off
DHCP Lease Expires N/A
NAT On
WAN Users Unlimited

LAN:
IP Address 192.168.1.254
Netmask 255.255.255.0
Ethernet Status Up
DHCP Server On
DHCP Leases 1 out of 253 leases in use

What should be the downstream Linksys router settings?

The Linksys documentation fails to adequately cover setting it up as a downstream.

Any advice will be much appreciated.

Thanks,
Jack

thiggins
04-06-2009, 10:12 AM
The Netopia's subnet is 172.16.34.X.

For Method 1, set the LAN IP of the Linksys to an unused IP address in that range and shut off its DHCP server.

Adonsa
04-06-2009, 09:22 PM
Hi thiggins, The Netopia's subnet is 172.16.34.X.
For Method 1, set the LAN IP of the Linksys to an unused IP address in that range and shut off its DHCP server.
Unsuccessful so far. I should mention the steps required by Linksys, and what I attempted (mostly defaults):

For convenience, I'll re-state the Netopia DSL Modem settings:
The configuration of the Netopia 2246N-VGx is:

WAN:
IP Address 172.16.34.165
Default Gateway 172.16.34.166
Netmask 255.255.255.252
DHCP Client Off
DHCP Lease Expires N/A
NAT On
WAN Users Unlimited

LAN:
IP Address 192.168.1.254
Netmask 255.255.255.0
Ethernet Status Up
DHCP Server On
DHCP Leases 1 out of 253 leases in use

The Linksys Downstream Router Config:

Under Basic Routing:
Automatic Config (instead of static IP)
Local IP Address: 192.168.1.1 (the Linksys default)
Subnet mask: 255.255.255.0 (default)
DHCP Server: Disabled

Under Advanced Routing
GATEWAY/ROUTER - I changed it to Router
RIP: Disabled
Route Name - I Left it blank
Destination LAN IP: 172.16.34.169 (as you suggested)
Subnet Mask: ___ ___ ___ ___
Default Gateway ___ ___ ___ ___
Interface: LAN & Wireless

DDNS: Disabled
MacAddress Clone: Disabled

Apparently, I'm screwing up the Advanced Routing settings; if you can suggest to me how to do this correctly, I'd much appreciate it.
Thanks much,
Jack

thiggins
04-07-2009, 09:10 AM
I am sorry, I got the Netopia subnet wrong. Its LAN subnet is 192.168.1.X.

Disable the DHCP server on the Linksys. Set its LAN IP address to an unused address in the 192.168.1.X range, perhaps 192.168.1.200.

Connect a cable between a LAN port on the Netopia and a LAN port on the Linksys. Make no connection to the WAN port on the Linksys.

Adonsa
04-07-2009, 11:23 PM
Wow, thiggins, it works great wired and wireless. I had to correct the DNS Server settings on the iPod Touch 'cause the Linksys didn't correctly write it to the iPod. No big deal there.

Many thanks for coaching me through this.

I'm new to this SmallNetBuilder website; I hope to contribute useful info from time to time. Great website.

Cheers,
Jack

imt
05-05-2009, 06:37 PM
I am trying to follow the steps but not having much success. I have an Actiontec router (Verizon Fios) for the upstream router.

LAN IP: 192.168.177.1

Downstream I have a Netgear FVS338
Wan IP: 192.168.177.2 (static)
Gateway: 192.168.177.1
Lan IP: 192.168.17.1

I currently have this double NAT'd and it has been fine for years, but I know there is a performance hit, so I obviously would like to remove the Netgear's double NAT. I have followed the instructions and went into WAN mode and changed to "classical mode" per the instructions from "NAT".

On the Actiontec I went into routing and added a route on the Home/office network (i.e. LAN of the Actiontec) for a destination of 192.168.17.0 and the gateway of 192.168.177.2 and the netmask as 255.255.255.0. Metric is set to #2.

I tried to ping from a computer on the 192.168.17 lan to the 192.168.177 lan and no reply. I tried it in reverse and the same.

I then tried to ensure that the firewall was open on the Netgear by putting in a rule to allow any service, Allow always, LAN users set to any and WAN users set to any. I would think this would allow all traffic to pass through. Not sure why this is not working.

I can ping from the Netgear router's diagnostics but not from the LAN. I assume then that the diagnostics is direct through the WAN port anyway. What am I doing wrong?

dreid
05-06-2009, 10:12 PM
It looks like your configuration is correct.

A couple suggestions:

1. Run a traceroute to a destination on the FVS LAN from the Actiontec LAN, make sure it is routing the ping to the FVS WAN interface.
2. Reboot the FVS and retry, that might clear the firewall.
3. Make sure the only rule on the inbound side is Any-Allow Always. Delete all other rules.
4. Disable all site blocking on the FVS.
5. Try creating a new inbound rule on the FVS with the Service = PING, Allow Always. See if that works.

Post your results, I'm curious to see how it goes.

Thanks.

imt
05-07-2009, 08:48 AM
It looks like your configuration is correct.

A couple suggestions:

1. Run a traceroute to a destination on the FVS LAN from the Actiontec LAN, make sure it is routing the ping to the FVS WAN interface.

I am not a networking guy so not exactly sure what you meant by running a traceroute. But I tried running "tracert" on my laptop that I connected to the Actiontec's LAN and tried to ping the LAN IP address "192.168.17.1".

The only response back is the lan IP of the actiontec at 192.168.177.1.

2. Reboot the FVS and retry, that might clear the firewall.
3. Make sure the only rule on the inbound side is Any-Allow Always. Delete all other rules.
4. Disable all site blocking on the FVS.
5. Try creating a new inbound rule on the FVS with the Service = PING, Allow Always. See if that works.

Post your results, I'm curious to see how it goes.

Thanks.

I tried steps 3-5 and still no change; I cannot ping either LAN from either side. Well, actually I don't think that statement is true. I was able to ping 192.168.177.1 from my computer on the 192.168.17.x LAN but could not ping any other machine on this LAN.

I think I stated above I cannot pull up a website or anything. The only other thing of interest is that I can type in the DDNS domain name address and I can pull up my Actiontec's router page from a computer on the 192.168.17.x network. But if I put 192.168.177.1 in the address bar, on a computer in the 192.168.17.x network, to bring up the Actiontec router's admin page I get nothing.

dreid
05-07-2009, 09:18 PM
Let's double check your static route. Attached is a screen shot from a Verizon Actiontec with your network parameters. Check to see if this matches your static route configuration.

When you run the tracert from a PC on the Actiontec LAN to an IP on the FVS LAN, your output will look like this when the static route is working: (Change the .5 to something that is live on your FVS LAN)

C:\Users\dreid>tracert 192.168.17.5

Tracing route to 192.168.17.5
over a maximum of 30 hops:

1 <1 ms <1 ms 1 ms 192.168.177.1
2 1 ms 1 ms 1 ms 192.168.177.2
3 1 ms 1 ms 1 ms 192.168.17.5

Trace complete.

If this doesn't work, make sure you can ping the WAN interface on the FVS from the Actiontec LAN. Enable "Respond to Ping on Internet Ports" in the Security-Rules menu. Let me know how it goes.
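Added example, not part of any post in this thread: a small Python model of the hop-by-hop forwarding behind the tracert output above, built from the addresses posted in the thread (Actiontec LAN 192.168.177.1, FVS WAN 192.168.177.2, FVS LAN 192.168.17.1). The device names, the `isp-gateway` placeholder and the host 192.168.177.10 are constructed; it shows the path with and without the static route, and the return path.

```python
import ipaddress

ISP_GATEWAY = "isp-gateway"  # placeholder label; the thread gives no ISP address

def build_network(static_route=True):
    """Routing tables as (prefix, next_hop); next_hop None = directly connected."""
    actiontec = [("192.168.177.0/24", None), ("0.0.0.0/0", ISP_GATEWAY)]
    if static_route:
        # The route imt added: FVS LAN reachable via the FVS WAN port.
        actiontec.append(("192.168.17.0/24", "192.168.177.2"))
    tables = {
        "pc": [("192.168.177.0/24", None), ("0.0.0.0/0", "192.168.177.1")],
        "actiontec": actiontec,
        "fvs": [("192.168.177.0/24", None), ("192.168.17.0/24", None),
                ("0.0.0.0/0", "192.168.177.1")],
        "fvs_host": [("192.168.17.0/24", None), ("0.0.0.0/0", "192.168.17.1")],
    }
    # Which modelled device answers at each router interface address.
    owner = {"192.168.177.1": "actiontec", "192.168.177.2": "fvs",
             "192.168.17.1": "fvs"}
    return tables, owner

def lookup(table, dst):
    """Longest-prefix match; returns the next hop (None if on-link)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, next_hop in table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]

def trace(tables, owner, start, dst, max_hops=30):
    """Follow next hops from device `start`; returns the hop list tracert shows."""
    hops, device = [], start
    for _ in range(max_hops):
        next_hop = lookup(tables[device], dst)
        if next_hop is None:          # destination is on a connected network
            hops.append(dst)
            return hops
        hops.append(next_hop)
        if next_hop not in owner:     # packet left the modelled network
            return hops
        device = owner[next_hop]
    return hops

if __name__ == "__main__":
    for flag in (True, False):
        tables, owner = build_network(static_route=flag)
        print(f"static_route={flag}:", trace(tables, owner, "pc", "192.168.17.5"))
    tables, owner = build_network()
    print("return path:", trace(tables, owner, "fvs_host", "192.168.177.10"))
```

With the static route present the hops match the expected tracert; without it the Actiontec hands the packet to its default route and it never reaches the FVS. A correct path in this model only rules out routing, so remaining failures point at firewall rules or VPN policy on the FVS.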

imt
05-08-2009, 10:01 AM
Ok I checked the settings and everything matched. I then made sure the option to respond to ping was checked on the fvs338.

I have my box to box vpn established and thought that this could be the issue so I deactivated the policy so the vpn was off.

I was able to ping from the Actiontec to the LAN IP on the FVS as well as most computers on the 192.168.17.x network. I was not able to remote desktop though to my VM (virtual machine running on my Mac) of Windows XP, which I can do from my office via the VPN (I will check this today when I go to work shortly to make sure I can in fact connect).

As far as reverse pinging from the 192.168.17.x LAN to the 192.168.177.x LAN, this was not working. I was getting no response. Even though the router says to allow all outgoing I decided to create a rule to allow all services and voila, I can ping computers, set-top boxes etc. on the 192.168.177.x network.

I then tried to remote desktop from the VM of XP to my laptop and that did not work either. I then thought that the issue could be a really slow wireless connection off the Actiontec to my laptop so I plugged in direct. However, I was not even able to ping this computer from the 192.168.17.x network. This was very strange. I had an IP address of 192.168.177.5 but no luck. If I try and ping I get no reply. But I can ping in reverse though. Strange?

I have attached pics of my settings so you can see.

Not sure why I cannot remote desktop though. I also need to try and see if I can connect from the .177.x network to my nas on the 17.x network. I will try this later.

Now for the bad part. I then reactivated the VPN on the fvs338 and tried pinging again from the 192.168.177.x network and no response from any computer. Not even from 192.168.17.1 (Lan IP of the netgear). I need the VPN for a fvs338 - fvs338 box to box connection.

Should the VPN affect anything? Is there a way to make this work with VPN activated? If not I am back to square 1 :(.

ADDED WHEN EDITING POST:

OK well I am at my office and connected home via the VPN and I can remote desktop to the VM of XP just fine.

Then as I was driving to work I had another thought. I did disable the VPN, as noted above, and then was able to basically ping both ways. But that was about it. I still could not pull up a web site via the browser on a computer in the 192.168.17.x LAN. Why? I could not remote desktop either, why?

What else am I missing? As you can see from the attachments, I have opened the firewall of the FVS338 to all services both ways. Is there something not configured correctly on the Actiontec?

dreid
05-11-2009, 08:08 AM
Thanks for all the detail. I can see you've put quite a bit of work into this.

It appears you're making progress.

The surfing problem on the FVS LAN is likely due to the need for a DNS address in your FVS DHCP configuration. Put 192.168.177.1 as a DNS IP in the DHCP configuration on the FVS.

Let's see what that does.

imt
05-11-2009, 06:41 PM
I added the 192.168.177.1 to the LAN of the FVS338 DHCP and it made no difference.

dreid
05-11-2009, 09:19 PM
Man, this one is tricky. I like all your configurations, they look correct. I'm using similar configurations on a Netgear FVS336G on my LAN. I'm not using an Actiontec as the head router, but all that router has to do is have a working static route.

I noticed you have a WINS Server IP assigned on the FVS. What happens if you delete that setting?

Let's also enable logging and see what that tells us. On your Inbound service configuration on the FVS, set Log to Always. Run some pings to generate log messages. To see log output, click Monitoring-Firewall Logs&Email - View Logs.

Another thing would be to disable and re-enable your inbound rule on the FVS. Sometimes resetting these things does the trick.

thiggins
05-12-2009, 09:08 AM
Guys. This is a lot of work to just add a few switch ports, isn't it?
Why not use method 1 or just a switch?

imt
05-12-2009, 10:54 AM
Guys. This is a lot of work to just add a few switch ports, isn't it?
Why not use method 1 or just a switch?

Well this brings up the next question I was going to post.

I am not using this strictly for additional ports. I am running a box to box VPN connection to another Netgear FVS338 in my office. I use the VPN connection to do an offsite backup each night. I also like the ability to access my home NAS when I am at the office if I need anything. I am running a hub and spoke configuration and can access my parents' house via the VPN in case they have any issues and then I can remote desktop in.

In a perfect world I would just use the FVS338 as my router and then a gigabit switch behind that for my home LAN. However, this is not an option with Verizon Fios. If you have the TV service, you must use their router. Not going to go into the full details of why.

So I have been running my FVS338 behind the Verizon Fios Actiontec router for over 2 years. But in this config, I am double NAT'd since I am running NAT on the FVS and of course the Actiontec. I originally had the FVS338 behind the Actiontec in the Actiontec's DMZ. Since I was playing around with this config, I have moved it out of the DMZ. The VPN works fine since the Actiontec has VPN passthrough. Running the FVS338 in classical mode eliminates the double NAT, thus my reason for doing step 2.

All of my testing has been with the vpn turned off since the vpn connection causes issues. I was trying to get this to work without the vpn and then once that was accomplished I would figure out how to keep this working with the vpn turned on.

I will try turning off the wins and see if that helps. Could be that the actiontec is blocking something as well. It seems that when I try to pull up a website it is sort of searching and doesn't time out right away, like if I force the 192.168.177.1 into the DNS for the lan settings on the fvs.

This brings me to ask if there is another way to accomplish my goal. Is there a way to run a vpn connection (that is constantly on) and avoid the whole double nat issue, either with the fvs338 or another device/method? The vpn is what I really need. I don't have to use the netgear. I just want to have one instance of nat running and a dedicated vpn connection to my office. Not sure how to accomplish this goal.

dreid
05-13-2009, 10:21 AM
A way to accomplish your goal is to get a second public IP address from Verizon.

You could then run the WAN Ethernet cable from the ONT into a small switch, and then feed the Actiontec WAN and FVS WAN ports from the switch.

Both routers will then have public IP addresses and run independently, eliminating the double NAT and ensuring the VPN works.

imt
05-13-2009, 11:37 AM
I am on the residential service. Thus one dynamic IP only. In order to get a secondary IP, I would have to also sign up for business service. Not looking to spend that kind of $$.

Spikehead42
06-12-2009, 03:32 AM
Please pardon my lack of expertise, but I followed these instructions and everything worked perfectly - I was able to change my Wireless router into a downstream switcher / hub / access point (whichever terminology is right). But... now I want to put it back, and I can't for the life of me figure out how to re-login to my Wireless router (a Netgear WNR2000) via a web browser. I even did a factory reset (which hopefully didn't screw things up more), but even with a 192.168.1.1 basic browser login, I get nothing, on either a Mac or a PC (I tried both), on Safari or Firefox.

Did I hose myself here? Or should I be able to log back in and set things back to make my now Access point / switcher / hub back to being a regular old Wireless router? (the one I was using upstream is no longer even being used).

Any help would be *huge*ly appreciated.


D.

05UFCaptain
07-29-2009, 02:00 PM
Please pardon my lack of expertise, but I followed these instructions and everything worked perfectly - I was able to change my Wireless router into a downstream switcher / hub / access point (whichever terminology is right). But... now I want to put it back, and I can't for the life of me figure out how to re-login to my Wireless router (a Netgear WNR2000) via a web browser. I even did a factory reset (which hopefully didn't screw things up more), but even with a 192.168.1.1 basic browser login, I get nothing, on either a Mac or a PC (I tried both), on Safari or Firefox.

Did I hose myself here? Or should I be able to log back in and set things back to make my now Access point / switcher / hub back to being a regular old Wireless router? (the one I was using upstream is no longer even being used).

Any help would be *huge*ly appreciated.


D.

If you followed the tutorial the way I understand it, you would have changed the IP of the downstream router (AP). To log in to that particular router, you would need to use that modified IP address. After you're logged in, you should be able to do a factory restore (resetting the IP) at which point you would be able to use your original login. Hope this was your problem. GL.
Nick

05UFCaptain
07-29-2009, 02:31 PM
The value of this solution is two-fold. You have gained an extra port over Method One. And by routing between the upstream and downstream LANs, you've effectively created a broadcast separation between the two networks, which can improve overall network performance in a busy LAN.

While I don't foresee needing the additional LAN port, I would like to know if the improved performance of Method 2 would be negated by the 100Mbps WAN connection on the DGL-4300. It would seem to me that the gigabit LAN connections on the DGL-4300 would produce faster data transfers than the increased overhead from a busy LAN setup according to Method 1 would induce on the DIR-655. I would do some test runs myself, but I have so far been unsuccessful at bridging via Method 2.

Step 4: [Wireless routers only] Disable the downstream router's wireless function. It doesn't hurt to unscrew the antennas from the downstream router as well if they are detachable. This gets them out of the way since you aren't using them anymore. Figure 5 shows the wireless disabled for a D-Link DGL-4300.

In How To Add an Access Point to a Wireless Router (http://www.smallnetbuilder.com/content/view/30355/228/), the downstream router (AP) wireless radio was left on. In my attempts to bridge the DGL-4300, the clients on the DGL-4300 could obtain an IP from the DIR-655 when wired but not when connected via wifi. If anyone has any ideas, please feel free to comment or PM me. TIA.
Nick