No Internet Access with Second Router/Subnet

Hi, guys. I'm not the best at networking and I'm totally stuck at this point. I'm trying to set up a home lab with a second subnet and it absolutely can't get to the internet. Here is my setup:

modem ---->  DLINK ROUTER 1(lan ip =  -----> (wan ip = DD-WRT ROUTER (lan ip =

Here are the routes tables for each one:
                                   Destination IP       Netmask               Gateway       Metric       Interface       Type       
 DLINK ROUTER 1:      1      LAN                      STATIC      
 DD-WRT ROUTER:           1      LAN                 STATIC

Now, there are some more settings on the DD-WRT router that might be of interest:

Wan connection type: Static
Wan IP Gateway:  (this is for the wan ip)

Router IP Gateway: (this is for the local ip)

Operating Mode: Router

I will tell you that I can ping any host from any other host on any network.  So, routing WITHIN the house seems fine.  However, only the first router can get to the internet.  The second one can't even ping or any DNS server on the internet properly.  It times out.  I swear that it gets ip addresses from DNS, though.  I can see it with Wireshark, but can do the test again if you guys think that doesn't make sense.  Please let me know how to proceed and I will do whatever tests you want, thanks.
Thomas Struss Asked:

John, Business Consultant (Owner), Commented:
modem ---->  DLINK ROUTER 1(lan ip =  -----> (wan ip = DD-WRT

It would appear you are hooking up the WAN port of the DD-WRT to your network. Hook up a LAN port instead.

Give the DD-WRT a static IP on your network (192.168.1.x) and turn DHCP OFF on the DD-WRT. Now the wireless device will be a transparent extension of your network. I do this and it works great.
David Johnson, CD, MVP, Owner, Commented:
don't have 2 gateways on 1 machine/vm i.e.

cloud - cable modem ( -> Dlink -> -  DDWRT  network drawing
Skyler Kincaid, Network/Systems Engineer, Commented:
To keep things simple you need to leave your "house" router the way it is and then just run a cable from the LAN of your router to the WAN port on your "lab" router. This will allow your "lab" router to get a DHCP address on the LAN of your "house" router but will still keep LAN traffic from your lab separate from your house.

You are trying to do what is normally achieved with VLANs but that would require a managed switch and a firewall.

Keep it simple.

Fred Marshall, Principal, Commented:
Here is a diagram.  There should be no need to add routes to either of the routers if you don't expect to "see" computers from one subnet to the other.  You may still Here is a diagram for doing this:

You may see computers in the upper subnets (i.e. closer to the modem) from the lower ones.

Packets going anywhere from a lower subnet will get to the WAN interface of the local router and then to the next LAN's gateway, etc.

I think it's already been mentioned that this:           1      LAN                 STATIC
isn't right.
It should be:      1      WAN                 STATIC

But adding this route shouldn't be necessary as it will be included in:   WAN
Thomas Struss, Author, Commented:
Wow, I'm very impressed with the responses here--especially considering that it hasn't even been a whole day since I posted.  

David and John, thanks for responding.  However, I do need a solution that will separate my normal house traffic, which is used by three other people, from my lab which has a 2012 server, Centos server, Cisco routers, etc.  

xKinkaidx and Fred, thanks for responding, too.  I tried your ideas and some others, and it actually helped me figure out the problem, I think:  the second subnet is not being natted by the first router.  I come to this conclusion because when messing around, I turned the second one into a gateway, and it worked fine.  However, I do need (I think) the second one to be a router mode router because I want VPN traffic to hit it.  Is that right?  Anyways, I'm gonna try to switch the two routers and see if the DD-WRT router can nat the second subnet.  Any other ideas are welcome!
Fred Marshall, Principal, Commented:
Not all VPNs can traverse multiple NATs on both ends.  But it may work for you.

I don't understand "the second subnet is not being natted by the first router".
If you have two NATting routers in cascade, i.e. LAN1 to WAN2, then:

- packets leaving LAN1 will get NATted in Router1 going out and receive a public ip address with a port extension for the computer LAN IP and the computer's application.
- return packets will use the public IP address and the port extensions so Router1 will know where to send the packets on the LAN: IP address and port.

- packets leaving LAN2 will get NATted in Router2 going out onto LAN1.  Then apply the first rule above as they traverse Router 1.  They will receive a public ip address with a port extension.
- return packets will use the public IP address and the port extensions so Router1 will know where to send the packets on the LAN - which will be the WAN of Router2.  Then Router2 will deal with NATting onto LAN2 in order to hit the right IP address and port.

In the diagrams I sent you, the Routers are both in Gateway or NATting mode.
Thomas Struss, Author, Commented:
Hi, Fred.  I see where you're going with the diagram.  Like I said, I don't want to go that two gateway route due to the VPN.  So, I need two things: 1) a router that can provide nat to multiple subnets as a gateway; 2) a router to use as an AP, and a second subnet, which can be set to routing mode.  My Dir-655 is simply not up to either challenge.  I ordered an E1200 used which I will put DD-WRT on.  I will keep all you guys said in mind and report back with the results in a few days.  Thanks.
Fred Marshall, Principal, Commented:
Have you considered changing the order of subnets from top to bottom in the cascaded stack?  Then the VPN connection could be at the top.
You may still need to turn off NAT in the modem or at least pass through the VPN ports as necessary.  That's pretty typical.

If you put the two routers in parallel / on the same WAN subnet then you would do the same.
Without 2 public IP addresses you'd still need NAT in the modem.
It sounds like you'll have enough routers to do it this way.
Thomas Struss, Author, Commented:
Ya Fred, I actually did switch the VPN to the network.  Thanks for that.  I get my new router today or tomorrow so I will let you know how it goes.  Thanks.
Thomas Struss, Author, Commented:
OK, thanks to DD-WRT and your help it works!  Here are my settings:

OVERVIEW:    Modem ---->      Router 1 ---->                         Router2  
Router mode:                            Gateway                                Router
Wan IP Config:                           DHCP                                     Static
Wan IP:                                       76.x.x.x                        
Gateway (wan):                          76.x.x.1                       
Lan IP :                                               
Gateway (lan):                                               

Static routes for Router 1:   Metric = 1   Destination =   Subnet Mask:   Gateway =

Static routes for Router 2:  None

Router 1 Model and Firmware: Linksys E1200 with v24-sp2-Big DDWRT firmware
Router 2 Model and Firmware: Linksys E1200 with v24-sp2-Mini DDWRT firmware      

Firewall commands for Router 1:  iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
Firewall commands for Router 2:  iptables -I FORWARD -j ACCEPT

It turns out that you need DDWRT on BOTH of them to do what I wanted, which is why some people posting said it couldn't work.  That would be 100% true with a typical SOHO router setup.  The VPN is now on the first router, which makes it easier to access.  This setup allows me to have a lab setup in the 192.168.2.x range that is separate from the 192.168.1.x range, a setup that is not double-natted and yet can get to the internet.  Thanks to all who responded.
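A small model of the diagnosis in the post above, added here as an example and not part of the original thread: it shows why a lab host stays offline when Router 1 translates only its own LAN, and why both the source-agnostic SNAT rule and the static route to the lab subnet are needed. The WAN address, Router 2's address 192.168.1.2, the /24 masks, and the idea that stock firmware matches only its own LAN subnet are assumptions made for illustration.

```python
import ipaddress as ip

# Constructed addressing: the page gives only 192.168.1.x (house) and
# 192.168.2.x (lab); the WAN and Router 2 addresses are assumed placeholders.
HOUSE = ip.ip_network("192.168.1.0/24")
LAB = ip.ip_network("192.168.2.0/24")
WAN_IP = ip.ip_address("203.0.113.10")
ROUTER2_WAN = "192.168.1.2"
RFC1918 = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def router1_egress(src, nat_sources):
    """Source address a packet carries after Router 1's POSTROUTING on the WAN.

    nat_sources lists the networks the NAT rule matches; None means no source
    match at all, like `-o <wan> -j SNAT --to <wan ip>` in the post above.
    """
    src = ip.ip_address(src)
    if nat_sources is None or any(src in net for net in nat_sources):
        return WAN_IP
    return src  # forwarded, but still carrying its private source


def router1_next_hop(dst, static_routes):
    """Longest-prefix match for a reply after Router 1 has reversed the NAT."""
    dst = ip.ip_address(dst)
    routes = [(HOUSE, "connected LAN")] + list(static_routes)
    hits = [(net, via) for net, via in routes if dst in net]
    if not hits:
        return "default route (WAN)"
    return max(hits, key=lambda hit: hit[0].prefixlen)[1]


def lab_host_online(nat_sources, static_routes, host="192.168.2.50"):
    """True when the request leaves with a public source and the reply
    is handed to Router 2 rather than sent back out the WAN."""
    egress = router1_egress(host, nat_sources)
    leaves_public = not any(egress in net for net in RFC1918)
    return leaves_public and router1_next_hop(host, static_routes) == ROUTER2_WAN


if __name__ == "__main__":
    lab_route = [(LAB, ROUTER2_WAN)]
    print("NAT limited to own LAN :", lab_host_online([HOUSE], lab_route))
    print("SNAT all, no lab route :", lab_host_online(None, []))
    print("SNAT all + lab route   :", lab_host_online(None, lab_route))
```

The Router 2 rule `iptables -I FORWARD -j ACCEPT` is inserted at the top of the FORWARD chain and accepts all forwarded traffic in both directions, so in this layout the two subnets are separated by addressing only, not by filtering.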

Thomas Struss, Author, Commented:
My reason is that none of the other commenters accepted my parameters for the desired network solution: they told me that it couldn't be done  the way I wanted it done.  That's why I had to get DDWRT and figure much of it out on my own.
Fred Marshall, Principal, Commented:
Thanks for the points!
Really, I see no reason why DD-WRT would be necessary to make any of this work.  It's a common setup.
Thomas Struss, Author, Commented:
Fred, I don't know what fancy routers you have lol, but my crummy Dir-655 and stock e1200 could not NAT the second subnet to the internet.  Maybe that's uncommon, I don't know.  However, I knew DDWRT could do it so I went with that since I had the e1200 sitting around anyways.
Fred Marshall, Principal, Commented:
Thomas.  Understood.  Thanks.