Trying to understand why I cannot reach other LAN devices on an ISP modem. WiFi is off. I'm using two of the 4 LAN ports on the back.

I have one ISP modem at 192.168.1.1 (LAN), WAN is not relevant, as it is the public IP, let's say 1.2.3.4. Already triple checked there is no option for client isolation or the likes for the LAN side (at least visible on the UI). It's set up to offer DHCP from .2 to .200

Then on one LAN port I have a device at 192.168.1.101/24 (it should accept connections from all interfaces on port 22; I tested moving it to a proper router using the same DHCP IPs).

I plugged another device into another LAN port of the ISP modem and it got 192.168.1.2/24.

It's a Linux device with NetworkManager handling DHCP.

It gets the following address and route:

$ ip a
2: enp3s0f4u1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether b6:c3:97:fe:2e:fb brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global dynamic noprefixroute enp3s0f4u1
       valid_lft 258516sec preferred_lft 258516sec
    inet6 fe80::b4c3:97ff:fefe:2efb/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever
$ ip r
default via 192.168.1.1 dev enp3s0f4u1 proto dhcp src 192.168.1.2 metric 100
192.168.1.0/24 dev enp3s0f4u1 proto kernel scope link src 192.168.1.2 metric 100

1.2.3.4 -wan- [modem] -lan- 192.168.1.1
                             |-port1->192.168.1.2
                             `-port2->192.168.1.101

But it cannot reach that other device. The trace is weird, as it does not look like it even reaches the ISP modem/router. But maybe I'm just clueless about the output here:

 $ tracepath -n 192.168.1.101
 1?: [LOCALHOST]                      pmtu 1500
 1:  192.168.1.2                                         3030.125ms !H
     Resume: pmtu 1500

Compared to the trace to the router itself:

 $ tracepath -n4  192.168.1.1
 1?: [LOCALHOST]                      pmtu 1500
 1:  192.168.1.1                                           1.089ms reached
 1:  192.168.1.1                                           0.857ms reached
     Resume: pmtu 1500 hops 1 back 1

The router has an option to set up port forwards. I set them up: (wan)*:22->(lan)192.168.1.101:22 (plus the ICMP ping stuff). I can connect and ping from outside to 192.168.1.101 (through the external IP) fine.

outside4Gnetwork$ ssh 1.2.3.4
root@192.168.1.101 $ ...

But the port mapper is only on the WAN interface; from the LAN it doesn't work:

192.168.1.2$ ssh 1.2.3.4
(times out) (expected, as mentioned in one comment, this would be hairpin/NAT loopback)

192.168.1.2$ ssh 192.196.1.1 (connection refused) (again, expected there's no mapping from the lan side, nor ssh server on the ISP modem)

192.168.1.2$ ssh 1.2.3.4 -J external.server.example.com
root@192.168.1.101$ ... (works, since it goes via an external jumphost and back into the WAN)

It is a Sagemcom Fast 5657 device and there are no firewall or routing settings in the UI.

So, what I'm trying to understand is why the devices are isolated on the wired LAN side. Why can't 192.168.1.2 and 192.168.1.101 talk to each other?

jcaron
gcb
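A check worth running on 192.168.1.2 before blaming the modem: an `!H` reported by tracepath at the local host's own address usually means the kernel could not resolve the neighbour's MAC address, so the packet never left the interface. The following script is an added example, not part of the question or answers; it classifies `ip -4 neigh show` output for a given peer (the embedded output is constructed to match the question's subnet, and the `diagnose` verdicts are my own naming).

```shell
#!/bin/sh
# Classify neighbour (ARP) entries from `ip -4 neigh show` output.
# A FAILED/INCOMPLETE entry for the peer explains a local "!H" in tracepath:
# the host never got an ARP reply, so the frame was dropped before reaching the modem.

# Constructed sample output modelled on the question's subnet (not a real capture).
SAMPLE_NEIGH='192.168.1.1 dev enp3s0f4u1 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.101 dev enp3s0f4u1 FAILED
192.168.1.50 dev enp3s0f4u1 lladdr 66:77:88:99:aa:bb STALE'

# neigh_state <ip> <neigh output>: prints the NUD state (REACHABLE, FAILED, ...) or MISSING
neigh_state() {
    ip="$1"
    out="$2"
    line=$(printf '%s\n' "$out" | awk -v ip="$ip" '$1 == ip { print; exit }')
    if [ -z "$line" ]; then
        echo MISSING
        return 0
    fi
    # the NUD state is always the last field of an `ip neigh` line
    printf '%s\n' "$line" | awk '{ print $NF }'
}

# diagnose <ip> <neigh output>: one-word verdict (hypothetical names) usable in scripts
diagnose() {
    state=$(neigh_state "$1" "$2")
    case "$state" in
        REACHABLE|STALE|DELAY|PROBE|PERMANENT) echo "l2-ok" ;;         # MAC known, L2 path exists
        FAILED|INCOMPLETE)                    echo "arp-unresolved" ;; # no ARP reply from peer
        MISSING)                              echo "never-tried" ;;    # no traffic attempted yet
        *)                                    echo "unknown:$state" ;;
    esac
}

# Live usage on the affected host: diagnose 192.168.1.101 "$(ip -4 neigh show dev enp3s0f4u1)"
diagnose 192.168.1.101 "$SAMPLE_NEIGH"
```

An `arp-unresolved` verdict while the gateway shows `l2-ok` points at the modem not forwarding frames between its LAN ports (or the peer not answering ARP), which is exactly the case DavidT's switch test separates.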

3 Answers

> then on one port I have a device 192.168.1.101

That looks like manual configuration. Make sure you don't forget:

  • the same subnet mask as the rest: 255.255.255.0 or /24
  • default gateway: 192.168.1.1
  • DNS server: 192.168.1.1 (or whatever the others are using)
Zac67


You need to localize/isolate the problem.

The simplest way to do that is to buy/borrow a simple switch and connect all your devices to that (the LAN side of the router and both your hosts). One of two things will happen:

It Starts Working

In which case you know it is a problem with the router, and you can either invest more time trying to figure out what the heck is up with the router or just live with having an extra switch.

It Still Doesn't Work

In which case you know it's not the router, since it's not involved. In such cases you need to enumerate other possibilities:

  • Bad piece of wire.
  • Bad hardware on the hosts.
  • Something wrong with the network config on the hosts.
  • Security/firewalling on the hosts.
  • ...
DavidT


Router firewall.

There are two ways in which this one can be in your way. First, it might not allow anyone to talk to anyone on your network. This is a common setting for guest WiFi points, and I've seen it in other places.

Second, you mention changing your DHCP range. Some routers have a "group" of IP addresses called "lan", and will only allow communication within that group. Basically it's then re-using that group for both the DHCP server and the firewall.

I see that you have turned off the firewall temporarily for testing, but with consumer grade equipment you can't always know what that means. Does it keep failing if you renew the IP for your .101, which should then get .3?