I have this situation:
LAN1 (10.0.0.x)
Subnet 255.255.255.0
Gateway 10.0.0.1
Gateway "WAN" 192.168.1.210
LAN2 (10.0.1.x)
Subnet 255.255.255.0
Gateway 10.0.1.1
Gateway "WAN" 192.168.1.211
By "Gateway WAN" I mean the interface facing the 192.168.1.x subnet (which is the network of the modem/router I received from the ISP, and the one that lets the computers go on the internet).
To give context to what I will say in the next lines, I will be calling the gateway on LAN1 RV110W because it is the Cisco model, and the gateway on LAN2 LinuxBox.
I have made all my tests with the firewall of the RV110W disabled so I can focus on getting the LinuxBox iptables right.
Right now my configuration on the LinuxBox looks like this:
/etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.1.211
    netmask 255.255.255.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
    hostname alpine-router

auto eth1
iface eth1 inet manual

auto eth2
iface eth2 inet manual

auto eth3
iface eth3 inet manual

auto br0
iface br0 inet static
    bridge_ports eth1 eth2 eth3
    address 10.0.1.1
    netmask 255.255.255.0
    broadcast 10.0.1.255
    up ip route add 10.0.0.0/24 via 192.168.1.210
iptables
#########################################################################
# Basic iptables IPv4 routing rule set
#
# 10.0.1.0/24 routed directly to ETH0 via NAT
#
#########################################################################
#
#Mangle Table
#We leave this empty for the moment.
#
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
#
#Filter Table
#This is where we decide to ACCEPT, DROP or REJECT things
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
#Create rule chain per input interface for forwarding packets
:FWD_ETH0 - [0:0]
:FWD_BR0 - [0:0]
#Create rule chain per input interface for input packets (for host itself)
:IN_ETH0 - [0:0]
:IN_BR0 - [0:0]
#Create a log drop chain
:LOG_DROP - [0:0]
#Pass input packet to corresponding rule chain
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j IN_ETH0
-A INPUT -i br0 -j IN_BR0
#Pass forwarded packet to corresponding rule chain
-A FORWARD -i eth0 -j FWD_ETH0
-A FORWARD -i br0 -j FWD_BR0
#Forward LAN traffic out
-A FWD_BR0 -s 10.0.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#Forward traffic to ISP
-A FWD_ETH0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#SSH to router
-A IN_BR0 -s 10.0.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#DNS to router
-A IN_BR0 -s 10.0.1.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#NTP to router
-A IN_BR0 -s 10.0.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#WEBMIN to router
-A IN_BR0 -s 10.0.1.0/24 -p tcp -m tcp --dport 21000 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#Accept traffic
-A IN_BR0 -s 10.0.1.0/24 -p udp -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#Accept incoming tracked ETH0 connection
-A IN_ETH0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
#
#NAT Table
#This is where translation of packets happens and "forwarding" of ports
# to specific hosts.
#
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
#Allow hosts of the network to use the ETH0 "WAN"
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
COMMIT
Static routes
Kernel IP routing table
Destination     Gateway          Genmask          Flags Metric Ref    Use Iface
default         internetbox.hom  0.0.0.0          UG    0      0        0 eth0
10.0.0.0        bedroom-router.  255.255.255.0    UG    0      0        0 eth0
10.0.1.0        *                255.255.255.0    U     0      0        0 br0
192.168.1.0     *                255.255.255.0    U     0      0        0 eth0
internetbox.hom refers to the ISP router and bedroom-router. refers to the RV110W.
To clarify, the iptables rules are reported here without any of the changes I have tried, just to give you the starting point.
Of course the RV110W also has a static route where all the traffic with destination 10.0.1.0 goes to 192.168.1.211 (LinuxBox).
Now, before I start telling what I have tried so far, I want to clarify what I have in mind and what my goals are. I basically need to access all of LAN2 from LAN1.
What should I access? Everything (LAN2 is supposed to be a laboratory where I can do any sort of IT stuff), and by everything I mean any TCP/UDP port on any device.
So far the most interesting and useful things I found are these:
from serverfault (allow-traffic-to-from-specific-ip-with-iptables)
I came up with some rules I need to put in the iptables, but those aren't new to me as I already tried to implement them:
-I INPUT -p tcp -s 10.0.0.0 -d 10.0.1.0 -m tcp -j ACCEPT
-I INPUT -p udp -s 10.0.0.0 -d 10.0.1.0 -m udp -j ACCEPT
and also the corresponding OUTPUT rules, even though outbound traffic is allowed by default. I also tried to remove the destination part on the INPUT ones and the source part on the OUTPUT ones, but still no luck.
I also considered the possibility that the source is the "WAN" IP of the RV110W, but so far I found only people using the remote LAN network as source.
I'm thinking there's something I should do in the NAT section because it may need to process the incoming requests, but I didn't find anything about it.
I've tried many times to search on the internet, to look in the iptables manual and any other means in my possession, but I can't find any answer, and restricting the search field would be great.
I may be missing a banality here, and it may be caused by the lack of technical English words at my disposal, which is also a reason why I am trying to ask here.
I'm also aware that ping might not work with my iptables, so I also tried to open an RDP session and an SSH one, of course without luck. The problem is that, although ping into LAN2 is blocked, pinging LAN1 from LAN2 is also timing out, and this suggests to me that the ping could be arriving at the destination but not returning back.
I tried to be as exhaustive as I can to let you understand my situation, but if I missed something I apologize in advance.
In the end I am really out of ideas and any help, small or big, is much appreciated.
PS: I also thought of implementing a Site-to-Site IPSec VPN, natively supported by the RV110W and with strongSwan on the LinuxBox, but in the end the problem is still around routing and potentially iptables.
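Added example, not part of the question above: a small Python model of the FORWARD path from the posted ruleset (interface, source network and conntrack state only), showing why a new connection from LAN1 arriving on eth0 falls through to the DROP policy, and that one extra rule in FWD_ETH0 (not in INPUT, which routed packets never traverse) fixes it. The sample packets, including the 203.0.113.9 address, are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Packet:
    in_iface: str
    src: str
    state: str          # conntrack state: NEW, ESTABLISHED or RELATED

@dataclass
class Rule:
    target: str                       # ACCEPT, DROP or a user-defined chain
    in_iface: Optional[str] = None    # -i
    src: Optional[str] = None         # -s (CIDR)
    states: Tuple[str, ...] = ()      # --ctstate list

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.in_iface and rule.in_iface != pkt.in_iface:
        return False
    if rule.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    return not rule.states or pkt.state in rule.states

def walk(chains: dict, name: str, pkt: Packet) -> Optional[str]:
    """First terminating verdict in a chain; None means the chain RETURNed."""
    for rule in chains[name]:
        if matches(rule, pkt):
            if rule.target in chains:            # jump into a user chain
                sub = walk(chains, rule.target, pkt)
                if sub:
                    return sub                   # terminating verdict found
            else:
                return rule.target
    return None                                  # fall back to the caller

def forward_verdict(chains: dict, pkt: Packet) -> str:
    # The FORWARD policy in the posted ruleset is DROP.
    return walk(chains, "FORWARD", pkt) or "DROP"

# Transcription of the FORWARD path as posted.
ORIGINAL = {
    "FORWARD": [Rule("FWD_ETH0", in_iface="eth0"), Rule("FWD_BR0", in_iface="br0")],
    "FWD_BR0": [Rule("ACCEPT", src="10.0.1.0/24", states=("NEW", "ESTABLISHED"))],
    "FWD_ETH0": [Rule("ACCEPT", states=("RELATED", "ESTABLISHED"))],
}
# Same ruleset plus one rule letting LAN1 open new connections into LAN2.
FIXED = {**ORIGINAL, "FWD_ETH0": ORIGINAL["FWD_ETH0"] + [
    Rule("ACCEPT", src="10.0.0.0/24", states=("NEW", "ESTABLISHED"))]}

LAN1_TO_LAN2 = Packet("eth0", "10.0.0.20", "NEW")       # constructed: first SYN from LAN1
LAN2_REPLY = Packet("br0", "10.0.1.20", "ESTABLISHED")   # constructed: reply from lab host
INTERNET_NEW = Packet("eth0", "203.0.113.9", "NEW")      # constructed: unsolicited outside
```

The added rule corresponds to `-A FWD_ETH0 -s 10.0.0.0/24 -d 10.0.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT`; unsolicited packets from outside still fall through to DROP. Note that the existing MASQUERADE rule also rewrites LAN2 sources to 192.168.1.211 on the way to LAN1, so an exception for `-d 10.0.0.0/24` before it keeps the real 10.0.1.x addresses visible on LAN1.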