My initial goal was to have a separate subnet for the three laptops, which is what I have got now. However, my intention is to communicate (mainly via SSH) from a Linux client that is connected to Google Wi-Fi with the Linux laptop 1 that is connected to ER-X. So, basically across IPs existing in different subnets.
-- From the chat discussion
There are three general approaches you can use to enable such a setup:
Set up static routes from the "main" router such that the second subnet is routed towards the Ubiquiti ER-X gateway. You'll also need to turn off the firewall between WAN and LAN on the ER-X. Unfortunately, Google Wi-Fi does not appear to support this.
Set up port-forwarding on the Ubiquiti router for every port you want to access. e.g. you might map <ubiquiti-wan-ip>:22222 to <laptop-ip>:22. You would need to add a new mapping for every individual internal IP and service you use, which becomes tedious to maintain.
Use the Ubiquiti router as your primary router. I will be exploring this approach in further detail, as it does appear to be the cleanest option in this scenario.
Just a comment on the Google Wi-Fi equipment. It's good hardware and software, but it's very opinionated. Basically, to use its more advanced features, you must do things their way. Unfortunately, their way is designed around simple network setups, and falls apart when you try to use even slightly more esoteric configurations like yours.
Configuring the Ubiquiti router as your primary router
I will try to explain what these steps do, so it might be beneficial to read through the whole thing first so you can figure out if you want to adjust anything before actually configuring anything.
I would recommend updating the Ubiquiti firmware first. The WAN+2LAN2 wizard you used has actually been superseded by the new Basic Setup wizard. Granted, they're actually the same underlying wizard with a new alias, but I'm using it as an indicator that you have mildly outdated firmware ;)
Run through the Basic Setup (or WAN+2LAN2) wizard. Since this will now be your primary router connected directly to the bridged ADSL modem, you'll want to enter your PPPoE connection details here.
Luckily, the basic wizard lets you easily set up two subnets - simply untick the One LAN checkbox and it will allow you to designate one port as belonging to a different subnet. Enter your desired IP addresses for the different subnets here.
This will create the following configuration (more or less):
eth0 should be connected to the bridged modem. It will be your WAN (internet-facing) interface. Additionally, default firewall rules will be added preventing connections initiated from the internet from connecting to your router's control panel (the WAN_LOCAL ruleset) and your internal network (the WAN_IN ruleset). It will also add a Masquerade NAT rule, like your typical consumer routers.
eth1 will belong to one subnet. This is best used for connecting to your Google Wi-Fi device. By default, a DHCP server will be added that will assign addresses to anything connected to this port (including through an external switch). By default, devices on this port/subnet will be allowed to talk to devices on other local subnets (routed through the ER-X), unless you add additional firewall rules blocking this.
eth2, eth3 and eth4 will be assigned to the built-in hardware switch called switch0. This means within the Ubiquiti router software they are treated as a single interface called switch0, and the ports will act as if they all belonged to the same external switch - i.e. switched packets (that travel within the same subnet) will not even be seen by the router's CPU. You can connect your laptops to these switched ports. Otherwise, switch0 is configured the same way as eth1 as far as DHCP, firewall, etc., by default.
If you later need more subnets, you can remove/reassign these ports from the internal switch and use an external switch instead.
I believe this setup will also enable the built-in caching DNS server for both interfaces (eth1 and switch0), but you can confirm that within the Services tab, DNS sub-tab, if desired.
You may wish to enable hardware offloading of NAT, which will improve performance. But this is mostly relevant for >300Mbps NAT to the WAN side, which ... is rather more than ADSL2+ can manage. Or even most NBN options can manage.
From here, you can connect your Google Wi-Fi to eth1, and your laptops to the switched eth2, eth3 and eth4. The router will automatically route packets between the different subnets (assuming it is assigned as the default gateway for each device, which its DHCP server will do by default).
Google Wi-Fi, double NAT, and bridging
The above configuration will allow you to access devices on your new switch0 subnet (the laptops) from your Google Wi-Fi clients. Unfortunately, it only inverts your current config: now you cannot access your Google Wi-Fi clients from your switch0 subnet! Well, not without port forwarding, anyway.
Basically, you end up running a double-NAT config: you're performing NAT on the Ubiquiti router, and on the Google router at the same time. Note that this is what you'd be doing with your original proposed layout anyway. Double-NAT means slightly increased latency on the innermost network (negligible) but more importantly it's rather difficult to get bidirectional communication going across NAT layers - you can generally initiate connections going from within the innermost NAT to the other layers but not the other way around.
There is a way around this: enable bridged mode on the Google Wi-Fi device. This is not a recommended configuration by Google (see: opinionated) and they do list the features that will no longer function when the Google AP is not functioning in router mode, but most of them are not important.
Do note that this will only work if you are using individual Google Wi-Fi access points, as this will disable their mesh network functionality. The other significant (?) loss would be the inability to set up an isolated guest Wi-Fi network. Otherwise, DHCP, DNS, etc., can be happily handled by the Ubiquiti router.
If you do need a mesh network, you would either have to live with double-NAT or consider switching to an alternative, e.g. Ubiquiti's own AmpliFi or TP-Link's Deco should support mesh networks in bridge mode (also known as AP mode). Alternatively, you can run multiple Access Points connected to the main switch/router via wired connections, in which case something like the UniFi range is recommended (for easier management; otherwise you can just connect multiple independent APs and manually configure them to the same SSID).
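Added example (not part of the original answer, and not Ubiquiti's code): a small checker that reads EdgeOS `set` commands and confirms the WAN_IN and WAN_LOCAL rulesets described above are still bound to the WAN interface with a default action of drop, then lists every port-forward mapping. The sample configuration is constructed for illustration; its rule numbers and the address 192.168.2.10 are assumptions, and eth0 as the WAN port follows the answer.

```python
# Added example: audit EdgeOS "set" commands for the WAN-side protections.
# SAMPLE is constructed for illustration; rule numbers and addresses are made up.
SAMPLE = """\
set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 state established enable
set firewall name WAN_LOCAL default-action drop
set interfaces ethernet eth0 pppoe 0 firewall in name WAN_IN
set interfaces ethernet eth0 pppoe 0 firewall local name WAN_LOCAL
set port-forward wan-interface pppoe0
set port-forward rule 1 original-port 22222
set port-forward rule 1 protocol tcp
set port-forward rule 1 forward-to address 192.168.2.10
set port-forward rule 1 forward-to port 22
"""


def audit(config, wan="eth0"):
    """Return (findings, forwards) for a block of EdgeOS 'set' commands."""
    default_action = {}  # ruleset name -> default action
    attached = {}        # "in"/"local" -> ruleset bound to the WAN interface
    rules = {}           # port-forward rule number -> its settings
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["set", "firewall", "name"] and w[4:5] == ["default-action"] and len(w) > 5:
            default_action[w[3]] = w[5]
        elif w[:2] == ["set", "interfaces"] and wan in w and w[-4::2] == ["firewall", "name"]:
            attached[w[-3]] = w[-1]
        elif w[:3] == ["set", "port-forward", "rule"] and len(w) > 5:
            rules.setdefault(w[3], {})[" ".join(w[4:-1])] = w[-1]
    findings = []
    for direction in ("in", "local"):
        ruleset = attached.get(direction)
        if ruleset is None:
            findings.append(f"no '{direction}' ruleset bound to {wan}")
        elif default_action.get(ruleset) != "drop":
            findings.append(f"{ruleset} default-action is not drop")
    # Every port-forward is a deliberate inbound exposure, so list them for review.
    forwards = sorted(
        (r.get("original-port", "?"), r.get("forward-to address", "?"), r.get("forward-to port", "?"))
        for r in rules.values()
    )
    return findings, forwards


if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty findings list means both rulesets are attached and default to drop; the forwards list is the set of inbound mappings to review.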
The usual configuration, for various good reasons is to have: [Modem]-[router]-[switch]-[Wireless access point and any other networked devices] Is there any reason you want this setup? Think of everything on the WAN side of the router as being attached directly to the internet and not to your network. – Baldrickk – 2017-12-22T11:57:53.883
Am I correct in assuming in this setup the "Google Wi-Fi" device is actually acting as a router? – Bob – 2017-12-22T12:13:08.560
Also, which EdgeRouter model is this? They behave differently. – Bob – 2017-12-22T12:28:53.560
@Bob yes, correct Google Wi-Fi is acting as a router and I have a Ubiquiti Edge Router X (https://www.ubnt.com/edgemax/edgerouter-x/) – hypersonics – 2017-12-23T22:51:40.440
@Baldrickk. I can swap Google Wi-Fi and Ubiquiti Edge router. So Google Wi-Fi would be downstream of my switch. What I want is to have a different subnet for the three laptops shown in the image to the rest of the network. It doesn't matter where Google Wi-Fi sits for me. Thanks – hypersonics – 2017-12-23T22:54:06.507
Can you set up static routes at whatever device you decide to be “in front” of your innermost router? In the graph that’d be the Google WiFi thingy. – Daniel B – 2017-12-23T23:19:03.430
@DanielB Google Wi-Fi appears to not support static routes. Also we've confirmed in chat that there needs to be a way for the Google Wi-Fi-connected devices to talk to the Ubiquiti-connected devices... which means either the Ubiquiti router needs to be the primary (only?) router, or they'll need to fall back to port forwarding. – Bob – 2017-12-25T09:27:09.520