1

I can set up remote access to a PC behind a single router/firewall by using NAT and Port Forwarding, simples!

But there is a customer that shares an internet connection with another office, and they are behind a second router firewall. I drew a picture with my crayons but I can't attach it because I'm a new account on SF. See it here: https://i.stack.imgur.com/b3FDx.png

So how would I set up remote access to the PC that is behind the second firewall?

It must be something about static routes, i.e.

if I hit the wan ip on port 4905 I want it to forward it to 10.0.0.30 by going through 192.168.1.10

so a route statement like for all requests to 10.0.0.30, use 192.168.1.10 ?

and ass u me router 2 has a static gateway ip of 192.168.1.10

and need a standard NAT on router 2 to point port 4905 to 10.0.0.30

is this the right way, any tips?

both routers are netgear consumer equipment.

thanks

Steve Wasiura

3 Answers

3

Basically you NAT and port forward twice. Once on router2 to get an IP/port on the router1 network and then again on router1 to get onto the internet. Then you connect to the IP that is exposed to the internet and it automatically gets translated and port forwarded to the internal IP. No need for any special routes when it is a single PC like this.

JamesRyan
  • I'm understanding this, but from the opposite direction. I'm viewing it as coming in from the WAN, into Router1, then to Router 2. I got it to work, but I added both a static route and NAT Port Forwarding, so I'm not sure which one worked, and I ran out of time to test. I'll try it again later this week and update. – Steve Wasiura Jan 04 '11 at 04:24
  • I find it easier to think of it in terms of what ports/servers you expose rather than the flow of incoming connections because this way is layered. – JamesRyan Jan 04 '11 at 12:48
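
The double forward described in this answer, modelled as an added example (not part of the original question or answers): each router is a port-forward table, and `trace` follows a connection from the WAN side to the host it finally reaches. The WAN address 203.0.113.5, the /24 masks and the router names are assumptions; 192.168.1.10, 10.0.0.30 and port 4905 come from the question.

```python
# Added example: models chained port forwards (double NAT) as lookup tables.
# Assumed values: WAN address 203.0.113.5 (documentation range), the /24
# masks and the router names. 192.168.1.10, 10.0.0.30 and 4905 are from the question.
from ipaddress import ip_address, ip_network

ROUTERS = {
    "router1": {"wan": "203.0.113.5", "lan": "192.168.1.0/24",
                "forwards": {("tcp", 4905): ("192.168.1.10", 4905)}},
    "router2": {"wan": "192.168.1.10", "lan": "10.0.0.0/24",
                "forwards": {("tcp", 4905): ("10.0.0.30", 4905)}},
}

def trace(dst_ip, proto, port, routers=ROUTERS, max_hops=8):
    """Follow port-forward rules hop by hop.

    Returns a list of (device, ip, port). The last entry is ("host", ip, port)
    when the packet reaches an end host, or (router, ip, None) when a router
    has no matching forward and drops it.
    """
    hops = []
    for _ in range(max_hops):
        name = next((n for n, r in routers.items() if r["wan"] == dst_ip), None)
        if name is None:                      # not a router's WAN side: end host
            hops.append(("host", dst_ip, port))
            return hops
        rule = routers[name]["forwards"].get((proto, port))
        if rule is None:                      # nothing forwarded: dropped here
            hops.append((name, dst_ip, None))
            return hops
        target_ip, target_port = rule
        if ip_address(target_ip) not in ip_network(routers[name]["lan"]):
            raise ValueError(f"{name}: forward target {target_ip} is not on its LAN")
        hops.append((name, dst_ip, port))
        dst_ip, port = target_ip, target_port  # rewritten destination
    raise RuntimeError("forwarding loop")

def exposed(edge, routers=ROUTERS):
    """Map each (proto, port) open on the edge router to the host it finally reaches."""
    result = {}
    for proto, port in routers[edge]["forwards"]:
        last = trace(routers[edge]["wan"], proto, port, routers)[-1]
        if last[0] == "host":
            result[(proto, port)] = (last[1], last[2])
    return result

if __name__ == "__main__":
    for hop in trace("203.0.113.5", "tcp", 4905):
        print(hop)
    print(exposed("router1"))
```

Running `exposed` against the edge router lists every internal host that is reachable from the internet through the chained forwards, which is the set worth reviewing whenever a rule is added on either router.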
0

I think you're asking for trouble with that setup.

I'm not sure this is desired but in your current diagram a computer on the 10.0.0.x subnet can access computers on the 192.168.1.x subnet.

If you want to really have control over how the two networks can send data between each other and the Internet then you should get a proper router that either has multiple internal non-bridged interfaces or supports VLANs. You'll need a switch that can tag VLANs if you go the VLAN route but it doesn't need to be a very large switch as you can put another switch on each port for each company's network. The network would then look something like this.

Internet----router----small switch----vlan10 switch---company A network  
                             |   
                          vlan20 switch----company B network

3dinfluence
  • Yes, in a perfect world, but... in this case, both offices are essentially partners, so the trust level is high, and the user knowledge level is so low, they wouldn't know how to access the 192 computers, and even if they stumbled upon, the windows user account would prompt them for authentication. oh I wish it was a perfect world... – Steve Wasiura Jan 04 '11 at 04:19
  • @Steve Wasiura If that's the case why have two networks at all? If you must have 2 networks then having the correct network equipment and setup will save money in the long run. B/c today it's just trying to forward a port to an IP on the 10.0.0.x subnet. Tomorrow it's going to be blocking Facebook for the 192.x subnet but not the 10.0.0.x subnet. For $200 or so you can get an ALIX.2D3 kit from Netgate running pfSense. It has 3 ports so you can have one for the WAN and then one for each company. – 3dinfluence Jan 04 '11 at 04:48
0

Router 1 is the one that NATs the 10.x.x.x net, so it is the only place to do nat-pt. To get access to the PC, you must configure the return route for that network through router 2 (in router 1: ip route 10.x.x.x 255.x.x.x router_2's IP).

C_Sense