On Tue, Dec 26, 2017 at 05:04:34PM +0100, Pascal Hambourg wrote:
> On 26/12/2017 at 16:49, Michael Stone wrote:
> >
> > This is unnecessarily complicated, and will make your life harder than
> > it needs to be. The best thing would be to not use the airstation as a
> > router at all, just use it as a switch + wireless access point in a flat
> > configuration, with the router plugged into the switch. Ignore the "wan"
> > port on the airstation and turn off any dhcp or other services that it
> > is providing.
>
> The most important part is "turn off any DHCP service it provides". Otherwise
> it will get in the way of the other DHCP server.
I don't see any setting to turn that off in the AirStation web interface. I considered this approach in the very first place a year ago, and rejected it for that reason.

> > > This will not work the way you think it will. Devices on the airstation
> > will have packets go directly to 192.168.1.3 (because the airstation
> > knows how to get to anything on 192.168.1.0/24) (you never actually
> > specified the netmask for 192.168.1., hopefully that's correct). The
> > packets returning from 192.168.1.3 will go to 192.168.1.1 because
> > 192.168.1.3 does not know how to get to 192.168.11.0/24 and uses the
> > default route instead.
>
> Like any SOHO router, it is likely that the Airstation masquerades forwarded
> connections, so other nodes on its WAN side do not see the real 192.168.11.x
> addresses but only the WAN side address of the Airstation, 192.168.1.2.
>
> I guess that even the firewall does not have a special route for
> 192.168.11.0/24, as it is not supposed to see that address range.

You guess correctly, Pascal, that's a known limitation of the approach that I consider irrelevant. There is no need to initiate connections into the "inner LAN" from the firewall, and connections can be initiated the other way with no problems.

Mark
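A worked illustration of the routing asymmetry Michael describes and the masquerading point Pascal raises, added here as example code that is not part of the thread; the inner-LAN client address 192.168.11.10 and the per-host routing tables are constructed assumptions based on the addresses mentioned above.

```python
import ipaddress

# Constructed topology from the thread: 192.168.1.0/24 is the outer LAN
# (firewall 192.168.1.1, AirStation WAN side 192.168.1.2, host 192.168.1.3);
# 192.168.11.0/24 is the inner LAN behind the AirStation.

def next_hop(routes, dst):
    """Longest-prefix-match lookup over (prefix, gateway) pairs.
    A gateway of None means the destination is on-link. Returns the
    gateway address, or None if the destination is reached directly."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

# Assumed table of host 192.168.1.3: only its own subnet plus a default route.
HOST_1_3 = [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]

# Assumed table of the AirStation: it knows both subnets directly.
AIRSTATION = [("192.168.11.0/24", None), ("192.168.1.0/24", None),
              ("0.0.0.0/0", "192.168.1.1")]

def return_path_without_nat(inner_client="192.168.11.10"):
    """No masquerading: 192.168.1.3 sees the real inner address and its
    reply falls through to the default route (the firewall), not the
    AirStation that the request came from."""
    return next_hop(HOST_1_3, inner_client)

def return_path_with_masquerade(airstation_wan="192.168.1.2"):
    """Masquerading: 192.168.1.3 only ever sees the AirStation's WAN
    address, which is on-link, so the reply goes straight back."""
    return next_hop(HOST_1_3, airstation_wan)

def return_path_with_static_route(inner_client="192.168.11.10"):
    """The alternative fix for the non-NAT case: give 192.168.1.3 a route
    for the inner LAN via the AirStation's WAN address."""
    routes = HOST_1_3 + [("192.168.11.0/24", "192.168.1.2")]
    return next_hop(routes, inner_client)
```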