DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

unable to turn stuff OFF

05 May 2020 15:03 #7 by graemev
Replied by graemev on topic Re: unable to turn stuff OFF
Following your comment:

One observation -..... additional subnet.

I did wonder what had led me there, well (in my defence):

  • The GL-iNet device encourages this mode, as it's intended to be used in Hotels etc and piggyback off their WiFi
  • It matches what I do on the "other side"
To explain the latter point.

The intention is 192.168.1.X is private/internal
192.168.6.x is untrusted/external/VPN etc

Now I actually only have one device on 192.168.1/24 which is a Linux box running a custom firewall. Behind this is a completely different network (not NATed, just routed) and I add a static route to the Vigor (this was a key feature missing from my ISP's modem).
So it seemed "familiar" to use the GL-iNet device in a similar fashion on the untrusted network (172.16.6/24) and add another static route on the Vigor.

But, as you highlighted, the GL-iNet device is NOT just doing that; due to the "intended use case" it's also (double) NATing the addresses.

So what I think is/was happening is the two static routes (trusted network + untrusted) allow traffic to route between them (see later)


The GL-iNet box has a 2nd "advanced" GUI + SSH access (with busybox). Using these I set it up in a fashion similar to your suggestion (normal usage). The GL-iNet sees it very oddly (no outgoing connection) but in reality eth0, eth1 and the WiFi are all bridged (192.168.6.1) with a default gateway back to the Vigor, so all "untrusted devices" are now on the 192.168.6/24 network. Now the untrusted devices cannot see the trusted network (the desired outcome). On the surface it looks as if traffic cannot flow between trusted and untrusted networks. However this is not quite true.

(I don't want to discuss the actual addresses on a public forum) so let's say, following this rejig:

192.168.1/24 is trusted
192.168.6/24 is untrusted

There is only one device on 192.168.1/24, namely 192.168.1.151; it routes to 172.16.1/24 (the real private LAN)

Devices on 192.168.6/24 can see other devices on the LAN + the WAN
Devices on 192.168.1/24 can see other devices on the LAN + the WAN

But devices on 172.16.1/24 (so behind the 192.168.1.151 box) can see 172.16.1/24 (obviously), 192.168.1/24 + WAN (static routes) but also 192.168.6/24

So I have, for example, 2 PVRs, one on 192.168.6/24 and one on 192.168.1/24. Both support a web interface.

If I connect to the "untrusted network" 192.168.6/24 I can only see the "untrusted PVR". However if I connect to the "(real) trusted network" 172.16.1/24 I can see BOTH.

HOWEVER if I make the attempt from the "192.168.1.151 box" itself, traffic to the untrusted network is blocked.

So, in effect, superficially LAN1 and LAN6 on the Vigor are disjoint; however a "hidden network" behind a host on LAN1 IS able to access LAN6. Due, I assume, to the static route.

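A small model of the reachability described in this post, added here as an illustration (it is not code from the thread or from DrayTek). It assumes, as the post only conjectures and not as documented Vigor behaviour, that the LAN isolation rule is keyed on the attached LAN subnets, so a source routed in from 172.16.1/24 is not recognised as LAN1 traffic; it contrasts that with a rule keyed on the ingress LAN port. Addresses follow the post's renamed layout.

```python
import ipaddress

# Constructed model of the layout in the post (not DrayTek firmware logic).
LANS = {
    "LAN1": ipaddress.ip_network("192.168.1.0/24"),   # trusted
    "LAN6": ipaddress.ip_network("192.168.6.0/24"),   # untrusted
}
# Static route: the "hidden" private LAN behind 192.168.1.151 on LAN1.
STATIC_ROUTES = {ipaddress.ip_network("172.16.1.0/24"): "192.168.1.151"}


def lan_of(addr):
    """LAN whose subnet directly contains addr, or None."""
    a = ipaddress.ip_address(addr)
    return next((name for name, net in LANS.items() if a in net), None)


def ingress_lan(addr):
    """LAN port a packet from addr arrives on: its own LAN, or the LAN holding its static route's next hop."""
    direct = lan_of(addr)
    if direct:
        return direct
    a = ipaddress.ip_address(addr)
    for net, next_hop in STATIC_ROUTES.items():
        if a in net:
            return lan_of(next_hop)
    return None  # WAN / unknown


def subnet_keyed_allows(src, dst):
    """Hypothesised weak policy: block inter-LAN traffic only when src and dst both sit in attached LAN subnets."""
    s, d = lan_of(src), lan_of(dst)
    return not (s and d and s != d)


def interface_keyed_allows(src, dst):
    """Hardened policy: key on the ingress LAN port, so routed sources behind LAN1 still count as LAN1 traffic."""
    s, d = ingress_lan(src), lan_of(dst)
    return not (s and d and s != d)


def leaks(policy, flows):
    """Flows the policy allows although they cross from one LAN port to another."""
    return [(src, dst) for src, dst in flows
            if policy(src, dst) and ingress_lan(src) and lan_of(dst) and ingress_lan(src) != lan_of(dst)]


if __name__ == "__main__":
    FLOWS = [("192.168.1.151", "192.168.6.20"),   # LAN1 host -> untrusted PVR
             ("172.16.1.10", "192.168.6.20"),     # hidden LAN behind .151 -> untrusted PVR
             ("192.168.6.30", "192.168.1.151")]   # untrusted -> LAN1 host
    for name, pol in [("subnet-keyed", subnet_keyed_allows), ("interface-keyed", interface_keyed_allows)]:
        print(name, "leaks:", leaks(pol, FLOWS))
```

The subnet-keyed model reproduces the post's observation (only the 172.16.1.10 flow gets through); an explicit deny for the routed subnet, or keying on the ingress port, closes it.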

06 May 2020 00:00 #8 by hornbyp
Replied by hornbyp on topic Re: unable to turn stuff OFF
I won't pretend to have understood the detail of your configuration - though I get the general idea.

I was bemused by the issue you had discovered (the addition of an extra network, making the LAN separation fail) and have been meaning to investigate for a while. I finally got the urge and ventured into the (integral) garage, where my 2860 lives, armed with a laptop and a spare 2830. (The house is a new-build and the garage is where the phone line enters).

Anyway, I configured a new LAN, plugged in the laptop and was happy with the result: since no Inter-lan routing was configured, it could get to the Internet and nowhere else. I then added the 2830 to the mix, with its WAN port plugged in instead of the laptop, and the laptop now moved downstream to the 2830's LAN port. Same result...

So in my case, adding an extra device, extra network and another layer of NAT did not break the 2860's rule and allow it to suddenly start routing between LANs. I turned on RIP on the 2830 WAN, but this did not cause any extra Route table entry on the 2860, so I added it manually. Still no access, to anywhere but the Internet.

It was not until I ticked the box and specifically allowed Interlan-routing that it started to happen.

Perhaps your setup isn't double-NATting after all? Everything leaving my 2830 would be NAT'ed and would have the IP address it got via DHCP from the 2860, whereas if it was really just routing it wouldn't have? [I'm mildly uneasy about that statement and will gladly be contradicted!]

I'm not sure I can easily reproduce pure routeing with the equipment I have to hand, but I'll have a think about it...


12 May 2020 18:41 #9 by graemev
Replied by graemev on topic Re: unable to turn stuff OFF
To address your question in an earlier post. I've now reconfigured the "shadow" back to "router mode".

I have a very old box, little seen nowadays, a HUB! (only 1Mbps but all I need)

So I inserted this between the shadow and the Vigor ... then connected a netbook to the HUB. Thus I could run a promiscuous "wireshark" looking at all the HUB traffic.
Then I connected my phone to the shadow WiFi and ran "speedtest" .... all the traffic was between the shadow box and the Vigor.

The only mention of any address on the "private LAN" (which I think is being NATted) is the eth1 port on the shadow; my phone address does not crop up. The vast majority of traffic appears to come from the shadow out (to the speedtest server I'm guessing) ...so I think that makes it pretty clear the traffic is getting NATed (so double)

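The hub-and-Wireshark check in this post, written up as a script (added here, not from the thread): it reads a constructed tshark-style conversation summary and reports whether any address from the shadow box's inner LAN appears on the upstream side (routed) or only the shadow's own address on 192.168.6/24 does (NAT). The inner subnet 192.168.8.0/24, the shadow's upstream address 192.168.6.2 and the server 203.0.113.10 are assumed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed capture summary in "src -> dst" form (not a real trace), as a
# conversation list from a hub between the shadow box and the Vigor might read.
# 192.168.6.2 is the assumed address the shadow's eth1 got from the Vigor;
# 203.0.113.10 stands in for the speedtest server.
NAT_CAPTURE = """\
192.168.6.2 -> 203.0.113.10
203.0.113.10 -> 192.168.6.2
192.168.6.2 -> 203.0.113.10
192.168.6.1 -> 192.168.6.2
"""
# The same session as it would look if the shadow were only routing (no NAT):
# the phone's own inner address (assumed 192.168.8.150) shows up on the hub.
ROUTED_CAPTURE = """\
192.168.8.150 -> 203.0.113.10
203.0.113.10 -> 192.168.8.150
192.168.6.1 -> 192.168.6.2
"""
LINE = re.compile(r"^\s*(\S+)\s*->\s*(\S+)")


def flows(capture):
    """Yield (src, dst) address pairs from the summary, skipping lines that do not parse."""
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        try:
            yield ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        except ValueError:
            continue


def nat_verdict(capture, inner_net, upstream_addr):
    """'routed' if inner-LAN addresses are visible upstream, 'NAT' if only the shadow's own address carries the traffic."""
    inner = ipaddress.ip_network(inner_net)
    upstream = ipaddress.ip_address(upstream_addr)
    seen = list(flows(capture))
    if any(s in inner or d in inner for s, d in seen):
        return "routed"
    if any(upstream in (s, d) for s, d in seen):
        return "NAT"
    return "inconclusive"   # nothing recognisable: wrong hub position or empty capture


def top_talkers(capture):
    """Packets by source address; with NAT the shadow's upstream address dominates, as the post observed."""
    return Counter(s for s, _ in flows(capture))
```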