Tom's FreeBSD blog

December 1, 2008

Verizon FIOS Actiontec MI424WR and multiple subnets

Filed under: FIOS — tmclaugh @ 11:12 pm

I have Verizon FIOS for internet service and I have a roommate.  I like to play with my network and don’t necessarily mind a temporary outage when something goes wrong.  My roommate just wants the internet to work.  For those reasons I’ve decided that my vmware guests will be on their own subnet and behind a router / firewall so I can freely break things without hearing anyone else complain.  This sounded easy enough.  Set up a guest in the VM with one leg in the physical network and one in the virtual network to act as a router.  Set up a static route on the Actiontec router that comes with FIOS.  Be happy.  It sounded simple but getting things right with the Actiontec took a little more work and the googles, they did nothing.

The physical network here will be 192.168.1/24 while my VM guests will be on 192.168.2/24.  After setting up a VM guest as a router with a guest behind it I logged into the Actiontec and went to Advanced -> Routing and selected New Route where I entered in the routing information for the 192.168.2/24 network.

[Screenshot: New Routes screen]

After doing this I found an odd problem.  I could ping a host on the VM network from the physical network but couldn’t ping a host on the physical network from the VM network.  After setting up a few sniffers I saw the packet leave the VM guest, pass through the VM router, arrive at the physical host, and then go back out to the Actiontec router, but nothing was received by the VM router.  I looked through the firewall logs under Firewall Settings -> Security Log but it was a flood of entries.  After going into the Security Log Settings I disabled logging of accepted incoming and outgoing connections and had it log all denied connections.

[Screenshot: Firewall Log Settings page]

Now the logs gave me something useful.  (Not sure why the Security Log logged all accepted connections and no denied connections by default but whatever.)  The Actiontec’s default policy is blocking the return traffic from the physical network back to the VM network: the physical hosts send their replies to their default gateway, the Actiontec, which then has to forward them to the VM router, and that is where they get dropped.

[Screenshot: Security Log]

I’m not sure where that policy is defined so I could see exactly what is blocked, but under Firewall Settings -> Advanced Filtering I added some additional inbound and outbound rules that simply allow all traffic between the two subnets.  That fixes this problem and hopefully prevents any other network issues between the two in the future.

[Screenshot: Firewall Advanced Filtering]

First I added an inbound rule from the physical subnet to the VM subnet.  Under the inbound Network (Home/Office) Rules I selected Add to take me to the “Add Advanced Filter” screen.

[Screenshot: Add Advanced Filter]

On this screen for “Source Address” I changed the drop down to “Specify Address” and selected Add again to take me to the Edit Network Objects screen.

[Screenshot: Edit Network Object]

There I hit Add again, which brought me to the “Edit Item” screen, where I changed the “Network Object Type” to “IP Subnet” and entered in the physical subnet’s information.

[Screenshot: Edit Item]

After that I hit Apply until I got back to the “Add Advanced Filter” page where I did the same for “Destination Address” and entered in the VM subnet information.  Once I was back at the “Add Advanced Filter” page again I left the “Protocol” as “Any” and under “Operation” selected “Accept Packet” and finally hit Apply.

[Screenshot: Inbound Rules]

Next, repeat the process for a rule from the VM subnet to the physical subnet, and then create the same two rules under the outbound Network (Home/Office) Rules.

[Screenshot: Outbound Rules]

After that, all traffic between the two networks appears to flow just fine.
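To make the asymmetric path concrete, here is an added example (my own model, not code from the post or from Actiontec) that traces a ping in each direction through the routing tables described above. It assumes the Actiontec forwards packets statefully, accepting a packet that starts a flow or answers a flow it saw start and dropping everything else; that is an assumption, since the post could not find where the default policy is defined. The host addresses are constructed, and 192.168.1.253 is the gateway address a commenter mentions seeing, taken here as the VM router’s leg in the physical network. Without rules, the physical host’s reply reaches the Actiontec (its default gateway) and is dropped there because the request never passed through it; with the two “Accept Packet” rules from the post, both directions succeed.

```python
from ipaddress import ip_address, ip_network

# Constructed topology. Only the two subnets come from the post; the individual
# addresses are assumptions (192.168.1.253 is the gateway address a commenter
# mentions, taken here as the VM router's leg in the physical network).
PHYS = ip_network("192.168.1.0/24")   # physical network behind the Actiontec
VMS = ip_network("192.168.2.0/24")    # VM guest network behind the VM router
ANY = ip_network("0.0.0.0/0")

# Which node owns which address.
OWNER = {
    "192.168.1.1": "actiontec",
    "192.168.1.253": "vmrouter", "192.168.2.1": "vmrouter",
    "192.168.1.10": "host",     # a machine on the physical network
    "192.168.2.10": "guest",    # a VM guest behind the VM router
}

# Per-node routing tables as (destination, next hop); None means directly connected.
ROUTES = {
    "actiontec": [(PHYS, None), (VMS, "192.168.1.253")],  # the static route from Advanced -> Routing
    "vmrouter": [(PHYS, None), (VMS, None)],              # one leg in each network
    "host": [(PHYS, None), (ANY, "192.168.1.1")],         # physical hosts default-route to the Actiontec
    "guest": [(VMS, None), (ANY, "192.168.2.1")],         # guests default-route to the VM router
}


def next_node(node, dst):
    """Longest-prefix lookup in node's table; returns the node the packet goes to next."""
    addr = ip_address(dst)
    for net, hop in sorted(ROUTES[node], key=lambda r: r[0].prefixlen, reverse=True):
        if addr in net:
            return OWNER.get(hop) if hop else OWNER.get(dst)
    return None


class ActiontecFirewall:
    """Assumed model of the Actiontec's forwarding policy: a forwarded packet is
    accepted if an Advanced Filtering 'Accept Packet' rule matches, if it starts a
    new flow, or if it answers a flow the router already saw start. Anything else
    is dropped and logged, which is what the post's Security Log showed."""

    def __init__(self, rules=()):
        self.rules = list(rules)  # (source subnet, destination subnet) Accept Packet rules
        self.flows = set()        # (src, dst) of flows that were initiated through the router
        self.log = []             # what the Security Log shows for denied packets

    def permits(self, src, dst, kind):
        s, d = ip_address(src), ip_address(dst)
        if any(s in a and d in b for a, b in self.rules):
            return True
        if kind == "request":
            self.flows.add((src, dst))
            return True
        if (dst, src) in self.flows:
            return True
        self.log.append(f"Blocked {kind} {src} -> {dst}: no matching connection")
        return False


def send(fw, src, dst, kind):
    """Walk one packet hop by hop; only the Actiontec applies policy when forwarding."""
    node, path = OWNER[src], [OWNER[src]]
    while node != OWNER[dst]:
        if node == "actiontec" and not fw.permits(src, dst, kind):
            return path, False
        node = next_node(node, dst)
        if node is None:
            return path, False
        path.append(node)
    return path, True


def ping(fw, src, dst):
    """Echo request one way, echo reply back; returns (request path, reply path, success)."""
    req_path, ok = send(fw, src, dst, "request")
    if not ok:
        return req_path, [], False
    rep_path, ok = send(fw, dst, src, "reply")
    return req_path, rep_path, ok


# The two Accept Packet rules the post adds (one per direction, in both rule tables).
ALLOW_BOTH = [(PHYS, VMS), (VMS, PHYS)]


def both_directions(rules=()):
    """Ping each way through a fresh firewall; returns ({direction: reachable}, denied log)."""
    fw = ActiontecFirewall(rules)
    results = {
        "phys->vm": ping(fw, "192.168.1.10", "192.168.2.10")[2],
        "vm->phys": ping(fw, "192.168.2.10", "192.168.1.10")[2],
    }
    return results, fw.log


if __name__ == "__main__":
    for label, rules in (("default policy", ()), ("with Accept rules", ALLOW_BOTH)):
        results, log = both_directions(rules)
        print(label, results, log)
```

Run it and the default policy reports phys->vm reachable but vm->phys not, with one denied entry for the reply from 192.168.1.10 to 192.168.2.10; the request path for vm->phys is guest, vmrouter, host, so the Actiontec never sees it and has no state to match the reply against. Adding ALLOW_BOTH makes both directions succeed with an empty log, which is the same effect the post gets from its four Advanced Filtering rules.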

(In retrospect, if you want to do any even slightly complicated network setup with FIOS you’re probably better off switching the Actiontec into bridge mode and putting your own router that you’re comfortable with in its place.  For a few reasons this option isn’t easily available to me, which is why I had to jump through these hoops. :-/)

P.S. Added some screenshots now.

13 Comments

  1. This helped me out a lot, but I’ve got a question. I need to do the same thing with a Dlink DIR-655. Right now I can only see one way. Any help would be appreciated.

    Comment by tony — December 8, 2008 @ 3:49 pm

  2. Unfortunately I’ve never seen the Dlink router before. If it has the same web interface you should be good. If not, I wouldn’t know.

    Comment by tmclaugh — December 8, 2008 @ 8:41 pm

  3. Thanks anyway!

    Comment by tony — December 10, 2008 @ 10:39 am

  4. Follow your conversation. Why is the gateway address 192.168.1.253?
    Have you fixed the gateway address to 253?

    Comment by scott — December 23, 2008 @ 10:33 am

  5. Wonderful guide. Thanks! Couldn’t get it to work though. In my situation I have the physical network on 192.168.2.1 and I have a d-link WAP which has a static IP out of the box set to 192.168.0.50. The install guide wants me to change the setup PC to the same subnet and physically connect the two things to each other and then change the IP of the WAP to whatever I want. I was hoping that twiddling with the ActionTec settings would let me avoid that. Your guide seems like it should work but, alas…

    Comment by Art — January 11, 2009 @ 11:30 pm

  6. Awesome, this is exactly the answer I needed to solve my VPN routing issues.

    Comment by Matthew — January 22, 2009 @ 7:20 pm

  7. Thanks! I can now go back to a routed vpn rather than bridged. I thought for a while that the actiontec was incapable of rerouting packets back out through the same interface similar to cisco pix but this works great.

    Comment by Simon — February 5, 2009 @ 6:27 pm

  8. Hey I saw this and had a question:

    Were you able to get out to the internet from your remote subnet? The problem I am having right now is that the Actiontec router will not NAT my traffic from the inside network.

    In your example the inside network would be 192.168.2.0/24. The Actiontec network to the Router is 192.168.1.0/24.

    I can log into the Actiontec and reach things on the inside and I can even put my PC on the 192.168.1.0/24 network and print to my HP Network printer on the 192.168.2.0/24 network.

    The problem I am having is the outbound NAT is being blocked. I get the:

    Blocked – NAT out failed

    Message. I don’t see anywhere in the Actiontech where I can verify that my 192.168.2.0/24 network is permitted to be NAT’d out to the internet.

    (Yes, this is 100% a problem with traffic going through the Actiontec. Yes, routing from the Actiontec to the inside subnet works fine; it appears to be a NAT issue.)

    Comment by Frank — March 7, 2009 @ 4:21 pm

  9. I have the exact same problem as Frank describes.

    I can get between subnets internally, but the inside subnet (behind the wireless client) on 192.268.2.0/24 won’t make it to the Internet.

    I’m not seeing the blocked NAT out failed message in the security logs, but it sure seems like a NAT issue.

    Comment by Ike — April 4, 2009 @ 1:00 am

  10. Can now go back to a routed vpn rather than bridged. Thank you

    Comment by Jigar soni — June 13, 2009 @ 8:18 pm

  11. I’m having the same problem as Frank and Ike. Anyone make any progress with this? I’d rather not go ahead and put the router into bridge mode.

    Comment by Ben — August 3, 2009 @ 11:49 am

  12. Do you have the images relating to the blog. I would like to subnet my actiontec.

    Comment by Ken — March 13, 2010 @ 10:06 am

  13. The images look to have been lost unfortunately. They’re listed in wordpress but the files are missing. Sorry about that.

    Comment by tmclaugh — March 13, 2010 @ 3:38 pm
