Networking between two subnets mutually instead of one-way

PC1 <- LAN to LAN -> DSL Modem <- LAN to WAN -> Router <- LAN to LAN -> PC2

So basically my first PC is connected to the modem, the second PC is connected to the router, and the router has been connected to the modem from WAN to LAN. I have enabled network discovery and file/printer sharing on both devices. The second PC, on the router, can browse files of the first PC that is connected to the modem, but the modem-connected PC cannot even find the PC connected to the router. Why? That makes it more interesting for me, as people say that we cannot communicate between different subnets, but why can the router PC connect to the modem PC and browse files? Ping works too, but only from the router PC to the modem PC.

Router 192.168.0.1

Modem 192.168.1.1

First PC 192.168.1.2

Second PC 192.168.0.100

What should I do? Internet works on both devices, but network sharing is one-way, not mutual. I want it to be mutual, so that both can push files to each other.


Solution 1:

What should I do?

On the router, disable NAT and the WAN firewall.

On the modem, add a static route that says "192.168.0.x can be reached via <router's IP>".

If the modem doesn't let you add static routes, do it on PC1 instead, or merge subnets into one.

people say that we cannot communicate between different subnets

They are massively overgeneralizing. Communicating between different subnets is a core feature of IP (and even of networks that existed before IP), and many larger networks consist of interconnected subnets. It's how the Internet itself was built.

There's just one specific type of packets that generally cannot cross routers into different subnets: broadcast and/or multicast packets that some apps and games use for peer discovery. For example, when you ask Windows to show what computers have File Sharing available, that's limited to the same subnet. When you ping pc2.local, which uses multicast LLMNR/mDNS, that's limited to the same subnet as well.

However, that doesn't apply to direct (unicast) communication. If you give the OS a specific address to connect to, the routers will happily forward the packets across subnets as far as they can – whether it's another subnet in the same LAN, or whether it's another side of the world. That's how you reach websites, after all.

So in short,

  • PC1 and PC2 won't be able to "see" each other in the 'Nearby computers' list.
  • PC1 and PC2 will be able to connect to each other by their IP address.
  • PC1 and PC2 might not be able to resolve each other's hostnames, depending on the mechanism used (regular DNS will work, but mDNS/LLMNR/NetBIOS won't).

Next is the question why communications in your network only seem to happen in a single direction (outwards, but not inwards). That's two (or possibly three) separate problems, and unfortunately many cheap modems/routers – especially those issued by the ISP – won't let you solve them.

So before continuing, consider whether you need two subnets at all. It would be simpler (and guaranteed to work) to just have a single large subnet by using a LAN↔LAN connection instead of LAN↔WAN between the two routers, as in this answer.

That said:

Enabling communication between subnets

First, routing tables: Currently, you cannot reach "inwards" from the modem network 192.168.1.x into the router network 192.168.0.x, because the modem does not have a route for this network. It only has two routes by default:

  1. destination 0.0.0.0/0: via the ISP's gateway
  2. destination 192.168.1.0/24: directly on LAN ports

You need to inform the modem that all packets for 192.168.0.x must go through the router, by adding a "static route" through the modem's configuration:

  1. destination 192.168.0.0/24 (netmask 255.255.255.0) via the router 192.168.1.x

Replace the 'x' with whatever your "inner" router thinks to be its WAN address.

Note: Many cheap routers/modems don't allow you to configure static routes. If your modem doesn't, you're out of luck and will have to merge both subnets into one.

Alternatively you can configure the same static route directly on PC1 instead. (PC1 also has the same routing table, except with the modem as default gateway.)
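To make the routing-table argument concrete, here is an added simulation (not part of the original answer) of the modem's and the inner router's routing tables with longest-prefix matching. It assumes the inner router's WAN address is 192.168.1.3; the ISP gateway is represented by a label.

```python
import ipaddress

# Constructed model of the routing tables discussed above.
# Assumed address: the inner router's WAN side is 192.168.1.3 (the "192.168.1.x" above).
MODEM_LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER_LAN = ipaddress.ip_network("192.168.0.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
ISP_GATEWAY = "isp-gateway"
ROUTER_WAN_ADDR = "192.168.1.3"

def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins, as in a real kernel."""
    dst = ipaddress.ip_address(dst)
    candidates = [(net, hop) for net, hop in table if dst in net]
    if not candidates:
        return None
    net, hop = max(candidates, key=lambda r: r[0].prefixlen)
    return hop

# The modem's default table: everything to the ISP, except its own LAN.
modem_routes = [
    (DEFAULT, ISP_GATEWAY),
    (MODEM_LAN, "direct"),
]

# The inner router already knows both networks (its LAN, and 192.168.1.0/24 on its
# WAN interface), which is why PC2 -> PC1 works without any extra configuration.
router_routes = [
    (DEFAULT, "192.168.1.1"),
    (MODEM_LAN, "direct (WAN port)"),
    (ROUTER_LAN, "direct (LAN ports)"),
]

def next_hop_before_fix(dst):
    """Where the modem sends a packet today: 192.168.0.x falls through to the ISP."""
    return lookup(modem_routes, dst)

def next_hop_after_fix(dst):
    """Same lookup after adding the static route 192.168.0.0/24 via the router's WAN address."""
    fixed = modem_routes + [(ROUTER_LAN, ROUTER_WAN_ADDR)]
    return lookup(fixed, dst)

if __name__ == "__main__":
    print("PC1->PC2 before static route:", next_hop_before_fix("192.168.0.100"))
    print("PC1->PC2 after static route: ", next_hop_after_fix("192.168.0.100"))
    print("PC2->PC1 on the inner router: ", lookup(router_routes, "192.168.1.2"))
```

The same table, minus the ISP route, applies to PC1 itself, which is why the static route can be added there instead of on the modem.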

Second, firewalls: Most likely, your "inner" router was built with the assumption that its WAN port will connect directly to the Internet and therefore should have a firewall deliberately blocking incoming connections – and it'll keep blocking them even after you get the routing tables right.

For now, you can safely disable the inner router's firewall, because connections from the Internet are already blocked by the outer router.

Third, NAT. By now, you should have asked: "But if the modem's network doesn't know where to send new connections to the router's network, how does it know where to send replies for inbound connections?"

Currently you're able to reach "outwards" because your inner router has NAT enabled on its WAN port (again, because it's built for connecting to the Internet, not to another local network).

With SNAT (aka masquerading) enabled, the router rewrites all packets going through its WAN port and lies about where the connections really come from. So when PC2 connects to PC1, PC1 actually thinks the connection came from the router itself. Because they're in the same subnet, PC1 already knows how to send a reply to the router – and the router undoes the translation and forwards the packet to PC2.

If the inner router allows disabling NAT, disable it. That'll make communications stop working in both directions, but that's a good thing in your case – the presence of NAT disguises the actual reason why communications weren't fully working before.

(Note: In some routers, the NAT and the firewall are controlled by a single setting or 'mode' switch. The configuration interfaces vary so much between manufacturers that it's impossible to offer any more detail.)
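As an added illustration (not part of the original answer) of why NAT hides the routing problem, this constructed model of masquerading on the inner router's WAN port rewrites outbound flows to the router's WAN address, undoes the rewrite for replies, and has no mapping for a connection PC1 opens on its own. It assumes router WAN 192.168.1.3, PC1 192.168.1.2 and PC2 192.168.0.100, with a per-port mapping standing in for a real connection-tracking table.

```python
# Constructed model of SNAT/masquerading on the inner router's WAN port.
# Assumed addresses: router WAN 192.168.1.3, PC1 192.168.1.2, PC2 192.168.0.100.
ROUTER_WAN = "192.168.1.3"

class Masquerade:
    """Rewrites the source of LAN->WAN flows to the WAN address and reverses it for replies."""
    def __init__(self, wan_ip, first_port=40000):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.out = {}   # (lan_src_ip, lan_src_port) -> translated port
        self.back = {}  # translated port -> (lan_src_ip, lan_src_port)

    def outbound(self, pkt):
        """LAN -> WAN: PC1 will see this packet as coming from the router itself."""
        key = (pkt["src"], pkt["sport"])
        if key not in self.out:           # new flow: allocate a mapping (simplified conntrack)
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return {**pkt, "src": self.wan_ip, "sport": self.out[key]}

    def inbound(self, pkt):
        """WAN -> LAN: only packets matching a mapping created by outbound traffic get through."""
        key = self.back.get(pkt["dport"])
        if key is None:
            return None               # no state for this flow: an inbound-initiated connection is dropped
        src, sport = key
        return {**pkt, "dst": src, "dport": sport}

def demo():
    nat = Masquerade(ROUTER_WAN)
    # PC2 opens an SMB connection to PC1 (constructed packet).
    req = nat.outbound({"src": "192.168.0.100", "sport": 51000,
                        "dst": "192.168.1.2", "dport": 445})
    # PC1 replies to what it believes is the router; the router untranslates it for PC2.
    reply = nat.inbound({"src": "192.168.1.2", "sport": 445,
                         "dst": req["src"], "dport": req["sport"]})
    # PC1 tries to open its own connection towards PC2: nothing matches, so it never arrives.
    fresh = nat.inbound({"src": "192.168.1.2", "sport": 52000,
                         "dst": "192.168.0.100", "dport": 445})
    return req, reply, fresh

if __name__ == "__main__":
    for label, pkt in zip(("PC2->PC1 as seen by PC1", "reply after untranslation", "PC1->PC2"), demo()):
        print(f"{label}: {pkt}")
```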