Multiple subnets with DD-WRT

This week I configured a network with two routers and multiple subnets using DD-WRT. This article explains how I did it. The following graphic represents the physical topology of the network.


For this setup I bought two TP-Link TL-WR941ND routers.

The first step is to replace the stock firmware with a DD-WRT build. It took me a while to find the appropriate firmware version for this device; I find DD-WRT's web site chaotic when it comes to locating the right firmware. The router database on the main page is outdated most of the time, and the forum is a nightmare to search.

At the time of writing this post, a working firmware for this device is available at this link. Download the factory-to-ddwrt.bin file and flash both routers with it.

The next step is to configure the routers. I recommend connecting a single computer to a LAN port of the router while doing the configuration.

Router 1 configuration

Add a static route so that the subnet 192.168.1.0/24 can reach the second subnet 192.168.2.0/24. Go to Setup > Advanced Routing and enter:

  1. Metric: 1
  2. Destination LAN NET: 192.168.2.0
  3. Subnet Mask: 255.255.255.0
  4. Gateway: 192.168.1.2
  5. Interface: ANY

Add a firewall rule so that the router NATs the traffic coming from the second subnet 192.168.2.0/24. Without this rule, that subnet cannot reach the Internet: by default, DD-WRT only NATs the traffic from its own LAN subnet. Go to Administration > Commands and paste the following line in the text area:

iptables -t nat -I POSTROUTING -o $(get_wanface) -j SNAT --to $(nvram get wan_ipaddr)

Click the "Run Commands" button, then click "Save Firewall" so that the router keeps the rule across reboots.

Router 2 configuration

Change the network settings to give the WAN interface a fixed IP address and redefine the local subnet as 192.168.2.0/24. Go to Setup > Basic Setup and enter:

  • WAN Connection Type
      • Connection Type: Static IP
      • WAN IP Address: 192.168.1.2
      • Subnet Mask: 255.255.255.0
      • Gateway: 192.168.1.1
  • Router IP
      • Local IP Address: 192.168.2.1
      • Subnet Mask: 255.255.255.0
      • Gateway: 192.168.2.1

Change the operating mode to "Router". In this mode the device acts as a plain router without NATing, so traffic can be forwarded to the first subnet.

Add a firewall rule so that traffic is forwarded according to the routing table. Go to Administration > Commands and paste the following line in the text area:

iptables -I FORWARD -j ACCEPT

Click the "Run Commands" button, then click "Save Firewall" so that the router keeps the rule across reboots.
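The two firewall rules above (the SNAT rule on router 1 and the FORWARD rule on router 2) as one script, added here as an example and not part of the original post. It writes out the command substitutions DD-WRT's helpers need and, for router 2, replaces the accept-everything FORWARD rule with rules limited to the two subnets. The LAN1/LAN2 variable names and the fallback WAN values used when get_wanface and nvram are absent (i.e. when the script is dry-run off the router) are assumptions, not from the page.

```shell
#!/bin/sh
# Added example, not from the original post: emits the two firewall rules the
# post pastes into Administration > Commands, with the command substitutions
# written out, and with router 2's FORWARD rule narrowed to the two subnets.
# Assumed (not on the page): the LAN1/LAN2 names and the fallback WAN values
# used when get_wanface/nvram are absent (i.e. when run off the router).

LAN1=192.168.1.0/24
LAN2=192.168.2.0/24

# Router 1's WAN interface and address: DD-WRT's own helpers when present,
# otherwise the arguments given (dry run on a workstation).
wan_iface() {
    if command -v get_wanface >/dev/null 2>&1; then get_wanface; else echo "${1:-eth0}"; fi
}
wan_addr() {
    if command -v nvram >/dev/null 2>&1; then nvram get wan_ipaddr; else echo "${1:-203.0.113.10}"; fi
}

# Router 1: SNAT traffic from the second subnet as it leaves the WAN port.
# DD-WRT already NATs its own LAN, so the rule is limited to LAN2 by source.
router1_rules() {
    echo "iptables -t nat -I POSTROUTING -s $LAN2 -o $(wan_iface "$1") -j SNAT --to $(wan_addr "$2")"
}

# Router 2 (router mode, no NAT): instead of "iptables -I FORWARD -j ACCEPT",
# allow only LAN2 outbound (Internet via router 1), LAN1 into LAN2, and
# replies to either; anything else stays with DD-WRT's default policy.
router2_rules() {
    echo "iptables -I FORWARD -s $LAN2 -j ACCEPT"
    echo "iptables -I FORWARD -s $LAN1 -d $LAN2 -j ACCEPT"
    echo "iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Usage: sh subnet-fw.sh router1|router2 [wan_iface] [wan_ip]
# Prints the rules; on the router, pipe the output into sh, or paste the
# printed lines into the Commands text area and click "Save Firewall".
case "${1:-}" in
    router1) router1_rules "$2" "$3" ;;
    router2) router2_rules ;;
esac
```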

Final test

The last step is to connect the routers together, test the communication between the two subnets, and check that both of them have access to the Internet. Note that you may not be able to reach the router 2 web interface from the first subnet unless you enabled remote management in Administration > Management > Remote Access.
