Three routers in a home network - setup problems

March 29, 2012 at 10:48:14
Specs: Windows 7
I have 3 routers in my home network. Router A connects to the internet. Router B and C are connected to the internet through Router A.
Router A ( is used for hardwired devices and insecure activities (Guest Wifi Access, guest ethernet connections, Vonage, home security system, etc.)
Router B ( has home computers, storage etc (sensitive information) which I would like to keep secure. I would like guest and other devices on other routers to not have access to devices on this router
Router C ( has mostly media devices.

Everything works fine now in terms of basic internet access, etc. The only issue I have is that I would like to be able to do two things:
1. This is the more important one: I would like to have the devices on Router B able to access devices on Router A.
2. Less significant: I would like to have devices on Router B have access to devices on Router C.

How do I go about making that happen?

Thanks in advance.


March 29, 2012 at 12:41:22
Devices on router B should be able to access devices on router A. Problem is devices on router A won't be able to access devices on router B without a static route to router B.

You should have put in a VLAN switch and used the B/C routers as access points if you wanted true security.

Answers are only as good as the information you provide.
How to properly post a question:
Sorry no tech support via PM's


March 29, 2012 at 17:38:49
Thanks for the prompt reply, wanderer. Devices on RouterA should not be able to access devices on RouterB so that part is by design. So far so good.

The problem I have is the other way round. For some reason, when I try to access RouterA devices from a Router B based station, I can see some but not all the devices on Router A.
I tried a couple of network monitoring tools to figure out what the problem might be (AsseScout and LanTopLog) but they ask for an SNMP public string which I don't have. Consequently, these tools don't see anything on the network (looks like it may be a user error or I am using the wrong type of network discovery software for a home network).

Scratching my head. Any good freeware tools to help discover a home network? (Windows 7 networking does not see most of the devices for some reason.)


March 29, 2012 at 18:20:45
Make sure in TCP/IP properties [WINS tab] that NetBIOS over TCP/IP is enabled on the unseen router A devices.


March 29, 2012 at 21:31:44
Thank you. The devices that I can't see are all purpose-built devices (e.g., a security system, security cameras). I am thinking they are possibly Linux or some other RTOS based. It may be a couple of weeks before I can try out the solution you propose.


March 30, 2012 at 09:02:22
My security cameras don't show up in Windows. My Linux-based NAS unit does.


April 19, 2012 at 07:20:54
So, I came across your post on another website where people were laughing at your setup. And while I do find your post amusing, I hate it when people respond with ridicule and opinions instead of facts and answers.

I hate it when I post sys admin questions and people flame me for being "stupid". We were all newbies once. So on with the show...

The answer is... There is not enough information to engineer a solution. And even with the proper information, the solution would be too long to post and would come with caveats.

You need to read about TCP/UDP port numbers, Network Address Translation (NAT), and Port Forwarding. The reason your devices can and can't communicate (either or) has to do with these technologies. I'll try to shorten it for you.

Given the number of 192.168 addresses you gave, I will assume you are using consumer home routers (Linksys, D-Link, Netgear...). All of these routers perform a service called Network Address Translation (NAT). NAT performs a crucial function for IPv4 that I will not go into here. But while performing this function, NAT acts as a natural firewall between two networks. This natural firewall creates 1-way communication flow from one device on the "INSIDE" to another device on the "OUTSIDE". The words INSIDE and OUTSIDE are extremely important, please make note.

Well, that's not entirely true. Most network communications are bi-directional (or 2-way). It would be more accurate to say that NAT creates a condition where the device on the inside has to initiate a connection to the device on the outside before the device on the outside can return any network communication to the device on the inside.


Say you had Windows file server Host A and Windows client Host B. Both of these devices are on the same network and can communicate freely. In terms of Windows file serving, 2 important conversations take place.

Devices on the same network
Host A <------> Host B <------>

For the first conversation, Host A is broadcasting that it is a Windows server. Host B responds by automatically listing Host A in Network Neighborhood. (Yes, this is a very simplified explanation. I'm just trying to draw a picture here.) In this case Host A is the first device to speak and is INITIATING the network communication. Host B is responding to the network communication initiated by Host A and listing Host A in its Network Neighborhood.

The second conversation is when Host B requests a file from Host A. When Host B requests a file on Host A, Host B is then the initiator of the network communication. Host A is then the responder and responds with the file requested. Because Host A has already broadcast itself as a file server and Host B had listed Host A in Network Neighborhood because of that broadcast, Host B can use Network Neighborhood to open communications with Host A with minimal effort.

Now let's add NAT to the network. Now Windows file server Host A is on the outside of the NAT and Windows client Host B is on the inside. Remember that with NAT, hosts on the inside have to initiate a network conversation before hosts on the outside can respond. If a host on the outside tried to initiate a conversation with a host on the inside, the conversation would fail immediately.

NOTE: Notice the change in the IP of Host B. This is because there is now a router between the two hosts. The reasons why are beyond this post.

Host A Outside <---| NAT Router |---> Host B Inside <---| NAT Router |--->

Now trying the same 2 conversations.

The first conversation, where Host A is broadcasting itself as a file server, will never reach Host B. Host B will not automatically list Host A in its Network Neighborhood. This is because Host A is the initiator and as such, the NAT router will drop all Host A traffic because it's coming from the outside.

That doesn't mean that Host B cannot access Host A. Host B can still access files from Host A, but Host B cannot use the automatic mechanism known as Network Neighborhood. Host B would have to MANUALLY request the file directly from Host A. Host B would need to know the ip address of Host A and would have to MANUALLY browse to Host A. This manual process would then initiate a conversation from the inside to the outside and Host A would now be able to respond with a list of files and the file Host B requested.

The whole point of that example was to demonstrate that NAT imposes a restriction where hosts on the inside have to initiate a conversation to hosts on the outside before a 2-way conversation can begin. There is a workaround for this. The workaround is called port forwarding. How port forwarding works can be explained using the same example.

Host A Outside <---| NAT Router |---> Host B Inside <---| NAT Router |--->

Host A failed to broadcast itself to Host B because the NAT Router requires Host B to initiate any communications. Host A is blocked from initiating communications. But what if there were a way for A to initiate this conversation? If you know what PORT NUMBERS Host A is using to broadcast its services, you can have the NAT ROUTER automatically FORWARD those ports to 1 host on the inside. Windows file serving uses TCP/UDP ports 135-139 and port 445. If you configured Ports 135-139 and port 445 to be automatically forwarded from to, then Host A would have permission to initiate communications to Host B. Host A would then be automatically listed in Host B's Network Neighborhood.

This is an example of how to enable the Windows file sharing service to work from the outside of the NAT to 1 host on the inside. And therein lie the caveats. 1st, you need to know the port numbers for each service you want to enable from the outside. That means you need to know what ports your home security system uses along with any other services you want to allow from Router A to Router B.

Next, and probably the biggest drawback, is that this is a 1-to-1 mapping. You can only map 1 service on the outside to one device on the inside. You can't do 1 service to 2 devices. For technical reasons, it just doesn't work.

And to make matters worse, for every router you have, you have another level of NAT. You have 3 natural firewalls in place. The one between the internet and your home network is doing what it needs to do. The other two are going to cause you headaches as you try to poke holes in those NATs to allow your devices to communicate.

This is not your solution. It is a (very simplified) explanation about why your devices can access the internet (going forward from Router 3 to Router 1) but not going back (Router 1 to Router 3).

My recommendation: you do not need 3 routers to partition your network the way you want it. You need to move away from home routers and get a SOHO/small business router. A Cisco 1841 and a few switches would do what you want for $600 new or $280 used (eBay).

If you can't afford that, I would next recommend a spare computer with multiple network cards and some switches. Install IP Cop (a network security Linux distribution). IP Cop has a zone feature that segregates the traffic exactly like you want.

And if you don't have a spare computer, you should look into OpenWRT or DD-WRT. If you have a compatible router (and you probably do), you can get enterprise level functionality from a home router.

Well, that was long, wasn't it? It was long because you are using routers in a fashion for which they were not intended. And while it works, it's a disaster waiting to happen.

Good Luck
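
The connection-initiation and port-forwarding behaviour described in the post above, as an added example that is not part of the original post: a toy Python model of one NAT router's session table. The class `NatRouter`, the function `demo` and every IP address and port other than 445 are constructed for illustration, and the model covers unicast connections only.

```python
# Added illustration: toy model of a consumer router's NAT table.
# All addresses below are constructed sample values, not taken from the thread.
class NatRouter:
    def __init__(self, outside_ip):
        self.outside_ip = outside_ip
        self.sessions = {}   # (proto, nat_port) -> (inside_ip, inside_port, remote_ip, remote_port)
        self.forwards = {}   # (proto, outside_port) -> inside_ip
        self.next_port = 40000

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """An inside host initiates: record the flow and rewrite the source."""
        nat_port = self.next_port
        self.next_port += 1
        self.sessions[(proto, nat_port)] = (src_ip, src_port, dst_ip, dst_port)
        return (self.outside_ip, nat_port, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """A packet hits the outside interface: return inside (ip, port), or None if dropped."""
        sess = self.sessions.get((proto, dst_port))
        if sess and sess[2:] == (src_ip, src_port):
            return sess[0], sess[1]          # reply to a flow the inside started
        inside_ip = self.forwards.get((proto, dst_port))
        if inside_ip:
            return inside_ip, dst_port       # explicit port forward
        return None                          # unsolicited traffic is dropped

    def add_forward(self, proto, port, inside_ip):
        """One outside port maps to exactly one inside host."""
        if (proto, port) in self.forwards:
            raise ValueError(f"{proto}/{port} already forwarded to {self.forwards[(proto, port)]}")
        self.forwards[(proto, port)] = inside_ip

def demo():
    host_a, host_b = "192.168.1.10", "192.168.2.20"   # A outside, B inside (constructed)
    nat = NatRouter(outside_ip="192.168.1.2")
    results = {}
    results["a_initiates"] = nat.inbound("tcp", host_a, 50000, 445)
    _, nat_port, _, _ = nat.outbound("tcp", host_b, 51000, host_a, 445)
    results["a_replies"] = nat.inbound("tcp", host_a, 445, nat_port)
    nat.add_forward("tcp", 445, host_b)
    results["a_initiates_forwarded"] = nat.inbound("tcp", host_a, 50000, 445)
    try:
        nat.add_forward("tcp", 445, "192.168.2.21")
        results["second_forward"] = "accepted"
    except ValueError:
        results["second_forward"] = "rejected"
    return results

if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

Each forward added this way is a standing hole in the segment's isolation, so it is worth listing them per router and removing any that are no longer needed.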


April 19, 2012 at 07:51:34

Nobody here is laughing at chakr. Nobody here is ridiculing him or offering opinions about his setup.

Were I to have need for 3 separate subnets at home and I didn't have the access to Layer 2/3 equipment that I do, I'd do it with SOHO Routers.

I suspect that anybody who's laughing is rather clueless about networking and was unable to offer any useful information so instead of just shutting up, they made rude comments to cover their lack of knowledge and skill.

The answer is... There is not enough information to engineer a solution. And even with the proper information, the solution would be too long to post and would come with caveats.

Sorry but you're dead wrong here.

There is a simple solution and wanderer already told the OP how to achieve what he wants by adding a static route.

That extremely long post of yours was basically useless. Most of what you wrote didn't apply and what was directly related to the OP's question, you got wrong.

So, thanks for trying but do us all a favor and don't bother in the future as you don't seem to know much about networking either.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***


April 20, 2012 at 03:04:30
Curt R
WOW… Hold the insults. You took that rather personally, didn't you?

1. I found this post here:
At no point did I say I was laughing. Not only that, even though others may think this is a fail, I chose to come and try to help.

2. At no point did I question the user’s need for 3 separate subnets. I did not even question his need to use consumer hardware to accomplish what he needed. Not everyone has the luxury of enterprise equipment. Hence I gave 3 recommendations, 2 of which could be implemented on a dime.

Curt R. Your comments on the other hand are childish and unnecessary. You don’t like my answer, fine, move on. The internet can do without the peanut gallery.

As for my answer; I assumed that since this particular question did not have a score and in the last entry posted, wanderer was still not able to access his cameras meant his problem was indeed not solved. I took a swing at trying to help him understand why it might not be working.

I will admit one fault. I assumed he had his routers connected in serial: Router A connected to Router B, and Router B connected to Router C. A very common error many home users make when building something more complicated than one router sharing an internet connection.

But even if I gave him the benefit of the doubt, and he did indeed connect routers B & C directly to A, there is still a (very high) possibility that his network is configured with nested NAT (Router B and C running NAT behind router A running NAT).

Why, you might ask? Because he stated that basic internet access was working for all devices. If that is true then either A: He is running nested NAT and the NAT happened to (haphazardly) take care of the routing for him, or B: He had enough experience to have already configured the static routes or dynamic routing necessary between his A, B, and C routers to enable his networks behind routers B & C to reach the internet. He would also have configured the firewalls necessary to partition the network as he did. And if B is the case, he probably would not have asked the question.
If the answer is B, then he is only running NAT on the gateway router (A). The routing has already been configured between A, B, and C to support internet access for networks 192.168.1.x and 192.168.2.x. And I will be the first to admit I was way, way off. But then I go back to my initial answer of there is not enough information.
So was that the case? If so, I will shut up.
Now consider that it is indeed scenario A. The user is running nested NAT on routers B and C. Was there anything technically wrong with my explanation (other than over simplifying it)? Port Forwarding would indeed solve his problem.


April 20, 2012 at 07:21:57
Nobody here cares what some no-mind elsewhere I'm not even going to waste a second following that link you posted.

Your long-winded and useless post was also not needed, as was this last reply of yours. Why anybody would waste paragraphs on an answer that's a single sentence is beyond me. Unless of course the person in question just likes hearing themselves talk.

At best, your posts will confuse the OP. At the worst, he'll be trying to make changes that won't help him.

wanderer posted the correct reply and all the OP has to do is add that route and his setup will work the way he wants. Period, end of story.

Oh and don't bother responding to me, I'm done talking to you.
