So, I came across your post on another website where people were laughing at your setup. And while I do find your post amusing, I hate it when people respond with ridicule and opinions instead of facts and answers.
I hate it when I post sys admin questions and people flame me for being "stupid". We were all newbies once. So on with the show...
The answer is... There is not enough information to engineer a solution. And even with the proper information, the solution would be too long to post and would come with caveats.
You need to read about TCP/UDP port numbers, Network Address Translation (NAT), and Port Forwarding. The reason your devices can and can't communicate (either or) has to do with these technologies. I'll try to shorten it for you.
Given the number of 192.168 addresses you gave, I will assume you are using consumer home routers (Linksys, D-Link, Netgear...). All of these routers perform a service called Network Address Translation (NAT). NAT performs a crucial function for IPv4 that I will not go into here. But while performing this function, NAT acts as a natural firewall between two networks. This natural firewall creates a 1-way communication flow from one device on the "INSIDE" to another device on the "OUTSIDE". The words INSIDE and OUTSIDE are extremely important, please make note.
Well, that's not entirely true. Most network communications are bi-directional (or 2-way). It would be more accurate to say that NAT creates a condition where the device on the inside has to initiate a connection to the device on the outside before the device on the outside can return any network communication to the device on the inside.
Say you had Windows file server Host A and Windows client Host B. Both of these devices are on the same network and can communicate freely. In terms of Windows file serving, 2 important conversations take place.
Devices on the same network
Host A <------> Host B
192.168.1.10 <------> 192.168.1.30
For the first conversation, Host A is broadcasting that it is a Windows server. Host B responds by automatically listing Host A in Network Neighborhood. (Yes, this is a very simplified explanation. I'm just trying to draw a picture here.) In this case Host A is the first device to speak and is INITIATING the network communication. Host B is responding to the network communication initiated by Host A and listing Host A in its Network Neighborhood.
The second conversation is when Host B requests a file from Host A. When Host B requests a file on Host A, Host B is then the initiator of the network communication. Host A is then the responder and responds with the file requested. Because Host A has already broadcast itself as a file server and Host B has listed Host A in Network Neighborhood because of that broadcast, Host B can use Network Neighborhood to open communications with Host A with minimal effort.
Now let's add NAT to the network. Now Windows file server Host A is on the outside of the NAT and Windows client Host B is on the inside. Remember that with NAT, hosts on the inside have to initiate a network conversation before hosts on the outside can respond. If a host on the outside tried to initiate a conversation with a host on the inside, the conversation would fail immediately.
NOTE: Notice the change in the IP of Host B. This is because there is now a router between the two hosts. The reasons why are beyond this post.
Host A Outside <---| NAT Router |---> Host B Inside
192.168.1.10 <---| NAT Router |---> 192.168.15.30
Now trying the same 2 conversations.
The first conversation, where Host A is broadcasting itself as a file server, will never reach Host B. Host B will not automatically list Host A in its Network Neighborhood. This is because Host A is the initiator and, as such, the NAT router will drop all Host A traffic because it's coming from the outside.
That doesn't mean that Host B cannot access Host A. Host B can still access files from Host A, but Host B cannot use the automatic mechanism known as Network Neighborhood. Host B would have to MANUALLY request the file directly from Host A. Host B would need to know the IP address of Host A and would have to MANUALLY browse to Host A. This manual process would then initiate a conversation from the inside to the outside, and Host A would now be able to respond with a list of files and the file Host B requested.
The whole point of that example was to demonstrate that NAT imposes a restriction where hosts on the inside have to initiate a conversation with hosts on the outside before a 2-way conversation can begin. There is a workaround for this. The workaround is called port forwarding. How port forwarding works can be explained using the same example.
Host A Outside <---| NAT Router |---> Host B Inside
192.168.1.10 <---| NAT Router |---> 192.168.15.30
Host A failed to broadcast itself to Host B because the NAT router requires Host B to initiate any communications. Host A is blocked from initiating communications. But what if there were a way for Host A to initiate this conversation? If you know what PORT NUMBERS Host A is using to broadcast its services, you can have the NAT ROUTER automatically FORWARD those ports to 1 host on the inside. Windows file serving uses TCP/UDP ports 135-139 and port 445. If you configured ports 135-139 and port 445 to be automatically forwarded from 192.168.1.10 to 192.168.15.30, then Host A would have permission to initiate communications to Host B. Host A would then be automatically listed in Host B's Network Neighborhood.
This is an example of how to enable the Windows file sharing service to work from the outside of the NAT to 1 host on the inside. And therein lie the caveats. First, you need to know the port numbers for each service you want to enable from the outside. That means you need to know what ports your home security system uses, along with any other services you want to allow from Router A to Router B.
Next, and probably the biggest drawback, is that this is a 1-to-1 mapping. You can only map 1 service on the outside to 1 device on the inside. You can't do 1 service to 2 devices. For technical reasons, it just doesn't work.
And to make matters worse, for every router you have, you have another level of NAT. You have 3 natural firewalls in place. The one between the internet and your home network is doing what it needs to do. The other two are going to cause you headaches as you try to poke holes in those NATs to allow your devices to communicate.
This is not your solution. It is a (very simplified) explanation about why your devices can access the internet (going forward from Router 3 to Router 1) but not going back (Router 1 to Router 3).
My recommendation: you do not need 3 routers to partition your network the way you want it. You need to move away from home routers and get a SOHO/small business router. A Cisco 1841 and a few switches would do what you want for $600 new or $280 used (eBay).
If you can't afford that, I would next recommend a spare computer with multiple network cards and some switches. Install IPCop (a network security Linux distribution). IPCop has a zone feature that segregates the traffic exactly like you want.
And if you don't have a spare computer, you should look into OpenWRT or DD-WRT. If you have a compatible router (and you probably do), you can get enterprise-level functionality from a home router.
Well, that was long, wasn't it? It was long because you are using routers in a fashion for which they were not intended. And while it works, it's a disaster waiting to happen.
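Added example (not code from the post above or from any router vendor): a toy Python model of the NAT behaviour the post describes, so you can step through the Host A / Host B scenario yourself. It models a router with an outside address, a connection-tracking table that only inside-initiated flows populate, and static port forwards as the one way an outside host gets to initiate. The router's outside address (192.168.1.2), the ephemeral port range, and every packet are constructed for illustration; Host A's "broadcast" is simplified to a unicast at the router's outside address. Real NAT implementations differ in how strictly they check the replying peer; the strict check here is a design choice of this model.

```python
"""Toy model of the NAT behaviour described in the post: a connection-
tracking table that only inside-initiated flows populate, and static port
forwards as the one way for an outside host to initiate.  Added example,
not code from the original post; 192.168.1.2 is an assumed outside
address for the router and all packets are constructed."""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, outside_ip: str) -> None:
        self.outside_ip = outside_ip
        self._next_port = 40000  # assumed start of the translated-port range
        # translated (proto, outside port) -> (inside ip, inside port, peer ip, peer port)
        self._conntrack: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        # static (proto, outside port) -> (inside ip, inside port)
        self._forwards: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def add_forward(self, proto: str, outside_port: int, inside_ip: str, inside_port: int) -> None:
        """A forwarded port maps to exactly one inside host (the post's 1-to-1 caveat)."""
        key = (proto, outside_port)
        existing = self._forwards.get(key)
        if existing is not None and existing != (inside_ip, inside_port):
            raise ValueError(f"{proto}/{outside_port} already forwarded to {existing[0]}:{existing[1]}")
        self._forwards[key] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source and remember the flow so the reply can return."""
        ext_port = self._next_port
        self._next_port += 1
        self._conntrack[(pkt.proto, ext_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(pkt.proto, self.outside_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: deliver replies to tracked flows or packets to forwarded ports; else drop."""
        if pkt.dst_ip != self.outside_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        entry = self._conntrack.get(key)
        if entry is not None:
            in_ip, in_port, peer_ip, peer_port = entry
            # Only the peer the inside host talked to may use this mapping
            # (strict stateful check; real NAT types vary in strictness).
            if (pkt.src_ip, pkt.src_port) == (peer_ip, peer_port):
                return Packet(pkt.proto, pkt.src_ip, pkt.src_port, in_ip, in_port)
            return None
        fwd = self._forwards.get(key)
        if fwd is not None:
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, fwd[0], fwd[1])
        return None


def demo() -> Dict[str, object]:
    """Walk the post's Host A (outside) / Host B (inside) scenario; returns results for checking."""
    host_a, host_b = "192.168.1.10", "192.168.15.30"
    nat = NatRouter(outside_ip="192.168.1.2")  # assumed outside address of the NAT router

    # 1. Host A tries to initiate (modelled as a unicast to the router's outside address): dropped.
    unsolicited = nat.inbound(Packet("tcp", host_a, 50000, nat.outside_ip, 445))

    # 2. Host B initiates a connection to Host A's SMB port; the router records the flow.
    out = nat.outbound(Packet("tcp", host_b, 51000, host_a, 445))

    # 3. Host A's reply to the translated address matches the flow and reaches Host B.
    reply = nat.inbound(Packet("tcp", host_a, 445, nat.outside_ip, out.src_port))

    # 4. A different outside host aiming at the same translated port is dropped.
    stranger = nat.inbound(Packet("tcp", "192.168.1.20", 445, nat.outside_ip, out.src_port))

    # 5. A port forward lets Host A initiate to one inside host.
    nat.add_forward("tcp", 445, host_b, 445)
    forwarded = nat.inbound(Packet("tcp", host_a, 50001, nat.outside_ip, 445))

    # 6. The same outside port cannot also be sent to a second inside host.
    try:
        nat.add_forward("tcp", 445, "192.168.15.31", 445)
        second_forward_ok = True
    except ValueError:
        second_forward_ok = False

    return {
        "unsolicited_delivered": unsolicited is not None,
        "translated_src": (out.src_ip, out.src_port),
        "reply_dst": (reply.dst_ip, reply.dst_port) if reply else None,
        "stranger_delivered": stranger is not None,
        "forwarded_dst": (forwarded.dst_ip, forwarded.dst_port) if forwarded else None,
        "second_forward_ok": second_forward_ok,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and step 1 is dropped, step 3 is delivered only because step 2 created the mapping, and step 6 fails because one outside port can point at only one inside host, which is the chain of reasoning the post walks through. Stacking three of these routers, as the original setup does, means repeating the forward at each layer for every service you want to reach from the outermost network.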