"Transparently" access hosts from a different subnet?

Hi,

I’m running a hAP ac2; I’ve got a wireless network (wlan1 - 172.19.2.0/24) for trusted wifi devices (i.e. my phone) and a guest wireless network (wlan2 - 172.19.5.0/24) for some smart appliances (e.g. tv, robot vacuum cleaner, etc.).

Because the control apps for these appliances try to detect them by scanning 172.19.2.0/24, I need a way to allow the app to reach the device as if it was on the same subnet.

One approach I tried was to configure the two networks as adjacent address spaces (172.19.2.0/25 for trusted and 172.19.2.128/25 for guest), make the clients on the two networks believe they’re actually on 172.19.2.0/24 via DHCP options and use proxy-arp. However, I gave up this setup because the router was actually answering for all ip addresses from the second subnet, even if they weren’t actually DHCP allocated. It was confusing, so I stopped.

The second approach I’m thinking of is to create some “fake” hosts on the trusted subnet (e.g. 172.19.2.250) which redirect traffic to the corresponding host in the second subnet. I started with some static ARP entries for the fake hosts with the MAC address of the router, but from there… I don’t know how to proceed.

Any ideas how to solve this?
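One way to carry the “fake host” idea through on RouterOS is with a secondary address plus destination NAT, so the router itself answers for 172.19.2.250 and forwards the connection to the real appliance. This is an added example, not something from the thread: the interface names wlan1/wlan2 are taken from the post but are assumed to be routed interfaces (if they are bridge ports, use the bridge names instead), and 172.19.5.50 is a constructed placeholder for the appliance’s guest-subnet address.

```routeros
# Added example (not from the thread). Assumptions: wlan1 = trusted, wlan2 = guest,
# 172.19.5.50 = constructed placeholder for the appliance on the guest subnet.

# 1. Give the router a second address in the trusted subnet. The router now answers
#    ARP for 172.19.2.250 itself, so no static ARP entries on the clients are needed.
/ip address
add address=172.19.2.250/24 interface=wlan1 comment="fake host for appliance on guest wifi"

# 2. Rewrite connections aimed at the fake host to the real appliance. Connection
#    tracking reverses the translation on the way back, so the phone keeps seeing
#    172.19.2.250 as the peer.
/ip firewall nat
add chain=dstnat in-interface=wlan1 dst-address=172.19.2.250 \
    action=dst-nat to-addresses=172.19.5.50 \
    comment="fake 172.19.2.250 -> appliance 172.19.5.50"

# 3. Only the dst-natted connections are allowed to cross into the guest subnet;
#    everything else from trusted to guest stays subject to the existing forward rules.
/ip firewall filter
add chain=forward in-interface=wlan1 out-interface=wlan2 \
    dst-address=172.19.5.50 connection-nat-state=dstnat action=accept \
    comment="allow trusted -> appliance via fake host only"
```

This only helps for unicast traffic: a control app that probes 172.19.2.250 by TCP or UDP will reach the appliance, but broadcast or multicast discovery (mDNS, SSDP) is not forwarded by dst-nat, and the appliance still sees the phone’s real 172.19.2.x source address. One fake address is needed per appliance, placed before any generic trusted-to-guest drop rule in the forward chain.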

Best bet is to put the control apps on the same subnet as the IoT devices.
OR on their own subnet and provide firewall rule access to the other subnet.

You can also give an IP (aka your computer) access to the other subnet via firewall rules so that the app can reach them.

Like @anav wrote: put control app in same subnet as IoT gadget. Auto-discovery doesn’t really work when there’s a router in between. Sure, there are some protocols for which some routers make auto-discovery across different subnets happen, but that’s more an exception than a rule.

Well, I agree it would be easier to connect the mobile phone to the guest wifi (where the devices are also connected), if there’s no other way, but that would require me to allow access in the other direction for services which are on the trusted network (e.g. NAS). This will be simpler to achieve though…
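For anav’s firewall-rule approach and the reverse case raised just above (phone on the guest wifi reaching a NAS on the trusted network), here is an added RouterOS forward-chain example; it is not from the thread. Assumptions: wlan1 (172.19.2.0/24) and wlan2 (172.19.5.0/24) are routed interfaces (use the bridge names if they are bridge ports), 172.19.2.10 is a constructed placeholder for the phone, and 172.19.2.20 is a constructed placeholder for the NAS, exposing SMB (445) and HTTPS (443) only.

```routeros
# Added example (not from the thread). Assumptions: wlan1 = trusted 172.19.2.0/24,
# wlan2 = guest/IoT 172.19.5.0/24, 172.19.2.10 = phone (constructed),
# 172.19.2.20 = NAS (constructed). Rules are evaluated top to bottom; first match wins.
/ip firewall filter

# Return traffic for connections that were already allowed in either direction.
add chain=forward connection-state=established,related action=accept \
    comment="allow replies to permitted connections"
add chain=forward connection-state=invalid action=drop \
    comment="drop packets that belong to no tracked connection"

# Option A (anav): let one trusted host, the phone, initiate to the whole IoT subnet.
add chain=forward in-interface=wlan1 out-interface=wlan2 \
    src-address=172.19.2.10 dst-address=172.19.5.0/24 action=accept \
    comment="phone -> IoT subnet"

# Option B (follow-up): phone moved to the guest wifi still needs the NAS.
# Only the NAS and only the two services it offers are opened, nothing else.
add chain=forward in-interface=wlan2 out-interface=wlan1 \
    src-address=172.19.5.0/24 dst-address=172.19.2.20 \
    protocol=tcp dst-port=445,443 action=accept \
    comment="guest -> NAS (SMB, HTTPS) only"

# Everything else initiated from the IoT/guest side toward the trusted network is
# dropped, so a compromised appliance cannot reach the rest of the trusted subnet.
add chain=forward in-interface=wlan2 out-interface=wlan1 action=drop \
    comment="IoT/guest -> trusted: default deny"
```

Only the established/related rule lets packets flow back, so Option A opens nothing from the IoT side, and Option B is limited to the two NAS ports. Check the result with `/ip firewall filter print stats`, whose counters show which rule each direction is actually matching; if the counters on the accept rules stay at zero while the app still fails, the app relies on broadcast discovery, which these rules deliberately do not carry across the router.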