Allow devices to communicate across 2 network subnets

I have 2 home routers and want to allow (some) devices to communicate across subnets.

  • ROUTER#1 (ASUS RT-AC87U), subnet 192.168.1.0/24, acting as the main router connected to the ISP
  • ROUTER#2 (NETGEAR WGR614 v7), subnet 192.168.2.0/24, connecting its WAN port to ROUTER#1 LAN port

[INTERNET] -> [WAN] ROUTER#1 [LAN] -> [WAN] ROUTER#2 [LAN] -> PC#2

How do I allow devices connected directly to ROUTER#1 to talk to devices on ROUTER#2 (by their IP on ROUTER#2’s subnet) but not vice-versa?

For example, PC#1 (192.168.1.217), connected to ROUTER#1's LAN, should reach PC#2 (192.168.2.10), connected to ROUTER#2's LAN port. As a test, I'm trying to reach a dummy web server hosted on PC#2 port 80 via http://192.168.2.10/index.html or ping 192.168.2.10.

If I configure port forwarding on ROUTER#2 on port 80 to forward to PC#2 (192.168.2.10) and access it via ROUTER#2's IP on the ROUTER#1 subnet (192.168.1.5), it works as expected, but that's not the goal.

ROUTER#1 needs to stay as the main router connecting to the ISP. Also, ROUTER#2 needs to provide its own subnet and DHCP.

ROUTER#1 allows me to configure static routes and the firewall (iptables). ROUTER#2 is a lot more limited in its configuration options, allowing me to enable/disable the SPI firewall and configure static routes. I've searched, but couldn't find any control over NAT on ROUTER#2.

FYI: I’m a NOOB on networking, but trying to learn during the process.

SETUP SUMMARY

ROUTER#1 (ASUS RT-AC87U)

  • WAN port connected to ISP Modem
  • ROUTER#2 (192.168.1.5) connected to LAN port
  • PC#1 (192.168.1.217) connected to LAN port
  • reserved IP for ROUTER#2 (192.168.1.5)
  • static route entry to forward 192.168.2.0/24 via 192.168.1.5 on interface br0
  • entry on iptables FORWARD chain to ACCEPT src 192.168.1.0/24 dst 192.168.2.0/24 if br0

ROUTER#2 (NETGEAR WGR614 v7)

  • WAN port connected to ROUTER#1 LAN port
  • PC#2 (IP: 192.168.2.10) connected to Router#2 LAN port (running dummy web server on port 80)
  • port forward to bind 80:80 dst 192.168.2.10
  • SPI Firewall disabled
  • Respond to ping on internet port enabled

From PC#1

  • can ping Router#2 on 192.168.1.5
  • cannot ping Router#2 on 192.168.2.1
  • cannot ping PC#2 on 192.168.2.10
  • cannot reach web server on 192.168.2.10:80

SETUP DETAILS

ROUTER #1 (ASUS RT-AC87U)

WAN

  • (PPPoE to ISP)

LAN

  • IP Address: 192.168.1.1
  • Subnet Mask: 255.255.255.0
  • DNS Server: 1.1.1.1

DHCP Server

  • IP Pool Start: 192.168.1.200
  • IP Pool End: 192.168.1.254
  • Manually Assigned: 192.168.1.5 to Router #2

LAN Route – Static Route

  • Network/Host IP: 192.168.2.0
  • Netmask: 255.255.255.0
  • Gateway: 192.168.1.5
  • Metric: 1
  • Interface: LAN (br0)

Route Table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
(...)
169.254.39.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
192.168.2.0     192.168.1.5     255.255.255.0   UG    1      0        0 br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
(...)

iptables FORWARD

Chain FORWARD (policy ACCEPT)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  tun21  *       0.0.0.0/0            0.0.0.0/0
2     6558  363K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcpflags: 0x06/0x02 TCPMSS clamp to PMTU
3       60  3120 ACCEPT     all  --  br0    br0     192.168.1.0/24       192.168.2.0/24
4        0     0 SECURITY   all  --  ppp0   *       0.0.0.0/0            0.0.0.0/0

ROUTER #2 (NETGEAR WGR614 v7)

WAN (Static IP)

  • IP Address: 192.168.1.5
  • IP Subnet Mask: 255.255.255.0
  • Gateway IP Address: 192.168.1.1

LAN

  • IP Address: 192.168.2.1
  • Subnet Mask: 255.255.255.0
  • DNS Server: 192.168.1.1

DHCP Server

  • IP Pool Start: 192.168.2.10
  • IP Pool End: 192.168.2.20
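As an added illustration (not part of the question), a small Python model of the path a packet from PC#1 takes through the ROUTER#1 route table and FORWARD chain listed above. ROUTER#2 is modelled, as an assumption rather than anything the question documents, as a NAT gateway that admits unsolicited WAN traffic only through its configured port forwards; under that assumption the model reproduces the observed results (port 80 via 192.168.1.5 works, anything addressed to 192.168.2.x does not).

```python
import ipaddress
# ROUTER#1 route table entries as listed (destination, gateway, genmask, iface).
ROUTER1_ROUTES = [
    ("192.168.2.0", "192.168.1.5", "255.255.255.0", "br0"),
    ("192.168.1.0", "0.0.0.0", "255.255.255.0", "br0"),
]
# ROUTER#1 FORWARD rule 3 (in, out, src, dst, target); the chain policy is ACCEPT.
ROUTER1_FORWARD = [("br0", "br0", "192.168.1.0/24", "192.168.2.0/24", "ACCEPT")]

# Assumed model of ROUTER#2 (assumption, not stated in the question): its WAN side
# admits unsolicited traffic only through a configured port forward, nothing else.
ROUTER2_WAN = ipaddress.ip_address("192.168.1.5")
ROUTER2_PORT_FORWARDS = {("tcp", 80): ("192.168.2.10", 80)}

def lookup_route(dst, routes):
    """Longest-prefix match over a `route -n` style table -> (gateway, iface)."""
    dst, best = ipaddress.ip_address(dst), None
    for net, gw, mask, iface in routes:
        network = ipaddress.ip_network(f"{net}/{mask}")
        if dst in network and (best is None or network.prefixlen > best[0]):
            best = (network.prefixlen, gw, iface)
    return None if best is None else best[1:]

def forward_verdict(src, dst, in_if, out_if, rules, policy="ACCEPT"):
    """First matching FORWARD rule wins; otherwise the chain policy applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_in, r_out, r_src, r_dst, target in rules:
        if ((r_in, r_out) == (in_if, out_if) and src in ipaddress.ip_network(r_src)
                and dst in ipaddress.ip_network(r_dst)):
            return target
    return policy

def trace(src, dst, proto="tcp", dport=80):
    """Follow a packet sent by a ROUTER#1 LAN host and report where it ends up."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in ipaddress.ip_network("192.168.1.0/24"):      # same link, no routing
        if dst == ROUTER2_WAN and (proto, dport) in ROUTER2_PORT_FORWARDS:
            ip, port = ROUTER2_PORT_FORWARDS[(proto, dport)]
            return f"DNAT by ROUTER#2 to {ip}:{port}"
        return f"delivered directly to {dst}"
    route = lookup_route(dst, ROUTER1_ROUTES)              # ROUTER#1 is the gateway
    if route is None:
        return "no route on ROUTER#1"
    gw, iface = route
    if forward_verdict(src, dst, "br0", iface, ROUTER1_FORWARD) != "ACCEPT":
        return "dropped by ROUTER#1 FORWARD chain"
    if ipaddress.ip_address(gw) != ROUTER2_WAN:
        return f"forwarded via {gw}"
    return "dropped at ROUTER#2 WAN: no port forward for a 192.168.2.x destination"
```

The model makes the point visible: ROUTER#1 does its job (route plus ACCEPT), and the packet only dies once it reaches ROUTER#2's WAN port with a 192.168.2.x destination that no port forward covers.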