Access from LAN, but not disconnected WAN

[Didam]

I had a setup with a DS720 behind my router, port forwarding 443 from the router to the NAS, a wildcard Let's Encrypt cert, and reverse proxy for several services. Eeverything worked great. Then I moved (switched ISP) and now I can access NAS services by using the NAS IP/port or by using the port forward address (so https://wiki.mydomain.com/), but ONLY when I'm logged onto the LAN. When I use cellular or am on another network, I get a timeout.

The odd thing (to me) is that the port forward address works on the LAN. Doesn't that go outside my LAN and come back in? Why does that work, but not when I start from another network? The NAS can access the internet fine.

I didn't change router or NAS settings between ISPs. I'm stumped on where to begin looking. I started with firewall rules and disabled the NAS firewall entirely. Still didnt work. I feel like the router settings are fine since I can access the NAS.

Thoughts?

 

[Rusty]

Doesn't that go outside my LAN and come back in? Why does that work, but not when I start from another network?

NAT loopback support by your router.

Thoughts

if it’s not the firewall and nothing changed on the pan side, looks like isp is blocking 443 hosting

 

[Didam]

Loopback... right.

I'm contacting the ISP. Thanks for the idea!

 

[Didam]

So, yes, the ISP blocks 443 traffic. But they said:

"You an use Port Forwarding through your router to work around this. Port forwarding essentially selects a port number that is closed and redirects the information to an alternate open port. Many devices such as security systems and cameras require ports that are not open on their networks. When port forwarding is complete, it allows the user to have a work around for these vulnerabilities."

I tried setting both sides of my router's port forwarding setting, but nothing changed. I dont fully understand things, but I dont understand port forwarding would help if the ISP is blocking 443 traffic?

 

[Telos]

This seems like ISP gibberish. If 443 isn't open to you, then you will have to find alternative ports that are... for example, 21354. So that will be the port you use remotely. Then from your router forward 21354 to 443. Then 443 will still work on LAN, but outside your net, you'll need to add the port number to the HTTPS URL.

... if I understood correctly. Or request that they open 443 to your router.

Or maybe someone else here will have a more highly educated answer.

 

[Didam]

I guess I dont understand how I can force https to 21354 (your example port). If I send a request to https://wiki.mydomain.com, I dont get to choose the port, do I?

 

[tb123]

You do if you add the port address on the end
nas.Synology.me:21354 or xxx.xxx.xxx.xxx:21354

you also need a Public IP address

 

[Rusty]

but I dont understand port forwarding would help if the ISP is blocking 443 traffic?

As it was said, isp prevents 443 usage but will allow any other port (1024 and up). you just have to find one that works.

Bottom line is you will be able to gain access just not using a clean url. Using https and any port other then 443 means you will have to add a custom port in your url

 

[Didam]

Ok, I've changed port forwarding and tried several different ports, and I know the port works on my end (assuming NAT loopback as stated above) since I had to adjust my links on the LAN to include the changed port. So LAN access still works when I add the port number.

But I still can't get anything more than a timeout error when accessing from the WAN... using the same link address... should I just keep trying ports? I did receive a list of blocked ports from the ISP, and I'm not choosing any of them.

 

[tb123]

Do you have a PUBLIC IP address on your routers WAN port?

 

[Didam]

I am using Synology DDNS, is that what you're referring to? So my link looks like:

https://wiki.<myName>.synology.me:3721/

Or, are you saying that I need to assign my router's WAN port the IP provided by the ISP?

I havent changed the DDNS since moving and everything worked fine before switching ISPs.

 

[tb123]

Depending on where you are in the world, many ISP only provide a private CGNAT address to the customer. These are not accessible (non routable) from the outside world.

If your WAN IP address is anything like the following, it's CGNAT

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

If you do have a CGNAT address, talk to your ISP, they can usually allocate a Public address on request.

 

[Didam]

My public IP is 24.115.xxx.xxx.

 

[Gerard]

Use a computer on your lan and go to canyouseeme.org type 443 , what’s the result?

 

[Didam]

It says closed. Well 443 is ISP blocked, but I've tried forwarding several ports on my router and they remain closed. Even ones that I've set previously and had working. My WAN IPv4 IP is the same as shown on canyouseeme.org so I assume my modem is not acting as a router (rendering port forwarding useless).

I assume at this point that it's my router settings (OpenWRT). Again, I've forwarded ports before without any problems so I'm not sure what I'm doing wrong! Thanks for the help so far, I'm a lot further than I would have been on my own! Just not sure where to look from here.

 

[Rusty]

did receive a list of blocked ports from the ISP, and I'm not choosing any of them.

If you are still in time out it’s either some firewall on some level or more isp port blocking. There is nothing else that could be returning that kind of message

 

[tb123]

My public IP is 24.115.xxx.xxx.

Ok, that’s by far the biggest issue I normally see with external access, I’m all out of ideas then

oh, except 1 maybe, you aren’t double NAT’d are you? Is there an ISP modem forwarding ports to your router? (Or your old router).

 

[Didam]

Stupid question on my part... to access my cable modem I use 192.168.100.1 and my LAN (not WAN) IP is 192.168.1.1. Is this a problem? Should my LAN be 192.168.100.x?

I'm a bit confused how I access 192.168.100.1 from my LAN-based computer... to me it seems like computer -> Router LAN -> Router WAN -> Modem IP... but router WAN is that 24.115.xxx.xx address so I'm just not comprehending.

 

[tb123]

So you definitely have a Cable modem > Router 1 > Router 2 > LAN?

Is there any reason why you have 2 x Routers?
Ideally, if you could get rid of one of the routers it would make this much easier.

If you DO have 2 x routers, you need to log into Router 1 and forward your ports to the WAN interface of Router 2. Then log into Router 2 and forward those same ports to the NAS.

Double Router Forwarding

actually, I just re-read what you wrote regarding routers, I initially thought you meant you had 2 x routers (WAN and LAN) but now think you were just talking about the two sides of the same router. In that case, you can disregard what I said about double port forward,

 

[Gerard]

Stupid question on my part... to access my cable modem I use 192.168.100.1 and my LAN (not WAN) IP is 192.168.1.1. Is this a problem? Should my LAN be 192.168.100.x?

I'm a bit confused how I access 192.168.100.1 from my LAN-based computer... to me it seems like computer -> Router LAN -> Router WAN -> Modem IP... but router WAN is that 24.115.xxx.xx address so I'm just not comprehending.

24.115.xxx.xxx is your public ip which hits your modem (device ip is 192.168.100.1). Your router (device ip 192.168.1.1) is then connected to the modem so that it can get to the outside. This is a standard setup and no your devices should be on the route subnet (192.168.1.1) not the modem subnet (192.168.100.1) - if you were to do this your devices would be sitting on the modem (aka sitting on the internet without any protection). The router is where your firewall and protection is.