Access from LAN, but not disconnected WAN

I'm a bit confused how I access 192.168.100.1 from my LAN-based computer... to me it seems like computer -> Router LAN -> Router WAN -> Modem IP... but router WAN is that 24.115.xxx.xx address so I'm just not comprehending.
Depending on your ISP connection method this could be completely normal.

The longer explanation:

I'm in the UK where the use of PPPoE to connect users and properties to an ISP backhaul is commonplace and, for ISPs using Openreach's UK network infrastructure, it is mandatory.

For my home network my router's WAN port is connected to my modem, which acts as a bridge. The actual pathway for the PPPoE from modem to the router WAN is just a regular LAN that has the PPPoE as a virtual pipe within it. Or from a different perspective the modem's PPPoE WAN comes wrapped in a regular LAN.

This LAN containing the WAN PPPoE does not need a network address, and in that case the only IP associated with it would be the external WAN IP(s). However, in that case there would be no internal way to communicate with the modem itself for settings and the like, as there is no way to route to it (a very common configuration in the UK).

Once you give the LAN containing the WAN PPPoE a network address space (like in your case and in mine) and both the router and the modem are assigned to that LAN, then you can route to the modem itself from the internal LAN to access modem controls, settings, data etc. This would give both a routable LAN IP and WAN IP to the same physical port, as you appear to have.

It also gives a potential failure route where either WAN or LAN IP is working but the other is not. It could even be the source of your problem when you switched ISPs and that new ISP used a new modem or new settings within it.

Apologies if I have over or under explained things as I don't know your level of knowledge.

[Edit: I also missed the explanation from @Gerard above when typing this.]
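An added illustration of the routing described in this reply (it is not part of the post and not OpenWRT's own code): a toy longest-prefix-match lookup over two constructed routing tables, one with an address on the modem's LAN and one without. The interface names (br-lan, eth1, pppoe-wan), the router's address on the modem LAN (192.168.100.2) and the public WAN placeholder are assumptions; the modem's own table is constructed to show why LAN traffic towards it has to be masqueraded.

```python
import ipaddress
from typing import NamedTuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    dev: str


# Constructed routing table for a router set up as the post describes.
# Interface names and addresses are assumptions for illustration:
#   br-lan    - the internal LAN (192.168.1.0/24)
#   eth1      - the physical WAN port, which also carries the modem's
#               management LAN (192.168.100.0/24)
#   pppoe-wan - the PPPoE session riding inside that same physical link
WITH_MODEM_LAN = [
    Route(ipaddress.ip_network("192.168.1.0/24"), "br-lan"),
    Route(ipaddress.ip_network("192.168.100.0/24"), "eth1"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "pppoe-wan"),
]

# The arrangement the post calls common in the UK: the LAN carrying the PPPoE
# session has no address of its own, so there is no route towards the modem.
WITHOUT_MODEM_LAN = [
    Route(ipaddress.ip_network("192.168.1.0/24"), "br-lan"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "pppoe-wan"),
]

# Assumed address the router holds on the modem's LAN, and a placeholder for
# the public address assigned to the PPPoE session.
ROUTER_MODEM_LAN_IP = "192.168.100.2"
PUBLIC_WAN_IP = "<public WAN address>"


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in table:
        if addr in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best


def forward(table, src, dst):
    """Return (egress device, source address the next hop will see).

    Traffic leaving on eth1 towards the modem is masqueraded to the router's
    own address on that LAN, traffic on the PPPoE session to the public
    address; only LAN-to-LAN traffic keeps its original source.
    """
    route = lookup(table, dst)
    if route.dev == "eth1":
        return route.dev, ROUTER_MODEM_LAN_IP
    if route.dev == "pppoe-wan":
        return route.dev, PUBLIC_WAN_IP
    return route.dev, src


# Constructed routing table of the modem itself: it only knows its own LAN.
MODEM_TABLE = [Route(ipaddress.ip_network("192.168.100.0/24"), "lan")]


def modem_can_reply(src_seen):
    """Whether the modem has a return route to the source address it saw.

    Without masquerading the modem sees 192.168.1.x as the source, has no
    route back to it, and the reply is lost: the modem looks dead from the
    LAN even though the WAN side works (the one-side-working failure the
    post mentions).
    """
    return lookup(MODEM_TABLE, src_seen) is not None


if __name__ == "__main__":
    for table, name in ((WITH_MODEM_LAN, "with modem LAN"),
                        (WITHOUT_MODEM_LAN, "without modem LAN")):
        dev, seen = forward(table, "192.168.1.50", "192.168.100.1")
        print(f"{name}: 192.168.100.1 leaves via {dev}, next hop sees {seen}")
```

With the second table, a packet for 192.168.100.1 has no better match than the default route, so it leaves on the PPPoE session towards the ISP and never reaches the modem; that is the "no way to route to it" case from the post.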
 
@tb123, sorry, I must have messed up my description. I don't have two routers, I was just describing both sides of my router.

@Gerard I thought that was the case. I don't think it matters, but my old modem was on 192.168.0.1. That's one of the few differences I can find between setups and, like I said, I don't think that matters.

@Robbie I think I understand what you mean. You mention routing from my LAN to the cable modem settings IP... I've seen an explanation for how to do this for OpenWRT, but I don't have settings to do it (part of my confusion). It makes sense to me that I'd have to explicitly route, but I don't think I am. This is part of my confusion, though maybe I need to look into how this is happening as it might be a symptom of my problem.

No worries on level of knowledge... I know enough to be dangerous, that's about it. As an engineer, the more explanation, the better!

I guess I need to learn more about OpenWRT's firewall zones, port forwards, and traffic rules. All contain settings around forwarding. I think I don't understand the definition of "forward." I thought it was an action, but I see people referencing "forward connections."
 
Ok, I think I've figured it out. I think I was fighting firewall rules between NAS and router. I forwarded a port other than 443 and everything is fine, thanks for the help!

A question about Synology's firewall: I have the following setup:
  • A rule for all devices on the local network to be accepted
  • A rule accepting traffic in the US
  • All other interfaces say "if a rule is not matched, reject"
Is this sufficient to block out-of-country traffic? I've read several things that it isn't, but I don't know how to block more than 15 countries.
 
Yes, as a minimum you only need 3 x basic rules. You can get more creative if you really want to limit internal devices to just a few IP addresses or a few ports/services, or if you have a VPN you'll need to allow its IP range, but the most basic is:

<All Interfaces> <All Ports> <All Protocols>

  1. Allow - LAN IP Range (eg 192.168.1.0/255.255.255.0)
  2. Allow - Country of choice (eg USA)
  3. Deny - ALL
So rule 1 will allow devices from your LAN to access the Diskstation, Rule 2 will only allow connections from within the USA and Rule 3 is a catch all for anything that doesn't meet Rule 1 and Rule 2 and will block access.

You don't need to block access from 1000 different countries, you only need to allow say the USA, then Rule 3 Blocks everything else. Rules are invoked top down. As soon as an incoming connection meets the rule criteria, access is granted, no further rules are checked.

I have 1 extra rule for my VPN so it's
  1. Allow LAN (192.168.1.0/255.255.255.0)
  2. Allow VPN (192.168.200.0 to 192.168.200.254)
  3. Allow Country(s)
  4. Deny ALL
When I went away overseas I added another country into the list after my Home country so I could access it when away.

3-4 years ago before I set these rules I was getting constant hits trying to login to DSM, I haven't had 1 single one since.
Also a good idea to disable the default admin account and use 2 Factor Authentication
 
When I went away overseas I added another country into the list after my Home country so I could access it when away.
Connect by VPN, and "Allow Country" rule is unnecessary... yes?

WRT "Allow LAN"... Allow only those LAN addresses of devices that require LAN access. Not IoT devices/TV/Kids/Spouse... Every unnecessary IP is a potential path for malware.
 
Connect by VPN, and "Allow Country" rule is unnecessary... yes?
I need the Allow VPN rule in there (they are the Internal VPN addresses) otherwise if I connect via VPN I cannot get back out to the Net again. It’s been some years since I set it up so can’t recall all the details (I had a post about it in the old Synology forum I think) but without it, I can’t get it to work.
I just tried it then, connected from my mobile to the NAS over VPN and then browsed the internet from my mobile, social media etc. Logged into DSM from a local device, unticked the VPN firewall rule and saved config, can no longer access any internet from the phone when connected via VPN. Enable the firewall rule again and got immediate internet connection. Maybe there is something else wrong with my setup that causes this?

If the Allow Country rule isn't there then the NAS just rejects the initial connection attempt for VPN (if outside current country).
 
if the Allow Country rule isn’t there then the NAS just rejects the initial connection attempt for VPN (if outside current country).
Gotcha. If your only access is via phone, you could whitelist your phone provider's IP range to your VPN port. But if you're using Wi-Fi hotspots, then you're pretty much stuck with whitelisting country, but limit it to your VPN port only.
 
I need the Allow VPN rule in there (they are the Internal VPN addresses) otherwise if I connect via VPN I cannot get back out to the Net again.
I have the same rule for VPN; this allows the VPN subnet to access the local LAN subnet, which is where your router/internet gateway is on; that is how it gets to the outside internet.

Allow Country for me is very specific to the VPN and HTTPS 443 (reverse proxy) ports only.
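An added example, not part of any post above and not Synology's code: a small first-match evaluator that models the three-rule set from the earlier answer (Allow LAN, Allow Country, Deny ALL) and the tighter variant from the last two replies (a VPN subnet rule, and the country rule limited to the VPN and reverse-proxy ports). The country table is a constructed stand-in for DSM's GeoIP lookup, and the VPN subnet (192.168.200.0/24), VPN port (1194) and DSM port (5001) are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

# Constructed stand-in for the NAS's country lookup (DSM uses a GeoIP
# database; these documentation prefixes are assigned to countries here
# purely for illustration).
COUNTRY_PREFIXES = {
    "US": [ipaddress.ip_network("203.0.113.0/24")],
    "GB": [ipaddress.ip_network("198.51.100.0/24")],
}


def country_of(addr):
    """Return the two-letter country code for an address, or None if unknown."""
    for code, nets in COUNTRY_PREFIXES.items():
        if any(addr in net for net in nets):
            return code
    return None


@dataclass
class Rule:
    action: str                                       # "allow" or "deny"
    source: Optional[ipaddress.IPv4Network] = None    # None = any address
    country: Optional[str] = None                     # None = any country
    ports: Optional[Set[int]] = None                  # None = all ports

    def matches(self, addr, port):
        if self.source is not None and addr not in self.source:
            return False
        if self.country is not None and country_of(addr) != self.country:
            return False
        if self.ports is not None and port not in self.ports:
            return False
        return True


def evaluate(rules, src, port, default="deny"):
    """Top-down, first match wins: the first rule that matches decides and no
    later rule is consulted.  `default` is the interface's "if a rule is not
    matched" action.  Returns (action, 1-based index of the deciding rule),
    with index None when the default applied."""
    addr = ipaddress.ip_address(src)
    for index, rule in enumerate(rules, start=1):
        if rule.matches(addr, port):
            return rule.action, index
    return default, None


LAN = ipaddress.ip_network("192.168.1.0/24")
VPN = ipaddress.ip_network("192.168.200.0/24")   # assumed VPN client subnet
DSM_PORT = 5001                                   # assumed DSM HTTPS port
VPN_PORT = 1194                                   # assumed VPN port
PROXY_PORT = 443                                  # reverse proxy port from the thread

# The three-rule set from the answer above.
BASIC = [
    Rule("allow", source=LAN),
    Rule("allow", country="US"),
    Rule("deny"),
]

# The tighter variant from later in the thread: the VPN subnet is allowed so
# VPN clients can reach the LAN gateway, and the country rule is limited to
# the VPN and reverse-proxy ports instead of every service.
TIGHT = [
    Rule("allow", source=LAN),
    Rule("allow", source=VPN),
    Rule("allow", country="US", ports={VPN_PORT, PROXY_PORT}),
    Rule("deny"),
]

if __name__ == "__main__":
    for src, port in (("192.168.1.20", DSM_PORT), ("203.0.113.7", DSM_PORT),
                      ("203.0.113.7", PROXY_PORT), ("198.51.100.7", VPN_PORT)):
        print(src, port, "basic:", evaluate(BASIC, src, port),
              "tight:", evaluate(TIGHT, src, port))
```

The difference between the two sets shows up for an in-country address hitting the DSM port directly: BASIC allows it on rule 2, while TIGHT falls through to the final deny because the country rule only covers the VPN and 443 ports. Dropping the explicit Deny ALL still rejects unmatched traffic here, because the interface default is reject, as the question above describes.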
 

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.