RT6600ax Enabling any VPN service drops local internet access


Original poster
NAS: DS216j
Router: RT6600ax
Operating system: macOS, Windows
Mobile operating system: iOS
I think, for the moment I have just found a smart solution. I have configured a third network only for VPN and afterwards created firewall rules to allow access to my primary network. Disabled network isolation on both networks and created deny rules between Guest and Primary. Found a KB article on Synology for it.
What do you think about it? Any security concerns I wasn't aware of?
[attachments: net_vpn.png, vpn_rules_2.png]

Edit: Forgot some rules. Updated the pic.
 

Rusty
Moderator, NAS Support
www.blackvoid.club
NAS: DS718+, DS918+, 2x RS3614RPxs+
Router: RT1900ac, RT2600ac, MR2200ac
Operating system: macOS
Mobile operating system: iOS
fredbert wrote:
I'm sure @Rusty experienced, or heard about, some WAN-side VLAN issue but it may have been resolved before SRM 1.3 general release.

If you are referring to the custom VLAN tagging on the WAN2 port, that is still broken. WAN2 is still a simple trunk port regardless of the tag number you give it. It is not even copying the value from the WAN1 port (as the KB states), let alone setting a different one.

Still waiting for Syno to implement that...
 

fredbert
Moderator, NAS Support, Subscriber
NAS: DS1520+, DS218+, DS215j
Router: RT2600ac, MR2200ac, RT6600ax
Operating system: macOS
Mobile operating system: iOS
The original poster wrote:
I think, for the moment I have just found a smart solution. I have configured a third network only for VPN and afterwards created firewall rules to allow access to my primary network. Disabled network isolation on both networks and created deny rules between Guest and Primary. Found a KB article on Synology for it.

I think you can just let the VPN servers use their own subnets and the server will handle DHCP for the clients. The firewall should still be able to mediate between VPN subnets and internal networks. Maybe I'm wrong, but I would expect the firewall to be able to do this without having to consume an internal network for VPN services.

The Synology help details the way to isolate fully or selectively between the internal networks. I have segregated an IOT VLAN so that those suspect devices can't access other home devices.

Rusty wrote:
If you are referring to the custom VLAN tagging on the WAN2 port, that is still broken. WAN2 is still a simple trunk port regardless of the tag number you give it. It is not even copying the value from the WAN1 port (as the KB states), let alone setting a different one.

Still waiting for Syno to implement that...

Maybe :) I remember there was something about WAN and VLAN, and couldn't recall what it was about. But here we have a WAN VLAN tagging that seems to be interfering with the VPN services.
 

Rusty
fredbert wrote:
But here we have a WAN VLAN tagging that seems to be interfering with the VPN services

Yes I got that from the discussion but had nothing to contribute to it as I was confused why this would be happening in the first place. I can just confirm that a custom VLAN on WAN causes 0 issues for me when it comes to the VPN package. Still glad there was a solution in this case. One for the books for sure.
 
Original poster
So I tested SSL VPN with my MacBook too. I can access my local machines by IP but no DNS. I don't understand why it works flawlessly with my iOS device. Any ideas?
 

fredbert
From Mac’s Terminal app you could try commands nslookup and dig to see how resolution is happening. Though you may have cached DNS data, which you can flush but you’ll have to google the right command (it changes).
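Added example (editor's addition, not part of fredbert's post and not a Synology tool): before reaching for nslookup or dig, it helps to know which resolver the Mac is actually going to use for the tunnel. `scutil --dns` lists every resolver and the interface it is bound to; the script below parses that output and reports any tunnel (utun*) resolver that is not the router, which is exactly the symptom of a VPN pushing a public DNS server. The scutil text in the script is a constructed sample, and the router address 192.168.1.1 and the `utun` interface prefix are assumptions.

```python
"""Check which DNS servers a macOS client is using once the VPN is up."""
import re
import subprocess
import sys
from ipaddress import ip_address, ip_network

# Constructed sample of `scutil --dns` output (not captured from a real Mac):
# the tunnel interface utun2 was pushed public resolvers instead of the
# router, while Wi-Fi (en0) still points at the router 192.168.1.1.
SAMPLE_SCUTIL = """\
DNS configuration

resolver #1
  search domain[0] : home.lan
  nameserver[0] : 8.8.8.8
  nameserver[1] : 8.8.4.4
  if_index : 24 (utun2)
  flags    : Request A records, Request AAAA records

resolver #2
  nameserver[0] : 192.168.1.1
  if_index : 14 (en0)
  flags    : Request A records, Request AAAA records

resolver #3
  domain   : local
  options  : mdns
  timeout  : 5
"""

# RFC 1918 / ULA / link-local ranges: a resolver outside these is public.
LOCAL_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                        "192.168.0.0/16", "fc00::/7",
                                        "fe80::/10")]


def parse_scutil(text):
    """Return one dict per resolver that has at least one nameserver."""
    resolvers = []
    for block in re.split(r"^resolver #\d+", text, flags=re.M)[1:]:
        entry = {"iface": None, "nameservers": [], "search": []}
        for line in block.splitlines():
            m = re.match(r"\s*nameserver\[\d+\]\s*:\s*(\S+)", line)
            if m:
                entry["nameservers"].append(m.group(1))
                continue
            m = re.match(r"\s*search domain\[\d+\]\s*:\s*(\S+)", line)
            if m:
                entry["search"].append(m.group(1))
                continue
            m = re.match(r"\s*if_index\s*:\s*\d+\s*\((\w+)\)", line)
            if m:
                entry["iface"] = m.group(1)
        if entry["nameservers"]:
            resolvers.append(entry)
    return resolvers


def is_local(addr):
    try:
        a = ip_address(addr.split("%")[0])   # drop an IPv6 scope id (fe80::1%utun2)
    except ValueError:
        return False
    return any(a in n for n in LOCAL_RANGES)


def vpn_dns_report(text, router_ip, vpn_iface_prefix="utun"):
    """Problems with the resolvers bound to tunnel interfaces (empty list = OK)."""
    problems = []
    tunnels = [r for r in parse_scutil(text)
               if (r["iface"] or "").startswith(vpn_iface_prefix)]
    if not tunnels:
        problems.append("no resolver is bound to a %s* interface; "
                        "the VPN pushed no DNS server" % vpn_iface_prefix)
    for r in tunnels:
        for ns in r["nameservers"]:
            if ns == router_ip:
                continue
            kind = "local" if is_local(ns) else "public"
            problems.append("%s: %s DNS %s pushed instead of router %s"
                            % (r["iface"], kind, ns, router_ip))
    return problems


if __name__ == "__main__":
    # Real use on a Mac: python3 vpn_dns_check.py 192.168.1.1
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    try:
        text = subprocess.run(["scutil", "--dns"], capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE_SCUTIL              # off a Mac, show the constructed case
    for p in vpn_dns_report(text, router) or ["tunnel resolvers look right"]:
        print(p)
```

If the report names a public resolver on the tunnel, the VPN client is not at fault: it is using what the server pushed, and LAN names will never resolve until the server hands out the router's address. If no resolver is bound to a utun interface at all, the push was either empty or ignored by the client, which is a different problem from a wrong address.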
 
Original poster
It still uses the DNS for outgoing internet traffic. Could it be, because I'm using my iPhone as Hotspot?

fredbert wrote:
I think you can just let the VPN servers use their own subnets and the server will handle DHCP for the clients. The firewall should still be able to mediate between VPN subnets and internal networks. Maybe I'm wrong, but I would expect the firewall to be able to do this without having to consume an internal network for VPN services.

Without setting up an internal network I don't get DNS to work for my iOS devices and Synology VPN. Sadly my VPN of choice (OpenVPN) doesn't do DNS well at all. Don't know what's going on.
After I export the ovpn file I'm entering the DDNS name and as dhcp-option the local IP of my router. I have also tried the default gateway IP of the OVPN subnet. Sadly I can change it to my own one.

Using OpenVPN on my NAS works just like I expect (nearly the same config). But in the long term I want to power off my NAS to save some energy.
 

fredbert
Usually when using a device as a hotspot it will hide the connected device behind its own outbound interface. It's not a given, but that is probably what is happening, so you don't request another presence (IP) on the external network.

It is common practice to edit the .ovpn configuration file. I edit the remote command, comment out the float command, and add a dhcp-option DOMAIN command. I used to add dhcp-option DNS commands but I find it works well without adding these now.

I understand the desire to move the VPN service to the router. I did this to separate the connectivity/access functionality from the content serving/server functions.
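Added example (editor's addition, not from fredbert's post and not Synology's export tool): the edits described above as a script, so they can be re-applied every time a profile is exported instead of being hand-edited. It rewrites `remote`, comments out `float`, and pushes `dhcp-option DOMAIN` / `dhcp-option DNS` to the client; the `remote-cert-tls server` line is an extra hardening step that the thread does not mention. The profile text in the script is a constructed sample that only mimics the layout of an exported file, and the host name, domain and router address are assumptions.

```python
"""Apply the usual client-side edits to an exported .ovpn profile."""
import re

# Constructed sample that only mimics the layout of a Synology export
# (placeholders, a commented-out dhcp-option line, float enabled, inline CA).
SAMPLE_OVPN = """\
dev tun
tls-client
remote YOUR_SERVER_IP 1194
# float: accept packets from any address, not only the one in --remote
float
#redirect-gateway def1
#dhcp-option DNS DNS_IP_ADDRESS
pull
proto udp
cipher AES-256-CBC
auth SHA512
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
</ca>
"""

INLINE_OPEN = re.compile(r"^<(\w+)>$")
INLINE_CLOSE = re.compile(r"^</(\w+)>$")


def directives(text):
    """Active directives of a profile: comments and inline <tag> blocks skipped."""
    active, in_inline = [], False
    for line in text.splitlines():
        s = line.strip()
        if in_inline:
            in_inline = not INLINE_CLOSE.match(s)
        elif INLINE_OPEN.match(s):
            in_inline = True
        elif s and not s.startswith(("#", ";")):
            active.append(s)
    return active


def patch_ovpn(text, remote_host, port=None, domain=None, dns=(),
               disable_float=True, harden=True):
    """Rewrite `remote`, comment out `float`, push DOMAIN/DNS to the client."""
    extra = []
    if domain:
        extra.append("dhcp-option DOMAIN %s" % domain)   # LAN search domain
    extra += ["dhcp-option DNS %s" % ip for ip in dns]   # router as resolver
    if harden and "remote-cert-tls server" not in directives(text):
        # Not in the thread: refuse servers whose certificate lacks the
        # server EKU, so a leaked client certificate cannot pose as the router.
        extra.append("remote-cert-tls server")

    out, in_inline, inserted = [], False, False
    for line in text.splitlines():
        s = line.strip()
        if in_inline:                       # copy inline blocks untouched
            out.append(line)
            in_inline = not INLINE_CLOSE.match(s)
            continue
        if INLINE_OPEN.match(s):
            if not inserted:                # directives go before the first <ca>
                out.extend(extra)
                inserted = True
            out.append(line)
            in_inline = True
            continue
        m = re.match(r"^remote\s+(\S+)(?:\s+(\d+))?(?:\s+(\S+))?$", s)
        if m:                               # keep port/proto unless overridden
            new_port = port or m.group(2) or 1194
            proto = " " + m.group(3) if m.group(3) else ""
            out.append("remote %s %s%s" % (remote_host, new_port, proto))
            continue
        if disable_float and s == "float":
            # float turns off the source-address check on server packets
            out.append("#" + line)
            continue
        out.append(line)
    if not inserted:
        out.extend(extra)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(patch_ovpn(SAMPLE_OVPN, "myhome.synology.me",
                     domain="home.lan", dns=["192.168.1.1"]))
```

One caveat when comparing clients: `dhcp-option` lines (pushed by the server or set in the profile) are applied by OpenVPN Connect on iOS and by Tunnelblick, but the plain `openvpn` command-line binary on macOS and Linux only exposes them to an up/down script and changes nothing itself, so a Mac can receive the right DNS server and still not use it.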
 
Original poster
So yesterday I spent hours testing VPN to get the DNS running - no luck. As soon as I'm using the OpenVPN of my DS216j everything works. Even my MacBook can resolve local clients when using the iPhone as a hotspot. All VPN services on my router don't run. If I force all traffic through VPN and set up the local IP of the router as custom DNS in OpenVPN, nslookup terminates by timeout. Do you think factory resetting could help? Don't want to re-configure everything again. Also I want to remove the VPN network which I created for testing, because I think it should work out of the box.
From Synology support there is still no response at all since nearly a week.
 

fredbert
There should be no problem running OpenVPN server on both the router and NAS, so long as they use a different port or different protocol (TCP, UDP). You only need a port forward rule for the OpenVPN service on the NAS.

For L2TP/IPsec VPN you can't change the ports and protocols that the clients use, so you have to decide whether to have a port forward rule to the NAS or not (in which case the router's VPN server will receive the connections).

Finally, the SRM firewall processes requests from the top to the bottom of the list and stops once a match has been found. The auto-created port forward rules are at the end.

I'm not sure what else to say.
 
Original poster
I think, I have found the reason for the DNS troubles via OVPN, L2TP etc. As soon as a client is getting connected SRM is forwarding the (custom) DNS of the ISP instead of own address. So in my case the VPN client is getting 8.8.8.8. The only difference is as soon as Synology VPN gets the address pool of my primary (or different, no address pool object) network the client is getting the right DNS server IP. Sadly this workaround does not work for L2TP. OVPN has no option for changing the address pool at all. The dropdown list just shows "Default" as the only option. Entering the router's IP in the custom fields does not work, too.
Finally, when using my iPhone as a hotspot the only way to get working DNS resolution is to use the OVPN of my Synology NAS.
I have sent all the information to support but still no answer.

I think a few things have to be fixed in SRM:
  • Forward correct DNS using VPN
  • VLAN Tagging conflict between ISP setup and VPN
  • Address pool change for OVPN
 

fredbert
In VPN Plus go to Object. You can select the OpenVPN address pool and change the subnet. For the other VPN services you can add or edit address pools, then select them in the VPN's server configuration page.

I have changed the ranges so that each internal network (in Network Center) has its own /24 and then follows a set of /24 address pools for VPN services. (a different one per service). The whole of my internal address range is covered in a set of eight contiguous /24 subnets.

Both OpenVPN and L2TP/IPsec settings allow you to set the client DNS to a given IP address (which I set to .1 of their address pool, being the router's IP in that pool).

In the past I have experimented with using the primary LAN address pool for a VPN service, but have found no benefit: discovery services I want to use don't seem to pass across the VPN gateway. This is why I now use a unique address pool per VPN service. Of course, while I have configured all five internal network VLANs, I don't have any defined WAN VLAN.
 

fredbert
I don't use the VPNs very often so I wasn't checking how mine were currently working, I knew they worked the last time I needed them. At some time in the recent past I changed my SRM firewall rules that control internal subnets going out from being Source Interface 'ALL' to 'LAN' (selecting all LANs). I already defined the source IP address to be the range that covers all internal and VPN subnets.

This seemed to be a better approach than using 'ALL', it should stop any mimicking on the WAN interface. But, but, but, but the side-effect was to exclude my VPN server 'interfaces' even though they are internal interfaces (or at least internal to the router). This was probably also confounded by the fact that I have manually managed port forwarding rules so that I can put a final firewall rule of 'all/any:any/any:any/deny'.

I was testing SSL VPN and OpenVPN via VPN Plus and could not get the DNS resolution to work. When I changed my firewall rules to 'ALL' source interfaces and reconnected the VPNs now I could access DNS.

And the SSL VPN service looks to take its client DNS server IP from the primary server set in Network Center / Internet. I have set mine back to be the router's primary LAN IP (for DNS Server) so that SSL VPN clients get local IPs for my home devices.
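Added example (editor's addition, not from fredbert's posts and not SRM's own code): a small model of the first-match evaluation described earlier in the thread (rules checked top to bottom, first match wins, a hand-placed deny-all at the bottom) applied to the address plan from the previous post and to the Source Interface change described just above. It shows why 'LAN' silently excludes VPN clients, why going back to 'ALL' re-opens the WAN address-mimicking window that 'LAN' was meant to close, and what a narrower rule would look like. The interface names (lan, ovpn, l2tp, sslvpn, wan), the 192.168.0.0/21 base range carved into eight /24s, and which /24 belongs to which network are all assumptions; the thread only says each network and VPN service got its own /24 inside one contiguous range. Whether SRM's rule editor lets you name the VPN server interfaces as a source is also an assumption.

```python
"""First-match firewall model: why 'Source Interface = LAN' dropped VPN DNS."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address plan: one /21 covering everything internal, carved into
# eight contiguous /24s, one per network and one per VPN service.
INTERNAL = ip_network("192.168.0.0/21")
BLOCKS = list(INTERNAL.subnets(new_prefix=24))
PLAN = {"primary": BLOCKS[0], "guest": BLOCKS[1], "iot": BLOCKS[2],
        "openvpn": BLOCKS[5], "l2tp": BLOCKS[6], "sslvpn": BLOCKS[7]}
# Router's own address in each pool (.1), handed to VPN clients as DNS server.
DNS_FOR = {name: str(net.network_address + 1) for name, net in PLAN.items()}


@dataclass(frozen=True)
class Rule:
    ifaces: frozenset   # {"ALL"} or the interface names the rule applies to
    src: object         # ip_network the source address must fall in
    dport: object       # destination port, or None for any
    action: str         # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on
    src: str
    dport: int


def matches(rule, pkt):
    if "ALL" not in rule.ifaces and pkt.iface not in rule.ifaces:
        return False
    if ip_address(pkt.src) not in rule.src:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules, pkt):
    """Top to bottom, first match wins; returns (action, index of the rule)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", len(rules)    # nothing matched: treat as the final deny


def ruleset(src_ifaces):
    """Rules in the shape described above, ending in a hand-placed deny-all
    (auto-created port forward rules would otherwise land after it)."""
    ifs = frozenset(src_ifaces)
    return [
        Rule(ifs, INTERNAL, 53, "allow"),                  # internal -> router DNS
        Rule(ifs, INTERNAL, None, "allow"),                # internal -> anything else
        Rule(frozenset({"ALL"}), ip_network("0.0.0.0/0"), None, "deny"),
    ]


# Constructed packets (assumed interface names): an OpenVPN client asking the
# router for DNS, and an Internet host spoofing a primary-LAN source address.
VPN_DNS_LOOKUP = Packet("ovpn", "192.168.5.10", 53)
SPOOFED_FROM_WAN = Packet("wan", "192.168.0.50", 53)


def decisions(src_ifaces):
    """What each candidate Source Interface setting does to the two packets."""
    rules = ruleset(src_ifaces)
    return {"vpn_dns": evaluate(rules, VPN_DNS_LOOKUP)[0],
            "spoofed": evaluate(rules, SPOOFED_FROM_WAN)[0]}


if __name__ == "__main__":
    for choice in ({"lan"}, {"ALL"}, {"lan", "ovpn", "l2tp", "sslvpn"}):
        print(sorted(choice), decisions(choice))
```

With 'LAN' alone the VPN client's DNS query matches nothing but the final deny, which is the failure described above; with 'ALL' it is allowed again, but so is a WAN packet carrying a forged internal source address, since the allow rules now match on address only. If the firewall can name the VPN server interfaces (the third set), the VPN clients are allowed and the spoofed packet still hits the final deny; if it cannot, the practical fallback is 'ALL' plus a separate deny rule for internal source ranges on the WAN interface placed above the allows.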
 
Original poster
Got a response from support today. They have forwarded all the things I submitted to the development department in Taiwan. They want to consider these things for the next update.
Today, I have found another bug with dual stack and IPv6. Since Update 3 the IPv6 DNS servers aren't set anymore, only the gateway. As a workaround I'm using both Google public IPv4 DNS servers, as they respond with A and AAAA records.
 
