RT6600ax Enabling any VPN service drops local internet access

Hi guys,

I'm new here, so if I'm doing something wrong, please let me know. I'll do my best considering the guidelines.

About two weeks ago I received a brand new RT6600ax router, and setting it up was straightforward, no problems so far. Everything is working really well, but my VPN service does not.
I have installed the VPN Plus package and configured the privileges for my user as well. As soon as I enable the OpenVPN or L2TP service, my local clients lose internet access in a peculiar way. Testing ping or tracert via cmd still works, but it seems that all (HTTPS) traffic fails for the wired clients. My wireless clients can still access the internet.

My ISP is Deutsche Telekom using dual stack IPv4 PPPoE and IPv6 PD. The firewall rules are created automatically during setup, or after enabling any VPN service and confirming the dialog. My router is running the latest firmware, which is SRM 1.3.1-9346 Update 3.

I have tried a different port and different client IP ranges for VPN as well. The only way to restore internet access is by disabling the service. Afterwards everything is back to normal. I have already contacted support, but after ten days there is no progress at all. Currently I'm using a workaround by running the VPN server on my Synology NAS.

Do you have any ideas what I can do? Even a hard reset or reboot doesn't help at all.

Thanks for your help in advance.

SmoothMoon

Firewall rules are automatically being created for port 1194 (OpenVPN) and 1701 (L2TP), or 9443 (Synology VPN).
firewall_rules.png
 
Thanks for your quick answer. As soon as I tick this checkbox and click Apply, after a few seconds my wired clients are "offline" (no internet access anymore). Everything is running with default settings.

Screenshot 2023-01-12 140003.png
 
What is curious is that your wifi clients work fine but your Ethernet ones don't. After you click that and clients go offline, what happens if you change their DNS setting to an outside one, like 1.1.1.1? Can they access the web then?

What happens after you lose connection to the web, can you still ping your router?
 
Thanks again for all your answers. Hope I haven't forgotten something. NAT Pass-Through is enabled. It seems to make no difference at all. I tried toggling the already checked ones. No other VPNs are configured.
Setting an outside DNS server doesn't change anything. I also tried using a custom DNS server in the ISP setup as well.
After "losing" my connection, my wired machines are still able to ping the router or domains outside, like google.de. IPv4 and IPv6 are working, and I also tried a tracert, which works fine as well (I just don't post it here due to security concerns).
It seems like the whole HTTP(S) traffic is being blocked in a confusing way.
ping.png

At the same time that my wired machines are "offline", my wireless devices can still access the internet and open web pages. That's so confusing for me. I also tried connecting directly to the router without any switches in my network, but no difference at all.
 
I have also tried creating another network with its own VLAN to use as the VPN IP range. That doesn't change anything. Still the same confusing problem.
 
New wireless clients can connect fine. I have also tried disabling WiFi on my iPhone and turning it on again while the wired clients are having the problems.
The only thing I can imagine that would make them behave differently is VLAN tagging. My ISP needs VLAN tag 7 for PPPoE. If I understand support correctly, ISP VLAN tagging is configured via an internal bridge. My whole network runs flawlessly, and all my managed switches support VLAN tagging as well. Even a direct connection from a wired client to the router makes no difference. That's not logical to me.
vlan7.png

vlantagging.png
 
Do you have the same model and software version running?
I’m currently thinking of resetting again, but then the support token will change and I’m not sure if I’m going to lose my custom DDNS subdomain name of synology.me.
Still no further response of my ticket.
I found another person in the official forum, but there is no helpful, let alone official, answer yet.
 
No, I have the 2600 model but the same SRM. Also, you will not lose the registered DDNS name from Syno, as it is tied to your Synology Account (account.synology.com).
 
Really sad about the non-working VPN. Everything else is running wonderfully. I had a Fritzbox before and always had WiFi connection problems with my HomePods.
Beside that I’m a little Syno fan 😊.
Maybe I’ll try another reset, but I should wait a few days for official response, I think.

I tried uninstalling the VPN plus package and reinstalling it. No difference.

The guy I found in the official forum has problems with his WRX560. Maybe it’s something related to the new HW platform?
Edit: The guy is running an older version (Update 2).
 
I have the RT6600ax and SRM 1.3.1 with VPN Plus running OpenVPN, L2TP IPsec VPN, and SSL VPN servers for remote access. I don't have the issue of it affecting my internal devices. I also run OpenVPN server as an alternative on the NAS. From home I connect to work via their remote access VPN service.

The only thing different is that my broadband, by Virgin Media in UK, doesn't specify that I configure a VLAN when I use their router in bridge/modem mode.
 
I think I solved it. Thanks for telling me about the difference that your ISP doesn't need a VLAN setup. I can't believe it and will send the information to Synology.

I have now configured a small managed 5-port switch to handle the ISP's VLAN 7 instead of having SRM handle it, and boom! OpenVPN, Synology VPN or L2TP are working now. I can't believe it. So I think there's a bug in handling special VLAN tagging for the ISP with VPN services enabled. I will update my support ticket.
The untagged port of the switch is connected to the router and the tagged port to the DSL modem.

One small problem is still left. DNS for my VPN clients isn't working. It doesn't matter which VPN service I use. In the config file of OpenVPN I entered the local IP of my RT6600ax, but it's not working. Direct IP access is working fine. What do I have to do?

The OpenVPN service on my NAS is working with DNS, and the config file is similar (only a different port and DDNS name).
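Moving the ISP tag onto a switch, as described in the post above, makes the router's WAN port untagged and the switch's port toward the modem tagged with VLAN 7. The way to verify that split (rather than infer it from whether VPN works) is to capture frames on each side and decode the 802.1Q tag and the PPPoE header. The parser below is an added example, not code from the thread, Synology or SRM; it decodes an Ethernet frame with an optional 802.1Q tag and a PPPoE discovery (EtherType 0x8863) or session (0x8864) header using only the standard library. The two sample frames are constructed here for illustration, as are the MAC addresses in them; feed real frames from a capture (for example the raw bytes of each packet read from a pcap file) and expect VLAN 7 on the modem side and no tag on the router side.

```python
"""Decode Ethernet + optional 802.1Q tag + PPPoE header from a raw frame.

Added example for the VLAN 7 / PPPoE setup discussed above; not code
from Synology or SRM. The two frames below are constructed samples.
"""
import struct

ETHERTYPE_VLAN = 0x8100        # 802.1Q tag follows the source MAC
ETHERTYPE_PPPOE_DISC = 0x8863  # PPPoE discovery stage (PADI/PADO/PADR/PADS)
ETHERTYPE_PPPOE_SESS = 0x8864  # PPPoE session stage (carries PPP)
PPPOE_OVERHEAD = 8             # 6-byte PPPoE header + 2-byte PPP protocol


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Return dst/src MACs, VLAN id (or None), EtherType and PPPoE fields."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    off = 14
    info = {"dst": _mac(dst), "src": _mac(src), "vlan": None, "pcp": None,
            "pppoe": None}
    if etype == ETHERTYPE_VLAN:
        # TCI: 3 bits priority (PCP), 1 bit DEI, 12 bits VLAN id
        tci, etype = struct.unpack("!HH", frame[off:off + 4])
        info["vlan"] = tci & 0x0FFF
        info["pcp"] = tci >> 13
        off += 4
    info["ethertype"] = etype
    if etype in (ETHERTYPE_PPPOE_DISC, ETHERTYPE_PPPOE_SESS):
        ver_type, code, session_id, length = struct.unpack(
            "!BBHH", frame[off:off + 6])
        info["pppoe"] = {
            "stage": "discovery" if etype == ETHERTYPE_PPPOE_DISC else "session",
            "version": ver_type >> 4,
            "type": ver_type & 0x0F,
            "code": code,
            "session_id": session_id,
            "payload_len": length,
            # the largest IP packet a 1500-byte link can carry inside PPPoE
            "ip_mtu": 1500 - PPPOE_OVERHEAD,
        }
    return info


def check_isp_vlan(frame: bytes, expected_vid: int = 7) -> bool:
    """True when the frame is PPPoE and carries the ISP's VLAN tag."""
    info = parse_frame(frame)
    return info["pppoe"] is not None and info["vlan"] == expected_vid


# Constructed sample 1: a PADI (discovery, code 0x09) tagged with VLAN 7,
# as it should look on the switch port facing the DSL modem.
TAGGED_PADI = bytes.fromhex(
    "ffffffffffff" "020000000001"   # dst broadcast, src (made-up) MAC
    "8100" "0007"                   # 802.1Q, TCI: PCP 0, VID 7
    "8863"                          # PPPoE discovery
    "11" "09" "0000" "0004"         # ver/type 1/1, PADI, sid 0, len 4
    "01010000"                      # Service-Name tag, empty
)

# Constructed sample 2: an untagged PPPoE session frame (PPP LCP inside),
# as it should look on the switch port facing the router.
UNTAGGED_SESSION = bytes.fromhex(
    "020000000002" "020000000001"   # dst/src (made-up) MACs
    "8864"                          # PPPoE session
    "11" "00" "0001" "0002"         # ver/type 1/1, code 0, sid 1, len 2
    "c021"                          # PPP protocol: LCP
)

if __name__ == "__main__":
    for label, frame in (("modem side", TAGGED_PADI),
                         ("router side", UNTAGGED_SESSION)):
        info = parse_frame(frame)
        print(label, "vlan=", info["vlan"], "pppoe=", info["pppoe"])
```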
 
Good point on SSL VPN*, it does what it does itself. For me it works and is the one I use most often from mobile devices.

For you, since others may already remember this and be bored of me regurgitating it, I run DNS Server on the router. This runs resolution of my personal domain** to LAN IPs and then requests resolution from Cloudflare for other domains. Within the DHCP services for local networks I make the router the primary DNS server and, for those LANs that are allowed to access the NAS's LAN, the secondary DNS server is the NAS.

I don't have IPv6 DHCP enabled on local networks, only IPv4, because I'm still a luddite.


*I was away from the computer when writing that, going from memory.
**Slave zones which rely on master zones in DNS Server on my NAS. But that's a detail too far.
 
So your Synology VPN works with DNS resolution?

The DNS package sounds interesting. I’m not used to such configuration. Can I use it for the Synology DDNS subdomain too?

Or can I use it without local domains and afterwards it asks the external DNS servers like 8.8.8.8 or something?
Don’t want to destroy my network, so some questions.

Really happy that the reason for what breaks Internet and VPN has been found.
 
With DNS Server you don't have to define any zones (forward and reverse resolution of domains). You define forward DNS servers that are used to resolve anything that the server's zones can't: with no zones then everything will be forwarded.

I do this because I like to access my home devices, from home, using the same browser bookmarks as I would from outside. But instead of relying on the router to use local loopback (not all routers support this, the SRM ones do, but that's obviously a trombone bottleneck at the router*), I use an internal DNS to resolve directly to the LAN IPs. This also means my local HTTPS requests are covered by the SSL certificates, and browsers and apps don't raise objections for 'untrusted' connections.

I guess you could create a forward zone for your own Synology DDNS, I haven't tested doing this. I have a personal domain and define a forward and reverse zone. I also use DHCP to reserve IPs for devices, if you don't have static IPs then the DNS resolution is a little pointless! It would be nice if the DHCP and DNS were connected but they aren't so it's a manual process.


*I use a 24-port 1GbE switch for wired devices, so sending all requests to/from the router's single 1GbE port somewhat negates the available backbone bandwidth for direct connections between multiple wired devices. My mesh router (MR2200ac) doesn't have to send its wireless client traffic to the RT6600ax for wired LAN devices, so at present the wireless devices are sharing two 1GbE switch ports when accessing the NAS (which uses LAG).

Good to know you found the VLAN issue. I'm sure @Rusty experienced, or heard about, some WAN-side VLAN issue but it may have been resolved before SRM 1.3 general release.

Great fix too!
 

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.