RT6600ax Enabling any VPN service drops local internet access


I think, for the moment I have just found a smart solution. I have configured a third network only for VPN and afterwards created firewall rules to allow access to my primary network. Disabled network isolation on both networks and created deny rules between Guest and Primary. Found a KB article on Synology for it.
What do you think about it? Any security concerns I wasn't aware of?
[attached screenshots: net_vpn.png, vpn_rules_2.png]

Edit: Forgot some rules. Updated the pic.
 
I'm sure @Rusty experienced, or heard about, some WAN-side VLAN issue but it may have been resolved before SRM 1.3 general release
If you are referring to the custom VLAN tagging to WAN2 port, that is still broken. WAN2 is still a simple trunk port regardless of the tag number you give it. It is not even copying the value from WAN1 port (as the KB states) let alone setting a different one.

Still waiting for Syno to implement that...
 
I think, for the moment I have just found a smart solution. I have configured a third network only for VPN and afterwards created firewall rules to allow access to my primary network. Disabled network isolation on both networks and created deny rules between Guest and Primary. Found a KB article on Synology for it.
I think you can just let the VPN servers use their own subnets and the server will handle DHCP for the clients. The firewall should still be able to mediate between VPN subnets and internal networks. Maybe I'm wrong, but I would expect the firewall to be able to do this without having to consume an internal network for VPN services.

The Synology help details the way to isolate fully or selectively between the internal networks. I have segregated an IOT VLAN so that those suspect devices can't access other home devices.

If you are referring to the custom VLAN tagging to WAN2 port, that is still broken. WAN2 is still a simple trunk port regardless of the tag number you give it. It is not even copying the value from WAN1 port (as the KB states) let alone setting a different one.

Still waiting for Syno to implement that...
Maybe :) I remember there was something about WAN and VLAN, and couldn't recall what it was about. But here we have a WAN VLAN tagging that seems to be interfering with the VPN services.
 
But here we have a WAN VLAN tagging that seems to be interfering with the VPN services
Yes I got that from the discussion but had nothing to contribute to it as I was confused why this would be happening in the 1st place. I can just confirm that custom VLAN on WAN causes 0 issues for me when it comes to the VPN package. Still glad there was a solution in this case. One for the books for sure.
 
So I tested SSL VPN with my MacBook too. I can access my local machines by IP but no DNS. I don't understand why it works flawlessly with my iOS device. Any ideas?
 
It still uses the DNS for outgoing internet traffic. Could it be, because I'm using my iPhone as Hotspot?
I think you can just let the VPN servers use their own subnets and the server will handle DHCP for the clients. The firewall should still be able to mediate between VPN subnets and internal networks. Maybe I'm wrong, but I would expect the firewall to be able to do this without having to consume an internal network for VPN services.
Without setting up an internal network I don't get DNS to work for my iOS devices and Synology VPN. Sadly my VPN of choice (OpenVPN) doesn't do DNS well at all. Don't know what's going on.
After I export the ovpn file I'm entering the DDNS name and as dhcp-option the local IP of my router. I have also tried the default gateway IP of the OVPN subnet. Sadly I can change it to my own one.

Using OpenVPN on my NAS works just like I expect (nearly the same config). But for the long term I want to power off my NAS to save some energy.
 
Usually when using a device as a hotspot it will hide the connected device behind its own outbound interface. It's not a given, but that is probably what is happening so you don't request another presence (IP) on the external network.

In the .ovpn configuration file it is common practice to edit it. I edit the remote command, comment out the float command, and add in a dhcp-option DOMAIN command. I used to add dhcp-option DNS commands but I find it works well without adding these now.

I understand the desire to move the VPN service to the router. I did this to separate the connectivity/access functionality from the content serving/server functions.
 
So yesterday I spent hours testing VPN to get DNS running - no luck. As soon as I'm using the OpenVPN of my DS216j everything works. Even my MacBook can resolve local clients when using the iPhone as hotspot. All VPN services on my router don't work. If I force all traffic through VPN and set up the local IP of the router as custom DNS in OpenVPN, nslookup terminates by timeout. Do you think factory resetting could help? Don't want to re-configure everything again. Also I want to remove the VPN network which I created for testing, because I think it should work out of the box.
From Synology support there is still no response at all since nearly a week.
 
There should be no problem running OpenVPN server on both the router and NAS, so long as they use a different port or different protocol (TCP, UDP). You only need a port forward rule for the OpenVPN service on the NAS.

For L2TP/IPsec VPN you can't change the ports and protocols that the clients use, so you have to decide whether to have a port forward rule to the NAS or not (in which case the router's VPN server will receive the connections).

Finally, the SRM firewall processes requests from the top to the bottom of the list and stops once a match has been found. The auto-created port forward rules are at the end.

I'm not sure what else to say.
 
I think I have found the reason for the DNS troubles via OVPN, L2TP etc. As soon as a client gets connected, SRM forwards the (custom) DNS of the ISP instead of its own address. So in my case the VPN client is getting 8.8.8.8. The only difference is that as soon as Synology VPN gets the address pool of my primary (or a different, no address pool object) network, the client gets the right DNS server IP. Sadly this workaround does not work for L2TP. OVPN has no option for changing the address pool at all. The dropdown list just shows "Default" as the only option. Entering the router's IP in the custom fields does not work either.
Finally, when using my iPhone as hotspot the only way to get working DNS resolution is to use the OVPN of my Synology NAS.
I have sent all the information to support but still no answer.

I think a few things have to be fixed in SRM:
  • Forward correct DNS using VPN
  • VLAN Tagging conflict between ISP setup and VPN
  • Address pool change for OVPN
 
In VPN Plus go to Object. You can select the OpenVPN address pool and change the subnet. For the other VPN services you can add or edit address pools, then select them in the VPN's server configuration page.

I have changed the ranges so that each internal network (in Network Center) has its own /24, followed by a set of /24 address pools for VPN services (a different one per service). The whole of my internal address range is covered by a set of eight contiguous /24 subnets.

Both OpenVPN and L2TP/IPsec settings allow you to set the client DNS to a given IP address (which I set to .1 of their address pool, being the router's IP in that pool).

In the past I have experimented with using the primary LAN address pool for a VPN service, but have found no benefit: discovery services I want to use don't seem to pass across the VPN gateway. This is why I now use a unique address pool per VPN service. Of course, while I have configured all five internal network VLANs, I don't have any defined WAN VLAN.
 
I don't use the VPNs very often so I wasn't checking how mine were currently working, I knew they worked the last time I needed them. At some time in the recent past I changed my SRM firewall rules that control internal subnets going out from being Source Interface 'ALL' to 'LAN' (selecting all LANs). I already defined the source IP address to be the range that covers all internal and VPN subnets.

This seemed to be a better approach than using 'ALL', it should stop any mimicking on the WAN interface. But, but, but, but the side-effect was to exclude my VPN server 'interfaces' even though they are internal interfaces (or at least internal to the router). This was probably also confounded by the fact that I have manually managed port forwarding rules so that I can put a final firewall rule of 'all/any:any/any:any/deny'.

I was testing SSL VPN and OpenVPN via VPN Plus and could not get the DNS resolution to work. When I changed my firewall rules to 'ALL' source interfaces and reconnected the VPNs now I could access DNS.

And the SSL VPN service looks to take its client DNS server IP from the primary server set in Network Center / Internet. I have set mine back to be the router's primary LAN IP (for DNS Server) so that SSL VPN clients get local IPs for my home devices.
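As an added illustration (not code from the thread or from Synology) of two points made above, the first-match, top-to-bottom rule processing and the side effect of narrowing the "internal subnets out" rule from source interface 'ALL' to 'LAN', here is a small firewall evaluator in Python. The interface names, the eight contiguous /24 pools (one per internal VLAN, one per VPN service) and the rule sets are constructed; whether SRM lets you pick a VPN server interface as a rule's source interface is an assumption, marked in the code.

```python
"""
Added example, not code from the thread or from Synology: a first-match
firewall evaluator modelling (1) rules walked top to bottom, stopping at
the first match, and (2) a source-interface filter of 'LAN' that does not
cover the router's own VPN server interfaces. Names and subnets are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan: one /24 per internal network and per VPN
# service, laid out contiguously so a single /21 covers all eight.
POOLS = {
    "lan1":  ipaddress.ip_network("10.10.0.0/24"),
    "lan2":  ipaddress.ip_network("10.10.1.0/24"),
    "iot":   ipaddress.ip_network("10.10.2.0/24"),
    "guest": ipaddress.ip_network("10.10.3.0/24"),
    "vpn_openvpn": ipaddress.ip_network("10.10.4.0/24"),
    "vpn_l2tp":    ipaddress.ip_network("10.10.5.0/24"),
    "vpn_sslvpn":  ipaddress.ip_network("10.10.6.0/24"),
    "vpn_spare":   ipaddress.ip_network("10.10.7.0/24"),
}

# Which ingress interfaces the firewall treats as 'LAN' (constructed).
LAN_IFACES = {"lan1", "lan2", "iot", "guest"}
VPN_IFACES = {"tun_openvpn", "ppp_l2tp", "tap_sslvpn"}
WAN_IFACE = "wan1"


def covering_range(nets):
    """Smallest single prefix that contains every network in nets."""
    nets = list(nets)
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover


INTERNAL_RANGE = covering_range(POOLS.values())   # 10.10.0.0/21


@dataclass(frozen=True)
class Rule:
    src_iface: str                              # "ALL", "LAN", or one interface name
    src_net: Optional[ipaddress.IPv4Network]    # None matches any source address
    action: str                                 # "allow" or "deny"
    note: str = ""


def iface_matches(rule_iface, ingress):
    if rule_iface == "ALL":
        return True
    if rule_iface == "LAN":
        return ingress in LAN_IFACES      # VPN server interfaces are not 'LAN'
    return rule_iface == ingress


def evaluate(rules, ingress, src_ip):
    """First match wins; returns (action, note of the matching rule)."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if iface_matches(r.src_iface, ingress) and (r.src_net is None or ip in r.src_net):
            return r.action, r.note
    return "deny", "implicit default"   # constructed default when nothing matches


def ruleset(variant):
    """Three constructed variants of the 'internal subnets out' rule, each
    followed by the final all/any:any/any:any/deny rule from the thread."""
    rules = []
    if variant == "all":
        rules.append(Rule("ALL", INTERNAL_RANGE, "allow", "internal out (ALL)"))
    elif variant == "lan":
        rules.append(Rule("LAN", INTERNAL_RANGE, "allow", "internal out (LAN)"))
    elif variant == "lan_plus_vpn":
        rules.append(Rule("LAN", INTERNAL_RANGE, "allow", "internal out (LAN)"))
        for vif in sorted(VPN_IFACES):   # assumption: VPN interfaces are selectable
            rules.append(Rule(vif, INTERNAL_RANGE, "allow", f"vpn out ({vif})"))
    else:
        raise ValueError(variant)
    rules.append(Rule("ALL", None, "deny", "final catch-all deny"))
    return rules


def vpn_client_outcome(variant):
    """An OpenVPN client inside its pool, arriving on the tunnel interface."""
    return evaluate(ruleset(variant), "tun_openvpn", "10.10.4.10")[0]


def spoofed_wan_outcome(variant):
    """A WAN-side packet carrying an internal source address."""
    return evaluate(ruleset(variant), WAN_IFACE, "10.10.0.5")[0]


if __name__ == "__main__":
    for v in ("all", "lan", "lan_plus_vpn"):
        print(f"{v:13s} vpn client: {vpn_client_outcome(v):5s}  "
              f"spoofed WAN: {spoofed_wan_outcome(v)}")
```

Running it shows the trade-off the post describes: with 'ALL' the VPN client is allowed but so is a WAN packet mimicking an internal address; with 'LAN' the mimicking packet is dropped but the VPN client now falls through to the final deny. Only the variant that names the VPN interfaces explicitly (if the firewall allows that) gets both outcomes right.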
 
Got a response from support today. They have forwarded all the things I submitted to the development department in Taiwan. They want to consider these things for the next update.
Today, I have found another bug with dual stack and IPv6. Since Update 3 the IPv6 DNS servers aren't set anymore, only the gateway. As a workaround I'm using both Google public IPv4 DNS servers as they respond with A and AAAA records.
 
Hey there,
just wanted to let you know that I’m still waiting for some clarification from support. I just got myself a Raspberry Pi 4 and installed WireGuard on it. All my VPN issues are now gone.
How is your experience with Synology support? Do you think restore to factory could fix VPN and ISP VLAN tagging conflicts? Currently my switch in the cabinet is making the tagging between Router and Modem.
I am a little bit upset as I’m feeling lonely due to nearly no reaction from support. The RT6600ax cost me nearly 370 euros. Was really considering buying the WRX560 for mesh, but beside a good hardware I want good support as well.
 
Sometimes you really have to keep updating the support ticket. But if they said it’s going to be considered as feature update then I’m not sure what extra info you’ll get.

When in mesh the additional router extends the networking but the issues you have experienced shouldn’t be replicated, since they only occur on the primary device and its additional functionality. But the WRX560 isn’t cheap, and if you’re feeling a bit bruised it can be hard to reach your wallet…
 
Got a response from support last Friday and I'm not sure how to take it. Should I laugh or cry? I've submitted my ticket over two months ago and the response was "Please restart your router and have a look if the issue persists afterwards.".
I have submitted two pages on how to reproduce the issue and what workarounds I've tried so far (including restarts).
Sadly the response came in after I have bought a WRX560 for my mesh. Few years ago my experience with the Synology support was much better.
 
Got a response from support last Friday and I'm not sure how to take it. Should I laugh or cry? I've submitted my ticket over two months ago and the response was "Please restart your router and have a look if the issue persists afterwards.".
I have submitted two pages on how to reproduce the issue and what workarounds I've tried so far (including restarts).
Sadly the response came in after I have bought a WRX560 for my mesh. Few years ago my experience with the Synology support was much better.
You've entered the Kafkaesque world of corporate 1st line 'support'...you have my deepest sympathies ;)
 
Thanks ☺️. It’s really annoying that there isn’t any progress at all. Bought a Fritzbox 4060 as backup now. And guess what. It’s working and less expensive.
 
Hi, I'm experiencing this exact same issue with an RT6600ax, VPN Plus and an ISP that requires VLAN tagging. Any progress on this issue or word from Synology on the status of a bug fix? Thanks
 