Solved MR2200ac behind ISP's router - DHCP problem

Hello everyone! I bought a Syno MR2200 a few months ago to take advantage of SRM features I like. Unfortunately my ISP doesn't let me bypass its own modem and doesn't communicate settings for my MR router. I couldn't find this information on the web either. So I am stuck with my ISP's box, followed by the MR2200 in bridge mode, and then my LAN.

It took me a while to understand (yeah, I am very enthusiastic about network technology, but also a complete newbie… 😊 ) why I lost remote access to my NAS, but I think it's actually quite clear: my ISP's box has its DHCP server activated, providing a "192.168.x.x" address to the MR. But the MR also has a DHCP server activated, distributing 10.0.x.x addresses to my LAN clients. I could live with it for all my basic internet traffic, but when it comes to remote access (e.g. off-site backup, QuickConnect, etc.) nothing works.

I see two potential solutions to my problem:

  • On the ISP's box, forward all ports to the MR, and then fine-tune firewall rules and port forwarding to the LAN clients from there. Question is: how would you write a single forward rule applying to all ports (which range would you set?). Would that be safe? But I would prefer a solution allowing me to get a single IP range for all my devices, from the ISP's box to the clients…
  • Second option could be to deactivate the DHCP server on one machine. Would this be a solution? On which box would you then deactivate it? I would prefer to keep the one on the MR side, but not sure if that is possible or not… Would I still benefit from SRM services like threat control, access control etc. if the IP addresses are managed by the ISP's box?
Do you think my problem diagnosis is correct, and what solution would you suggest?

Thanks a lot for your help and enjoy your Easter weekend!
 
Ok so you want to use your MR2200AC as your main router.

So is it not possible that your ISP modem is set in bridge mode? If it can, this'll be the solution you need. But obviously make sure the MR2200AC is the only device connected to the modem. All your other LAN devices should be connected to your MR2200AC.

If your ISP modem can't be set in bridge mode, then look for the option to set your MR2200AC in its DMZ. You don't (and shouldn't) have to disable DHCP on either device.
 
Agree with @Shadow

If you absolutely have to use the ISP router's DMZ feature then this is the only time it's really justified, from a security point of view.

Connect the MR2200ac's WAN port to one of the ISP router LAN ports. The ISP router will assign an IP address to your MR2200ac's WAN interface. You should then make a reservation in the ISP router's DHCP server so that this IP address is fixed.

Then configure the ISP router's DMZ feature to pass all traffic to the MR2200ac.

Now, when setting up the MR2200ac you should configure it in router mode, with a LAN/Wireless LAN that uses a different private subnet to the one used by the ISP's router. All your home devices should be behind the MR2200ac and protected by its firewall and other security mechanisms.
 
Hi,
Thank you all for your quick and useful answers!
If you absolutely have to use the ISP router's
well I would prefer not, but for the time being it seems easier to continue like this.

Connect the MR2200ac's WAN port to one of the ISP router LAN ports.
Done (was already like this).

The ISP router will assign an IP address to your MR2200ac's WAN interface.
Well, that is what I would have assumed, but that's weird: the ISP router detects the connected device as... being itself (it is reporting its own MAC address and other identification information)! Could it be that the MR is sending back this information? Should I try to put it in the DMZ and see what happens?

Now, when setting up the MR2200ac you should configure it in router mode,
Here I have to correct what I mentioned in my first message: the MR is not set in Bridge mode, but already in Router mode.

with a LAN/Wireless LAN that uses a different private subnet to the one used by the ISP's router.
Could that be the cause of the above-mentioned "loop" problem? Does that mean I should fill the "Local IP" and "Guest DHCP server" subnet masks with different values? (See Network Center > Local Network > General). Sorry if that's all obvious for you, but as mentioned in my first post I am learning from scratch in that area... :)

Thanks a lot for your support, it is much appreciated!
 
If you absolutely have to use the ISP router's
well I would prefer not, but for the time being it seems easier to continue like this.

You cut that off... I was saying if you have to use the DMZ feature of the ISP router. I have to use the cable router provided by my ISP, there is no option not to use it. But I can set it in bridge/modem mode and that makes the WAN interface of my RT2600ac have the Internet IP instead of the ISP's device getting it.


When the MR2200ac is configured in the ISP router as the DMZ destination then all inbound traffic from the Internet to TCP/UDP ports on the router's IP will be translated and sent to the MR2200ac's WAN port.

If, for example:
  • your ISP's router has a LAN subnet of 192.168.0.0/24 (IPs 192.168.0.0 to 192.168.0.255) then you should not use this same subnet for the MR2200ac's LAN subnet.
  • You can use, for example, 192.168.1.0/24 (IPs 192.168.1.0 to 192.168.1.255) for the main subnet and 192.168.10.0/24 (IPs 192.168.10.0 to 192.168.10.255) for the guest WiFi
The point being that the subnets should not overlap each other. The main problem here is that when using overlapping subnets, the MR2200ac has both its WAN and LAN interfaces on the same subnet but in different zones, and it will get confused as to which interface to use. So, yes, you have to use different subnets in each DHCP server of the ISP router and MR2200ac. Once done, you'll probably have to reconnect client devices so they get assigned an IP in the subnets you have changed.

When you try to access your home from the Internet you will point browsers/apps/personal domains/DDNS to the ISP router's WAN IP (the non-192.168.x.x one). Once traffic gets to this router the destination IP will be translated in the IP packets to the local WAN IP of the MR2200ac and forwarded to it.
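To make the "subnets must not overlap" rule from the reply above concrete, here is a small checker written for this thread (it is an added example, not SRM code or anything from the poster). The addresses are the ones used in the reply; the MR2200ac WAN address 192.168.0.50 is an assumed DHCP reservation. It uses Python's standard ipaddress module to flag any pair of overlapping subnets and to confirm the MR's WAN address actually lives inside the ISP router's LAN.

```python
import ipaddress

# Constructed example values from the reply above (all assumptions for the demo):
# ISP router LAN, MR2200ac main LAN and guest Wi-Fi subnets.
ISP_LAN = "192.168.0.0/24"
MR_MAIN = "192.168.1.0/24"
MR_GUEST = "192.168.10.0/24"
MR_WAN_RESERVATION = "192.168.0.50"   # assumed DHCP reservation on the ISP box


def overlapping_pairs(subnets):
    """Return every pair of named subnets that overlap.

    subnets: dict name -> CIDR string. Two networks overlap when either one
    contains any address of the other; ipaddress's overlaps() checks exactly that.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in subnets.items()}
    names = list(nets)
    bad = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                bad.append((a, b))
    return bad


def check_dmz_layout(isp_lan, mr_wan_ip, mr_lans):
    """Validate the double-NAT layout described in the thread.

    Returns a list of human-readable problems (an empty list means the layout is fine):
      - the MR WAN address (the ISP DHCP reservation) must sit inside the ISP LAN;
      - no MR LAN subnet may overlap the ISP LAN or another MR LAN.
    """
    problems = []
    isp = ipaddress.ip_network(isp_lan, strict=True)
    wan = ipaddress.ip_address(mr_wan_ip)
    if wan not in isp:
        problems.append(f"MR WAN {wan} is not inside ISP LAN {isp}")
    all_nets = {"isp_lan": isp_lan, **mr_lans}
    for a, b in overlapping_pairs(all_nets):
        problems.append(f"subnet {a} ({all_nets[a]}) overlaps {b} ({all_nets[b]})")
    return problems


if __name__ == "__main__":
    good = check_dmz_layout(ISP_LAN, MR_WAN_RESERVATION,
                            {"mr_main": MR_MAIN, "mr_guest": MR_GUEST})
    print("good layout:", good or "no problems")
    # The mistake the reply warns about: MR LAN reusing the ISP LAN subnet.
    bad = check_dmz_layout(ISP_LAN, MR_WAN_RESERVATION,
                           {"mr_main": "192.168.0.0/24", "mr_guest": MR_GUEST})
    print("overlapping layout:", bad)
```

Run it as-is and the first layout reports no problems while the second reports that mr_main overlaps isp_lan, which is the "both interfaces on the same subnet" situation the reply describes.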
 
Woohoo! Thank you, it's working!

You cut that off
Sorry, english is not my mother language, I guess I read a bit too fast ;)

The two different subnets were set, but the weird thing came from the ISP's box detecting its own MAC address connected to its LAN port, instead of the MR2200 that is actually plugged in there... anyway, it couldn't be wrong as I obviously know where my cable is going. So I pushed it into the DMZ and it did the job.

Now that my MR is facing the dangerous WWW, I have two questions remaining before I can sleep quietly:
  1. Do we agree that all firewall/port forwarding and other security settings set in the ISP's box do not have any influence on my network anymore? The only rules that matter are the ones set in the MR (provided of course all my devices are connected to the MR). Or are there any settings I should still pay attention to on the ISP side?
  2. The last question is a bit out of the scope of this thread, but still important for immediate security. Something is not clear about firewall settings for me: I opened and forwarded a port dedicated to HyperVault so I can proceed with an off-site Syno Back-up. What external IP should I indicate if the remote site doesn't have a fixed IP (but has a DDNS service)? Is there any way to be more restrictive than just geo-tagging?
I think you all deserve a beer (edit: and/or a coffee) for your help, so I'm heading to the donation page now... cheers!
 
Woohoo! Thank you, it's working!
Great!

  1. Do we agree that all firewall/port forwarding and other security settings set in the ISP's box do not have any influence on my network anymore? The only rules that matter are the ones set in the MR (provided of course all my devices are connected to the MR). Or are there any settings I should still pay attention to on the ISP side?
Usually a DMZ feature will send any traffic to that selected LAN device unless the ISP router has port forwarding rules for the particular destination TCP/UDP port, in which case these forwarding rules will take precedence. The firewall is probably the same too. I've never had to use a DMZ feature, but you should read up on your ISP's device to understand how it works.

Your MR2200ac firewall, Threat Prevention, and Safe Access should be configured to protect your [real] LAN.

  2. The last question is a bit out of the scope of this thread, but still important for immediate security. Something is not clear about firewall settings for me: I opened and forwarded a port dedicated to HyperVault so I can proceed with an off-site Syno Back-up. What external IP should I indicate if the remote site doesn't have a fixed IP (but has a DDNS service)? Is there any way to be more restrictive than just geo-tagging?
I assume you mean you created a port forwarding rule on the MR2200ac to a DSM NAS. So that an Internet-based DSM NAS can send a Hyper Backup tasks data to your home DSM NAS's Hyper Backup Vault. Or do you mean you created a firewall rule to allow outbound traffic from Hyper Backup and want to limit the permitted destinations?

DDNS is a way to maintain access when you cannot be certain of the Internet IP. The geo-location data is associated with the IP address, not the DDNS name you're using. The ISP's IP address range will [usually] be tagged as the country it is operating from. So if you know that the other site is in the UK then you can set the firewall rule destination as UK, regardless of the DDNS service you use.

I think you all deserve a beer (edit: and/or a coffee) for your help, so I'm heading to the donation page now... cheers!
🍪🍪 are the usual currency around here :cool: and beverage of choice too!
 
Hi all,
I assume you mean you created a port forwarding rule on the MR2200ac to a DSM NAS. So that an Internet-based DSM NAS can send a Hyper Backup tasks data to your home DSM NAS's Hyper Backup Vault. Or do you mean you created a firewall rule to allow outbound traffic from Hyper Backup and want to limit the permitted destinations?
I actually did both: port forwarding to allow an internet-based NAS to back up to my home NAS, and I thought I had to create a specific firewall rule to allow that traffic to enter my network... But I realised now that port forwarding automatically digs a hole in the firewall, so I deleted my own rule.

My doubt is the following: the firewall rule that has been created by the port-forwarding request allows connections from any IP. Can we not be more restrictive? Like: connection is only allowed from that specific NAS? What is protecting my NAS on that port if it is open to all IPs? That rule is uneditable (grey colour), so I cannot even restrict it geographically...
 
My doubt is the following: the firewall rule that has been created by the port-forwarding request allows connections from any IP. Can we not be more restrictive?
Yes. In the Port Forwarding tab you can elect to disable the automatic creation of firewall rules. But, since these auto rules are at the bottom of the firewall rules, you could instead create two firewall rules: the first is the restrictive allow rule and the second a deny-all-others rule (for this port).
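The reply above relies on first-match evaluation: the auto-created rule sits at the bottom, so a narrow allow followed by a deny for the same port, both placed above it, settle the decision before the catch-all is ever reached. The simulation below is an added example for this thread (not SRM's firewall engine or anything from the posters). The backup port 6281 and the remote NAS address 203.0.113.10 are constructed assumptions; the logic shows why the auto rule alone admits every source and why the two extra rules must be ordered allow-then-deny.

```python
from dataclasses import dataclass
import ipaddress
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                # "allow" or "deny"
    proto: str                 # "tcp", "udp" or "any"
    dst_port: Optional[int]    # None = any destination port
    src: str                   # CIDR the source must fall in; "0.0.0.0/0" = any


def first_match(rules, proto, dst_port, src_ip, default="deny"):
    """Evaluate an ordered rule list top-down; the first matching rule wins.

    Returns (action, rule_name). Falls back to `default` when no rule matches,
    which models a firewall whose final implicit policy is deny.
    """
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        if ip not in ipaddress.ip_network(r.src):
            continue
        return r.action, r.name
    return default, "(implicit default)"


# Constructed values (assumptions for the demo): the forwarded backup port and
# the remote NAS that is allowed to reach it. 203.0.113.0/24 is a documentation range.
BACKUP_PORT = 6281
REMOTE_NAS = "203.0.113.10"

# The rule port forwarding creates automatically, at the bottom of the list:
AUTO_RULE = Rule("auto: port forward", "allow", "tcp", BACKUP_PORT, "0.0.0.0/0")

# Ruleset with only the auto rule: every source reaches the port.
OPEN_RULESET = [AUTO_RULE]

# Ruleset from the reply above: a restrictive allow, then a deny for that port,
# both above the auto rule so they are evaluated first.
RESTRICTED_RULESET = [
    Rule("allow backup peer", "allow", "tcp", BACKUP_PORT, f"{REMOTE_NAS}/32"),
    Rule("deny all others on backup port", "deny", "tcp", BACKUP_PORT, "0.0.0.0/0"),
    AUTO_RULE,
]


def decide(ruleset, src_ip, port=BACKUP_PORT):
    """Convenience wrapper: the action taken for a TCP packet to `port` from `src_ip`."""
    return first_match(ruleset, "tcp", port, src_ip)[0]


if __name__ == "__main__":
    for src in (REMOTE_NAS, "198.51.100.7"):
        print(f"{src}: open={decide(OPEN_RULESET, src)} "
              f"restricted={decide(RESTRICTED_RULESET, src)}")
```

Swapping the order of the two added rules (deny first) would block the backup peer as well, since the deny would match before the allow; that is the ordering detail to check after saving the rules.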
 
Makes sense, thank you.
I also thought this morning that establishing a Site-to-site VPN could be a good solution. Maybe the most secure (?).

Thanks again for your time and help!
I'll mark this thread as solved.
 
Hi all,

'got to come back to this thread, as bringing my MR2200 in the ISP's DMZ actually solved one issue, but created some other problems.

I used to have shared folders connected as "remote disks" on my laptop. Since the move of the MR and all my LAN infrastructure into the ISP's DMZ (yes my LAN is behind the MR, not exposed in the DMZ), including my NAS, I lost not only these connections, but also several user accesses (like Drive services, remote backup, ...). DSM basically refuses access to any service requested by my "User" account.

Another thing I lost access to is the connection to certain servers of my VPN provider. All swiss servers are unreachable. The other ones are OK...

So I thought I might have set a wrong rule in the SRM firewall settings (despite I don't get why the firewall would interfere with outbound VPN connections) but:
  • Deactivating the firewall did not help with any of the above-mentioned problems;
  • Why would a firewall block internal LAN traffic?
  • While trying to connect to my network drives, the system reports an access denial. As if my account would just not have the rights to access these shared folders. But it has...
I don't know anymore where to look for the solution. 'looks like there are actually several problems here. Would you guys have an idea? Can this all be related to the move into the DMZ?
 
