Need help solving a VPN port access issue

NAS: 1618+
Operating system: Windows
Hi all. Let me start by saying I've spent almost two hours scouring this forum, Google, Synology, and other areas trying to fix this. I've read through some of the great tutorials and threads on OpenVPN and they've helped a ton, but I have a basic issue I can't figure out. So basically, I've done a fair amount of work and I'm not just showing up empty-handed... and I appreciate your time!

Try as I might I can't figure out why my port forwarding isn't working. I have AT&T internet and am stuck with their router/modem, but I figured out how to do an IP passthrough and have my Asus RT-AC3100 public facing now with the AT&T router firewall disabled and Asus enabled.

I have DDNS set up, a DSM firewall with the 3 rules WST16 outlined in the tutorial, a static LAN IP for my DS and OpenVPN set up. But when I set up port forwarding using the AC3100 to my local DS IP (192.168.2.187) it never opens the port. I've tried 1194, 5000, 1199 and others. None work. I've used some of the tools listed out by WST16 and others to try port scanning, and the only way I've ever been able to get anything but "timed out" was when I completely disabled the AC3100 firewall, and then I would get "port closed".

I would really appreciate any help to get this figured out, I'm beating my head against the wall over here and it's starting to hurt :)
 
So atm you have 2 routers on your end? How are they configured exactly? Double NAT, bridge? Guessing you are getting blocked on one of those 2 devices regarding port forward and/or FW.

FW can be disabled for testing purposes, but as you did that already, my guess is port forward is still an issue because of your router configuration.

Again, give a bit more info on your router configuration with AT&T + Asus router and let's take it from there. Be as detailed as possible (including what ports on the back you are using, any DMZ settings, FW, port forwards etc..)
 
Upvote 0
Also confirm that you aren't running the Asus router's built-in VPN server.

Another test would be to enable the router's VPN server and see if you can connect to it (it doesn't require port forwarding, but disable any VPN forwarding rules to the NAS to be sure that there's no interference in the router's policies). If that works then at least your ISP isn't blocking these inbound ports.
 
Upvote 0
Thanks for the reply, Rusty. You're correct, I have 2 routers. The AT&T is getting the direct link for the fiber connection from the street. Then I'm feeding out of port 2 to my Asus. I'm not sure of the exact terminology, but I'm IP forwarding the Asus through the AT&T via the setting seen here:
AT&T settings1.jpg


To my understanding this should take the AT&T out of the equation. But maybe something still happening on the ISP side?

As far as the Asus goes, I have Firewall enabled (no DoS protection, no IPv6 Firewall). No DMZ enabled. All NAT passthrough enabled except PPPoE Relay.

This is what I was using for port forwarding settings. Though in this screenshot it's turned off while I was testing the Asus VPN server per fredbert's recommendation to see if I could access just into the router (I couldn't). But I did have it turned on for all other testing.

asus pfwd.jpg


If there is anything else specifically that would help troubleshoot let me know. And here is a screenshot of the VPN server details I used to test the Asus VPN (with port forwarding off).

asus vpn.jpg


Thanks!
 
Upvote 0
What are the DMZ settings on your main router? The first image is just firewall section and that’s fine for now.

Also, to what port on your Asus router does the cable go from your main router (port2)?
I was unable to get into that DMZ setting tab for some reason on the old router, and AT&T just sent me a new one that I installed 30 minutes ago. Unfortunately it has different menu settings and no DMZ callouts anywhere. It does now have IP Passthrough, which I've set up as follows. The MAC address is for my Asus, and the Asus is routing out internet traffic fine over both WAN and LAN, as port 2 of the AT&T router output is going to the input internet port on the Asus marked with a blue globe.

The NAT/Gaming table is a horribly generic drop down list of known games and apps (no OpenVPN) that just opens ports.

AT&T settings2.jpg
 
Upvote 0
Sorry I must've missed your reply. ^^^ and now you've replied while I was writing this vvvv

From the AT&T router screenshot I see that there is mention of DMZ. Normally it is unwise to use the DMZ feature as the router will send all inbound connections that haven't got a matching router service or forwarding rule to the LAN IP address set as the DMZ destination. But if you only have one LAN device, the Asus router/firewall, then in this case it is permissible to use AT&T DMZ.

If the AT&T router can be configured to run in bridge or modem mode then this would assume you are providing your own firewall/router. In bridge mode (like my Virgin Media's, ahem, 'Super' Hub) the ISP router passes everything to my RT2600ac and the Synology router gets the ISP assigned Internet IP address. If your AT&T router cannot do bridge mode then the DMZ feature is the nearest thing to it. But using DMZ will mean double NAT where there's a LAN subnet between AT&T and Asus and a second LAN subnet for your real home LAN that's mediated by the Asus.
 
Upvote 0
Realizing this is probably an important thing to show you as well from the new AT&T router software.

AT&T settings3.jpg
 
Upvote 0
OK so a google for "AT&T router bridge mode" reveals this:

Bridged mode is not possible on the AT&T platform. The reasons for that are:...
 
Upvote 0
Thank you! Yes, I've been able to get into bridge or IP passthrough mode without DMZ.
-- post merged: --

From what I've read, the IP Passthrough mode is the workaround for this. And though not technically a "Bridge" it will let OpenVPN work.
AT&T settings4.jpg


I've been surfing the AT&T forums heavily as well and have seen people say they've gotten it to work, but none of the setups have worked for me as of yet. Starting to get confusing after trying so many different settings 🤪
 
Upvote 0
Since some of AT&T's reasons for not permitting bridge mode are
  • AT&T Customer Care has no way to remotely access the modem/gateway device in order to do diagnostics testing.
  • A bridged mode configuration does not allow the device to receive any future firmware updates from AT&T as remote access is disabled with a bridged mode setting.

then I think it is wise to use IP pass-through if this is the nearest way to achieve it. Theirs is a clear statement that you are not the owner of your perimeter security and you should run your own firewall and WiFi devices separately to their box.

My previous link points to this page for setting up IP pass-through and it seems you are doing it right... use DHCP-fixed and assign the Asus WAN interface's MAC address as the destination. The DHCP timeout would be as long as you can set it (if fixed, why is a timeout needed? the instructions seem to imply it is ignored). Then reboot the AT&T router.
 
Upvote 0
I've successfully done this. My Asus is correctly identifying the external IP as its IP so I know the passthrough has worked.

But I still can't access any open ports even though I have port forwarding set up on the Asus and have also tried the Asus OpenVPN client. Tried them both on 1194 (only trying one at a time) and neither has worked. Always says "timed out".

The only success I've had to get something else is completely turning off the Asus firewall setting and then it changes to "port 1194 closed". Any ideas on what could be blocking my port forwarding attempts?
 
Upvote 0
So once you turned off the FW your port is closed? The fact that you are getting time-out errors would mean that you have port/fw problems on some level.

Any FW on the NAS itself?
 
Upvote 0
Correct, when I turn off Asus firewall it stops timing out and starts saying closed port. I do have a firewall on the NAS, but I've been trying other combinations of ports and IPs with the same results.
 
Upvote 0
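The two results compared in the posts above ("timed out" with the Asus firewall on, "closed" with it off) correspond to different TCP outcomes. The sketch below is an added example, not something posted in the thread; `probe_tcp`, `interpret` and `local_demo` are hypothetical names, and the loopback ports are constructed for the demo. It only tests TCP, so a service listening on UDP will never show as "open" here.

```python
import errno
import socket

def probe_tcp(host, port, timeout=2.0):
    """Return 'open', 'closed', 'timed out' or 'unreachable' for one TCP connect."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"        # SYN/ACK came back: a TCP listener answered
    except (socket.timeout, TimeoutError):
        return "timed out"   # no reply at all: the SYN was silently dropped
    except ConnectionRefusedError:
        return "closed"      # RST came back: a device was reached, nothing listens
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()

def interpret(fw_on, fw_off):
    """Compare results taken with the router firewall enabled and disabled."""
    if fw_on == "open":
        return "forward and TCP listener both work"
    if fw_on == "timed out" and fw_off == "closed":
        return ("firewall drops the probe; without it a device answers with a "
                "reset, so the probe never reaches a TCP listener on that port")
    if fw_on == "timed out" and fw_off == "timed out":
        return "probe is dropped somewhere other than the router firewall"
    if fw_off == "open":
        return "listener works; the router firewall is what blocks the forward"
    return "inconclusive"

def local_demo():
    """Constructed offline check: one listening and one unused loopback port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()            # port is now free, so a connect gets refused
    try:
        return (probe_tcp("127.0.0.1", listener.getsockname()[1]),
                probe_tcp("127.0.0.1", closed_port))
    finally:
        listener.close()

if __name__ == "__main__":
    print(local_demo())
    print(interpret("timed out", "closed"))
```

The reset behind a "closed" result can come from the router itself or from the forward target, so it does not show on its own that the forward rule is being applied.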
Does the Asus router need to have both firewall and port forwarding rules configured? Or does it not distinguish between firewall and port forwarding?

In your original screenshot of the port forwarding rule it doesn’t have an internal port defined: does it assume it’s the same as the external port?
 
Upvote 0
Firewall rules are for IPv6 only; IPv4, which I'm using, uses just the port forwarding.
 
Upvote 0