Solved

Two routers, one in a DMZ, public services visible but not to me

Posted on 2013-12-27
10
697 Views
Last Modified: 2014-01-01
I have a 76 Mbps FTTC internet connection with a dynamic IP address.

I have used a Netgear WNR2000 router which I've been using for a few years, it connects to the FTTC modem and works well.  It has some open ports for a NAS drive that I access from the outside world, and a remote desktop connection to a PC too.  I've set the fixed internal IP addresses, service names mapped to port numbers, and the port forwarding - so that all works fine.

My ISP also provides an IP-TV service which only works using a multicast connection, but my Netgear router doesn't support multicast.  They provide their own router (BT HomeHub 4) which does.  Unfortunately, the port forwarding on their router is poor - it either doesn't work, or it works unreliably.

I have been switching between the two routers - keeping the Netgear one connected by default, unless we want to use the IP-TV, in which case we temporarily forego the NAS and RDP services.

I realised that I could have both: I have left the ISP's router connected, with the IPTV box connected to it directly, and then connected my Netgear router to the ISP's router, and using the ISP's router, configured it to put the Netgear router into the DMZ.

This means the IPTV works (via the ISP's router), and all incoming traffic is sent to my Netgear router in the DMZ, which means everything else works too.  From the outside world, everything works fine.  Inside my network, everything works fine too.

However, the hostname of my NAS which works outside is no longer accessible inside.  I use a DynDNS-like service from the NAS manufacturer QNAP.  Using DDNS it gives me a hostname of, say, redlondon.qcloudnas.com.  The NAS drive updates the hostname redlondon.qcloudnas.com every 10 minutes so it always matches the public IP address I have from my ISP.  It is always accessible from the outside world, but I can no longer access it from inside it.

My ISP's router is 192.168.1.254, and gives IP addresses via DHCP in the range 192.168.1.65, 66 etc.  The Netgear router used to be 192.168.1.254 as well, when I used one router or the other, but when I connected the two, the Netgear router saw that its "internet port" had been given an address of 192.168.1.65, so it changed its internal network numbering to 10.0.0.1 to avoid conflicts.

I can access my NAS on 10.0.0.200, its fixed internal IP address.  I can also access it via redlondon.qcloudnas.com from outside, but if I try to get to redlondon.qcloudnas.com from inside, it just times out.  If I tracert redlondon.qcloudnas.com it resolves to my public IP address, the first hop pings as 10.0.0.1 and then everything times out.

How can I tell my ISP's router at 192.168.1.254 to let traffic from the 10.0.0.1 IP range access the internal stuff?

I guess each router refers to things with different names, so I'm after what's wrong rather than specific step-by-step instructions - if I know what to look for, I'm sure I can find it.
0
Question by:RedLondon
10 Comments
 
LVL 46

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 39741763
The issue you're seeing is with something called hairpin-NAT.  The BT router (and a lot of others) simply doesn't support it.

Really you could do with an internal DNS server.  This would allow you to map the hostname to its internal IP address.  Your laptop would use the internal DNS server when connected to the local network, and receive the internal IP address of the NAS when at home.

When you go out and about you'd use the public internet DNS servers, which would return the DDNS IP address of the NAS.

There is an easy-ish solution to this though.  The Netgear router can use custom firmware called DD-WRT which includes DNS server features.  This would let you do exactly what I mentioned above.  It's not for the not-so-technical people as it can break your router unless you do it properly, but it'll do exactly what you want.
0
 
LVL 11

Author Comment

by:RedLondon
ID: 39741773
Great - thank you.  Good to know I'm not going mad.

I have two identical Netgear routers, one as a spare in case the live one dies: I will experiment with DD-WRT and read up on hairpin NAT.
0
 
LVL 11

Expert Comment

by:Miftaul
ID: 39741777
So you can access the redlondon.qcloudnas.com from outside, that means DDNS is working fine for your Synology. But you can't access redlondon.qcloudnas.com from inside, that means your internal workstation is not allowed to access the LAN services using WAN IP. That definitely has something to do with the NAT filtering option in your Netgear WNR2000, that might be set as secure and filtering the loopback access. Please try this:

Logon to the Netgear WNR2000
go to Advanced Tab -> Setup ->
WAN Setup -> Check "Disable SPI"
Also change NAT filtering from SECURED to OPEN
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39741785
@Miftaul - that won't work when the Netgear router is connected to the BT router.

The OP needs to use the BT router as the internet-facing router in order to allow BT's multicast service to work.
0
 
LVL 17

Expert Comment

by:StrifeJester
ID: 39741824
What I would do is just put up a small DNS server inside your network. You could always modify the hosts file as well. Create a static entry in the internal DNS server for the redlondon.qcloudnas.com address and point it to your internal IP. This will not affect external traffic from a different location but will allow you access using the external FQDN. This practice is done a lot when Active Directory is involved. A lot of services have certificates and require you come in using the external FQDN but hitting them from the inside is always easier and faster when you don't have to go all the way to the edge to come back to your internal equipment. I am not sure if the WNR2000 will run anything like DD-WRT which would allow you a little more control and possibly not need an internal DNS server. Setup the Internal DNS server to forward all requests wherever you would like and then just create a single forward lookup zone for your NAS and that should resolve the issue.
0
 
LVL 11

Expert Comment

by:Miftaul
ID: 39741840
Static entry on the host file might create other problem like when using same FQDN to access the Synology from outside will fail.

Synology has a DNS server that can be configured, as far as I remember. Will that work in this scenario?
0
 
LVL 17

Expert Comment

by:StrifeJester
ID: 39741847
A static entry would fail on something like a laptop if you took that off-site. Yes, if the Synology has a DNS server you should be able to use that. Change your WNR settings to hand out the Synology as the DNS server. You will want to make sure that the forwarding domain does not use the base qcloud.com zone since that may break the device's ability to update via their DDNS service.
0
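A worked illustration of the split-horizon DNS approach from the accepted solution and the zone-scoping caveat in the comment just above, added here and not taken from any post: it models how a dnsmasq-style `address=/domain/ip` override (the kind of DNS feature DD-WRT exposes; the exact DD-WRT field name is not assumed) resolves names, and shows why the override must name the exact NAS hostname rather than the whole DDNS provider zone. The hostname and 10.0.0.200 come from the question; `update.qcloudnas.com` is a constructed stand-in for any other host under the provider's zone.

```python
# Added example: models dnsmasq's "address=/domain/ip" override semantics
# (the domain itself and every name beneath it, longest suffix wins) to show
# the difference between pinning one host and hijacking a whole zone on the LAN.
# "update.qcloudnas.com" is a constructed placeholder, not a known real host.

UPSTREAM = "forward-upstream"   # marker: query is forwarded to public DNS


def parse_overrides(config_text):
    """Parse dnsmasq-style 'address=/domain/ip' lines into a {domain: ip} map."""
    overrides = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith("address=/"):
            continue
        _, domain, ip = line.split("/", 2)
        overrides[domain.lower()] = ip
    return overrides


def resolve(name, overrides):
    """Return the override IP if any suffix of the name is pinned, else UPSTREAM.
    Checking the full name first means the longest matching suffix wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in overrides:
            return overrides[candidate]
    return UPSTREAM


# Correct: pin only the NAS's own DDNS name to its LAN address.
GOOD_CONFIG = "address=/redlondon.qcloudnas.com/10.0.0.200\n"
# Too broad: every host under the provider's zone now answers as the NAS,
# which is the failure mode the comment above warns about.
BAD_CONFIG = "address=/qcloudnas.com/10.0.0.200\n"


def lan_view(config_text, names):
    """What LAN clients would receive for each name under the given override config."""
    overrides = parse_overrides(config_text)
    return {n: resolve(n, overrides) for n in names}


if __name__ == "__main__":
    names = ["redlondon.qcloudnas.com", "update.qcloudnas.com", "www.example.com"]
    for label, cfg in (("exact host", GOOD_CONFIG), ("whole zone", BAD_CONFIG)):
        print(label, lan_view(cfg, names))
```

Off-site clients never see these overrides, so the public DDNS name keeps working from outside while LAN clients reach the NAS directly without needing hairpin NAT on the BT router.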
 
LVL 46

Assisted Solution

by:Craig Beck
Craig Beck earned 500 total points
ID: 39742045
Modifying the hosts file WILL cause an issue when you're connected to either the LAN or the Internet, depending on what entry you add to the file.  Don't do that.

If you don't know what you're doing with Linux I'd not want to install a DNS server on the NAS (if that's what it's running).

I really would just install DD-WRT on the router, configure the DNS server in it, and leave all other devices as they are - especially a NAS if it's got lots of data on it.  It's simpler.
0
 
LVL 11

Author Comment

by:RedLondon
ID: 39742255
Sorry folks - I thought that I had accepted craigbeck's original reply as an answer when I posted my message earlier.

The NAS is a QNAP device, not Synology, and while it does run Linux and I'm sure could serve as a DNS server, it's an important NAS device so I need to keep it as near stock setup as possible to allow for changing it should anything fail.

Using DD-WRT sounds like a perfect plan.  I tried it on the spare Netgear router and bricked it - most links on the DD-WRT website about the Netgear router went to a dead page, so I downloaded the 'right' file and installed it via the web interface anyway... and killed it.  A little more reading showed why, and gives notes on how to recover from a bricked router - but the more I read about my 'trusty' Netgear router, the more I see it's a bit of a bugger to flash.

For the challenge and the not wanting to be beaten, I'll probably come back to it another time - but right now common sense says to give in and buy another router.  The cost of time outweighs the cost of a router - and while I'm getting a new router, I might as well get one that supports BT's implementation of multicast for IPTV and cut out the need for two routers.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39742263
Sounds like a sound plan!

If you need any help with the BT setup once you have a new router, just post a new question and I'll see if I can help - I'm UK based and have BT's Infinity and Vision+ service myself :-)
0
