RedLondon (United Kingdom) asked:
Two routers, one in a DMZ, public services visible but not to me

I have a 76 Mbps FTTC internet connection with a dynamic IP address.

I have a Netgear WNR2000 router which I've been using for a few years; it connects to the FTTC modem and works well.  It has some open ports for a NAS drive that I access from the outside world, and a remote desktop connection to a PC too.  I've set the fixed internal IP addresses, service names mapped to port numbers, and the port forwarding - so that all works fine.

My ISP also provides an IP-TV service which only works using a multicast connection, but my Netgear router doesn't support multicast.  They provide their own router (BT HomeHub 4) which does.  Unfortunately, the port forwarding on their router is poor - it either doesn't work, or it works unreliably.

I have been switching between the two routers - keeping the Netgear one connected by default, unless we want to use the IP-TV, in which case we temporarily forego the NAS and RDP services.

I realised that I could have both: I have left the ISP's router connected, with the IPTV box connected to it directly, and then connected my Netgear router to the ISP's router, and using the ISP's router, configured it to put the Netgear router into the DMZ.

This means the IPTV works (via the ISP's router), and all incoming traffic is sent to my Netgear router in the DMZ, which means everything else works too.  From the outside world, everything works fine.  Inside my network, everything works fine too.

However, the hostname of my NAS which works outside is no longer accessible inside.  I use a DynDNS-like service from the NAS manufacturer QNAP.  Using DDNS it gives me a hostname of, say, redlondon.qcloudnas.com.  The NAS drive updates the hostname redlondon.qcloudnas.com every 10 minutes so it always matches the public IP address I have from my ISP.  It is always accessible from the outside world, but I can no longer access it from inside it.

My ISP's router is 192.168.1.254, and gives IP addresses via DHCP in the range 192.168.1.65, 66 etc.  The Netgear router used to be 192.168.1.254 as well, when I used one router or the other, but when I connected the two, the Netgear router saw the "internet port" gave it an address of 192.168.1.65, so it changed its internal network numbering to be 10.0.0.1 to avoid conflicts.

I can access my NAS on 10.0.0.200, its fixed internal IP address.  I can also access it via redlondon.qcloudnas.com from outside, but if I try to get to redlondon.qcloudnas.com from inside, it just times out.  If I tracert redlondon.qcloudnas.com it resolves to my public IP address, the first hop pings as 10.0.0.1 and then everything times out.

How can I tell my ISP's router at 192.168.1.254 to let traffic from the 10.0.0.1 IP range access the internal stuff?

I guess each router refers to things with different names, so I'm after what's wrong rather than specific step-by-step instructions - if I know what to look for, I'm sure I can find it.
ASKER CERTIFIED SOLUTION
Craig Beck (United Kingdom)
RedLondon (asker):
Great - thank you.  Good to know I'm not going mad.

I have two identical Netgear routers, one as a spare in case the live one dies: I will experiment with DD-WRT and read up on hairpin NAT.
Miftaul H:
So you can access redlondon.qcloudnas.com from outside; that means DDNS is working fine for your Synology. But you can't access redlondon.qcloudnas.com from inside, which means your internal workstation is not allowed to access the LAN services using the WAN IP. That definitely has something to do with the NAT filtering option in your Netgear WNR2000, which might be set to Secured and filtering the loopback access. Please try this:

Log on to the Netgear WNR2000
Go to Advanced Tab -> Setup ->
WAN Setup -> Check "Disable SPI"
Also change NAT filtering from SECURED to OPEN
@Miftaul - that won't work when the Netgear router is connected to the BT router.

The OP needs to use the BT router as the internet-facing router in order to allow BT's multicast service to work.
What I would do is just put up a small DNS server inside your network. You could always modify the hosts file as well. Create a static entry in the internal DNS server for the redlondon.qcloudnas.com address and point it to your internal IP. This will not affect external traffic from a different location but will allow you access using the external FQDN. This practice is done a lot when Active Directory is involved. A lot of services have certificates and require you to come in using the external FQDN, but hitting them from the inside is always easier and faster when you don't have to go all the way to the edge to come back to your internal equipment. I am not sure if the WNR2000 will run anything like DD-WRT, which would allow you a little more control and possibly not need an internal DNS server. Set up the internal DNS server to forward all requests wherever you would like and then just create a single forward lookup zone for your NAS, and that should resolve the issue.
A static entry in the hosts file might create other problems, e.g. using the same FQDN to access the Synology from outside will fail.

Synology has a DNS server that can be configured, as far as I remember. Will that work in this scenario?
A static entry would fail on something like a laptop if you took that off-site. Yes if the Synology has a DNS server you should be able to use that. Change your WNR settings to hand out the Synology as the DNS server. You will want to make sure that the forwarding domain does not use the base qcloud.com zone since that may break the devices ability to update via their DDNS service.
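The split-horizon approach discussed in the last few comments (answer the NAS hostname with the LAN address inside, forward everything else upstream), written out as an added example. This is not code from the thread, from QNAP or from Netgear; it is a minimal stdlib-only UDP resolver that a LAN host would run, with the Netgear's DHCP pointing clients at it. Assumptions beyond what the thread states: the ISP router at 192.168.1.254 is used as the upstream forwarder, and the override list holds only the single hostname (not the whole qcloudnas.com zone), so the NAS's DDNS updater and any other names under that domain still resolve normally. Bind it to the LAN interface only; a resolver that forwards for anyone who reaches it on the WAN side is an open resolver.

```python
import socket
import struct

# Assumptions (only the hostname and 10.0.0.200 come from the thread): the ISP
# router at 192.168.1.254 is the upstream forwarder, and this script runs on a
# LAN host that the Netgear's DHCP hands out as the DNS server.
OVERRIDES = {"redlondon.qcloudnas.com": "10.0.0.200"}
UPSTREAM = ("192.168.1.254", 53)

QTYPE_A = 1


def parse_question(packet):
    """Return (txid, qname, qtype, end_of_question) from a DNS message.

    Only the first question is read. Queries do not use name compression in
    the question section, so walking plain labels is sufficient here.
    """
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("DNS message carries no question")
    off, labels = 12, []
    while True:
        length = packet[off]
        off += 1
        if length == 0:
            break
        labels.append(packet[off:off + length].decode("ascii"))
        off += length
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, ".".join(labels).lower(), qtype, off + 4


def build_query(name, txid=0x1234):
    """Construct a standard recursive A query (used for the offline demo)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + qname + struct.pack("!HH", QTYPE_A, 1)


def build_a_response(query, ip, ttl=60):
    """Answer the question in `query` with a single A record for `ip`."""
    txid, _qname, _qtype, qend = parse_question(query)
    # flags 0x8580: QR=1, AA=1, RD=1, RA=1, RCODE=NOERROR
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)
    question = query[12:qend]
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def answer_ip(response):
    """Read the IPv4 address from the first A answer of a response built above."""
    _, _, _, qend = parse_question(response)
    rdlength = struct.unpack("!H", response[qend + 10:qend + 12])[0]
    return socket.inet_ntoa(response[qend + 12:qend + 12 + rdlength])


def local_answer(query, overrides=OVERRIDES):
    """Split-horizon decision: a local A answer for overridden names, else None."""
    _, qname, qtype, _ = parse_question(query)
    if qtype == QTYPE_A and qname in overrides:
        return build_a_response(query, overrides[qname])
    return None


def forward(query, upstream=UPSTREAM, timeout=2.0):
    """Relay every other query unchanged to the upstream resolver."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, upstream)
        return s.recv(4096)


def serve(bind=("10.0.0.1", 53)):
    """Listen on the LAN address only and apply the split-horizon rule per query."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(bind)
        while True:
            query, client = sock.recvfrom(4096)
            try:
                reply = local_answer(query) or forward(query)
            except (ValueError, socket.timeout):
                continue  # malformed query or upstream down: let the client retry
            sock.sendto(reply, client)


if __name__ == "__main__":
    serve()  # port 53 needs root or CAP_NET_BIND_SERVICE; bind address is an assumption
```

Because only the one hostname is overridden, a laptop taken off-site simply uses whatever resolver it gets there and reaches the public address, which a hosts-file entry would not do; and because the FQDN the client uses is unchanged, a certificate on the NAS issued for redlondon.qcloudnas.com still matches from inside.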
SOLUTION
Sorry folks - I thought that I had accepted craigbeck's original reply as an answer when I posted my message earlier.

The NAS is a QNAP device, not Synology, and while it does run Linux and I'm sure could serve as a DNS server, it's an important NAS device so I need to keep it as near stock setup as possible to allow for changing it should anything fail.

Using DD-WRT sounds like a perfect plan.  I tried it on the spare Netgear router and bricked it - most links on the DD-WRT website about the Netgear router went to a dead page, so I downloaded the 'right' file and installed it via the web interface anyway... and killed it.  A little more reading showed why, and gives notes on how to recover from a bricked router - but the more I read about my 'trusty' Netgear router, the more I see it's a bit of a bugger to flash.

For the challenge and the not wanting to be beaten, I'll probably come back to it another time - but right now common sense says to give in and buy another router.  The cost of time outweighs the cost of a router - and while I'm getting a new router, I might as well get one that supports BT's implementation of multicast for IPTV and cut out the need for two routers.
Sounds like a sound plan!

If you need any help with the BT setup once you have a new router, just post a new question and I'll see if I can help - I'm UK based and have BT's Infinity and Vision+ service myself :-)