Solved

Two routers, one in a DMZ, public services visible but not to me

Posted on 2013-12-27
10
675 Views
Last Modified: 2014-01-01
I have a 76 Mbps FTTC internet connection with a dynamic IP address.

I have a Netgear WNR2000 router which I've been using for a few years; it connects to the FTTC modem and works well. It has some open ports for a NAS drive that I access from the outside world, and a remote desktop connection to a PC too. I've set the fixed internal IP addresses, service names mapped to port numbers, and the port forwarding - so that all works fine.

My ISP also provides an IP-TV service which only works using a multicast connection, but my Netgear router doesn't support multicast.  They provide their own router (BT HomeHub 4) which does.  Unfortunately, the port forwarding on their router is poor - it either doesn't work, or it works unreliably.

I have been switching between the two routers - keeping the Netgear one connected by default, unless we want to use the IP-TV, in which case we temporarily forego the NAS and RDP services.

I realised that I could have both: I have left the ISP's router connected, with the IPTV box connected to it directly, and then connected my Netgear router to the ISP's router, and using the ISP's router, configured it to put the Netgear router into the DMZ.

This means the IPTV works (via the ISP's router), and all incoming traffic is sent to my Netgear router in the DMZ, which means everything else works too.  From the outside world, everything works fine.  Inside my network, everything works fine too.

However, the hostname of my NAS which works outside is no longer accessible inside.  I use a DynDNS-like service from the NAS manufacturer QNAP.  Using DDNS it gives me a hostname of, say, redlondon.qcloudnas.com.  The NAS drive updates the hostname redlondon.qcloudnas.com every 10 minutes so it always matches the public IP address I have from my ISP.  It is always accessible from the outside world, but I can no longer access it from inside it.

My ISP's router is 192.168.1.254, and gives out IP addresses via DHCP in the range 192.168.1.65, 66 etc. The Netgear router used to be 192.168.1.254 as well, when I used one router or the other, but when I connected the two, the Netgear router saw that its "internet port" had been given an address of 192.168.1.65, so it changed its internal network numbering to 10.0.0.1 to avoid conflicts.

I can access my NAS on 10.0.0.200, its fixed internal IP address.  I can also access it via redlondon.qcloudnas.com from outside, but if I try to get to redlondon.qcloudnas.com from inside, it just times out.  If I tracert redlondon.qcloudnas.com it resolves to my public IP address, the first hop pings as 10.0.0.1 and then everything times out.

How can I tell my ISP's router at 192.168.1.254 to let traffic from the 10.0.0.1 IP range access the internal stuff?

I guess each router refers to things with different names, so I'm after what's wrong rather than specific step-by-step instructions - if I know what to look for, I'm sure I can find it.
Question by:RedLondon

10 Comments

LVL 45

Accepted Solution

by: Craig Beck (earned 500 total points)
The issue you're seeing is with something called hairpin-NAT.  The BT router (and a lot of others) simply doesn't support it.

Really you could do with an internal DNS server.  This would allow you to map the hostname to its internal IP address.  Your laptop would use the internal DNS server when connected to the local network, and receive the internal IP address of the NAS when at home.

When you go out and about you'd use the public internet DNS servers, which would return the DDNS IP address of the NAS.

There is an easy-ish solution to this though.  The Netgear router can use custom firmware called DD-WRT which includes DNS server features.  This would let you do exactly what I mentioned above.  It's not for the not-so-technical people as it can break your router unless you do it properly, but it'll do exactly what you want.
LVL 11

Author Comment

by:RedLondon
Great - thank you.  Good to know I'm not going mad.

I have two identical Netgear routers, one as a spare in case the live one dies: I will experiment with DD-WRT and read up on hairpin NAT.
LVL 11

Expert Comment

by:Miftaul
So you can access redlondon.qcloudnas.com from outside, which means DDNS is working fine for your Synology. But you can't access redlondon.qcloudnas.com from inside, which means your internal workstation is not allowed to access the LAN services using the WAN IP. That definitely has something to do with the NAT filtering option in your Netgear WNR2000, which might be set as secured and filtering the loopback access. Please try this:

Log on to the Netgear WNR2000
Go to Advanced Tab -> Setup ->
WAN Setup -> check "Disable SPI"
Also change NAT filtering from SECURED to OPEN
LVL 45

Expert Comment

by:Craig Beck
@Miftaul - that won't work when the Netgear router is connected to the BT router.

The OP needs to use the BT router as the internet-facing router in order to allow BT's multicast service to work.
LVL 17

Expert Comment

by:StrifeJester
What I would do is just put up a small DNS server inside your network. You could always modify the hosts file as well. Create a static entry in the internal DNS server for the redlondon.qcloudnas.com address and point it to your internal IP. This will not affect external traffic from a different location but will allow you access using the external FQDN. This practice is done a lot when Active Directory is involved. A lot of services have certificates and require you come in using the external FQDN but hitting them from the inside is always easier and faster when you don't have to go all the way to the edge to come back to your internal equipment. I am not sure if the WNR2000 will run anything like DD-WRT which would allow you a little more control and possibly not need an internal DNS server. Setup the Internal DNS server to forward all requests wherever you would like and then just create a single forward lookup zone for your NAS and that should resolve the issue.
LVL 11

Expert Comment

by:Miftaul
A static entry in the hosts file might create other problems, like when using the same FQDN to access the Synology from outside will fail.

Synology has a DNS server that can be configured, as far as I remember. Will that work in this scenario?
LVL 17

Expert Comment

by:StrifeJester
A static entry would fail on something like a laptop if you took that off-site. Yes, if the Synology has a DNS server you should be able to use that. Change your WNR settings to hand out the Synology as the DNS server. You will want to make sure that the forwarding domain does not use the base qcloud.com zone, since that may break the device's ability to update via their DDNS service.
LVL 45

Assisted Solution

by: Craig Beck (earned 500 total points)
Modifying the hosts file WILL cause an issue when you're connected to either the LAN or the Internet, depending on what entry you add to the file. Don't do that.

If you don't know what you're doing with Linux I'd not want to install a DNS server on the NAS (if that's what it's running).

I really would just install DD-WRT on the router, configure the DNS server in it, and leave all other devices as they are - especially a NAS if it's got lots of data on it.  It's simpler.
LVL 11

Author Comment

by:RedLondon
Sorry folks - I thought that I had accepted craigbeck's original reply as an answer when I posted my message earlier.

The NAS is a QNAP device, not Synology, and while it does run Linux and I'm sure could serve as a DNS server, it's an important NAS device so I need to keep it as near stock setup as possible to allow for changing it should anything fail.

Using DD-WRT sounds like a perfect plan. I tried it on the spare Netgear router and bricked it - most links on the DD-WRT website about the Netgear router went to a dead page, so I downloaded the 'right' file and installed it via the web interface anyway... and killed it. A little more reading showed why, and gives notes on how to recover from a bricked router - but the more I read about my 'trusty' Netgear router, the more I see it's a bit of a bugger to flash.

For the challenge and the not wanting to be beaten, I'll probably come back to it another time - but right now common sense says to give in and buy another router.  The cost of time outweighs the cost of a router - and while I'm getting a new router, I might as well get one that supports BT's implementation of multicast for IPTV and cut out the need for two routers.
LVL 45

Expert Comment

by:Craig Beck
Sounds like a sound plan!

If you need any help with the BT setup once you have a new router, just post a new question and I'll see if I can help - I'm UK based and have BT's Infinity and Vision+ service myself :-)