Any way to get AiCloud features working on a Double NAT?

nfshp253

Occasional Visitor
Hi, I have an ISP-issued Nokia ONR that cannot be changed to bridge mode, and an AX56U connected to that. Because of the double NAT problem, I cannot use AiCloud features on the ASUS router. The ONR supports DDNS (e.g. test1.sds-de.ip) so I thought setting that up and port forwarding to the ASUS router (e.g. test1.sds-de.ip:8443) would allow access (to at least the local FTP server or WebGUI) but that doesn't seem to be the case. Any help is appreciated.
 

ColinTaylor

Part of the Furniture
Is this specifically an issue with AiCloud access or all forms of remote access. i.e. can you access the router's web interface if you enable it in the Asus GUI and forward port 8443 on the Nokia?
 

eibgrad

Part of the Furniture
Personally, you would never catch me leaving either of those services exposed to the WAN anyway, but we'll put that aside for the moment.

Normally in a situation w/ double NAT, you'd put the WAN ip of your router in the DMZ of the primary router, thus avoiding the hassle of having to manage port forwarding on the primary router for each and every service. It's just more convenient to let the primary router forward any traffic it would otherwise manage for itself or have blocked.

But remote access always assumes a public IP from the ISP. Is this the case? Many are now using CGNAT to save the limited pool of IPv4 public IPs. You can NOT remotely access CGNAT!
 

nfshp253

Occasional Visitor
Is this specifically an issue with AiCloud access or all forms of remote access. i.e. can you access the router's web interface if you enable it in the Asus GUI and forward port 8443 on the Nokia?
Seems like all forms of remote access. I can't access the router's web interface even after forwarding 8443 (or enabling DMZ for the router's WAN IP).

Personally, you would never catch me leaving either of those services exposed to the WAN anyway, but we'll put that aside for the moment.

Normally in a situation w/ double NAT, you'd put the WAN ip of your router in the DMZ of the primary router, thus avoiding the hassle of having to manage port forwarding on the primary router for each and every service. It's just more convenient to let the primary router forward any traffic it would otherwise manage for itself or have blocked.

But remote access always assumes a public IP from the ISP. Is this the case? Many are now using CGNAT to save the limited pool of IPv4 public IPs. You can NOT remotely access CGNAT!

Just tried using DMZ but nothing either. The particular ISP I am using, for as far as I know isn't using CGNAT.
 

ColinTaylor

Part of the Furniture
The particular ISP I am using, for as far as I know isn't using CGNAT.
You can check this by going to somewhere like https://www.whatsmyip.org/ and seeing what IP address it shows. If it's between 100.64.0.0 and 100.127.255.255 it's CGNAT.

You'll also likely have problems if your router is running a VPN client.
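The two checks being discussed (is the Asus behind another NAT, and is the ISP itself doing CGNAT) can be done mechanically. The following is an added example, not code from the thread; it uses only the Python standard library. One detail worth knowing: an external IP-check site reports the address that actually reaches the internet, so an RFC 6598 address (100.64.0.0/10) normally shows up on the WAN status page of the device the ISP line plugs into (the ONR here), not on the check site. The example therefore compares both. The sample addresses are constructed; 8.8.8.8 stands in for a real public address because Python's `ipaddress` treats the RFC 5737 documentation ranges as non-global.

```python
"""Classify an IPv4 address and tell double NAT apart from carrier-grade NAT.

Added example for this thread; standard library only.
"""
import ipaddress

# RFC 6598 shared address space, the block ISPs use for CGNAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(ip: str) -> str:
    """Return 'cgnat', 'private', 'public' or 'other' for a dotted-quad address."""
    addr = ipaddress.ip_address(ip)
    if addr in CGNAT:          # checked first: the stdlib calls this range neither private nor global
        return "cgnat"
    if addr.is_private:        # RFC 1918 plus the other non-routable blocks
        return "private"
    if addr.is_global:
        return "public"
    return "other"             # multicast, reserved, ...


def diagnose(inner_wan_ip: str, isp_device_wan_ip: str, observed_public_ip: str) -> dict:
    """inner_wan_ip:        WAN address shown by the inner router (the Asus here).
    isp_device_wan_ip:   WAN address shown by the device the ISP line plugs into (the ONR here).
    observed_public_ip:  what an external IP-check site reports for a LAN client.
    """
    inner_kind = classify(inner_wan_ip)
    isp_kind = classify(isp_device_wan_ip)
    # Another NAT sits in front of the inner router (double NAT).
    upstream_nat = inner_kind != "public"
    # A NAT sits between the ISP device and the internet: CGNAT range on its WAN,
    # or its WAN address simply is not the one the outside world sees.
    carrier_nat = isp_kind == "cgnat" or isp_device_wan_ip != observed_public_ip
    inbound_possible = not carrier_nat
    if carrier_nat:
        advice = ("ISP-side NAT (CGNAT): unsolicited inbound connections cannot reach you; "
                  "use an outbound tunnel/VPN instead of port forwarding")
    elif upstream_nat:
        advice = ("double NAT: put the inner router's WAN address in the upstream router's DMZ, "
                  "or forward the needed ports there, then forward on the inner router as usual")
    else:
        advice = "single NAT: only the router's own port forwards are needed"
    return {"inner_wan": inner_kind, "isp_wan": isp_kind, "upstream_nat": upstream_nat,
            "carrier_nat": carrier_nat, "inbound_possible": inbound_possible, "advice": advice}


if __name__ == "__main__":
    # Constructed samples: the thread's layout (Asus WAN = 192.168.1.1 from the ONR),
    # first with the ONR holding a real public address, then with the ONR on CGNAT.
    print(diagnose("192.168.1.1", "8.8.8.8", "8.8.8.8"))
    print(diagnose("192.168.1.1", "100.70.3.9", "8.8.8.8"))
```

The `carrier_nat` test is deliberately broader than the 100.64.0.0/10 check alone: some ISPs NAT customers behind ordinary private or even public addresses, and the mismatch between the ISP device's WAN address and the externally observed address catches those cases too.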
 

ColinTaylor

Part of the Furniture
Sounds like it ought to work then. Test this with your public IP address rather than your DDNS name.
 

eibgrad

Part of the Furniture
We need to see if the remote access is even reaching the router.

Code:
iptables -t nat -vnL
iptables -vnL INPUT
 

nfshp253

Occasional Visitor
Sounds like it ought to work then. Test this with your public IP address rather than your DDNS name.
So I should test it with 219.74.197.xxx:8443? If so, it doesn't work. Adding the ASUS' IP address (192.168.1.1) onto the ONR's DMZ should be all that's needed right?
We need to see if the remote access is even reaching the router.

Code:
iptables -t nat -vnL
iptables -vnL INPUT
I don't know what these codes actually mean but here's the output:

Code:
[email protected]:/tmp/home/root# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 15044 packets, 1619K bytes)
 pkts bytes target     prot opt in     out     source               destination
 3081  233K VSERVER    all  --  *      *       0.0.0.0/0            192.168.1.1

Chain INPUT (policy ACCEPT 2828 packets, 255K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 7960 packets, 921K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 7463 packets, 775K bytes)
 pkts bytes target     prot opt in     out     source               destination
10196  816K PUPNP      all  --  *      br101   0.0.0.0/0            0.0.0.0/0
 8282  693K MASQUERADE  all  --  *      br101  !192.168.1.1          0.0.0.0/0
  498  146K MASQUERADE  all  --  *      br0     192.168.50.0/24      192.168.50.0/24

Chain DNSFILTER (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain LOCALSRV (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain MAPE (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PCREDIRECT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
   24  1184 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 to:192.168.50.1:8443
    1    44 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3390 to:192.168.50.250
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3390 to:192.168.50.250
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3389 to:192.168.50.213
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3389 to:192.168.50.213
 3056  232K VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain VUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination
[email protected]:/tmp/home/root# iptables -vnL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   25  3420 INPUT_PING  icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
54046 9885K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   13   596 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
19346 3816K PTCSRVWAN  all  --  !br0   *       0.0.0.0/0            0.0.0.0/0
 5721 1041K PTCSRVLAN  all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5152
 5716 1041K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
16264 3582K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
 3077  233K OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
   24  1184 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.50.1         ctstate DNAT tcp dpt:8443
  111  5556 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    9   476 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:57530:57560
    1    44 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8082
   63  3468 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 INPUT_ICMP  icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 2869  222K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
 

ColinTaylor

Part of the Furniture
Adding the ASUS' IP address (192.168.1.1) onto the ONR's DMZ should be all that's needed right?
If that is your Asus' WAN IP address.

Your Asus' WAN interface looks weird (br101?). How have you got that configured? WAN - Internet Connection > WAN Connection Type should be Automatic IP. Don't enable IPTV (LAN - IPTV).

Can you confirm which firmware version you have installed on the Asus and that it's an RT-AX56U?
Can you also confirm that when you set it up you didn't load a settings file from a previous router but set it up manually?

Is this the same problem you reported before here? In that post you said the problem "suddenly started", implying that it was working but then stopped. Is that correct?
 

nfshp253

Occasional Visitor
Yes, that's the ASUS' WAN IP address (it's the only address assigned by the ONR).

Yes, it's Automatic IP, and IPTV isn't enabled.

Firmware is RMerlin's 386.5_2 on an RT-AX56U. Yes, it was set up manually, since I bought it only about 2 weeks ago.

That was a different problem on a different router on a different network (in my other home).

This is the new iptables output after restarting the ASUS:

Code:
[email protected]:/tmp/home/root# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 1879 packets, 160K bytes)
pkts bytes target     prot opt in     out     source               destination
  155 14657 VSERVER    all  --  *      *       0.0.0.0/0            192.168.1.1

Chain INPUT (policy ACCEPT 926 packets, 66843 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 298 packets, 37870 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 261 packets, 26039 bytes)
pkts bytes target     prot opt in     out     source               destination
  821 63929 PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
  712 56952 MASQUERADE  all  --  *      eth0   !192.168.1.1          0.0.0.0/0
   37 11831 MASQUERADE  all  --  *      br0     192.168.50.0/24      192.168.50.0/24

Chain DNSFILTER (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain LOCALSRV (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain MAPE (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain PCREDIRECT (0 references)
pkts bytes target     prot opt in     out     source               destination

Chain PUPNP (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain VSERVER (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 to:192.168.50.1:8443
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3390 to:192.168.50.250
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3390 to:192.168.50.250
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3389 to:192.168.50.213
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3389 to:192.168.50.213
  155 14657 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain VUPNP (1 references)
pkts bytes target     prot opt in     out     source               destination
[email protected]:/tmp/home/root# iptables -vnL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
   46 62928 INPUT_PING  icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
5095  864K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   96  9679 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
  637  113K PTCSRVWAN  all  --  !br0   *       0.0.0.0/0            0.0.0.0/0
1579  195K PTCSRVLAN  all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5152
1579  195K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
  481 98372 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
  156 14569 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.50.1         ctstate DNAT tcp dpt:8443
    7   380 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:57530:57560
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8082
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 INPUT_ICMP  icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  149 14189 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
 

ColinTaylor

Part of the Furniture
Thanks for confirming that.

So it looks like you've got some traffic for port 8443 successfully arriving at the router.

Code:
Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
   24  1184 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 to:192.168.50.1:8443


Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   24  1184 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.50.1         ctstate DNAT tcp dpt:8443

So I can't think why you're not seeing the connection.
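The check being done by eye here (and again later in the thread when the counters come back as zero) is: does the nat-table DNAT rule for the port show hits, and does the INPUT rule that accepts the DNATed connection show the same hits? The following is an added example, not code from the thread, that parses `iptables -vnL` output and reads those counters. The two dumps embedded in it are excerpts constructed from the first dump posted above; the parser relies only on the column layout `iptables -v` prints (pkts, bytes, target, prot, opt, in, out, source, destination, match text). For a service hosted on the router itself (the GUI on 8443) the accepting rule lives in INPUT; for a forward to a LAN host it lives in FORWARD, so the function looks in both.

```python
"""Parse `iptables -vnL` / `iptables -t nat -vnL` output and read a port forward's counters.

Added example; the dumps are excerpts constructed from the ones posted in this thread.
"""
import re
from typing import Dict, List

# Excerpt of `iptables -t nat -vnL` (nat table).
NAT_DUMP = """\
Chain PREROUTING (policy ACCEPT 15044 packets, 1619K bytes)
 pkts bytes target     prot opt in     out     source               destination
 3081  233K VSERVER    all  --  *      *       0.0.0.0/0            192.168.1.1

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
   24  1184 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 to:192.168.50.1:8443
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3389 to:192.168.50.213
"""

# Excerpt of `iptables -vnL INPUT` (filter table).
FILTER_DUMP = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
54046 9885K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   24  1184 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.50.1         ctstate DNAT tcp dpt:8443
 2869  222K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

_COUNTER = re.compile(r"(\d+)([KMG]?)")
_SCALE = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}   # iptables -v abbreviates with decimal prefixes


def parse_counter(token: str) -> int:
    """'1619K' -> 1619000, '24' -> 24."""
    m = _COUNTER.fullmatch(token)
    if not m:
        raise ValueError(f"not a counter: {token!r}")
    return int(m.group(1)) * _SCALE[m.group(2)]


def parse_iptables(text: str) -> Dict[str, List[dict]]:
    """Return {chain name: [rule dicts]} from -vnL output."""
    chains: Dict[str, List[dict]] = {}
    chain = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            chain = line.split()[1]
            chains[chain] = []
            continue
        if line.startswith("pkts ") or chain is None:
            continue                      # column header, or text before the first chain
        parts = line.split(None, 9)       # keep the match text as one trailing field
        if len(parts) < 9:
            continue
        chains[chain].append({
            "pkts": parse_counter(parts[0]), "bytes": parse_counter(parts[1]),
            "target": parts[2], "prot": parts[3], "in": parts[5], "out": parts[6],
            "src": parts[7], "dst": parts[8], "match": parts[9] if len(parts) > 9 else "",
        })
    return chains


def port_forward_status(nat_text: str, filter_text: str, port: int) -> dict:
    """Find the DNAT rule for `port` and the filter rule accepting it; interpret the counters."""
    want = re.compile(rf"\bdpt:{port}\b")
    dnat = [r for rules in parse_iptables(nat_text).values() for r in rules
            if r["target"] == "DNAT" and want.search(r["match"])]
    flt = parse_iptables(filter_text)
    accept = [r for name in ("INPUT", "FORWARD") for r in flt.get(name, [])
              if r["target"] == "ACCEPT" and "DNAT" in r["match"] and want.search(r["match"])]
    dnat_pkts = sum(r["pkts"] for r in dnat)
    accept_pkts = sum(r["pkts"] for r in accept)
    if not dnat:
        verdict = "no DNAT rule for this port"
    elif dnat_pkts == 0:
        verdict = ("DNAT rule present but never hit: traffic is not reaching this router "
                   "(check the upstream DMZ/forward, the public IP, and that a connection was attempted)")
    elif accept_pkts == 0:
        verdict = "DNAT hit but nothing accepted in the filter table: look at the INPUT/FORWARD rules"
    else:
        verdict = "reaching the router and accepted: the problem is past the firewall"
    return {"port": port, "dnat_rule": bool(dnat), "dnat_pkts": dnat_pkts,
            "accept_pkts": accept_pkts, "verdict": verdict}


if __name__ == "__main__":
    for p in (8443, 3389, 22):
        print(port_forward_status(NAT_DUMP, FILTER_DUMP, p))
```

On a live router the two dumps would come from `iptables -t nat -vnL` and `iptables -vnL` respectively; taking a dump, attempting the connection from outside, and taking a second dump makes the diff in the counters unambiguous, which is exactly the complaint raised later about dumps with zero counts.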
 

nfshp253

Occasional Visitor
Hmm, I'm a bit confused as to how DDNS, DMZ and Port Forwarding works together. I have the ONR running a DDNS, pointing to say test1.example.com. And then I set up DMZ on the ONR to point at the ASUS router (192.168.1.1) and also port forwarding for both 192.168.1.1:443 and 192.168.1.1:8443, should I be able to connect to the Asus WebGUI using test1.example.com:8443? (The ASUS is not running a DDNS).
 

ColinTaylor

Part of the Furniture
If your client resolves test1.example.com to the same IP address as your ONT's public IP address (219.74.197.xxx) then it should work. But DDNS is really unrelated to port forwarding so I suggest that you just use the IP address for testing purposes to avoid any DDNS issues.

Are you testing this from outside your network. e.g. over a mobile LTE connection?

Setting up the DMZ as well as individual port forwarding on the ONR is pointless as they both do the same thing (assuming the ONR works like other consumer routers). It's just that the DMZ option forwards all ports.
 

eibgrad

Part of the Furniture
You set up the DMZ on the primary router (NO port forwarding there), then configure port forwarding on your own router as normal. The point is to have the primary router forward all traffic to your router, as if the primary router did NOT have a firewall of its own, or even exist. Your ASUS router is going to take full responsibility for handling the firewall for that traffic, including defining any port forwards you deem necessary.

The first dump of iptables clearly shows the port forwarding working, at least for the GUI (8443). The second seems similar, although it appears you did NOT attempt to access the GUI remotely in that case, seeing as how the packet count (pkts) field shows ZERO for the relevant rules.

So you need to *try* the port forwards before dumping iptables, else we can't tell the difference between it NOT working vs. you just never tried.
 

ColinTaylor

Part of the Furniture
This is the new iptables output after restarting the ASUS:
Your second iptables dump shows that your WAN interface changed from br101 to the more normal eth0. What did you change?
 

nfshp253

Occasional Visitor
If your client resolves test1.example.com to the same IP address as your ONT's public IP address (219.74.197.xxx) then it should work. But DDNS is really unrelated to port forwarding so I suggest that you just use the IP address for testing purposes to avoid any DDNS issues.

Are you testing this from outside your network. e.g. over a mobile LTE connection?

Setting up the DMZ as well as individual port forwarding on the ONR is pointless as they both do the same thing (assuming the ONR works like other consumer routers). It's just that the DMZ option forwards all ports.
Got it. I've removed the port forwarding and am just using the DMZ. I'm testing it on a mobile LTE connection.

You set up the DMZ on the primary router (NO port forwarding there), then configure port forwarding on your own router as normal. The point is to have the primary router forward all traffic to your router, as if the primary router did NOT have a firewall of its own, or even exist. Your ASUS router is going to take full responsibility for handling the firewall for that traffic, including defining any port forwards you deem necessary.

The first dump of iptables clearly shows the port forwarding working, at least for the GUI (8443). The second seems similar, although it appears you did NOT attempt to access the GUI remotely in that case, seeing as how the packet count (pkts) field shows ZERO for the relevant rules.

So you need to *try* the port forwards before dumping iptables, else we can't tell the difference between it NOT working vs. you just never tried.
My understanding is that I don't need to setup port forwarding for 8443 to test the GUI (since it's in the settings)? I did attempt to access the GUI remotely using test1.example.com:8443 but there's always no response from the server.

Your second iptables dump shows that your WAN interface changed from br101 to the more normal eth0. What did you change?
I think I changed the "Choose IPTV STB Port" back to None. There wasn't a profile selected for the setting above that but LAN3 and LAN4 were set to IPTV previously.


And running those commands again:

Code:
[email protected]:/tmp/home/root# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 120 packets, 8732 bytes)
 pkts bytes target     prot opt in     out     source               destination
   10  1083 VSERVER    all  --  *      *       0.0.0.0/0            192.168.1.1

Chain INPUT (policy ACCEPT 63 packets, 4326 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 31 packets, 4908 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 27 packets, 3123 bytes)
 pkts bytes target     prot opt in     out     source               destination
   52  3626 PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
   47  3316 MASQUERADE  all  --  *      eth0   !192.168.1.1          0.0.0.0/0
    4  1785 MASQUERADE  all  --  *      br0     192.168.50.0/24      192.168.50.0/24

Chain DNSFILTER (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain LOCALSRV (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain MAPE (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PCREDIRECT (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain PUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain VSERVER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 to:192.168.50.1:8443
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3389 to:192.168.50.213
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3389 to:192.168.50.213
   10  1083 VUPNP      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain VUPNP (1 references)
 pkts bytes target     prot opt in     out     source               destination
[email protected]:/tmp/home/root# iptables -vnL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 INPUT_PING  icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
  443 73571 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
   61  8233 PTCSRVWAN  all  --  !br0   *       0.0.0.0/0            0.0.0.0/0
  127 15363 PTCSRVLAN  all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5152
  127 15363 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
   46  6930 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
   15  1303 OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.50.1         ctstate DNAT tcp dpt:8443
    3   164 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:57530:57560
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8082
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 INPUT_ICMP  icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   12  1139 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
 

eibgrad

Part of the Furniture
My understanding is that I don't need to setup port forwarding for 8443 to test the GUI (since it's in the settings)? I did attempt to access the GUI remotely using test1.example.com:8443 but there's always no response from the server.

Correct. I was just explaining the difference between using the DMZ vs. port forwarding on the primary router. If you don't use the DMZ on the primary router, then in fact you DO need to port forward from 8443 (for example) on its WAN and over to your ASUS router. But you don't have to port forward on the ASUS router for services hosted on the router itself (e.g., the GUI/8443), only services hosted behind the router on the LAN.

It just gets confusing to discuss because we have two different routers here, each w/ their own firewall protecting their respective WAN.
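The rules laid out in that post (DMZ or a forward is needed on the primary router in every case; the inner router needs no forward for services it hosts itself, but does for services on its LAN) can be written down as a small model and traced. This is an added example, not code from the thread. The routers and addresses are the ones from this thread; the Asus's locally hosted services are the ones the posted INPUT chain accepts (8443, 22, 21), the forwards are the RDP entries from the VSERVER chain, and 203.0.113.1 (a documentation address) stands in for the ONR's public IP.

```python
"""Model where an unsolicited inbound connection ends up when two NAT routers are chained.

Added example for this thread; standard library only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Service = Tuple[str, int]      # (protocol, port) as seen on a router's WAN side


@dataclass
class Router:
    name: str
    wan_ip: str                                                   # address the upstream side sends to
    local_services: Set[Service] = field(default_factory=set)     # answered by the router itself
    forwards: Dict[Service, Tuple[str, int]] = field(default_factory=dict)  # WAN svc -> (inner host, port)
    dmz_host: Optional[str] = None                                # inner host that gets everything else


def trace(chain: List[Router], proto: str, port: int) -> List[str]:
    """Walk from the outermost router inward and log what happens at each hop.

    The last entry states where the connection terminated."""
    log: List[str] = []
    svc = (proto, port)
    for i, r in enumerate(chain):
        if svc in r.local_services:            # a service on the router itself needs no forward on it
            log.append(f"{r.name}: answered locally on {proto}/{svc[1]}")
            return log
        if svc in r.forwards:                  # explicit port forward wins over the DMZ
            inner, inner_port = r.forwards[svc]
            log.append(f"{r.name}: forward {proto}/{svc[1]} -> {inner}:{inner_port}")
        elif r.dmz_host:                       # DMZ: everything unsolicited goes to one inner host
            inner, inner_port = r.dmz_host, svc[1]
            log.append(f"{r.name}: DMZ -> {inner}:{inner_port}")
        else:                                  # neither: the router's own firewall drops it
            log.append(f"{r.name}: no forward or DMZ for {proto}/{svc[1]}, dropped by its firewall")
            return log
        nxt = chain[i + 1] if i + 1 < len(chain) else None
        if nxt is not None and inner == nxt.wan_ip:
            svc = (proto, inner_port)          # the packet now arrives on the inner router's WAN side
            continue
        log.append(f"delivered to LAN host {inner}:{inner_port}")
        return log
    return log


def thread_setup(onr_dmz: bool) -> List[Router]:
    """The two routers from this thread; `onr_dmz` toggles the DMZ entry on the Nokia."""
    onr = Router("Nokia ONR", wan_ip="203.0.113.1",
                 dmz_host="192.168.1.1" if onr_dmz else None)
    asus = Router("RT-AX56U", wan_ip="192.168.1.1",
                  local_services={("tcp", 8443), ("tcp", 22), ("tcp", 21)},
                  forwards={("tcp", 3389): ("192.168.50.213", 3389),
                            ("udp", 3389): ("192.168.50.213", 3389)})
    return [onr, asus]


if __name__ == "__main__":
    for dmz in (True, False):
        for proto, port in (("tcp", 8443), ("tcp", 3389), ("tcp", 5000)):
            print(f"ONR DMZ={dmz} {proto}/{port}: " + " | ".join(trace(thread_setup(dmz), proto, port)))
```

With the ONR's DMZ pointing at 192.168.1.1, a connection to 8443 terminates on the Asus's own GUI with no forward on the Asus, 3389 reaches the LAN host through the Asus's VSERVER entry, and a port the Asus neither hosts nor forwards is dropped by the Asus; without the DMZ, everything is dropped at the ONR before the Asus ever sees it.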
 

ColinTaylor

Part of the Furniture
And running those commands again:
Was this after attempting to connect to the router again, because there's no traffic being recorded. If you have tried to connect make sure your ONR's public IP address hasn't changed.
 

eibgrad

Part of the Furniture
BTW, I don't see any ports open for AICloud in that dump (which was the basis of this thread). What I see are the GUI (8443), and a couple of RDP port forwards to a LAN device (udp and tcp, 192.168.50.213).

Once again, the packet counts are ZERO. Did you attempt to access those services before dumping iptables?
 
