
Cannot port forward to a machine behind the VPN

Discussion in 'Asuswrt-Merlin' started by madfusker, May 19, 2018.

  1. madfusker

    madfusker Regular Contributor

    Joined:
    Jul 20, 2014
    Messages:
    94
    I have a NAS server running subsonic and have been excluding it from the VPN, mostly just for crashplan backup speed. But now with my 86U I should be able to put it behind the VPN as well. My router that is not inside the VPN does a port forward to the service port of the NAS, and life is good until I put the NAS inside the VPN. How can I still port forward if it goes inside the VPN?

    VPN Policy Rules (strict), columns: Description / Source / Destination / Interface
    All LAN   192.168.1.0/24   0.0.0.0   VPN
    router    192.168.1.1      0.0.0.0   WAN
    NAS       192.168.1.10     0.0.0.0   WAN

    Port forward on the WAN, columns: Service / External port / Local IP / Local port / Protocol
    Subsonic  4041  192.168.1.10  4041  TCP
     
  3. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    5,469
    Location:
    UK
    You can't, it's a contradiction. Port forwarding forwards traffic arriving on the router's WAN IP address to an internal server. The server replies through the same route. If your NAS traffic is being redirected through a VPN service then the incoming traffic would have to come in through this route also.

    The only way I can see where it might work would be if you could somehow create a VPN rule that excluded traffic to and from port 4041 on the NAS. AFAIK that's not an option.
     
  4. madfusker

    madfusker Regular Contributor

    Joined:
    Jul 20, 2014
    Messages:
    94
    Ah, I see. It looks like the NAS will have to stay outside the VPN then. I don't really trust port forwarding on the VPN service, but believe it's possible.
     
  5. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,601
    Location:
    UK
    If the NAS is routed via the VPN, can you try:
    Code:
    #!/bin/sh
    # Send packets carrying fwmark 0x7000 to table 100; prio 9990 is evaluated ahead of higher-numbered rules
    ip rule del fwmark 0x7000/0x7000 2> /dev/null
    ip rule add fwmark 0x7000/0x7000 table 100 prio 9990
    ip route flush cache
    
    NAS_Server='192.168.1.10'
    
    # Remember port 4041 must also already be port forwarded using the normal GUI rules!
    # Mark the NAS's replies leaving from port 4041 (delete first so a re-run does not add a duplicate rule)
    iptables -t mangle -D PREROUTING -i br0 --src "$NAS_Server" -p tcp -m multiport --sport 4041 -j MARK --set-mark 0x7000/0x7000 2> /dev/null
    iptables -t mangle -A PREROUTING -i br0 --src "$NAS_Server" -p tcp -m multiport --sport 4041 -j MARK --set-mark 0x7000/0x7000
     
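The two posts above describe a routing problem and a fwmark-based fix: ColinTaylor's point is that with the NAS policy-routed into the VPN, replies to port-forwarded connections leave through the VPN table, so the connection never completes; Martineau's snippet marks the NAS's port-4041 replies in mangle PREROUTING so that a higher-priority `ip rule` sends them out table 100 instead. The following is an added example, not code from the thread or from the router firmware: it models Linux policy routing (rules evaluated in ascending priority, first match wins) and the MARK target, then runs the NAS's traffic through the model with and without the mark rule. The table names (100 for the WAN side, "ovpnc1" for the VPN client), the priorities of the firmware's own policy rules and the sample packets are all constructed assumptions.

```python
"""Constructed model of the policy routing discussed in this thread (not router code).

Linux consults `ip rule` entries in ascending priority; the first selector that
matches the packet picks the routing table. An iptables mangle PREROUTING rule
can set an fwmark before that lookup, which is what the snippet above relies on
to send the NAS's port-4041 replies out the WAN-side table while everything
else from the NAS keeps going through the VPN.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumed table names: 100 is the table named in the snippet, "ovpnc1" stands
# in for the VPN client's table.
TABLE_WAN = "100"
TABLE_VPN = "ovpnc1"
TABLE_MAIN = "main"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    in_iface: str = "br0"
    mark: int = 0


@dataclass(frozen=True)
class MangleRule:
    """Models: iptables -t mangle -A PREROUTING -i IFACE --src SRC -p PROTO --sport SPORT
    -j MARK --set-mark VALUE/MASK"""
    in_iface: str
    src: str
    proto: str
    sport: int
    value: int
    mask: int

    def matches(self, pkt: Packet) -> bool:
        return (pkt.in_iface == self.in_iface
                and ip_address(pkt.src) in ip_network(self.src, strict=False)
                and pkt.proto == self.proto
                and pkt.sport == self.sport)

    def apply(self, pkt: Packet) -> Packet:
        # MARK --set-mark value/mask: clear the masked bits, then OR in the value
        new_mark = (pkt.mark & ~self.mask) | (self.value & self.mask)
        return replace(pkt, mark=new_mark)


@dataclass(frozen=True)
class IpRule:
    """Models one `ip rule` entry: [from SRC] [fwmark VALUE/MASK] table TABLE prio PRIO"""
    prio: int
    table: str
    src: Optional[str] = None
    fwmark: Optional[int] = None
    fwmask: int = 0xFFFFFFFF

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.fwmark is not None and (pkt.mark & self.fwmask) != (self.fwmark & self.fwmask):
            return False
        return True


def route_packet(mangle: List[MangleRule], rules: List[IpRule], pkt: Packet) -> str:
    """Run PREROUTING mangle, then the policy-routing lookup; return the table chosen."""
    for m in mangle:
        if m.matches(pkt):
            pkt = m.apply(pkt)
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.matches(pkt):
            return rule.table
    return TABLE_MAIN


# Martineau's two rules, expressed in the model.
NAS = "192.168.1.10"
MANGLE_NAS_4041 = [MangleRule("br0", NAS, "tcp", 4041, 0x7000, 0x7000)]
# The priorities of the firmware's own policy rules are constructed; what matters
# is that prio 9990 is evaluated before them.
POLICY_RULES = [
    IpRule(prio=9990, table=TABLE_WAN, fwmark=0x7000, fwmask=0x7000),
    IpRule(prio=10000, table=TABLE_WAN, src="192.168.1.1"),      # router -> WAN
    IpRule(prio=10001, table=TABLE_VPN, src="192.168.1.0/24"),   # all LAN -> VPN
]

# Constructed sample traffic; 203.0.113.x are documentation addresses standing in
# for an Internet Subsonic client and a backup server.
SUBSONIC_REPLY = Packet(src=NAS, dst="203.0.113.5", sport=4041, dport=51876)
NAS_BACKUP = Packet(src=NAS, dst="203.0.113.9", sport=40211, dport=443)


def where_does_it_go(with_mark_rule: bool) -> Dict[str, str]:
    """Table used by each sample packet, with or without the mangle mark rule."""
    mangle = MANGLE_NAS_4041 if with_mark_rule else []
    return {name: route_packet(mangle, POLICY_RULES, pkt)
            for name, pkt in (("subsonic_reply", SUBSONIC_REPLY), ("nas_backup", NAS_BACKUP))}


if __name__ == "__main__":
    print("without mark rule:", where_does_it_go(False))
    print("with mark rule:   ", where_does_it_go(True))
```

Without the mark rule both NAS packets land in the VPN table, which is the asymmetric path ColinTaylor describes: the request arrives on the WAN, the reply leaves via the VPN. With it, only the packets whose source port is 4041 are marked and diverted to table 100, while the NAS's other traffic (here the backup connection) is still policy-routed into the VPN. The practical check on a real router is the same selection logic: `ip rule show` should list the fwmark rule at a lower priority number than the VPN policy rules, and the mangle counters (`iptables -t mangle -L PREROUTING -v -n`) should increment when a client connects to the forwarded port.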