Change in loopback in 384.12?

Discussion in 'Asuswrt-Merlin' started by GSpock, Jul 19, 2019.

  1. GSpock

    GSpock Regular Contributor

    Joined:
    May 19, 2015
    Messages:
    129
    Location:
    Belgium
    Hi,
    I am running 384.12 on an RT-AC87U with an OpenVPN client set up to protect one of my NAS devices.
    The issue I have been having since 384.12 (it was working OK in 384.11) is the following:
    when I try to reach my NAS by its DDNS name from within the LAN, I now get a timeout.
    Can you please confirm whether this is the intended behavior?

    And before someone asks why I would want to access this system via DDNS when connected locally, the answer is quite simple: on my smartphone, which is used out of home most of the time, I need to access the device via its DDNS name (e.g. File Station, Download Station, etc.); it is quite annoying having to change those back to the internal IP of the device when I get back home.

    Thanks,
    GS
     
    Last edited: Jul 19, 2019
  2. PolarBear

    PolarBear Regular Contributor

    Joined:
    Apr 14, 2015
    Messages:
    160
    Location:
    North of the Alps
    I also found this inconvenient. I don't know the answer to the specific question, but I can suggest a workaround.

    If you always access the NAS by its IP address within your home network (for example 192.168.1.xx) then it does not matter whether you are accessing from inside or outside your home network.

    When you are travelling, after you start the OpenVPN connection, all your home network devices are accessible using their internal network addresses. (OpenVPN may have to be configured appropriately to allow this.)

    You will also need to make sure your NAS does not change its internal network address, either by setting a fixed address in the NAS itself, or by reserving a specific IP address in the DHCP setup page of the router.

    I have used this technique to map drive letters on my Windows laptop. It works perfectly, whether I access the NAS using the drive letter from inside the network, or over OpenVPN while travelling.

    (Edited for typos)
     
  3. GSpock

    GSpock Regular Contributor

    Joined:
    May 19, 2015
    Messages:
    129
    Location:
    Belgium
    Thanks for your answer, but your scenario does not apply to my case. I am not using an openvpn client to connect to the NAS; the NAS is connected to the internet as an openclient thru the router. It then connects to a VPN server ...
     
  4. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,119
    Location:
    UK
    I can't quite follow where the VPN client and server are in your setup and how that relates to your issue. And how does the VPN "protect" the NAS, policy based routing? Are you still connecting over a VPN even when you are connected to your LAN locally?

    I'm not aware of any changes with NAT loopback in 384.12 but there was a change regarding the router's VPN client.
    Code:
    384.12 (22-June-2019)
    
      - CHANGED: Inbound traffic sent to you through an OpenVPN client
                 will now be dropped by default.  This can be changed
                 through the new "Inbound Firewall" parameter found
                 on the OpenVPN client page.  You should only change
                 this to "Allow" if running a site2site tunnel with
                 a trusted remote server, or if you do expect
                 traffic to be forwarded to you through the tunnel.
     
  5. GSpock

    GSpock Regular Contributor

    Joined:
    May 19, 2015
    Messages:
    129
    Location:
    Belgium
    OK, sorry if I was not clear enough.
    The NAS is added in the "Rules for routing client traffic through the tunnel" of VPN client 2. This one connects to a VPN server (dedicated IP), so the NAS always has the same public IP. (BTW, this is the only device defined there, hence my comment that the NAS is protected via the VPN.)
    When the tunnel goes down, the NAS cannot access the internet anymore thanks to the kill switch, and this is the desired behavior.
    When I am connected to my LAN (either wired or wireless) I cannot access the NAS via its DDNS name; I must use either its IP or its local name.
    BTW, I also changed the "Inbound Firewall" to Allow, but this does not change anything.

    Last, if I remove the NAS from the "VPN protection", then I can access it locally via its DDNS name, hence my conclusion that it is "VPN" related ...
    Hope this clarifies the set-up.
    Thx
     
    Last edited: Jul 19, 2019
  6. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,853
    Location:
    Canada
    I suspect it's the firewall on the NAS that blocks traffic coming from the VPN tunnel's IP range. Check your NAS configuration.
     
  7. GSpock

    GSpock Regular Contributor

    Joined:
    May 19, 2015
    Messages:
    129
    Location:
    Belgium
    Thanks.
    I did not do anything at the NAS level at all, since the connection to the VPN server is made by the router itself. I am not even sure there is a firewall at the NAS level when you use it "out-of-the-box" as I do.
    The only thing I saw in the network config is this (but it has been set up automatically):
    [Attached image: upload_2019-7-19_16-21-21.png]

    Rgds.