Change in loopback in 384.12 ?

GSpock

Senior Member
Hi,
I am running 384.12 on RT-AC87U with an openvpn client set up to protect one of my NAS devices.
The issue I am now having since 384.12 (was working OK in 384.11) is the following:
when I try to reach my NAS with its DDNS name from within the LAN, I am now getting a timeout.
Can you please confirm if it is the intended behavior?

And before someone asks why I would want to access this system via DDNS when connected locally, the answer is quite simple: on my smartphone, used most of the time when out of home, I need to access the device via its DDNS (e.g. file station, download station, etc.); it is quite annoying having to change those back to the internal IP of the device when I get back home.

Thanks,
GS
 
I also found this inconvenient. I don't know the answer to the specific question, but I can suggest a workaround.

If you always access the NAS by its IP address within your home network (for example 192.168.1.xx) then it does not matter whether you are accessing from inside or outside your home network.

When you are travelling, after you start the OpenVPN connection, all your home network devices are accessible using their internal network addresses. (OpenVPN may have to be configured appropriately to allow this.)

You will also need to make sure your NAS does not change its internal network address, either by setting a fixed address in the NAS itself, or by reserving a specific IP address in the DHCP setup page of the router.

I have used this technique to map drive letters on my Windows laptop. It works perfectly, whether I access the NAS using the drive letter from inside the network, or over OpenVPN while travelling.

(Edited for typos)
 
Thanks for your answer, your scenario does not apply to my case. I am not using an openvpn client to connect to the NAS, the NAS is connected to the internet as an openclient through the router. It then connects to a VPN server ...
 
I can't quite follow where the VPN client and server are in your setup and how that relates to your issue. And how does the VPN "protect" the NAS, policy based routing? Are you still connecting over a VPN even when you are connected to your LAN locally?

I'm not aware of any changes with NAT loopback in 384.12 but there was a change regarding the router's VPN client.
Code:
384.12 (22-June-2019)

  - CHANGED: Inbound traffic sent to you through an OpenVPN client
             will now be dropped by default.  This can be changed
             through the new "Inbound Firewall" parameter found
             on the OpenVPN client page.  You should only change
             this to "Allow" if running a site2site tunnel with
             a trusted remote server, or if you do expect
             traffic to be forwarded to you through the tunnel.
 
OK, sorry if I was not clear enough.
The NAS is added in the "Rules for routing client traffic through the tunnel" of the VPN client 2. This one connects to a VPN server (dedicated IP), so the NAS always has the same public IP. (BTW, this is the only device defined there, hence my comment that the NAS is protected via the VPN.)
When the tunnel goes down, the NAS cannot access the internet anymore thanks to the kill switch, and this is the desired behavior.
When I am connected to my LAN (either wired or wireless) I cannot access the NAS via its DDNS name, I must use either its IP or its local name.
BTW, I also changed the "Inbound Firewall" to Allow, but this does not change anything.

Last, if I remove the NAS from the "VPN protection", then I can access it locally via its DDNS name, hence my conclusion that it is "VPN" related ...
Hope this clarifies the set-up.
Thx
 
I suspect it's the firewall on the NAS that blocks traffic coming from the VPN tunnel's IP range. Check your NAS configuration.
 
Thanks.
I did not do anything at the NAS level at all, since the connection to the VPN server is made by the router itself. I am not even sure there is a firewall at NAS level when you use it "out-of-the-box" as I do.
The only thing I saw in the network config is this (but it has been set-up automatically):
[Attached image: upload_2019-7-19_16-21-21.png]

Rgds.
 