DMZ being overridden by VPN NAT - How to fix?

[cplay]

I'm trying to get nat type open for one xbox console only.

I have set a static IP and xbox is connecting through this static IP that has also been set as the DMZ IP address.

The issue is I need to run the VPN on this IP also and I believe the "create nat on tunnel" setting in the VPN configuration is adding NAT to that IP even though I have the IP listed in the DMZ zone.

Anyways around this?

Do I need to create nat on VPN tunnel?

 

[MaziahBebop]

I'm trying to get nat type open for one xbox console only.

I have set a static IP and xbox is connecting through this static IP that has also been set as the DMZ IP address.

The issue is I need to run the VPN on this IP also and I believe the "create nat on tunnel" setting in the VPN configuration is adding NAT to that IP even though I have the IP listed in the DMZ zone.

Anyways around this?

Do I need to create nat on VPN tunnel?

DMZ and VPN on the same static LAN ip sounds like something that is not meant to be. Someone else correct me if wrong, but it seems impossible to set that up without NAT conflicts .

 

[ColinTaylor]

If you're using a commercial VPN service (as opposed to a LAN to LAN VPN) you can't avoid double NAT. You would need to create an exclusion so that the Xbox doesn't go through the VPN (and is in your DMZ). This is not possible AFAIK with stock firmware which I assume you have as you have posted this in the "Asus Wireless" forum.

 

[cplay]

DMZ and VPN on the same static LAN ip sounds like something that is not meant to be. Someone else correct me if wrong, but it seems impossible to set that up without NAT conflicts .

This is what I thought - which leaves me with two options:

1. Disable NAT on the router and just have "create nat on tunnel" enabled for the VPN (all ips are routed through the VPN).
2. Leave NAT enabled on the router and disable "create nat on tunnel" for the VPN.


What do you think?

 

[cplay]

If you're using a commercial VPN service (as opposed to a LAN to LAN VPN) you can't avoid double NAT. You would need to create an exclusion so that the Xbox doesn't go through the VPN (and is in your DMZ). This is not possible AFAIK with stock firmware which I assume you have as you have posted this in the "Asus Wireless" forum.

I'm using Astrill with opvn certificate on Merlin (realise now posted in wrong section) and need the xbox IP to go through the vpn.

I'm pretty sure the VPN tunnel is overriding the DMZ - if only you could create DMZ for one IP with VPN enabled and that IP routed through it.

So the only options are;


1. Disable NAT on the router and just have "create nat on tunnel" enabled for the VPN (all ips are routed through the VPN).
2. Leave NAT enabled on the router and disable "create nat on tunnel" for the VPN.

?

 

[ColinTaylor]

You're fundamentally misunderstanding how a VPN works. You cannot turn off "Create NAT on tunnel" with a commercial VPN provider.

You cannot turn off NAT on the router because you will not have a working connection to the internet (and therefore the VPN will also not work).

Unless Astrill offers a service whereby they will forward a (single) port on your behalf (some VPN providers do this) you cannot avoid the double NAT over VPN. The only alternative is to not use the VPN for the Xbox in which case you will have normal NATing and the option to put the Xbox in the DMZ.