Internal network configuration

[Mikuni]

Hi everyone, I need help to solve this problem.

My home configuration is:

Fritzbox 7490 modem router connected to internet with optical fiber (FTTC), ip 192.168.178.1.

Router Asus RT-AC86U Merlin 384.8_2 connected to the Fritzbox to Wan port, ip 192.168.178.25.

In the Asus subnet I connected the hardware, Tv, Pc, Sat etc. with ip 192.168.1.XX.

On two IP addresses I use OpenVPN and on others I do not.

Being two different networks, is there a way to make them visible by both routers as if they were a Lan-Lan network?

I'll explain…

For example, I connect Wi-Fi to the Fritzbox's wireless network with my Iphone, I can see my hardware connected to the Asus subnet 192.168.1.1?

I tried to do Port Forwarding but without result.

I also tried in the Fritbox to fully open (DMZ) to the ip 192.168.178.25!

Is there any of you who could post me an example of configuration?

Thank you

 

[ApexRon]

Because you are using a double NAT solution, the answer is no. However, on the RT-AC86U you can turn off NAT and DHCP server. I presume that would make the ASUS perform more as a bridge wherein DHCP services would be provided by the Fritzbox but I don't know.

I ran a configuration similar to your's for years but I had configured the equivalent of your Fritzbox such that it was nothing more than a modem (WiFi was turned off). In other words, all of my devices ran off my ASUS (WiFi and LAN).

 

[Mikuni]

Thank you very much for your response.

In your opinion is a model router problem or the type of configuration that I want to do very particular?

My idea was to continue to use the Fritzbox especially for remote access, has a very fast app that connects from the web with dedicated DNS (that dell'Asus is very slow ...) and I was interested to use it too to access the main Asus page as well as other connected hardware.

 

[ApexRon]

In your opinion is a model router problem or the type of configuration that I want to do very particular?

No, the problem is that there are no routing protocols available at this price point. Additionally, the use NAT on ASUS router prevents bridging the two LAN.

Why are you using ASUS?

 

[martinr]

Are you sure you are totally happy with the security implications of direct web access to the Fritzbox (via the fast app)?

 

[Zonkd]

Solving this would simply require a static route configured on the fritz, am I right?

If I’m understanding you correctly, you have the 2 routers in double NAT, the ASUS behind the fritz and you want clients connected to ASUS (192.168.1.0/24) reachable by any client connected to the fritz (192.168.178.0/24)

Is there any other reason besides fastapp that you don’t just bridge the fritz and give your AC86U the ability to handle all routing? Then you can easily run a few VPN servers on the ASUS for all your remote access needs. No double NAT. No need for static routes or port forwarding. The ASUS firewall can do it’s thing properly.

 

[ApexRon]

Solving this would simply require a static route configured on the fritz, am I right?

@Zonkd I went through the manual for the Fritzbox and could not find an option for static route.

 

[Zonkd]

@Zonkd I went through the manual for the Fritzbox and could not find an option for static route.

Google turned up a couple results for static routes with fritz and it looks like it may support static routes like the ASUS does. Do you guys have this?

http://help.blockless.com/customer/...o-setup-static-routes-on-your-fritzbox-router


Also read

https://en.avm.de/service/fritzbox/...nfiguring-a-static-IP-route-in-the-FRITZ-Box/

 

[ApexRon]

@Zonkd So another incomplete manufacturer manual.

Based on what you found, devices on the Fritzbox and from the internet may be able to find devices on ASUS LAN. However, devices on the ASUS LAN will not be able to find devices on the Fritzbox because of NAT use.

 

[Zonkd]

@Zonkd So another incomplete manufacturer manual.

Based on what you found, devices on the Fritzbox and from the internet may be able to find devices on ASUS LAN. However, devices on the ASUS LAN will not be able to find devices on the Fritzbox because of NAT use.

Tried disabling firewall for the ASUS? Ensure WAN side firewall remains enabled for the Fritz. Tried a second static route on the ASUS? Tried making sure ASUS has its wan dns set to the fritz router? If I recall correctly, it worked for me without doing anything. Ip addresses not within the ASUS local subnet will be sent via wan to the fritz, where they should be resolved.

 

[Mikuni]

Solving this would simply require a static route configured on the fritz, am I right?

If I’m understanding you correctly, you have the 2 routers in double NAT, the ASUS behind the fritz and you want clients connected to ASUS (192.168.1.0/24) reachable by any client connected to the fritz (192.168.178.0/24)

Is there any other reason besides fastapp that you don’t just bridge the fritz and give your AC86U the ability to handle all routing? Then you can easily run a few VPN servers on the ASUS for all your remote access needs. No double NAT. No need for static routes or port forwarding. The ASUS firewall can do it’s thing properly.

Hello,

It's just what I'd like to do

I try to give an explanation to what I have and why I would like to do .....

1) I have the Fritzbox 7490 which was delivered to me by the internet provider I am subscribed to.

2) Then I wanted an OpenVPN service to connect my TV and my Satbox, Fritzbox does not manage OpenVPN, so I bought the Asus RT-AC86U with fw Merlin to have the VPN only on two IP, (Tv and Satbox), all works well!

I continue to use the Fritzbox as a modem.

3) I do not like having the Wi-Fi signal always on and I have the routers at home in an uncomfortable position. Also for this reason I like to keep the Fritbox. For example, when my son turns on the Wi-Fi connection by typing the command from the phone's keypad, this is a very useful function. I prefer this possibility to the setting of time.

4) What I'd like to do is for example if I'm connected to Fritzbox Wi-Fi 192.168.178.1 enter the access page of Asus, 192.168.178.25 (Wan port) or always from Fritzbox enter the login page of Satbox, Subnet IP 192.168.1.123.

All this also from the web with the My Fritz DNS service I activated.

5) Last question: I have also activated the Asus remote DNS service, xxxxxx.Asuscomm.com

If from the web I try to connect with my iPhone using the DDNS service with the APP of Asus

I can give some simplified commands present in the APP, but I can not for example see the main login page of the router, wan 192.168.178.25, lan 192.168.1.1.

You can see using the Asuscomm.com service the subnet 192.168.1.xx (login Asus, login satbox etc.) ??


I hope the questions are understandable!!


Thank you all

 

[Mikuni]

This is my situation with static routes

 

[Zonkd]

I think I understand most of what you are asking to do, but I'm not a fan of the way you're trying to do it. It's extra complicated and less secure. If you're not a network guru you could get confused, make mistakes, introduce security holes, forget how you've configured it and struggle to maintain it when something changes. With an unusual network config you'll also have a harder time getting support on the forums. Answers may be less accurate. I can't really help you with this. I don't own a fritz. Too complex.

2) Then I wanted an OpenVPN service to connect my TV and my Satbox, Fritzbox does not manage OpenVPN, so I bought the Asus RT-AC86U with fw Merlin to have the VPN only on two IP, (Tv and Satbox), all works well!

I continue to use the Fritzbox as a modem.

Read below to check I'm understanding...

So to clarify, what you mean to say is that the only reason you purchased the AC86U was because it supported running OpenVPN CLIENT to route specific clients through a VPN service? In this case you want to route only your TV and Satbox through the VPN, presumably for the purpose of bypassing content geoblocking?

Also to be sure I understand, you are NOT wanting to run an OpenVPN SERVER on the AC86U router for remote access to your LAN? Instead, for remote access you wish to rely only on your mobile phone's Fritz fastapp to remotely access the Fritz subnet... and from there you want to be able to login to the AC86U web UI to toggle wifi on/off. On top of that, any device connected to the fritz subnet should also be able to reach all clients connected to the AC86U.

Lastly to clarify, you don't plan to use the Fritzbox for Wi-Fi, only for the remote access feature? You are wishing to use the AC86U as your primary router for home wifi and to connect all LAN devices?

Did I get all that right?

Ultimately to do it your way would require a static route on the Fritz to the AC86U subnet, and probably disabling the firewall on the AC86U. Fritz presumably has some DDNS service built in to sync your current home IP address with their fastapp for remote access. In that case you should NOT use the DDNS service on the ASUS.

Sidebar: it's ill advised (unsafe) to use manufacturer operated DDNS because hackers know .asuscomm.com points them exclusively to ASUS hardware. They can more easily target those devices with a mass exploit.​

You're far better off just bridging the Fritz (if possible) and relying entire on the AC86U to run an OpenVPN server (or whatever other protocol you wish, ie IPSec) for remote access from your phone, and to run the OpenVPN client for routing your TV and satbox through another VPN service.

 

[Mikuni]

Hi,

In general, are all router remote access services risky?

Or is the system used by Asus risky?

In the meantime, for greater security I followed your advice and I deactivated the DDNS service of Asuscomm.com.

To remotely access a router securely, can I establish a private connection with my smartphone using OpenVPN? Do you have any guide to suggest?

To clarify the Fritzbox I especially need the modem part, also I really like the ease of management and the App, very intuitive!

In conclusion I would like at least to use the Myfritz DNS service to access the Asus access interface, for example, to turn on the wi-fi or to access the Satbox interface (192.168.1.123) to program the recording of the program remotely.

Thanks