NAT problem (Asus RT-AX88U Pro, Merlin 3006.102.4, Starlink, PureVPN with dedicated IP and Port forwarding)

[YvesBk]

Greetings from Switzerland,

I've been struggling for 2 days to get NAT to work on my new Asus RT-AX88U Pro router with Merlin firmware 3006.102.4.

I have a new Starlink connection but need to access my MDaemon mail server (port 443) and my Jeedom home automation server from the outside. As Starlink residential doesn't allow personal IP (CG-NAT), I bought a PureVPN subscription with dedicated IP and port forwarding.

For testing purposes, I used a line of Python to create a mini web server, which works fine locally on http://192.168.2.40:8080/.

On the PureVPN side, I've enabled all ports for port forwarding.

On the Asus side, I set up a NAT from port 8080 to 192.168.2.40:8080.

I've also (ChatGPT suggestion...) added in /jffs/scripts/nat-start:

VPN_IF="tun11"
VPN_PORT="8080"
DEST_IP="192.168.2. 40"
DEST_PORT="8080"
iptables -t nat -A PREROUTING -i $VPN_IF -p tcp --dport $VPN_PORT -j DNAT --to-destination $DEST_IP:$DEST_PORT
iptables -A FORWARD -i $VPN_IF -p tcp --dport $VPN_PORT -d $DEST_IP -j ACCEPT

Then:
chmod +x /jffs/scripts/nat-start
sh /jffs/scripts/nat-start

but I can't display my web page with 172.x.x.x:8080 (my PureVPN fixed ip).

Note that PureVPN gave me xxx.pointtoserver.com in addition to the IP. But curiously, a ping on this domain name points to another IP. I've contacted their support, and they tell me it's normal, that there's load balancing going on.

What's wrong? Can I access Asus logs to see if traffic is coming in?

 

[bennor]

I have a new Starlink connection but need to access my MDaemon mail server (port 443) and my Jeedom home automation server from the outside.

Welcome. A suggestion. Before buying PureVPN subscription service, did you try using the router's VPN server option and DDNS option to setup remote access to both the router and the router's local network?

Also, do not use ChatGPT or any other "AI" when it comes to complex router settings or scripting code. "AI" often gets things wrong with respect to complex router setup. Instead search the forum here, if you haven't done so already, as there are many scripting examples posted.

Edit to add: Also note that Starlink may block certain inbound and outbound ports: What ports does Starlink block?

 

[YvesBk]

Welcome. A suggestion. Before buying PureVPN subscription service, did you try using the router's VPN server option and DDNS option to setup remote access to both the router and the router's local network?

Also, do not use ChatGPT or any other "AI" when it comes to complex router settings or scripting code. "AI" often gets things wrong with respect to complex router setup. Instead search the forum here, if you haven't done so already, as there are many scripting examples posted.

Edit to add: Also note that Starlink may block certain inbound and outbound ports: What ports does Starlink block?

Thanks bennor for the answer.

With Starlink's residential subscription, it's impossible to do inbound NAT, the public IP you receive is shared with others (CG-NAT) so even with a DDNS you can't reach it, plus Starlink blocks inbound connections on CG-NAT.

The Professional subscription gives you a dedicated IP and inbound NAT, but not on all ports. Plus the subscription is limited in data volume. For the price of a residential subscription, 50 Swiss francs per month with unlimited volume, you can have a pro subscription, but limited to 50 GB/month, a volume easily exceeded if you watch TV.

 

[YvesBk]

Welcome. A suggestion. Before buying PureVPN subscription service, did you try using the router's VPN server option and DDNS option to setup remote access to both the router and the router's local network?

Also, do not use ChatGPT or any other "AI" when it comes to complex router settings or scripting code. "AI" often gets things wrong with respect to complex router setup. Instead search the forum here, if you haven't done so already, as there are many scripting examples posted.

Edit to add: Also note that Starlink may block certain inbound and outbound ports: What ports does Starlink block?

Clearly ChatGPT isn't up to the challenge of complex configurations!

 

[Crimliar]

You want to know how bad ChatGPT is: ChatGPT "Absolutely Wrecked" at Chess by Atari 2600 Console From 1977

 

[YvesBk]

You want to know how bad ChatGPT is: ChatGPT "Absolutely Wrecked" at Chess by Atari 2600 Console From 1977

I would be delighted to receive competent human help

 

[ColinTaylor]

but I can't display my web page with 172.x.x.x:8080 (my PureVPN fixed ip).

Note that PureVPN gave me xxx.pointtoserver.com in addition to the IP. But curiously, a ping on this domain name points to another IP. I've contacted their support, and they tell me it's normal, that there's load balancing going on.

What is the second octet of the 172 address? Addresses from 172.16.0.0 to 172.31.255.255 are private addresses not public. Perhaps you should be using the IP address associated with your pointtoserver.com name?

 

[YvesBk]

What is the second octet of the 172 address? Addresses from 172.16.0.0 to 172.31.255.255 are private addresses not public. Perhaps you should be using the IP address associated with your pointtoserver.com name?

172.111.x.x

I've done a tracert, it seems there is a problem:

C:\Users\ybo>tracert 172.111.x.x

Détermination de l’itinéraire vers 172.111.x.x avec un maximum de 30 sauts.

1 24 ms 4 ms 9 ms 10.101.100.216
2 * * * Délai d’attente de la demande dépassé.
3 * * * Délai d’attente de la demande dépassé.
4 124 ms 75 ms 47 ms 212.161.253.139
5 * * * Délai d’attente de la demande dépassé.
6 75 ms 34 ms 33 ms zur01lsr01.ae10.bb.sunrise.net [212.161.150.30]
7 * * * Délai d’attente de la demande dépassé.
8 105 ms 50 ms 68 ms de-fra11b-rc1-ae-7-0.aorta.net [84.116.132.178]
9 120 ms 38 ms 57 ms de-fra02a-ri1-ae-48-0.aorta.net [84.116.130.62]
10 * * * Délai d’attente de la demande dépassé.
11 119 ms 38 ms 59 ms be-200-3905.core2n.fra2.de.m247.ro [193.27.15.178]
12 88 ms 45 ms 40 ms vlan3903.core1.fra4.de.m247.ro [37.120.220.134]
13 136 ms 40 ms 41 ms 146.70.0.55
14 86 ms 41 ms 43 ms vlan2933.as17.fra4.de.m247.ro [185.94.195.71]
15 85 ms 237 ms 41 ms 37.120.196.18
16 * * * Délai d’attente de la demande dépassé.
17 * * * Délai d’attente de la demande dépassé.
18 * * * Délai d’attente de la demande dépassé.
19 * * * Délai d’attente de la demande dépassé.
20 * * * Délai d’attente de la demande dépassé.
21 * * * Délai d’attente de la demande dépassé.
22 * * * Délai d’attente de la demande dépassé.
23 * * * Délai d’attente de la demande dépassé.
24 * * * Délai d’attente de la demande dépassé.
25 * * * Délai d’attente de la demande dépassé.
26 * * * Délai d’attente de la demande dépassé.
27 * * * Délai d’attente de la demande dépassé.
28 * * * Délai d’attente de la demande dépassé.
29 * * * Délai d’attente de la demande dépassé.
30 * * * Délai d’attente de la demande dépassé.

I've started a chat with PureVPN