VPN issues after new ISP equipment

TheLuffe
DD-WRT Novice


Joined: 27 May 2017
Posts: 8

Posted: Fri Mar 06, 2020 3:11    Post subject: VPN issues after new ISP equipment
This was originally posted on the Marvell subforum, but I was told I might have better luck here for a solution to my problem.

I've had some strange behaviour with my network after I switched ISP equipment and somewhat changed my network setup.

Old setup:
ISP Router(DHCP server)/Fibermodem ----> LAN PORT----> WRT3200ACM -> NAS(DS918+)

New setup:
Fibermodem ----> WAN PORT ----> WRT3200ACM(DHCP Server) -> NAS

So in short, all that's changed is that the ISP router/modem combo is replaced with only a fibermodem, and the modem is connected to the WRT3200ACM through the WAN port instead of the LAN port on the previous setup. Furthermore, the 3200ACM is now the DHCP server on the network, though the NAS has a static IP.

The problem:
I use the WRT3200ACM to connect to my VPN provider, Torguard, through OpenVPN. The VPN connection seems completely stable after the network change, and the only device using the VPN is my NAS, which I regularly connect to outside my own home network, for example when I am at work. This leads me to the problem: the external access doesn't really work. By really I mean that it is EXTREMELY slow in such a way that it is completely unusable. It takes several minutes to even load the login screen to my NAS, if it even loads at all. Right now it doesn't even try loading and just turns up a completely white page with no error or information.

What I have tried:
I suspected that my new ISP and the modem equipment somehow interfered with the VPN connection, so I tried disabling the VPN connection on the 3200ACM and set it up directly on my NAS. After I did that, my external access came back to normal speed immediately. Therefore I strongly suspect my problem is somehow related to the WRT3200ACM router.

After my post on the Marvell subforums I've tried updating my firmware to see if the problem was related to the build I was running. I tried two different builds but the problem still persists.

I am, however, a giant network novice, and I just don't understand what the issue could be. Especially seeing as the external access is not completely gone all the time. Could it have something to do with the change to the WAN port, which I have never used before?

I took a screenshot of the configuration page of the VPN, which you can see below. If there's any other information you need to help me troubleshoot, I'll gladly provide it.



WRT3200ACM is running the firmware version:

DD-WRT v3.0-r42557 std (02/28/20)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5789
Location: Netherlands

Posted: Fri Mar 06, 2020 11:58
The problem is it should not work at all in this setup.

You are connecting via the WAN interface to your NAS and the NAS sends return traffic via the VPN (as it is in the PBR field); your firewall should not allow that kind of split tunnelling.

You can try to reach your NAS via the VPN, so actually connect via your external IP address of the VPN and on the VPN port forward to your router. Some VPN providers allow port forwarding, you can check your provider.

Another solution is to run a VPN server on your router and then connect to the VPN server on your router; via that connection you should be able to reach your NAS (I think) as there is a local route to your VPN server which should trump the default route out via your VPN client (at least on modern builds which copy local routes to the PBR table (table 10)).

Yet another solution is to use split tunnel based on port, i.e. your NAS is running transmission and only the transmission port is routed via the VPN and other ports not, so that you can contact your NAS.

But maybe my holiday has given me brain damage because I would expect that in your setup it would be impossible to contact your NAS Sad

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard server setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Wireguard client setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324624
Wireguard Advanced setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324787
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
TheLuffe
DD-WRT Novice


Joined: 27 May 2017
Posts: 8

Posted: Fri Mar 06, 2020 14:11
egc wrote:
The problem is it should not work at all in this setup.

You are connecting via the WAN interface to your NAS and the NAS sends return traffic via the VPN (as it is in the PBR field); your firewall should not allow that kind of split tunnelling.

You can try to reach your NAS via the VPN, so actually connect via your external IP address of the VPN and on the VPN port forward to your router. Some VPN providers allow port forwarding, you can check your provider.

Another solution is to run a VPN server on your router and then connect to the VPN server on your router; via that connection you should be able to reach your NAS (I think) as there is a local route to your VPN server which should trump the default route out via your VPN client (at least on modern builds which copy local routes to the PBR table (table 10)).

Yet another solution is to use split tunnel based on port, i.e. your NAS is running transmission and only the transmission port is routed via the VPN and other ports not, so that you can contact your NAS.

But maybe my holiday has given me brain damage because I would expect that in your setup it would be impossible to contact your NAS Sad


I think I have explained my situation badly; I guess it's my inexperience that makes it hard to explain properly.

The procedure when I normally get external access to my NAS outside my home network is as follows:

Connect to the dedicated Torguard VPN IP with the specified port number through DDNS, example: https://ddwrt.synology.com:5001
I have the port forwarding service on Torguard on my dedicated IP, so all the ports that I use are definitely open.
Port 5001 is routed through the WRT3200ACM with a firewall command like this:

iptables -I FORWARD -i tun1 -p udp -d 192.168.1.150 --dport 5001 -j ACCEPT
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.150 --dport 5001 -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 5001 -j DNAT --to-destination 192.168.1.150
iptables -t nat -I PREROUTING -i tun1 -p udp --dport 5001 -j DNAT --to-destination 192.168.1.150

I have done the above routing for several different applications on the NAS, like torrents, Plex, Sonarr, Radarr and so on, and I have never had a problem accessing any of the different applications using their specified port number outside my local network.

Hope I explained myself a bit better now Smile
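
The post above pairs each DNAT rule on tun1 with a FORWARD ACCEPT rule for the same protocol, address and port. As an added example (not part of the original post), this audit parses such command lines and reports forwards that lack their partner; the extra port 32400 rule and the function names are constructed for illustration.

```python
import shlex

# Constructed sample: the four rules from the post, plus one extra DNAT
# (port 32400 is a made-up value) that has no FORWARD rule.
RULES = """\
iptables -I FORWARD -i tun1 -p udp -d 192.168.1.150 --dport 5001 -j ACCEPT
iptables -I FORWARD -i tun1 -p tcp -d 192.168.1.150 --dport 5001 -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 5001 -j DNAT --to-destination 192.168.1.150
iptables -t nat -I PREROUTING -i tun1 -p udp --dport 5001 -j DNAT --to-destination 192.168.1.150
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 32400 -j DNAT --to-destination 192.168.1.150
"""

# iptables options this audit reads, mapped to field names.
FLAGS = {"-t": "table", "-I": "chain", "-A": "chain", "-i": "iface",
         "-p": "proto", "-d": "dst", "--dport": "dport", "-j": "target",
         "--to-destination": "to"}


def parse_rule(line):
    """Turn one iptables command line into a dict of the audited fields."""
    rule = dict.fromkeys(FLAGS.values())
    rule["table"] = "filter"  # iptables default when -t is absent
    tokens = shlex.split(line)
    for flag, value in zip(tokens, tokens[1:]):
        if flag in FLAGS:
            rule[FLAGS[flag]] = value
    return rule


def audit(text, vpn_if="tun1"):
    """Compare DNAT rules on the VPN interface with FORWARD ACCEPT rules."""
    dnat, accept = set(), set()
    for line in text.splitlines():
        if not line.strip().startswith("iptables"):
            continue
        r = parse_rule(line)
        if r["iface"] != vpn_if:
            continue
        kind = (r["table"], r["chain"], r["target"])
        if kind == ("nat", "PREROUTING", "DNAT") and r["to"]:
            # FORWARD sees the rewritten address (and port, if remapped).
            ip, _, port = r["to"].partition(":")
            dnat.add((r["proto"] or "any", ip, port or r["dport"] or "any"))
        elif kind == ("filter", "FORWARD", "ACCEPT"):
            accept.add((r["proto"] or "any", r["dst"] or "any", r["dport"] or "any"))
    return {"dnat_without_forward": sorted(dnat - accept),
            "forward_without_dnat": sorted(accept - dnat)}


if __name__ == "__main__":
    print(audit(RULES))
```

A FORWARD ACCEPT with no DNAT is worth reviewing too, since it opens a path into the LAN from the tunnel that no port forward uses.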
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5789
Location: Netherlands

Posted: Fri Mar 06, 2020 14:46
Your port forwarding seems fine.

The solution:
Disable the "CVE 14899 Mitigation" (second radio button in the GUI), reboot after saving and applying

If that does not work you will get your money back Wink

mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1537
Location: Canada

Posted: Fri Mar 06, 2020 15:29
egc wrote:
But maybe my holiday has given me brain damage... Sad


It's okay, it's not permanent damage. I go through it all the time Wink

_________________
Home Network on Telus PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway WiFi 3xWireGuard - DDWRT r43652 Std
WHR-HP-G54 - Internal Routing - DDWRT r35531 std-special
2x E3000 - Gateway Wired IPTV - DDWRT r35652 Mega
E3000 - TRAVEL Wireless Client WireGuard(+25Mbit/s) - DDWRT r43516 Mega

Off Site 1

R7000 - Gateway, WiFi & WireGuard - DDWRT r43652 Std
WRT610Nv1 - Client Bridge - DDWRT r33679 Mega K2.4

Off Site 2

R7000 - Gateway & WiFi - DDWRT r43217 Std
E2000 - Wired PVR Blocker - DDWRT r35531


YAMon 3.4.6 | DNSCrypt-Proxy V2
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 5789
Location: Netherlands

Posted: Fri Mar 06, 2020 15:42
mac913 wrote:
egc wrote:
But maybe my holiday has given me brain damage... Sad


It's okay, it's not permanent damage. I go through it all the time Wink


Thanks mac for the reassurance Very Happy

TheLuffe
DD-WRT Novice


Joined: 27 May 2017
Posts: 8

Posted: Fri Mar 06, 2020 17:12
egc wrote:
Your port forwarding seems fine.

The solution:
Disable the "CVE 14899 Mitigation" (second radio button in the GUI), reboot after saving and applying

If that does not work you will get your money back Wink


Tried disabling the mitigation fix, but no dice. I also tried factory resetting the router, just in case I had configured something wrong a long time ago. After that I only set up the VPN connection and its firewall commands, but when I try to access my NAS externally it still only returns a blank, white page. I suspect it might not have anything to do with dd wrt and my router but something with my NAS. It's just so weird that it works fine when the VPN connection is set up through the NAS.

Thanks for the suggestions though! Smile
grc
DD-WRT User


Joined: 11 Jul 2018
Posts: 86

Posted: Fri Mar 06, 2020 18:12
Is Fibermodem in bridge mode? Or is there another DHCP server running? Maybe you have to put the WRT3200ACM-IP to DMZ (Demilitarized Zone) on Fibermodem.
TheLuffe
DD-WRT Novice


Joined: 27 May 2017
Posts: 8

Posted: Fri Mar 06, 2020 20:58
grc wrote:
Is Fibermodem in bridge mode? Or is there another DHCP server running? Maybe you have to put the WRT3200ACM-IP to DMZ (Demilitarized Zone) on Fibermodem.

I made a map of my network, see below:


It's really stupid, but I can't check the model of the Nokia, because it is screwed into the wall, and the fiber optic line is fixed to the wall as well. This means I can't even check if the modem is configurable through a web portal, because the model number is probably on the back side of the modem, which is faced up against the wall.

Anyway, the plot thickens: I found an old ASUS N56U router and tried setting it up as the primary router with DHCP enabled, and disabled it on the WRT3200ACM. The network now looks like:



And.... it works! With this configuration I can get external access to the NAS again. Besides doing the physical hardware changes, I set the WAN setup to Static IP in dd wrt like this (before it was just set to Automatic - DHCP):



So I guess it has something to do with the WAN port/settings on the WRT3200ACM?