manage DDWRT router behind 2 routers from internet

kenza750
DD-WRT Novice


Joined: 03 Jan 2012
Posts: 5
Location: Netherlands

Posted: Fri Jun 14, 2019 17:18    Post subject: manage DDWRT router behind 2 routers from internet
All,

First of all I would like to say hello to everybody on this beautiful forum :D

For some time I am playing around with DDWRT in my home-setup. PFA the layout of my devices and connections.

At this point I would like to be able to manage the 2 DD-WRT devices from outside my LAN. I managed to do this for the EA6900 router, but I cannot gain access to the GUI of the second router, the EA6400, which is behind the EA6900.

What I did so far:
1. in EA6900: I enabled web GUI https port 443
2. in AVM: added port forward 443 to the EA6900 (WAN IP: 192.168.0.100)
3. This enables me to access the GUI of the EA6900 from outside my LAN.
4. in EA6400: enabled web GUI https port 444 (just +1)

BUT now....how do I get to the GUI of the EA6400?? I disabled the WAN-port on the EA6400 but I assigned it to the switch, so basically I now have 5 LAN ports available on the EA6400. LAN-IP of the EA6400 is 10.0.0.2.

So what must I configure (and where) to have access to the second DD-WRT device? I was thinking I should forward p444 in the EA6900 to the LAN-IP of the 6400, right? Well, this doesn't work :( I also tried to forward p444 in the AVM router, but I can only forward it to the EA6900.

What am I doing wrong??

(Just some extra info: I wanted to remove the AVM-box from my network, but this one is required to get access to the internet; provider does not give the configuration. Basically the AVM is just to provide access to the internet. All of my devices like PCs, NAS, phones etc. are connected to the DD-WRT devices; the EA6900 is the unit which handles all traffic, IP addresses, wifi etc. The EA6400 is just an extra AP to cover my third floor.)
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8022

Posted: Fri Jun 14, 2019 17:37    Post subject:
You need an additional port forward on both the AVM and EA6900 to the EA6400. Also, make sure the EA6400 has a gateway IP of 10.0.0.1 on its LAN side.

Frankly, you'd be better off in most cases to configure OpenVPN server on the EA6900, and then you could gain access to *anything* on the 10.0.0.x network, and even use your home network as a gateway to the internet when you're on the road. Traditional (old school) port forwarding is not recommended these days.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
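
The forward chain described in the reply above, as an added example that is not part of the original posts: a small Python model of the three devices that traces an inbound port hop by hop and reports which admin GUIs end up internet-facing. The dictionary layout, the function names and the EA6400's initially unset gateway are assumptions; the addresses and ports are the ones given in the thread.

```python
import copy

# Constructed model of the thread's topology (sample data, not a router export).
# addrs: IPs owned; gui: GUI ports; fwd: port -> (IP, port); gw: upstream device.
AS_POSTED = {
    "AVM":    {"addrs": set(), "gui": set(), "gw": None,
               "fwd": {443: ("192.168.0.100", 443)}},
    "EA6900": {"addrs": {"192.168.0.100"}, "gui": {443}, "gw": "AVM",
               "fwd": {444: ("10.0.0.2", 444)}},
    # The EA6400's gateway is not stated in the thread; assumed unset here.
    "EA6400": {"addrs": {"10.0.0.2"}, "gui": {444}, "gw": None, "fwd": {}},
}

def trace(net, port, entry="AVM"):
    """Follow an inbound connection hop by hop; return (path, verdict)."""
    name, prev, path = entry, None, []
    while len(path) < 8:                       # guard against forwarding loops
        dev = net[name]
        path.append(f"{name}:{port}")
        if port in dev["fwd"]:                 # a forward wins over a local listener
            ip, port = dev["fwd"][port]
            nxt = next((n for n, d in net.items() if ip in d["addrs"]), None)
            if nxt is None:
                return path, f"forwarded to non-router host {ip}:{port}"
            name, prev = nxt, name
        elif port not in dev["gui"]:
            return path, "dropped: no forward and no listener"
        elif prev is not None and dev["gw"] != prev:
            return path, "GUI reached, replies lost: gateway is not the upstream router"
        else:
            return path, f"{name} admin GUI exposed to the internet"
    return path, "forwarding loop"

def with_fix(net):
    fixed = copy.deepcopy(net)
    fixed["AVM"]["fwd"][444] = ("192.168.0.100", 444)  # extra forward on the AVM
    fixed["EA6400"]["gw"] = "EA6900"                   # gateway 10.0.0.1
    return fixed

def exposed_guis(net):  # internet-facing port -> router whose admin GUI it reaches
    verdicts = {p: trace(net, p)[1] for p in sorted(net["AVM"]["fwd"])}
    return {p: v.split()[0] for p, v in verdicts.items() if v.endswith("to the internet")}

if __name__ == "__main__":
    for label, net in (("as posted", AS_POSTED), ("with fix", with_fix(AS_POSTED))):
        print(label, trace(net, 444), exposed_guis(net))
```
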
d0ug
DD-WRT Guru


Joined: 31 Jul 2015
Posts: 724

Posted: Fri Jun 14, 2019 21:34    Post subject:
Hint:

Unless you actually need the separate subnets, do not connect your routers LAN port to WAN port. Connect them all up via LAN ports. Set your EA6900/EA6400 IPs to 192.168.0.2 and 192.168.0.3. Now everything on your home network will be on the same subnet and solve plenty of headaches. You'll just set up port forwards to everything at the AVM router.

Another option: if you can put the AVM router into bridged mode, this will pass your real public IP out through the AVM's LAN port. You can then connect your EA6900's WAN port to the AVM. The EA6900 will get your real WAN IP on its WAN port and you can do all your forwards from the EA6900, completely ignoring that the AVM even exists.

This is how I am currently setup. I have 3 WRT1200AC routers in my home.

I have an ARRIS cablemodem/router provided by the cable company in bridge mode. The primary WRT1200AC that does all the routing has its WAN port connected to the ARRIS and that WRT1200AC has my public WAN IP. The other two WRT1200ACs in the house are just used as access points/switches. Their LAN ports connect to the LAN ports of the primary WRT1200AC that does all the routing.

I don't do port forwards to remote admin my stuff though. I have gone the route of running OpenVPN server on the primary WRT1200AC. Once my laptop or phone connects to the OpenVPN server, I can remotely access/admin everything on the LAN as if I were attached to the LAN at home.

As eibgrad said, it really is not recommended to expose the router's admin pages to the internet. Too much risk of an exploit or weak password giving someone access to your whole network. If you ever actually monitor access to your exposed ports, you'll see that they are being hammered 24/7 by script kiddies/bots trying to make their way in. I even got to the point now that no ports are forwarded except for what is absolutely necessary, since I can VPN in and then from there hop to anything inside my network.

I run my own web and mail server at home, so at this time the only port forwards I have open are 80/443 so people can access my public website and port 25 so I can receive incoming email. My pop/imap servers for accessing the mail are only accessible once on the VPN. I just leave the VPN running all the time on my phone so I can check my mail from the android mail app.

Another benefit of running your own VPN server at home and having an always connected VPN on the phone: I can connect to ANY public wifi no matter how sketchy or unsecured it might be. All my internet browsing/app usage on the phone travels safely over the encrypted VPN to home, and then from there routes out to the internet.

Another tip. A lot of wifi captive portals are poorly configured, only capturing/redirecting the web traffic till you log in. I have connected to many public wifi networks with a captive login portal; as soon as the VPN connects, the captive portal goes away and I just use the wifi without even logging in. The rare one I have encountered that actually blocks all traffic till you log in just means turning off the VPN to log in to the captive portal, then turning the VPN back on.
kenza750
DD-WRT Novice


Joined: 03 Jan 2012
Posts: 5
Location: Netherlands

Posted: Sat Jun 15, 2019 8:20    Post subject:
@eibgrad/d0ug: thanks for your reply and suggestions to improve the setup.

My initial thoughts were to put the AVM into bridge mode, but I'm also using a DECT telephone which connects to the AVM (which has a built-in DECT base station). I do not know whether this functionality will be lost when I put the AVM into bridge mode. I will search on that.

Secondly, OpenVPN is what I also want to run. That's one of the reasons why I decided to put the EA6900 running DDWRT :)

@d0ug: you mentioned "running your own VPN server at home"... Do you mean you have a subscription with a VPN provider and are using that account to configure the DDWRT OpenVPN?

Regarding the different subnets: I prefer to just have only 1 subnet, but because I want the EA6900 to handle all the routing, I decided to put everything behind the AVM into a separate subnet. Ideally I want to completely remove the AVM (but the provider does not want to share the config to configure my own router) OR put it into bridge mode.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3515
Location: Netherlands

Posted: Sat Jun 15, 2019 12:56    Post subject:
Set the WAN IP of the EA6900 in the DMZ of the Fritzbox so that everything is forwarded to the EA6900 and you do not have to port forward on the Fritzbox.

Are you running a modified CFE on the EA6900 or have taken other measures to circumvent the 32 K bug?

If not, see my signature for EA6900 info.

_________________
Routers: Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
kenza750
DD-WRT Novice


Joined: 03 Jan 2012
Posts: 5
Location: Netherlands

Posted: Sat Jun 15, 2019 20:25    Post subject:
Thx EGC. DMZ is a good suggestion to make it easier. Didn't think of it.
At this moment I am trying to find a way to set up my EA6900 to replace the AVM. I have found a topic by another person on some forum who managed to configure his own router in a way that it can replace the provider's AVM (configuring VLANs and Vendorclass etc).

@32kb NVRAM bug: I followed your install guide to install dd-wrt on my EA6900. I used your second method to mitigate the bug (quote):

“The second method removes empty NVRAM variables. You can remove the empty NVRAM variables by telnetting into your router (the login username is always: root) and execute the following two commands:
for line in `nvram show | grep =$ `; do var=${line%*=}; nvram unset $var; done
nvram commit

You can set the first line: “for line in `nvram show | grep =$ `; do var=${line%*=}; nvram unset $var; done” without the quotes in your startup script at the Administration/Commands tab so that after a reboot your NVRAM size stays low.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3515
Location: Netherlands

Posted: Sun Jun 16, 2019 9:51    Post subject:
You should be fine, but keep an eye on your nvram usage