More questions on DDNS behind two routers/multiple NAT?

[loveleeyoungae]

Hi,

My network setup is like this:

Internet
|
|
|
[WAN]
ISP PPPoE wireless router/modem----- for slow wireless-G devices, guests
DHCP: 192.168.1.1/255.255.255.0
No uPNP
DMZ the Asus N66U below
[LAN]
|
|
|
[WAN]
WAN IP: 192.168.1.2
Asus N66U with a USB hdd attached---------- main router for most devices, Smart TV, Foscam IP Camera
DHCP: 192.168.5.1/255.255.255.0
uPNP enabled
No DMZ

1. I did some searches on Google and know that DDNS configuration doesn't work behind multiple routers (a quick test on N66U confirmed that, when my No-IP host was updated with the private IP 192.168.1.2).
However, on the Foscam which has a very simple *nix-based web ui for management, there is a setting for DDNS beside the default enabled uPNP. And guess what, after I input my No-IP info in the Foscam, things worked right away! No-IP service was updated with my actual public Internet IP. And of course, I could control the Foscam and access the N66U web ui REMOTELY over the Internet and out of my home.

I guess there must be something here, because if things were that easy, advanced routers like the N66U should have already integrated the function, and people wouldn't have made so many complaints and questions on the complicated behind-multiple-routers DDNS setup. So, could anyone explain me on this situation?

2. With the temporary DDNS solution with Foscam, I setup the VPN server on the N66U with default Merlin settings (VPN Pool IP: 192.168.10.2-11).
Now when I connect to the VPN remotely, how could I access the USB hdd or other PCs in local LAN? Is the VPN IP of the N66U is 192.168.10.1? I tried to access that IP, but it didn't work.

FYI, in local LAN, from my Windows PC, I can access that USB hdd via the router local LAN IP \\192.168.5.1. Actually, I can even browse it in Network Places.

3. Without disabling DHCP or bridging any routers, how could I let the slow G devices access the devices connected to N66U, i.e. the foscam or a shared folder?

 

[sinshiva]

1.) some ddns client implementations like on the routers appear to tell the ddns service the IP of the wan interface while others use wherever they see the traffic originate from, ie. wget method

2.) openvpn uses static routes; use the regular lan ip to access devices

3.) those services will need be open to the 'wan' side (primary lan) you'll need to use iptables to achieve this, on the n66

 

[Deleted member 28123]

I worked on a similar setup not that long ago which included foscams too.. Here's what you need to do:

Step 1

[WAN]
|
|
|
[Main Gateway - Router/Modem]
ISP PPPoE wireless router/modem----- for slow wireless-G devices, guests
DHCP: 192.168.1.1/255.255.255.0
uPnP Enabled
No DMZ
Firewall enabled
Enable DDNS using whatever providers are available
Create static route with destination 192.168.5.0 netmask 255.255.255.0 and gateway 192.168.1.2
Reboot


[LAN]
|
|
|
[N66U Router]
WAN IP: 192.168.1.2
Asus N66U with a USB hdd attached---------- main router for most devices, Smart TV, Foscam IP Camera
DHCP: 192.168.5.1/255.255.255.0
NAT disabled (Apply only after finalizing the configuration of the Main Gateway - specifically the creation of the static route)
uPNP disabled
Firewall disabled
DDNS disabled
No DMZ configured
Reconfigure VPN to use the range 192.168.5.200 to 192.168.5.209
Reboot

Step 2
Setup port forwarding for foscams/devices/services for both subnets 192.168.1.1 and 192.168.5.1 on the Main Gateway - Don't forget to open up a port for the VPN service running on the N66U router using the ip 192.168.1.2 ie. foscam running on 192.168.1.10 port 20301 or foscam running on 192.168.5.10 port 20302

Step 3
Disable Foscams internal DDNS feature and configure whatever client you chose with the new DDNS service you had setup on the Main Gateway.

That's it - you should now be able to access both internal networks and their corresponding services whilst connected to either routers or via VPN. Your foscams should also be accessible using the DDNS hostname you opted for

 

[loveleeyoungae]

...

...

Thank you sinshiva and AtAM1!
Sorry for my late reply. I didn't want to make the thread cluttered up without making some more tests. I've also helped set a same network in my parents-in-law home.

1. So, may you explain why Merlin firmware doesn't implement this easy method? Is there any way to do it in my current setup? To me, it's obviously the easiest, so I'm a bit curious. How about the other routers/firmwares (I used to have a DDWRT-modded WRT54G but I never had a chance to try DDNS)?

2. I was surprised that the remote VPN PC (10.*) and local devices in N66U's LAN range (5.*) could have two-way access! It doesn't matter if the VPN pool ip set to 5.* range. Never thought that would work. More confusion here

However, dig the question a little deeper:
a. Before the router setup, I tried with Teamviewer (it has a VPN feature, don't know if its their own implementation or not). Whenever I created a VPN connection between 2 Windows PCs, they could see and browse their computer-names in Network Places. Both PCs had to have their firewalls turned off.
b. Now with this VPN via router setup, the remote and local devices can't see other computer-names in Network Places. But they still can connect by \\computer-names. And only the local devices need to turn off firewalls.

So, can we do anything to fix the computer-names and firewalls issues? Btw, were you recommending me to use OpenVPN? I don't know about the protocols, just tried the default one which is PPTP.

3. sinshiva's suggestion seems to be what AtAM1 pointed out in this line, right?
" Create static route with destination 192.168.5.0 netmask 255.255.255.0 and gateway 192.168.1.2"

First, I didn't change all as AtAM1 suggested, but only modified the following 2 settings: adding static route and disabling router firewall. And devices behaved like 2b - N66U's local devices need to turn off firewalls in order to get connected by the upstream devices.

Now things seem to work fine. Does AtAM1 suggestion have any advantages? E.g., I tried toggling the NAT feature but I didn't see any differences.

Below are some other issues that I may need to post in new threads, but they're related to this configuration, so I'll continue:

4. I'm a bit curious that the VPN connection can be established without turning off the router firewall, while we have to do the opposite for the upstream subnet devices to be able to connect the downstream subnet devices.

5. I created a VPN connection from my home N66U router (N1) to my parents-in-law N66U router (N2). I was surprised that my ISP router's LAN PC could ping the N2 without any static route set! It couldn't access the N2's hdd or web ui, though.