port forward second router

loady

Senior Member
Yep, me again... still trying to get my head around this port forwarding. My ISP router is attached to my N66U by ethernet cable (via power lines), connection is fine, I can access the ISP router from the N66U no problem, but not vice versa when connected to the ISP router's WiFi. I think it is a port number issue I am not understanding.

So my ISP router's internal IP address is 192.168.1.1 and that has issued the N66U a WAN IP of 192.168.1.20, but the LAN of the N66U is set to 192.168.11.1, a different subnet.

Where do I make the port forward to access the ISP router from the N66U? External/internal host ports, etc.
 
If you change your N66U to AP mode it would be in same subnet and all ok.
So you have to set port forward on ISP-modem router for whatever port you need to your N66U-WAN IP, and you need WAN access open on it too.
 

AP mode = disabled openvpn, hence router mode
 
So you have to set port forward on ISP-modem for whatever port you need to your N66U-WAN IP, and you need WAN access open on it too.

Here's where I'm confused: you say, port I NEED... am I to set that port? I mean, what is the port for the WAN IP of the N66U, where do I find/set it?
 
If you want to access your N66U Web GUI from the ISP Router subnet, you could enable "Enable Web Access from WAN" on the Administration System page of the N66U. You would want to access it at https://192.168.1.20:8443/ when connected to the ISP WiFi.

But only do this if you're sure the ISP Router is running a firewall and all that. You don't want the router GUI exposed to the public internet.
 
Here's where I'm confused: you say, port I NEED... am I to set that port? I mean, what is the port for the WAN IP of the N66U, where do I find/set it?
Ignore what @Grisu said because he misunderstood the question you were asking.

The reason you can't access devices on the 2nd LAN from clients on the 1st LAN is because the N66U is performing NAT on all the devices on the 2nd LAN. If you want to access devices on the 2nd LAN you have 2 options:

1) Create port forwarding rules on the N66U for every port on every device on the 2nd LAN that you may want to access. This is do-able if there's only a few specific devices that you need to access, like printers or servers. This is not a practical (or possible) solution if you want to access all the ports on all devices.

2) To create unrestricted access to all devices on the 2nd LAN from the 1st you need to do 3 things. a) Disable NAT on the N66U, b) Turn off the firewall on the N66U, and c) Create a static route on the ISP router that says 192.168.11.x is reachable via 192.168.1.20.
 
Here's where I'm confused: you say, port I NEED... am I to set that port? I mean, what is the port for the WAN IP of the N66U, where do I find/set it?
Does this 'How to set up VPN Server via port forwarding on ISP router' match your two-router setup?

e.g. in the diagram, the 'Root AP' router (192.168.1.1) represents your ISP's router, and 'Your Router' is your RT-N66U with WAN IP 192.168.1.20.

So if you want to access the OpenVPN Server which is hosted on the RT-N66U behind your ISP's router you need to create a port-forward rule on the ISP's router GUI which results in a rule similar to
Code:
-I virtual_server_chain -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.20
(assuming you wish to run an OpenVPN server on the default port 1194)
 
Ignore what @Grisu said because he misunderstood the question you were asking.
What's wrong, I didn't misunderstand his question?
He did not say anything about VPN or other needs to have the N66U in router mode.

1.) So I offered him to use AP mode in the first sentence without need to forward anything.

2.) And if he wants to leave it in router mode like it is now, I wrote the second sentence: open WAN access on the N66U and set the needed port forwards (can't know which ports he wants to use).
Of course you have to correct me that port forwarding has to be done on N66U - my mistake when I edited and forgot to replace ISP-modem to N66U.
This is the same you suggested him in your first option 1)
 
I'm sorry @Grisu I wasn't criticising you or your post. What you said about AP mode was absolutely correct. But you were unaware that he had already discussed that mode in another thread. Your second point described enabling WAN access to the N66U GUI from internet. I asked him to ignore this second point because that was not what he wanted to know and it would confuse him even more.

His question is confusing because it talks about "ports" so it sounds like a port forwarding question, but it isn't. He doesn't understand what's happening so he's "guessing" it's something to do with ports. What he really wants to know is why traffic is only working in one direction between his two subnets.
 
That's correct... guess what, my other thread I have about slow internet traffic when connected to ovpn (Colin pointed out that all my traffic was going through VPN) has resolved itself. I just rebooted all my routers as I left for the pub last night and today I could connect to ovpn on my phone and was getting blistering internet speeds, so it would seem this router is up to the job for my specific needs... I've talked myself into a new router though, but I don't want to mess up this current setup.

The one last thing that needs addressing is not being able to access router 2 from router 1. If that works then I would also be able to access router 1 through ovpn.
 
The one last thing that needs addressing is not being able to access router 2 from router 1
You probably need a rule on Router2 to allow Router1's subnet access

e.g. Try
Code:
iptables -I INPUT -s 192.168.xxx.0/24 -j ACCEPT
 

Do I SSH into the router with PuTTY and enter that? If it doesn't work, how would I undo it?
 
Do I SSH into the router with PuTTY and enter that?
Yes - PuTTY is fine or you can use a more feature-rich SSH client such as Xshell or MobaXterm.
P.S. Don't forget to replace 'xxx' with the actual subnet number!

If it doesn't work, how would I undo it?
You can issue the 'delete' command
Code:
iptables -D INPUT -s 192.168.xxx.0/24 -j ACCEPT
or, since the rule isn't permanent (if it works, you will need to add it to the 'firewall-start' script) simply reboot the router.

Use the following command to check the rules
Code:
iptables  --line -t filter -nvL INPUT
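
Persisting the rule from the 'firewall-start' script mentioned above, as an added example that is not part of the original post. It narrows the blanket subnet ACCEPT to the WAN interface and the admin ports, and deletes stale copies before inserting so repeated firewall restarts do not stack duplicates. The interface name eth0 and SSH port 22 are assumptions; 8443 is the GUI port quoted earlier in the thread.

```shell
#!/bin/sh
# Added example: body for a 'firewall-start' script on Router2 (the N66U).
# Assumptions (not from the thread): the WAN interface name and the SSH port.
IPT="${IPT:-iptables}"                          # overridable for a dry run
WAN_IF="${WAN_IF:-eth0}"                        # assumption: Router2's WAN interface
UPSTREAM_NET="${UPSTREAM_NET:-192.168.1.0/24}"  # Router1 (ISP router) subnet
ADMIN_PORTS="${ADMIN_PORTS:-22,8443}"           # SSH (assumed) and the HTTPS GUI port

# One rule spec shared by insert and delete so the two always match.
rule_spec() {
    echo "-i $WAN_IF -s $UPSTREAM_NET -p tcp -m multiport --dports $ADMIN_PORTS -j ACCEPT"
}

# Delete every existing copy of the rule; prints how many were removed.
remove_rule() {
    removed=0
    # Word splitting of the rule_spec output is intentional here.
    while $IPT -D INPUT $(rule_spec) 2>/dev/null; do
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Idempotent add: the script runs on every firewall restart, so clear
# stale copies first, then insert exactly one rule at the top of INPUT.
apply_rule() {
    remove_rule >/dev/null
    $IPT -I INPUT $(rule_spec)
}

# Apply only when this file is executed as the firewall-start script itself.
case "${0##*/}" in
    firewall-start) apply_rule ;;
esac
```

After a firewall restart, the listing command above should show a single matching rule at position 1 of the INPUT chain.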
 

Didn't work, still no access to router 2 from router one.
 
Didn't work, still no access to router 2 from router one.
This configuration works for me.

upload_2019-11-10_12-27-50.png


By default Router2 has access to Router1 GUI.

With the firewall rule, Router1 has access to Router2.

On Router2, Rule 1 shows my admin device connected to Router1 is able to logon to Router2's GUI and use WinSCP and Xshell to browse the filesystem and issue commands.
Code:
iptables  --line -t filter -nvL INPUT 

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    88596 9996K ACCEPT     all  --  *      *       192.168.1.0/24         0.0.0.0/0           
2        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194
3     2279  301K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1195
4       12  1008 INPUT_PING  icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
5        0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 500,4500
6        0     0 ACCEPT     esp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
7        0     0 ACCEPT     ah   --  eth0   *       0.0.0.0/0            0.0.0.0/0           
8        0     0 ACCEPT     udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            multiport dports 500,4500
9        0     0 ACCEPT     esp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
10       0     0 ACCEPT     ah   --  ppp0   *       0.0.0.0/0            0.0.0.0/0           
11   3811K 4027M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
12     310 30342 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
13   1587K  395M PTCSRVWAN  all  --  !br0   *       0.0.0.0/0            0.0.0.0/0           
14   24200 3687K PTCSRVLAN  all  --  br0    *       0.0.0.0/0            0.0.0.0/0           
15   24200 3687K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
16       0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec state NEW
17   1564K  392M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
18   23488 3216K OVPN       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
19       7  2331 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
20       0     0 INPUT_ICMP  icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
21   23470 3213K logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0

NOTE: I normally use Router2's OpenVPN Servers for remote admin access.
 
Didn't work, still no access to router 2 from router one.
Can you confirm that router 1 is your ISP router and router 2 is the N66U.

Are you talking about accessing router 2 (i.e its GUI) or the LAN devices behind router 2?
How exactly are you trying to "access" them/it?

Did you read my post #6?
 

Yes, router 1 is the ISP router and router 2 the N66U. So, if I am downstairs and connected to R1 WiFi on my laptop, I can't access R2; if I am upstairs and connected to R2, which has a PC attached by ethernet, I can access R1.

Remotely via R2's ovpn server I can access R2 obviously, but can't access R1.
 
OK, as you haven't actually answered 3 of the 4 questions I asked, I'm going to have to guess. :rolleyes:

I'm assuming you're talking about accessing the routers' GUI interfaces. I'm also assuming you didn't do any of the things I talked about in post #6.

1. "if I am downstairs and connected to R1 WiFi on my laptop, I can't access R2"
Enable Web Access from WAN on Router 2 and access it using its WAN address, e.g. https://192.168.1.20

2. "Remotely via R2 ovpn server I can access R2 obviously, but can't access R1"
This requires a change to the VPN server. The server needs to push a route for 192.168.1.1 to the client, otherwise the client will send the request to the internet. You can confirm this is the problem by temporarily changing the VPN server so that all the client's traffic goes through the VPN.
 
2) To create unrestricted access to all devices on the 2nd LAN from the 1st you need to do 3 things. a) Disable NAT on the N66U, b) Turn off the firewall on the N66U, and c) Create a static route on the ISP router that says 192.168.11.x is reachable via 192.168.1.20.

I will do that. Currently I up/downgraded the router to John's fork, now I'm back at slow internet speeds whilst connected to the ovpn server. I need to trawl through my posts to find the rule that solved it o_O
 
