
Port forwarding Windows Client using a VPN

manners

Occasional Visitor
I have done extensive searches on this but I can't find anything but do excuse me if this is covered elsewhere.

I'm running Merlin 378.55 on a n66u and have port forwarded some ports to a Windows 8 machine on my LAN. This all works fine until I have the Windows 8 machine connect to a VPN via the Windows built-in VPN PPTP client. After that, trying to hit the forwarded ports via the n66u just doesn't work. What's weird is that internally on my LAN other machines can hit the Windows 8 machine on the open ports even when the Windows 8 machine is connected to the VPN. I assumed that if the ports can be accessed locally then the port forwarding from the n66u is as though the requests are coming from the local LAN and it simply NATs them back out to the remote client.

Any thoughts or am I missing something?

Thanks in advance.
 
Your pptp address range is on the same subnet as the dhcp range, correct? I assume the IP address of the Windows 8 machine is constant (assigned ip under dhcp server)? The pptp vpn server is the n66u, I assume. I think I am confused as to where the pptp server is! :)

Ok, I think I get it. The pptp server is outside your LAN and you can't access the forwarded ports? I am always thinking of the router as the vpn server.
 
The PPTP is an external company (PIA). The Windows 8 machine has a constant IP assigned by the n66u. The Windows 8 machine establishes the PPTP connection to PIA via the Windows client and then the port forwarding breaks.
 
I think this may be expected behavior, unfortunately. There is probably a way to get it working. When you connect to the PIA, in network and sharing center what connection is first, the PIA connection or your home network?

Under the network sharing center PIA pptp properties/networking/IPv4/properties/advanced/ip settings do you have use default gateway on remote network checked? If that option is NOT checked, your internet data can travel outside the tunnel, making the VPN worthless as internet security/anonymity/encryption.
 
If this is how it is meant to work then so be it. I wonder if I can find a workaround though. In answer to your question the PIA connection seems to be first:
 

[Attachment: Capture.PNG]
Again, if you don't have use default gateway on remote network checked, your internet data can travel outside the vpn tunnel, leaving the vpn unused. There is really no reason to use a vpn for internet (web browsing) protection without that option checked.

That aside, I think there is a possibility you can get local stuff working if you increase the metric of the PIA vpn. Again go to the PIA pptp properties/networking/IPv4/properties/advanced/ip settings and uncheck automatic metric. Then put a ***EDIT HIGH*** number there for the interface metric. I think this may get your port forwarding working, but may also possibly compromise your internet the same way having the default gateway unchecked does.

To check, go to speedtest.net and check the ip address/location while connected to PIA. If it is your local ip address, PIA is not being used, if it is the PIA address/location your internet data should be going through the PIA tunnel.
 
All my internet traffic is going via PIA. I'm not sure why the gateway would matter? As I understand it my Windows 8 machine has two NICs now (albeit the PPTP is virtual) - one connected to the VPN and one connected to the LAN lets say with IP 192.168.1.10. Whilst it doesn't have access to get out to the internet through the NIC with the IP 192.168.1.10 it can talk to any other machine on my internal LAN on the 192.168.1.0/24 network, including the Asus on 192.168.1.245. The Asus can ping the Windows 8 machine on 192.168.1.10 but when the Asus is receiving incoming requests from the internet, on port say 8900 it doesn't seem to forward them to 192.168.1.10.
 
I know this is a secondary issue to your OP, but I am just trying to help you out here! I am telling you (you can choose to believe what you wish) if you do not have use default gateway checked internet data can travel through either your router or through the vpn tunnel. Not secure. I am amazed that PIA does not do a better job of telling people this, but those who do not check that option are blissfully surfing away possibly paying for a service they may not actually even be using. I suggest you use empirical data here.

Regarding your OP, I suggest you try raising the metric of the PIA with the aforementioned caveat check the tunnel.
 
Sorry - I do really appreciate your help and it's definitely worth noting the possible PIA leaks. Use default gateway on the remote network is checked and I have VPN checker software running which kills any apps using the internet if the VPN drops. I'm happy to give the lowering of the metric a go - I always thought these metrics affected traffic leaving the Windows machine and the routes it takes, whereas the problem I'm having is why the machine isn't receiving incoming requests from the Asus or why the Asus isn't forwarding the requests. Basically the machine is running a little web server which I can't access externally currently.

Thanks again.
 
Oh yeah? :D:D Well I am sorry for telling you to LOWER the metric number when you should in fact RAISE it (in post six, corrected). :eek: If you run cmd.exe as administrator and type route print you will see the routing table. The table is processed bottom up and the LOWER (smaller number) metric gets higher priority. So increase the metric (bigger number) on the PIA until you see the metric of that interface ip is numerically higher on the routing table. I say to use the routing table because it is the end all- the actual number you input as the metric in the settings will be modified by the os to some extent and the routing table gives you the real deal.
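
The situation discussed in this thread, modelled as an added example (not posted by anyone in the thread): which interface the Windows 8 machine uses to answer a LAN client versus an internet client reaching it through the forwarded port, before and after raising the VPN metric. It assumes the standard lookup rule (longest matching prefix, then lowest metric) and that replies follow the machine's routing table; the metrics and the addresses 192.168.1.50, 203.0.113.7 and 198.51.100.9 are constructed.

```python
import ipaddress


def pick_route(routes, dest):
    """Longest matching prefix wins; the lowest metric breaks ties."""
    ip = ipaddress.ip_address(dest)
    matches = [r for r in routes if ip in ipaddress.ip_network(r["net"])]
    if not matches:
        return None
    return min(
        matches,
        key=lambda r: (-ipaddress.ip_network(r["net"]).prefixlen, r["metric"]),
    )


def table(vpn_metric):
    # Constructed routing table for the Windows 8 machine (192.168.1.10)
    # while the PPTP tunnel is up; 192.168.1.245 is the router.
    return [
        {"net": "0.0.0.0/0", "via": "192.168.1.245", "iface": "LAN", "metric": 20},
        {"net": "0.0.0.0/0", "via": "on-link", "iface": "VPN", "metric": vpn_metric},
        {"net": "192.168.1.0/24", "via": "on-link", "iface": "LAN", "metric": 20},
    ]


def reply_interface(vpn_metric, client):
    """Interface a reply to `client` leaves on for a given VPN metric."""
    return pick_route(table(vpn_metric), client)["iface"]


if __name__ == "__main__":
    cases = {
        "LAN client": "192.168.1.50",
        "internet client via port forward": "203.0.113.7",
        "ordinary web traffic": "198.51.100.9",
    }
    for vpn_metric in (10, 50):  # VPN preferred, then VPN de-prioritised
        print(f"VPN default-route metric = {vpn_metric}")
        for label, addr in cases.items():
            print(f"  {label:34s} -> {reply_interface(vpn_metric, addr)}")
```

With the VPN route preferred, replies to the forwarded connection leave through the tunnel rather than back through the router; with the VPN metric raised they return via the LAN, but so does all other internet traffic, which is the caveat raised earlier in the thread.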
 
I actually found a different workaround - I set up the n66u as VPN server. I now connect to the n66u via vpn from my remote location and get a lan IP which means I can then hit the windows 8 box as a local client. Thanks for your help.
 
Great! I am a bit interested for my own knowledge to know if messing with the metric helps, so let me know how that works if you ever try it. :cool::cool:
 
