RT-N66U Access Point or Double NAT?

@grifo Your situation is not the same as @rsnhakan's, as he is only concerned about a perceived increase in latency.

That said, if I understand what you are doing correctly, you don't need any iptables rules at all. All you need to do is create a static route on your ISP router so that it knows how to find your 192.168.10.0/24 network.
 
Hi Colin, I already added a route for the Asus LAN's subnet to the ISP router, but the issue is that the Asus router is doing NAT and firewalling between the ISP router's LAN (e.g. Asus' WAN) and its LAN (it thinks the ISP router's LAN is the Internet), so I think NAT translations and/or firewall rules are also needed. Using the WAN interface on the Asus to connect to the ISP router's LAN is the only way to get DDNS and the OpenVPN server to work.

Edit: And I do want to keep the Asus' firewall on for everything but the services I need, and open those ports with iptables. The firewall part is working OK (I can ping the Asus LAN from the ISP router LAN); it's the NAT part that I can't get working.
 
Using the port forwarding options in the Asus' GUI should be sufficient without the need for manual iptables rules. (I was assuming that you had already set that up).
 
I ran into the same situation when my ISP gave me a router/modem without Wi-Fi connected to fiber optic, and I can't change any settings inside their router/modem, can't access their admin panel. When I connected my Asus to their modem/router as an AP, I realised that I can only connect 4 devices at once, no more, so the only solution is to hack into their modem/router admin panel and change it to act in bridge mode and set up PPPoE on my Asus. I finally got everything running smoothly.

I tried creating port forwarding rules for VNC via the GUI but it didn't work, so I went for the nat-start script after reading this, also to allow the connections only from specific devices, which would be ideal, but it doesn't work either, perhaps because a double port forward is required. If anyone has a suggestion for the second iptables nat rule that may get it to work.
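
A source-restricted forward of the kind the post above describes (VNC reachable only from specific devices on the ISP router's LAN), as an added example that is not part of the original thread. The interface name, the host addresses and the port are constructed placeholders; only the 192.168.10.0/24 subnet comes from the thread. It assumes the firmware's stock rules already accept established return traffic.

```shell
#!/bin/sh
# Sketch of a nat-start style script. All values below are constructed placeholders.
WAN_IF="eth0"                            # assumption: WAN interface name on the Asus
VNC_HOST="192.168.10.50"                 # constructed: VNC server on the Asus LAN
VNC_PORT="5900"                          # constructed: VNC listening port
ALLOWED_SRC="192.168.1.20 192.168.1.21"  # constructed: permitted hosts on the ISP router's LAN

# Accept only a plain dotted-quad address, so a typo or a CIDR such as
# 0.0.0.0/0 can never turn into a rule that admits every source.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Print one DNAT rule and one matching FORWARD accept per allowed source.
# The FORWARD rule matches the post-DNAT destination, so nothing else on
# the Asus LAN is opened to the WAN side.
build_rules() {
    for src in $ALLOWED_SRC; do
        is_ipv4 "$src" || { echo "skip invalid source: $src" >&2; continue; }
        echo "iptables -t nat -I PREROUTING -i $WAN_IF -p tcp -s $src --dport $VNC_PORT -j DNAT --to-destination $VNC_HOST:$VNC_PORT"
        echo "iptables -I FORWARD -i $WAN_IF -p tcp -s $src -d $VNC_HOST --dport $VNC_PORT -j ACCEPT"
    done
}

# Dry run by default: review the printed rules first.
# APPLY=1 pipes them to sh to install them (root required).
if [ "${APPLY:-0}" = "1" ]; then
    build_rules | sh
else
    build_rules
fi
```

Running it without `APPLY=1` only prints the rules, which makes it easy to compare them against the output of `iptables -t nat -S` before anything is changed.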
 
I can get admin access to the ISP router and could put it in bridge mode, but then I'd lose the VoIP service as the SIP account credentials aren't shared by the ISP.
 
Then try social engineering with the call center: explain that you have everything set to default and you need the credential. You can also pretend that you are dumb and you don't have any connection; they will send the tech guy to your home, and with a cup of coffee and delicious cookies you will be able to get the credential from him or let him input them on your own router.
They won't do it; it's the only way they have to prevent losing control of the CPEs by everyone ditching their routers. There's talk on local forums with people trying to extract the credentials from the routers to no avail.
 
In the end I got it working with the GUI port forwarding rules. I don't know why it didn't work on Friday; I must have been doing something wrong. I've also configured the OpenVPN server, which was the easiest of all, and it works great. DDNS is also working now. Very happy overall. Thanks everyone for your input, this is a great forum.
 