Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Ivkosky]

Dear all


I am having an issue with my DIR-300 rev B 2.04, as it is not forwarding any of the two VPN ports. I am getting quite desperate here. All other ports (such as 80, or 5000) are being forwarded just fine, even the FTP port. I am trying to set up my new Synology NAS station to be a VPN server so that I can access the files in the same manner as I would do on LAN. As for now, the settings for the VPN server are the following (I would prefer the PPTP connection):

Dynamic IP address: 10.0.0.0 (I kept the default)
Maximum connection number: 3
Authentication: MS-CHAP v2
Encryption: Maximum MPPE (128 bit)
MTU: 1400 (kept the default)
Use manual DNS: unchecked

I would be very grateful for your help.

Regards,
Ivan

P.S.: In addition, I am not able to forward port 5001 either - maybe that will help to diagnose the problem...

[FurryNutz]

Is uPnP disabled?

[Ivkosky]

Is uPnP disabled?

Thanks for your response. If you meant uPnP on DIR-300 (I have it under Advanced->Advanced Network), then yes, it is enabled (the tick box is checked).

[FurryNutz]

Disable uPnP and test again?

[Ivkosky]

Disable uPnP and test again?

I have disabled it and none of the forwarded ports were working (even the previously functional 80 and 5000). I have also noted that the MTU in the router is set for 1500, so I have changed the MTU in the Synology box to that value as well, but failure again.

Please note that I have the same issue with 5001 port as well - it is marked as failed all the time after testing too... I am therefore not able to connect to the server using HTTPS, but just HTTP, which is a bit unlucky as well.

Any other thoughts would be much appreciated!

[FurryNutz]

What Hardware version is your router? Look at sticker under router.

What region are you located?

Has a Factory Reset been performed?

What ISP Service do you have? Cable or DSL?
What ISP Modem Mfr. and model # do you have?

[Ivkosky]

I have a hardware version B1, firmware version 2.04. I am located in the Central Europe.
I have reset the router recently, because somebody else was configuring it and I couldn't find out the password to get into the router.
I have a cable connection - optical cable, which brings TV and telephone services to the house as well.
The ISP Modem is Motorola, but I don't have anything else written on the box. It is a similar model to this one:

http://www.motorola.com/Video-Solutions/US-EN/Products-and-Services/Voice-and-Data-Consumer-Premise-Equipment/DOCSIS-Modems-Gateways-and-eMTAs/Cable-Modems/Motorola_SURFboard_SB6120_US-EN

But not exactly this one - I have more led icons. I guess these are for telephone links.

[FurryNutz]

Maybe one of these?
http://www.motorola.com/Video-Solutions/US-EN/Products-and-Services/Voice-and-Data-Consumer-Premise-Equipment/DOCSIS-Modems-Gateways-and-eMTAs/Digital-Voice-Modems

Look at the any stickers on the ISP modem for a part number or a model number?

If this modem has a built in router, it's best to bridge the modem. Having 2 routers on the same line can cause connection problems.
Double NAT
To tell if the modem is bridged or not, look at the routers web page, Status/Device Info/Wan Section, if there is a 192.168.0.# address in the WAN IP address field, then the modem is not bridged.

If the modem can't be bridged then see if the modem has a DMZ option and input the IP address the router gets from the modem and put that into the modems DMZ.

Let us know about this...

[Ivkosky]

Thanks a lot for your answer and your time spent on this - I appreciate it a lot!

Unfortunately, as I mentioned, there is no sticker or anything on the Motorola modem. However, purely from the visual comparison, I guess I have the SBV5122 model:

http://www.motorola.com/Video-Solutions/US-EN/Products-and-Services/Voice-and-Data-Consumer-Premise-Equipment/DOCSIS-Modems-Gateways-and-eMTAs/Digital-Voice-Modems/SBV5122_US-EN

I don't think it has a built-in router, but I am not an expert in this area. The following is written in the Status->Device Information->Internet section on my D-Link router page:

...

Not sure I understand this... Any ideas?

[FurryNutz]

Thats a good sign. The DIR-300 is getting a public IP address and the ISP modem doesnt' have a router built in. Just need to establish that there isn't a double NAT condition here.

Have you reviewed this? http://forums.dlink.com/index.php?topic=52476.0
Try setting a Firewall rule to ALLOW instead of DENY Along with using Virtual Server.

[Ivkosky]

Thanks for the hint. While looking at the firewall options, I have come across the DMZ and tried to put the LAN IP address of the server to that "zone". And success! I have all the ports working (i.e. 1723, 443, 5001). Now, obviously, this setting represents a security risk and therefore I would be grateful if you could let me know what the problem was and how I can overcome it by using the firewall settings... Thanks a lot!

[FurryNutz]

I think by looking at the example picture in the link about setting up Firewall Rule, this should help you by setting up 3 rules, one for each port number needed, I believe, that you need to ALLOW and not DENY.

So you would start with the first rule for the first port,
NAME: Port443 and Port1723 and Port5001
Select LAN drop down
Local IP address range: input the PC or range of PCs that you want to include into this range. If your only using one then input the same PC IP address in both boxes.
Protocol: BOTH? Does this have this option? If not you need to find out what protocol those 3 ports are using and select appropriately, TCP or UDP. I'm hoping there is a BOTH option.
Schedule: Try Never or Always. Shouldn't matter.
Action: ALLOW
Select WAN drop down
Remote IP address range: I think a * will do here. Not fully sure about this setting however I presume that the range needs to be a global range.
Port Range: Enter 443, or 1723 or 5001 into both boxes.

Do this process for each port you need.

Select the check mark box to the left side to make sure the rule gets enabled then select Save Settings. A reboot will probably be needed.

[Ivkosky]

Ok, I think the issue is finally solved! What a triviality... I haven't noticed that right next to each row in the port forwarding rules there is a small tick box, which has to be ticked, so that the appropriate firewall settings of a router are put automatically to the firewall page of the router and applied... :lol:

However, probably thanks to temporary applying the DMZ rule and making some of the router info public (in one of my posts above - now deleted...), I got attempts for logging in from six IP addresses over night, all of which got blocked by the server (after 5 attempts in less than 5 minutes). Hope this won't continue... Any hints on how I can foster the security settings of a router?

And thank you so much for all your help!!! I appreciate it a lot. This thread has been a great journey and I have learnt a lot so far...

[FurryNutz]

Glad you got it working. Those pesky little check boxes are over looked sometimes.

Keep SPI or any Firewall settings Enabled. This routers Firewall is different from some of the other DIR series. You can customize Firewall rules here where others do not have these options or more of a limited feature set. You should be good to go. Should only allow those ports for your connections that are needed and thats it.

Enjoy.

[Ivkosky]

FurryNutz


Thanks again for all your help. I have tried the VPN from outside of LAN and it is indeed working, for 60s or so... :lol: Not sure what's going on, but I get disconnected after few seconds every time I try to connect. Within those few seconds I can open my mapped network folders and everything seems to be working, but the stability is very poor, or I dare to say - it is not usable at all...

I get a feeling that this is not an issue of the router, but rather the Synology NAS itself and therefore I am afraid I would have to ask somewhere else. Anyway, the whole effort was for nothing if I actually cannot use it, so I do hope I will sort it out somehow.

Thanks again!
Ivan

P.S.: Interestingly enough, I have spotted that the router does not list the IP address of the Synology, although other active PCs are listed in the drop-down menus for the port-forwarding (when selecting an IP address for a particular rule). I haven't spotted it before, because I have inserted the IP address manually. Could this indicate something?