RV016-Dual WAN & Secure connection problem

arhinelander
Level 1

I'm having trouble setting up my RV016 to allow secure connections to our server. I've searched the forums and read lots of posts and it seems that protocol binding is the answer, but I can't get it to work.

We have a dual-WAN setup with 5 static IPs on our slower connection (a cable modem, WAN 1) and a dynamic IP on our faster (FIOS, WAN 2). I'm using One-to-One NAT to send all traffic coming in on one static IP (on WAN 1) to our server's internal static IP. We're using intelligent load balancing and (per a post I read) I've turned off Network Service Detection on both WANs. 

When I try to SSH from outside to the server, I do get through: I get a password prompt and, if I enter the wrong password I am re-prompted for the password. But when I enter the correct password the connection hangs. When I unplug WAN 2 I can connect on SSH with no problem.

I've tried setting up protocol binding as follows: I created a service for SSH (TCP/22~22) and added it for WAN 1. I remembered to enable it. I've played with various IP address ranges, but nothing works (that's where I'm a little out of my league). Here are some of what I tried:

  • server internal IP to all: 10.10.10.10~10.10.10.10(0.0.0.0~0.0.0.0)
  • internal subnet to all: 10.10.10.2~10.10.10.254(0.0.0.0~0.0.0.0)

In many posts I've read that protocol binding has solved people's secure connection trouble. What am I doing wrong?

Thanks,

Alex


13 Replies

arhinelander
Level 1

PS- My firmware is up to date: v4.2.2.08

From where are you accessing those servers? From the LAN or over the WAN?

you/computer -> router -> server?

server -> router -> you/internet ?

-Tom
Please mark answered for helpful posts

My issue is with enabling remote management of our server.

I have no trouble SSHing to the server from our LAN: The server IP is 10.10.10.10, and when I have a 10.10.10 IP I'm good. But when I'm remote (i.e. offsite, from the WAN) I can't access the server to manage it.

I have no need to SSH from the server out to the WAN, and have not tried to do so.

~Alex

Your problem is not load balancing if you are remote to the server trying to access over the WAN. The load balance mechanism is for egress traffic only, not ingress.

So if you're at home and try to reach the server over the internet then there's a different issue.

-Tom
Please mark answered for helpful posts

OK, and thanks, Tom. But given that

  1. I can SSH from my laptop to my server from my LAN with both WAN1 and WAN2 plugged in,
  2. I can SSH from my laptop to my server from outside my LAN with only WAN1 plugged in, and
  3. I cannot SSH from my laptop to my server from outside my LAN with both WAN1 and WAN2 plugged in,

have you got any idea of what the issue could be, and how I can solve it?

Regards,

Alex

Are you making a port forward to a specific WAN or creating a fail condition when removing one of the WAN from the scenario?

Or conversely, the series of events. Did you create your port forwarding with only 1 WAN active or did you create them with both WAN active?

What happens if you have both WAN up and working and let's say your current forwarding uses WAN 1. Delete that forward and change it to WAN 2. Does that work?

Another idea, did you try access with each WAN by themselves? Do they both work as expected?

What happens if you put the server in to a DMZ? Or a 1-1 NAT?

-Tom
Please mark answered for helpful posts

I do not have any port forwarding set up for the server, instead I use 1-1 NAT (see the second paragraph of my original post for details of our setup).

I have not tried moving the server to a DMZ and am reluctant to make major changes since this is the sole server (web, file server, DNS, DHCP, LDAP) for our school (250 students, 50 staff).

~Alex

Hi Alex, that's peculiar, I'll admit. I keep re-reading what you're saying and I don't spot anything abnormal.

Does your server have to use a different method instead of SSH such as Telnet or HTTP?

If so, do those services hang?

-Tom
Please mark answered for helpful posts

Hi Tom, and thanks for sticking with this.

I see this behaviour from any SSH/SFTP client I've tried to connect to my server: a Mac using either Terminal or FileZilla, a PC using PuTTY, an iPhone using ServerAuditor. The server is not configured to accept unsecured telnet or FTP connections, so I haven't tested them.

The server is a new Mac Mini running 10.9, which I know has had some firewall issues. I might suspect the server, but given that the issue can be created/mitigated simply by plugging in or unplugging the cable from the fibre modem at the WAN2 port of the router I don't see how the server can be the cause.

I'm stuck, and certainly appreciate any guidance.

Alex

Hi Alex, I think one thing you should really consider is the DMZ to see if it is localized to a dual-WAN issue or not. If the problem follows with both WAN up in the DMZ I'd agree there is something possibly not operating correctly.

Another argument may be, if you're kind of thinking somehow the load balance is messing things up, bind ALL SERVICE for the server to one specific WAN, don't leave it limited to just the one port. That may also give some insight, especially if the server works as expected.

-Tom
Please mark answered for helpful posts

I tried binding ALL TRAFFIC from 10.10.10.10 (server IP) to 0.0.0.0 (anywhere) to WAN1, and it's looking good so far. I'll continue testing and update. THANKS, TOM!

This solution (binding all traffic from the server to WAN 1) is solid: it works fine and has been tested by several remote users. I'm not overjoyed at pushing all outbound server traffic out over our slower connection, however (1.5 Mbps up vs. 30 Mbps up on our fibre).

I was hoping I could get by by just binding port 22 to WAN 1. When I netstated I saw that 22 was the only port being used on the server end, but the remote end was using high-number 'ephemeral ports'. When I tried creating a port binding for 22 and another for the high numbers (49152 to 65535), however, the connection failed again. I can't think what it is that SSH needs that is being bound with ALL TRAFFIC that isn't being bound with TCP22 & TCP49152~65535. What could it be???

Another idea might be to create a binding that ties specific protocols important for the server to WAN 2. That is, bind HTTP, HTTPS, Apple File System, SMB to WAN 2. Do you have any sense if that would shift that traffic successfully over to the faster connection? 

~Alex

Alex, I somehow feel the problem is inverted. I somehow feel like your server has an external web dependency that has to do with the proper authentication hence the solution met.

For your idea to work, you'd first need to identify which services such as authentication are needed. Otherwise the bind all rule may conflict with binding specific to WAN 2.

-Tom
Please mark answered for helpful posts
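The two posts above (Alex's TCP22 plus TCP49152~65535 bindings failing where ALL TRAFFIC works, and Tom's guess that the server has an outside dependency the narrow rules never cover) come down to which of the server's outbound flows a per-service binding rule actually matches. The model below is an added illustration, not RV016 firmware logic or anything posted in the thread: it assumes a binding rule is keyed on the flow's destination port (as a "TCP/22~22" service is) and on the internal source address, and it classifies a few constructed flows against the narrow rule set and the ALL TRAFFIC rule. The sample addresses are documentation ranges, the "external https" and "DNS" flows stand in for the hypothetical dependency Tom describes, and the client ephemeral ports reflect the fact that Linux defaults to 32768-60999 while macOS and Windows default to 49152-65535.

```python
"""Model of per-service protocol binding on a dual-WAN router.

Added example: the matching semantics (source address + destination port),
the rule names and every address/port below are assumptions or constructed
sample data, not the router's real configuration.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class BindRule:
    name: str
    wan: str
    src_net: ipaddress.IPv4Network  # internal source range the rule covers
    port_lo: int                    # destination port range, inclusive
    port_hi: int
    proto: str = "any"              # "any" matches every protocol

    def matches(self, f: Flow) -> bool:
        return (ipaddress.IPv4Address(f.src_ip) in self.src_net
                and self.port_lo <= f.dst_port <= self.port_hi
                and self.proto in ("any", f.proto))


def choose_wan(flow: Flow, rules, default_wan: str = "either"):
    """First matching rule wins; unmatched flows fall to the load balancer,
    which may send them out either WAN (and so possibly the 'wrong' one)."""
    for r in rules:
        if r.matches(flow):
            return r.wan, r.name
    return default_wan, "load-balanced (no binding matched)"


SERVER = "10.10.10.10"
SERVER_NET = ipaddress.IPv4Network(SERVER + "/32")

# Narrow rules as the thread describes them: SSH plus a high-port range.
NARROW_RULES = [
    BindRule("SSH", "WAN1", SERVER_NET, 22, 22, "tcp"),
    BindRule("ephemeral", "WAN1", SERVER_NET, 49152, 65535, "tcp"),
]

# The rule that worked in the thread: everything from the server to WAN1.
ALL_TRAFFIC_RULE = [
    BindRule("ALL TRAFFIC", "WAN1", SERVER_NET, 1, 65535, "any"),
]

# Constructed sample flows leaving the server (assumed, not captured traffic).
SAMPLE_FLOWS = {
    # SSH reply to a macOS/Windows client: ephemeral port inside 49152-65535
    "reply to macOS client": Flow(SERVER, 22, "203.0.113.5", 52000),
    # SSH reply to a Linux client: ephemeral port below 49152
    "reply to Linux client": Flow(SERVER, 22, "203.0.113.6", 40000),
    # hypothetical outside dependency (Tom's guess), e.g. an HTTPS lookup
    "server -> external https": Flow(SERVER, 50123, "198.51.100.7", 443),
    # hypothetical DNS query the server makes while handling the login
    "server -> DNS": Flow(SERVER, 50124, "198.51.100.53", 53, "udp"),
}


def classify(rules):
    """Map each sample flow label to the WAN the rule set sends it out of."""
    return {label: choose_wan(f, rules)[0] for label, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for title, rules in (("narrow rules", NARROW_RULES),
                         ("ALL TRAFFIC", ALL_TRAFFIC_RULE)):
        print(f"--- {title} ---")
        for label, flow in SAMPLE_FLOWS.items():
            wan, why = choose_wan(flow, rules)
            print(f"{label:26s} -> {wan:6s} ({why})")
```

Under the narrow rules only the reply to the macOS client is pinned to WAN1; the reply to a client whose ephemeral port is below 49152, and any side flow the server opens itself, are left to the load balancer and can leave via WAN2, so a session whose inbound half arrived on WAN1's static IP ends up with an asymmetric path. The ALL TRAFFIC rule pins every flow, which is consistent with it being the configuration that worked. The model does not identify which dependency, if any, the real server has; that is exactly what Tom suggests working out before binding individual services to WAN 2.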