cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1209
Views
0
Helpful
2
Replies

RV180 using NoIP DDNS from behind NAT router

pdaggus-2015
Level 1
Level 1

I have an RV180 and an RV180W at two sites - with the aim of setting up a VPN between the sites.

I am pleased to see that NoIP is now supported - so I was looking forward to automating my working configuration so I no longer need keep track of IP addresses.

To my dismay it did not work.

Closer inspection showed that NoIP recorded the IP address of the DDNS domain name as 192.168.x.x - in other words, the input side of the edge router.

My configuration at one of the sites has to put the RV180 on the LAN side of the edge router - because reconfiguring the cable router is not an option. However the network supplier has no issue with recoding the router to put the RV180 LAN port in the DMZ so, according to the Cisco documentation, there should be no issue.

Indeed if I manually set the VPN tunnel IP address to the WAN (internet facing) IP address then all does work fine.

I checked with NoIP and the issue is that the Cisco implementation of the DDNS update client chooses to send NoIP its 'WAN' address rather than leave the parameter blank. If the IP address parameter is supplied in the update request then NoIP uses the supplied parameter. If no IP address was specified, the more usual way, then NoIP would read the Internet source IP from the HTTP handshake and would find the real internet-facing IP address - which is exactly what we want. Cisco's implementation supplies the WAN port IP address - which causes the problem.

The question is why it is not sufficient to leave out the IP address and let NoIP use the source IP. What is the use in a VPN scenario of setting a perimeter network IP address which can never be found on the internet by definition.

If there is a reason that is not obvious - then why not /and option to use the box WAN address OR to not specify an IP address so that the DDNS provider is left to work out the true internet IP address?

My configuration works fine as long as I externally set the DDNS lookup value. What I want to do is for the RV180 to do what it says it does and set the internet address correctly.

Is this a Cisco firmware issue - or is there a way of forcing the update system to do what is needed?

 

2 Replies 2

cchamorr
Level 5
Level 5

Hello, 

Im sorry you are having issues with your device.

Unfortunately, this is not an issue or a firmware problem, this is just the way that it was designed to work from the beginning because, normally, a VPN behind an edge router is not supported.

With that being said, I'm not sure how NOIP works but on a case when I needed to have that same feature and I was using DYNDNS, what I had to do was to remove the configuration from the router and just setup the address directly on the DYNDNS website and this worked for me.

i know this is not a fix but I thought it could work as a workaround.

I hope this helps.

Hi - thanks for the response.

I am not sure why you say that VPN behind a NAT firewall is not a supported configuration. It is covered in the documentation - indeed there are instructions how to configure the firewall to pass through the required ports / protocols. I have my system set up with the RV180 in the DMZ configuration - which is one of the suggested configuration options.

There is no reason why a VPN will not work across a NAT router. The only issue is over IP connectivity. I regularly use VPN services to other offices from my computer from behind a firewall.

The issue I was reporting was not the working of the VPN - but rather the way that the RV180 firmware handles DDNS, specifically for NoIP.

You are correct that I can drive NoIP directly from a computer behind the firewall and simply disable DDNS in the RV180. It works but it is not a fix.

If the firmware in the RV180 simply sent the login request to NoIP then NoIP would use the originating IP address to populate its DNS tables - which is what happens when you manually access NoIP from a computer. However the RV180 chooses to specifically send its WAN IP address rather than omit the IP address. As a result, NoIP receives a 192.168 private IP address that is of no use.

Ideally the NoIP configuration page should have a tick box 'send WAN IP y/n?'. If set to No then the firmware should simply send the login and account data without sending the WAN IP.

More simply - just don't send the WAN IP address at all. I cannot see why you would ever want a router to do a DDNS update to an IP address other than the internet address it was connected to.

So - back to my suggestion. Please, Cisco, modify the NoIP DDNS update firmware so it either allows the option of or defaults to not sending the WAN IP address explicity. Let NoIP figure it out.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: