08-18-2011 02:10 PM
I have 2 RV042s linked up with a gateway-to-gateway VPN. This works great.
Router A has a public static WAN IP address; router B has a private NATed WAN IP address.
I have UPnP rules on router A to allow any computer outside the VPN to access resources under router A's subnet. This works great also.
UPnP rules like: redirect port 80 to IP address A.x. It works.
When I tried, on router A, to do a rule like: redirect port 90 to IP B.y, it does not work.
Goal is: I want to access resources under the router B subnet, from outside the VPN.
As router A has a public IP and B does not, I need to use router A as a gateway to access router B resources.
What do I need to do to achieve this? Normal UPnP rules do not seem to work.
____________
More IP info:
Router A, LAN IP: 192.168.64.1, mask: 255.255.255.0
Web server x, LAN IP: 192.168.64.2 <- linked to router A LAN
Router B, LAN IP: 192.168.69.1, mask: 255.255.255.0
Web server y, LAN IP: 192.168.69.3 <- linked to router B LAN
From outside, http://WAN_A:80 -> I see web pages from server x.
From outside, http://WAN_A:90 -> does not work.
UPnP rules in router A:
port TCP 80 public -> port 80 private -> 192.168.64.2
port TCP 90 public -> port 80 private -> 192.168.69.3
___________
More information:
Ports 80 and 90 are not blocked by my ISP.
If I swap ports, I mean if I redirect port 90 to web server x, and port 80 to web server y:
http://WAN_A:90 -> I see web pages from server x.
http://WAN_A:80 -> does not work.
____________
Thank you for your help and have a nice day!
08-19-2011 05:25 AM
More information, again:
If I connect my computer to the VPN, using a PPTP VPN connection with router A as gateway, I can access the web server y pages.
I get an IP address like 192.168.64.101, and http://192.168.69.3:80 displays web pages from web server y.
Again, the goal here is to have access to the resources under router B without being obligated to be inside the VPN connection, or under the LAN of any router.
Forgot to mention, the 2 routers are Cisco RV042s.
Thank you very much and have a nice day.
08-22-2011 01:54 PM
An IT guru gave me the answer, I'll post it here for anyone who needs it.
Feel free to post comments.
The problem is, from router A's point of view, redirecting ports to devices over the VPN is an attack.
When we ask http://WAN_A:90, router A sees a query from the WAN that tries to access LAN resources, but that needs to be redirected to the WAN. This should not happen, so router A blocks the query and does not redirect.
So here is what can be done with the RV042:
SRC   DEST   REDIRECT TO   VALID
LAN   WAN    WAN           OK (from LAN to WAN)
WAN   LAN    LAN           OK (normal UPnP setup)
WAN   WAN    WAN           OK*
WAN   LAN    WAN           NO (that is the problem we want to resolve)
LAN   LAN    WAN           OK (VPN)
* WAN WAN WAN OK explanation:
I tried to redirect port 80 to https://supportforums.cisco.com, and it works. That means you can do UPnP toward WAN resources and it works, with Cisco RV042 routers.
Here is the solution:
Connect the internet port of a 3rd RV042 router (name it router D), to the router A LAN port.
Router D WAN address is: 192.168.64.4, mask: 255.255.255.0
Router D LAN address is not important as you won't connect its LAN port. BUT, its LAN address must not conflict with any LAN address inside your VPN. So it may be: 192.168.255.254, mask: 255.255.255.254.
In router A, enter DMZ host: 192.168.64.4 (router D WAN address)
In router A, remove any UPnP rules.
In your router D, enter the UPnP rules you just removed from router A, e.g.:
port TCP 90 public -> port 80 private -> 192.168.69.3
And it works!
WHY?
When we ask http://WAN_A:90, router A sees an outside query on port 90, not mapped, and redirects it to the DMZ (192.168.64.4), OK.
Router D sees a WAN query that accesses WAN resources, so it forwards it to the WAN (192.168.69.3) (WAN WAN WAN OK).
Router A sees a LAN query that goes to the LAN (VPN), so it redirects it to the VPN gateway (WAN), OK.
Voilà!
In conclusion, to do UPnP over VPN, you need an extra router, so the redirected queries seem to come from inside the network.
Have a nice day.