PlusNet Hub One, static IP bridge mode

fulmar
Hooked
Posts: 6
Registered: 09-11-2016

Re: PlusNet Hub One, static IP bridge mode

Hi,

I don't know how DMZ is constructed in your Hub. The point is it must accept any protocol, and both incoming and outgoing ports must be configured to be open, i.e. 1-65535. If that is what you have, then make use of it. The important bit is that the device to which all traffic is to be forwarded must have an IP address which is in your WAN2 configuration.

Yes, this should be under the Port Forwarding heading in the Hub. I agree that the Hub One is a very simple device which is fine for many users, but I wouldn't want it in my network, not least because its firewall is very primitive and, to be honest, not fit for purpose.

(Not around for 4 hours...)

redtela
Grafter
Posts: 28
Thanks: 2
Registered: 28-05-2015

Re: PlusNet Hub One, static IP bridge mode

scargill,

Feel free to take this with a pinch of salt... but...

What are your actual requirements here? Forwarding all ports (or apply DMZ) seems like overkill to me.

Routers/modems that are supplied by ISPs are typically abysmal for more advanced usage. I haven't had my hands on the Plus One, but I suspect it's no different.

I think I saw in the thread that you have a TP-Link? That could (with sufficient knowledge) probably be flashed to run a variant of DDWRT (an open-sourced modem/router), which would both provide the VDSL connection to Plusnet (so long as your TP-Link supports VDSL) and provide VPN etc.

As to your specific problem, I'm assuming you only really care about your employer's VPN.

Talk to the Network Operations team at your employer. Given you require inbound connections to reach some network endpoint, I'm assuming you require some variant of IPSec (which typically calls back on port 19080 TCP). As a general rule, you should only expose the ports you require, and your employer should be able to assist you with this.

Putting the DrayTek in to DMZ (by either mechanism mentioned in this thread) will probably also work, but is much more risky (what if the DrayTek has remote management enabled and default passwords?).

Once you're armed with more information, post back here as to your exact requirements - I'm fairly sure you won't need a static IP for the DrayTek, and you probably won't need bridged mode either. But feel free to correct me if I'm wrong.

scargill
Grafter
Posts: 41
Registered: 25-06-2015

Re: PlusNet Hub One, static IP bridge mode

Ok so not in order - I don't have any employers. I want to be able to vpn into my UK home when I am overseas in the summer for 6 months.

So, start at the beginning - start of this year went from Plusnet broadband (great, reliable) to Plusnet super fast broadband and got the Plus One. It dropped out from time to time.  So I bought the TP-Link (which is Plusnet compatible and does VDSL2)  - because my Drayteks can't do VDSL2. Spent the summer fighting with Plusnet as to why the almost daily dropouts.  So - back to the UK now.. Sorting where the problem is will take weeks minimum hence I don't want to buy another modem.

They've sent me another Plus One to narrow down the problem - I think likely the broadband but they're convinced the router - hence the new one - it is up and running.  But it is basically a toy, no throttling, no bandwidth monitoring, no VPN server - all stuff that the Drayteks do well.  The 2830 is meant for high speed networks so fast enough but does not do VDSL2 - but it has a WAN2 port.  So I  thought it would be good to just pass everything from the Plus One to the Draytek. But people in here say the Plus One can't simply act as a pass-through modem - which I don't understand as if that is the case why have the ability to pass all ports through with the DMZ menu item.

So ideally what I'm after is the Draytek as 192.168.0.1 - feeding fixed and dynamic addresses out to the rest of the network... it would be best if the Plus One is on another subnet as there is no use for it other than pulling in the broadband.  I'm just concerned that port redirection and vpn will work properly on the Draytek when used this way. With other services and other modems this is definitely possible. A pal on Virgin with their modem has done the same.

I don't plan to put the DMZ on the Draytek - the idea was to put it on the Plus One and simply pass everything over to the WAN2 port on the Draytek with that set to PPPoE?? And as for passwords etc on the Draytek - that's not a problem, I know Drayteks like the back of my hand.

redtela
Grafter
Posts: 28
Thanks: 2
Registered: 28-05-2015

Re: PlusNet Hub One, static IP bridge mode

OK, so you should be aware of the ports you require connections to (I also allow VPN inbound to PN IP address, likely for the same reason, and also allow SSH inbound etc and have had my own discussions with PN over this).

Again, I haven't laid my hands on the Plus One, so I'm not sure if it can do this, but....

  1. Configure the DrayTek to completely ignore DHCP, manually set the IP of WAN2 to a static address within the same subnet as the Plus One.
  2. Configure the DrayTek firewall appropriately for your usage, secure, but permit/forward whatever services you require. You sound familiar with them, so easy enough.
  3. Either:
    1. Add the DrayTek to the Plus One DMZ following the limited webpages that the Plus One has (this will let the DrayTek do the heavy lifting of what traffic to route where). Or,
    2. Setup individual port forwards in the "Games" settings of the Plus One, where the Plus One forwards to the DrayTek (either by IP or MAC - my Thomson provided by PN configures port forwarding by MAC for obvious reasons).
  4. Configure any port forwarding on the DrayTek as you require, or setup inbound VPN services if your DrayTek supports it.

If you're not sure of the ports you need to listen on, feel free to describe your situation a more (what device/software accepts VPN etc?).

Probably off topic... My PN connection stops accepting inbound connections periodically (specifically SSH), I'm convinced this is faults within the PN network, trying to get someone to investigate this within PN is like trying to plait fog.

scargill
Grafter
Posts: 41
Registered: 25-06-2015

Re: PlusNet Hub One, static IP bridge mode

Hi RedTela

I'm slightly ahead of you - and slightly behind. I put the Plus One as 192.168.2.1 and set up to talk to the Draytek as 192.168.2.30 and set the DMZ accordingly.

In the Draytek I told it to go to 192.168.2.1 - not as PPPoE but as fixed address.

And all of that works perfectly - except....

I can access ports redirected on the Draytek to internal kit - but only from the outside. I could always use external addresses before but not now... but If I go outside - I can get into internal stuff so that's all working.

EXCEPT for SSL. So using the original setup - or indeed the Plus One, my SSL Raspberry Pi (not a self-cert) worked a treat - with this intermediate step - the SSL won't work - just can't get through - now one could argue the Draytek has VPN and remote management but following their instructions I've put that on another port address.... strangely enough - in Spain - I have a simple wireless modem then feeding a Draytek (different model) and that won't do SSL....

So there is no doubt the Plus One can DMZ straight to the Draytek and it works - and port redirection works..

But that leaves the two questions - why does this configuration stop me accessing the external addresses from within the network when I could before... and more importantly, why can't I pass SSL on port 443 over.

Here's something that might help. I'm remoting in now from a machine I have in Spain (I'm in the UK but I can access that as an external source via TightVNC).

I have both 443 and 1880 coming into my Raspberry Pi here... if I SSL (https:) on port 1880 - no problem - I get the nice green secure connection - but if I try 443 - it won't have it - SAME in Spain - as I have EXACTLY the same issue in Spain - and now - similar setups, this is sounding more like an issue with DMZing port 443 - or the Drayteks doing something to port 443 -  if anyone has any ideas - this could solve 2 issues at once - sorry the problem is mutating as it goes along...

redtela
Grafter
Posts: 28
Thanks: 2
Registered: 28-05-2015

Re: PlusNet Hub One, static IP bridge mode

This sounds a lot like WAN<->LAN filtering.

If I have read your post correctly, external services work perfectly well (save for SSL), but you cannot test internally when accessing the DrayTek from 192.168.2.0/24 ?

If so, for the internal tests, you're on the DrayTek's LAN, trying to access services on its WAN connection, and for security reasons, the DrayTek has chosen to block you.

On a 2860 (I use them often) you have a few options, but I don't know if the 2830 supports them:

  1. Setup a VLAN on the 2830 that includes WAN and LAN ports, I won't detail the specifics as you're familiar with DrayTeks, but the VLAN would not encounter the same filtering.
  2. Configure port forwarding on the LAN interfaces to point to the same destinations as port forwarding on WAN2.
  3. Enable WAN<->LAN traversal without any VLAN/port forwarding changes.

I've also just pulled the 2820/2830 user manual, check out page 8 (Access internal website on real world IP) for SSL issues - you'll likely need to enable NAT traversal.

It's also a possibility that your non-self-signed certificate specifies port and you're now listening on a different port (on the DrayTek). Check logs on the DrayTek to confirm SSL is being forwarded to the Pi, and check VPN logs on the Pi. OpenVPN would definitely log complaints that the SSL certificate didn't match, but the statements aren't explicit in their meaning.

EDIT: Another possible workaround (not solution) for you, set the 2830 as your DNS server, tell it that the external addresses resolve to internal IPs - somewhat similar to setting up an internal DNS zone file. That way, you'll never come from LAN and try to access WAN services. There's a distinct possibility that the Plus One is also performing WAN<->LAN filtering. EDIT#2: This will likely break SSL, if the certificate has been properly generated for a secure connection!

scargill
Grafter
Posts: 41
Registered: 25-06-2015

Re: PlusNet Hub One, static IP bridge mode

Thanks for this - things have changed SLIGHTLY due to my incompetence. I had not enabled the 443 redirection - so this is no longer (probably) a Plusnet issue.

Spain: wireless black box to Draytek 2830 -  can't do external addresses looking in. Can't do SSL on 433. This SSL is self cert.

Britain: Plus One to Draytek 2830 - can't do external addresses looking in (COULD when I was just using Plus One or originally a TPLINK) but the SSL DOES work. THIS SSL is proper job.

Armed with this info if you have any insights would LOVE to hear from you - sorry for any confusion.

redtela
Grafter
Posts: 28
Thanks: 2
Registered: 28-05-2015

Re: PlusNet Hub One, static IP bridge mode

Clarify for me, by "external address" - are you using domain name lookup, or direct by IP (and I assume IP is correct, either manually or by DNS)?

scargill
Grafter
Posts: 41
Registered: 25-06-2015

Re: PlusNet Hub One, static IP bridge mode

Certainly - please do see my note about solving the SSL in the UK - clearly not a Plusnet issue.. but common to both installations is this external address thing.

So - let's say I have a Raspberry Pi serving up a web page - I can access it as 192.168.x.x

If I point one of my subdomains at it - and put a port redirect in the router to the Pi... I can access it with the external address just as you could from your location.

For some time in Spain I've had this double situation with a wireless internet (in the hills) and a Draytek and since then that use of external addresses has never worked. So here we are this morning  with my normal router attached to Plusnet (changed as we have a reliability question - is it the router or the connection.. etc) no problem - subdomain.mydomain.com in the browser.... works a treat. NOW with the Plus One DMZing to the Draytek I have the same situation as I have in Spain - I can no longer use the external addresses.  Other people can - just not me.

And I simply don't understand WHY.

redtela
Grafter
Posts: 28
Thanks: 2
Registered: 28-05-2015

Re: PlusNet Hub One, static IP bridge mode

The situation your last post describes is LAN<->WAN filtering.

From the UK (inside your house - assuming the PN IP is your home), you're presumably connected to either a LAN interface on the 2830, or a LAN interface on the Plus One, or a wLAN interface on either 2830 or Plus One.

In such a case, the following happens:

  1. Your computer resolves subdomain.mydomain.com, obtains IP as configured in domain management DNS (I suspect, the PN IP? If 192.168.2.0/24, you need to change domain settings with the provider portal).
  2. You attempt to access IP on the specified port.
  3. Coming from a LAN (or wLAN) interface, protection mechanisms on either the 2830 or Plus One block you (rightly so, in my opinion).

So, from the UK, what happens if you try to access the service on the 192.168.2.0/24 IP address, rather than using subdomain.mydomain.com? Note: If you're trying to use a properly generated SSL certificate, this will fail due to SSL negotiation (the provided name differs from the name in the certificate).

Forgive me for this, but from the description I have so far, I'm tempted to think that subdomain.mydomain.com resolves to some address within 192.168.2.0/24 (specifically, the Pi's address). In such case, the connection will not work from Spain (but will happily from the UK).

Maybe I've drunk too much whisky this evening though...
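
As an added illustration (not code from this thread, and not Plus One or DrayTek firmware logic), the model below walks a single packet through the chain redtela laid out earlier (hub DMZ to the DrayTek's WAN2, per-port forwards on the DrayTek) and through the three LAN<->WAN steps just described. Everything in it is constructed: 203.0.113.10 stands in for the Plusnet-assigned public address, 198.51.100.7 for a client abroad, the Pi is assumed at 192.168.0.50 on the DrayTek LAN, and the only ports forwarded are the 443 and 1880 mentioned in the thread.

```python
"""Toy model of an ISP hub that owns the public address and DMZs to a DrayTek
on WAN2, whose LAN hosts a Pi.  One packet is traced per scenario to show why a
client on the inside LAN cannot reach its own public address unless the router
owning that address loops it back (NAT loopback, a.k.a. hairpin NAT), while the
same packet from the Internet is delivered.  Constructed example; all addresses
are made up (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IP = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Nat:
    """WAN address, LAN gateway address and subnet, explicit port forwards,
    optional DMZ host (catch-all forward) and a NAT-loopback flag."""
    name: str
    wan_ip: IP
    lan_ip: IP
    lan: Net
    forwards: Dict[int, Tuple[IP, int]] = field(default_factory=dict)
    dmz_host: Optional[IP] = None
    hairpin: bool = False

    def translate(self, src: IP, dst: IP, port: int):
        """Return (new_src, new_dst, new_port, note); new_dst None means dropped."""
        if dst != self.wan_ip:
            # Ordinary outbound traffic: source NAT to the WAN address.
            return self.wan_ip, dst, port, f"{self.name}: outbound, SNAT {src} -> {self.wan_ip}"
        if src in self.lan:
            if not self.hairpin:
                return src, None, port, f"{self.name}: LAN client hit own WAN IP, no NAT loopback: dropped"
            src = self.lan_ip  # loop back in, re-sourced so the reply returns via this router
        if port in self.forwards:
            inside, iport = self.forwards[port]
            return src, inside, iport, f"{self.name}: port forward {port} -> {inside}:{iport}"
        if self.dmz_host is not None:
            return src, self.dmz_host, port, f"{self.name}: DMZ catch-all -> {self.dmz_host}:{port}"
        return src, None, port, f"{self.name}: no forward for port {port}: dropped"


def _owner(routers: List[Nat], dst: IP) -> Optional[Nat]:
    return next((r for r in routers if r.wan_ip == dst), None)


def _gateway(routers: List[Nat], src: IP, dst: IP) -> Optional[Nat]:
    # A LAN host hands anything off its own subnet to its gateway router.
    return next((r for r in routers if src in r.lan and dst not in r.lan), None)


def trace(routers: List[Nat], src: IP, dst: IP, port: int):
    """Walk src -> dst:port through the chain; returns ((ip, port) or None, notes)."""
    for r in routers:
        if src in r.lan and dst in r.lan and _owner(routers, dst) is None:
            return (dst, port), [f"{src} and {dst} share the {r.name} LAN: delivered directly"]
    notes: List[str] = []
    router = _gateway(routers, src, dst) or _owner(routers, dst)
    if router is None:
        notes.append(f"{dst} is private or not behind any modelled router: unreachable from {src}")
        return None, notes
    for _ in range(8):  # bound the walk in case a configuration loops
        src, dst, port, note = router.translate(src, dst, port)
        notes.append(note)
        if dst is None:
            return None, notes
        nxt = _owner(routers, dst)
        if nxt is not None and nxt is not router:
            router = nxt  # the next router in the chain owns this address
            continue
        if dst in router.lan:
            notes.append(f"delivered to {dst}:{port}")
            return (dst, port), notes
        router = _gateway(routers, src, dst)
        if router is None:
            notes.append(f"left the modelled network towards {dst}")
            return None, notes
    notes.append("gave up after 8 hops")
    return None, notes


PUBLIC = IP("203.0.113.10")  # constructed stand-in for the ISP-assigned WAN address
PI = IP("192.168.0.50")      # constructed Pi address on the DrayTek LAN


def build_chain(hub_loopback: bool = False) -> List[Nat]:
    """Hub on 192.168.2.0/24 with DMZ host 192.168.2.30 (the DrayTek's WAN2, as in
    the thread); DrayTek LAN on 192.168.0.0/24 forwarding only 443 and 1880 to the Pi."""
    hub = Nat("Plus One", PUBLIC, IP("192.168.2.1"), Net("192.168.2.0/24"),
              dmz_host=IP("192.168.2.30"), hairpin=hub_loopback)
    draytek = Nat("DrayTek", IP("192.168.2.30"), IP("192.168.0.1"), Net("192.168.0.0/24"),
                  forwards={443: (PI, 443), 1880: (PI, 1880)})
    return [hub, draytek]


def from_internet(port: int = 443):
    return trace(build_chain(), IP("198.51.100.7"), PUBLIC, port)


def from_inside(port: int = 443, hub_loopback: bool = False):
    return trace(build_chain(hub_loopback), IP("192.168.0.60"), PUBLIC, port)


if __name__ == "__main__":
    for label, (hit, notes) in [("Internet -> public:443", from_internet()),
                                ("LAN -> public:443, no loopback", from_inside()),
                                ("LAN -> public:443, hub loopback on", from_inside(hub_loopback=True)),
                                ("Internet -> public:22 (not forwarded)", from_internet(22))]:
        print(label, "=>", hit, *["\n    " + n for n in notes])
```

Two things fall out of the run. First, the inside client's packet is dropped at the hub, not the DrayTek: in this chain the DrayTek only SNATs it outbound, so the loopback decision sits with whichever router owns the public address, which is why the hub's own LAN<->WAN behaviour matters as much as the DrayTek's settings. Second, a port the DrayTek does not forward (22 here) is dropped there even though the hub's DMZ passed it on, which is the narrower exposure redtela argued for over a blanket DMZ.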

scargill
Grafter
Posts: 41
Registered: 25-06-2015

Re: PlusNet Hub One, static IP bridge mode

I'm at risk of boring the pants off people here by repetition... sorry... so:

UK - SSL works a treat - my incompetence. Only issue is - this address problem - UK has the "proper" certificate but otherwise set up for that the same as Spain (self-Cert).

Spain - SSL on that port is not having it - any other port just fine... but Amazon won't wear any other port for ECHO... but this morning before I adopted the dual modem setup - I could access the external address looking back in no problem - now with dual modems - I have exactly the same issue as Spain. Any external addresses looking into my systems I cannot access

Generally- before I adopted the dual modem setup (and I think it's the same in Spain but it was a while back) - I could access the external address looking back in no problem - now with dual modems - I have exactly the same issue as UK Spain. Any external addresses looking into my systems I cannot access locally..

Does that make sense?