Bay510
Oct 07, 2019, Guide
RBR50 - VPN assigns IP address to different subnet
Hi everyone, I have the Orbi RBR50 w/ FW v2.3.5.30. The issue I'm having is when I connect via VPN (OpenVPN iOS app), the IP address assigned is on a different subnet. (ie: my internal addresses a...
CrimpOn
Oct 07, 2019, Guru - Experienced User
Well, aside from my understanding of the English language not matching that of Netgear, I have one other idea.
The default LAN subnet mask on the Orbi is 255.255.255.0 (a "Class C" subnet of up to 254 devices).
There is nothing preventing a subnet mask of 255.255.0.0 (a "Class B" subnet of 65,000 devices).
If that one change is made and the Orbi restarted, the IP address currently being given to the VPN would be in the same LAN subnet.
(I find it strange that in my case, my DHCP range is 192.168.1.x and VPN gave my device 192.168.2.x. In your case, the DHCP range is 192.168.88.x and VPN gave you 192.168.89.x. Maybe VPN simply "adds one" to the DHCP range?)
Bay510
Oct 08, 2019, Guide
Well, I tried the 255.255.0.0 subnet. Rebooted / refreshed the dynamic DNS and VPN settings / rebooted / redownloaded the VPN file for iOS... no joy.
Without changing the internal 192.168.88.x address (only the subnet mask to 255.255.0.0), OpenVPN for iOS showed my VPN IP address as 10.1.0.0.
Changed internal IP addresses to 10.0.0.x with subnet of 255.255.0.0. Did all the reboots / refreshes / redownloading of VPN files... iOS OpenVPN gives IP address of 10.1.0.0.
Yes, it does look as if VPN "adds one" to the DHCP range, effectively placing you on another subnet, which cannot access devices on the main LAN if they are set to "block" via access control... sigh
Ok, if an official Netgear rep/engineer could chime in on this, it would be helpful. An ability to set the IP address of the VPN clients would be great. Or at least stop +1 the DHCP range placing you on a different subnet. This does not play nice with the "Access Control" feature of Orbi. (I have read that you can do this in openvpn server. Not really applicable in Orbi owner's case But to be able to do this from the router would be appreciated.)
So in my case, the only option I have is to "allow" access to my cams, but block all ports. My last question is if I block all ports (TCP/UDP), is this essentially the same as using "block" in access control?
CrimpOn, thank you so much for taking the time to help! Thank you ekhalil for helping as well! I really appreciate it.
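Added example (not part of any post in this thread, and not Netgear's code): a check of the "adds one" guess against the four address observations reported above, using Python's `ipaddress` module. Host parts written as "x" in the posts are filled with 0, and the function names are illustrative.

```python
import ipaddress

# Observations from the thread: (LAN address, LAN mask, address the VPN client got).
# Host parts given as "x" in the posts are set to 0 here (constructed).
OBSERVATIONS = [
    ("192.168.1.0",  "255.255.255.0", "192.168.2.0"),
    ("192.168.88.0", "255.255.255.0", "192.168.89.0"),
    ("192.168.88.0", "255.255.0.0",   "10.1.0.0"),
    ("10.0.0.0",     "255.255.0.0",   "10.1.0.0"),
]

def next_network(net):
    """Adjacent network of the same prefix length (the "add one" guess)."""
    base = int(net.network_address) + net.num_addresses
    return ipaddress.ip_network((base, net.prefixlen))

def analyse(lan_addr, mask, vpn_addr):
    """Compare one observed VPN address with the LAN subnet and its neighbour."""
    lan = ipaddress.ip_network(f"{lan_addr}/{mask}", strict=False)
    vpn = ipaddress.ip_address(vpn_addr)
    return {
        "lan": str(lan),
        "next": str(next_network(lan)),
        "vpn_in_lan": vpn in lan,                       # same subnet as LAN devices?
        "matches_add_one": vpn in next_network(lan),    # consistent with the guess?
    }

def same_subnet(addr, lan_addr, mask):
    """Would addr sit inside the LAN subnet under the given mask?"""
    lan = ipaddress.ip_network(f"{lan_addr}/{mask}", strict=False)
    return ipaddress.ip_address(addr) in lan

if __name__ == "__main__":
    for lan_addr, mask, vpn_addr in OBSERVATIONS:
        r = analyse(lan_addr, mask, vpn_addr)
        print(f"LAN {r['lan']:<17} VPN {vpn_addr:<13} "
              f"in LAN: {r['vpn_in_lan']!s:<5} next={r['next']:<17} "
              f"add-one: {r['matches_add_one']}")
    # A 192.168.89.x address would fall inside the LAN under a /16 mask,
    # but the address actually handed out in that test was 10.1.0.0.
    print(same_subnet("192.168.89.0", "192.168.88.0", "255.255.0.0"))
```

In none of the four observations does the VPN address fall inside the LAN subnet, and the 192.168.88.x with 255.255.0.0 case is the one observation the "adds one" guess does not account for.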
- Bay510, Oct 08, 2019, Guide
EDIT:
" (I have read that you can do this in openvpn server. Not really applicable in Orbi owner's case But to be able to do this from the router would be appreciated.)"
For clarity: I read that you can configure openvpn server to specify the IP address of connecting VPN clients. Though not at all applicable to Orbi owners, a similar feature, I think, would be beneficial to us Orbi users.
- CrimpOn, Oct 08, 2019, Guru - Experienced User
Bay510 wrote: So in my case, the only option I have is to "allow" access to my cams, but block all ports. My last question is if I block all ports (TCP/UDP), is this essentially the same as using "block" in access control?
I am probably missing the point somehow. If the cameras are set to Allow, that means that the cameras can access the internet, and once they open a connection to someplace, that connection can be used for two-way communication. It does not mean that someone on the internet can open a connection to the camera from outside.
Go ahead, try it. The Orbi has a public IP address. Open a web browser and try to get through the Orbi to one of the cameras. The Orbi is doing "NAT" so that each time a device on the Orbi LAN opens a connection, it gets assigned a port number by NAT. Until the device opens a connection, the router has no mechanism to connect something on the outside to it.
There are only three ways a connection can be opened from outside: (1) using VPN, (2) by "opening a port" to a specific internal IP address, and (3) by putting one device in the DMZ.
- Bay510, Oct 08, 2019, Guide
Thank you for all your help CrimpOn! I appreciate the explanation. My concern with securing the cams is to block them from being able to establish outbound connections to the internet entirely. Basically to secure against any back doors that the cams may contain and/ or prevent them from broadcasting and exposing themselves to attack. At the same time, I need to be able to access them from my network and when away from my network (VPN). That's why I was attempting to do this at the router, not the cams themselves.
So I set up "Block services" on the router to block all TCP/UDP ports for the IP address range of my cams. I set access control to "allow" for the IP address range of my cams. Doing this I am able to VPN in and directly access the IP address of my cams. So for what it's worth, this method seems to work.
One strange note is that when I logged into my router today, all my reserved ip addresses were gone, as well as the block services rules I had set up. Had to set them up all over again. This is the part that is a little disconcerting, I have no idea how that happened, seems random and if it was random, I am worried about truly securing my cams with Orbi.
Thank you ekhalil for your help! I appreciate the explanation. Yes, I agree that the issue is with "Access Control". My confusion is really in how it works / is implemented. Seems if you are on the same subnet as a blocked device, you can access it. However, if you are not on the same subnet you cannot. If access control just blocks all ports then I have even more confusion, as I have set up a rule to block all ports for my cams, yet when I VPN in and am on a different subnet I can now access the cams by IP address.
My networking knowledge is limited, I'll admit (I know enough to be dangerous :) ). I do google/read a lot for my understanding of things, but this has me scratching my head.
Again, THANK YOU BOTH!!!!! for taking the time to help, trouble shoot, explain things. I really do appreciate it!