jixxer
Jun 03, 2024, Aspirant
RBR750 port forwarding stopped working
Port forwarding seemed to have stopped working on my router for my VPN server using port 51820. It is on the latest FW V7.2.6.31, it was working after update but suddenly stopped and hasn't worked si...
CrimpOn
Jun 03, 2024, Guru - Experienced User
Port forwarding relies on internet devices connecting with the correct public IP address (which is why the OpenVPN server bundled into Orbi routers requires creating a DDNS URL which the router keeps synchronized with any changes that the Internet Service Provider (ISP) made to the public IP address).
Can you verify that devices attempting to connect are being directed to the current public IP address of the router?
Which VPN server has been deployed on the LAN?
jixxer
Jun 03, 2024, Aspirant
I'm running a WIREGUARD server through a gl-inet brume 2 router which is connected to NG router on the WAN port and using DDNS.
- FURRYe38, Jun 03, 2024, Guru - Experienced User
What happens if you put this "gl-inet brume 2 router" IP address it gets from the RBR into the RBR's DMZ as a quick test?
- CrimpOn, Jun 03, 2024, Guru - Experienced User
jixxer wrote:
I'm running a WIREGUARD server through a gl-inet brume 2 router which is connected to NG router on the WAN port and using DDNS.
I am confused. The brume 2 supports both OpenVPN and Wireguard VPN in both Client and Host mode. The Client mode (for both VPN protocols) bundles every device on the LAN side into a VPN tunnel directed to one of these VPN providers:
The brume 2 supports VPN Host mode for both OpenVPN and Wireguard. Wireguard Host listens on port 51820 while OpenVPN Host listens on port 1194. Since the brume 2 is connected directly to the Internet Service Provider (ISP), there is no reason to implement port forwarding on the Orbi router, which is connected on the LAN side of the brume 2.
That leads to the important question: What 'mode' is the RBR750 in? ('router' or 'access point'?)
If the Orbi is in 'access point' mode and the brume 2 public IP address matches the IP returned by DDNS, then Wireguard Host should function correctly.
If the Orbi is in 'router' mode, I do not understand how Wireguard Host can connect with any device on the Orbi LAN. In 'router' mode, the Orbi uses Network Address Translation (NAT) to make it appear that every device on the Orbi LAN has the same IP address (the WAN address of the Orbi router).
So:
- Are we absolutely certain that the WAN IP address of the brume 2 matches the IP returned by DDNS, and
- What 'mode' is the RBR750 now in?
- jixxer, Jun 04, 2024, Aspirant
The Orbi is the one directly connected to the ISP, not the brume; that's why PF is needed for the brume to access the WIREGUARD server.
- CrimpOn, Jun 04, 2024, Guru - Experienced User
jixxer wrote:
The Orbi is the one directly connected to the ISP, not the brume; that's why PF is needed for the brume to access the WIREGUARD server.
My bad. Should have realized that "on the WAN port" is ambiguous. With the brume WAN port connected to one of the Orbi LAN ports, what is connected to the brume LAN port?
The brume User Guide is pretty specific. (https://docs.gl-inet.com/router/en/4/interface_guide/wireguard_client/ )
- The Wireguard Client mode, which bundles all devices on the brume LAN side into a tunnel to one of the Wireguard servers, does not require (a) a public IP address or (b) port forwarding. That is because the Wireguard Client is opening the tunnel.
- The Wireguard Server (Host) is the feature that requires public IP and port forwarding because a client device on the internet somewhere is attempting to open a VPN tunnel to the server running on the brume.
If it has been confirmed that the public IP address produced by the DDNS provider matches the public IP address on the Orbi router, then it might be useful to perform an experiment to determine whether the Orbi router is actually performing port forwarding. For example, forward that port 51820 to some other device on the Orbi LAN that will respond to internet connections. My "go to" devices are:
- An Epson printer which has a simple web interface. (port 80)
- A Raspberry Pi running Pi-Hole (also port 80)
Change the port forwarding rule to external port 51820 to internal port 80 on the LAN IP address of the target device.
Using a device not on the Orbi LAN (smart phone with WiFi disabled is quick and easy), open a web browser to:
- Public IP of Orbi router (i.e. http://<public IP> )
- The DDNS URL ( i.e. http://<DDNS URL> )
If the test device responds, then the Orbi port forwarding process is working.
What is the primary purpose for running the Wireguard server?
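The two checks described in the post above (the DDNS name resolves to the router's public IP, then an outside device reaches the temporarily forwarded port), written as an added Python example that is not code from any poster, NETGEAR or GL.iNet. It assumes the temporary rule forwards TCP on the external port to port 80 of the test device and that the script runs from outside the Orbi LAN; `home.example.net`, the addresses and all function names are constructed for illustration.

```python
import socket

def ddns_matches_wan(ddns_name, wan_ip, resolve=socket.getaddrinfo):
    """Return (match, ips): does the DDNS name resolve to the router's WAN IPv4?"""
    infos = resolve(ddns_name, None, socket.AF_INET, socket.SOCK_STREAM)
    ips = sorted({info[4][0] for info in infos})
    return wan_ip in ips, ips

def tcp_probe(host, port, timeout=3.0):
    """Classify a TCP connect attempt as 'open', 'refused' or 'no-response'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # a reset came back; nothing accepted the connection
    except OSError:
        return "no-response"  # timeout or unreachable: packet dropped on the way

def diagnose(ddns_name, wan_ip, port, resolve=socket.getaddrinfo, probe=tcp_probe):
    """Run both checks in order and return a one-line verdict."""
    match, ips = ddns_matches_wan(ddns_name, wan_ip, resolve)
    if not match:
        return f"DDNS mismatch: {ddns_name} resolves to {ips}, router WAN is {wan_ip}"
    state = probe(wan_ip, port)
    if state == "open":
        return f"forwarding works: TCP {port} on {wan_ip} reached the test device"
    return f"forwarding suspect: TCP {port} on {wan_ip} gave {state}"

if __name__ == "__main__":
    # Constructed offline demo: a loopback listener stands in for the test device
    # and a fake resolver stands in for the DDNS provider.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    fake = lambda *a: [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("127.0.0.1", 0))]
    print(diagnose("home.example.net", "127.0.0.1", port, resolve=fake))
    print(diagnose("home.example.net", "192.0.2.10", port, resolve=fake))
    srv.close()
```

A TCP probe against a stand-in device is used because WireGuard runs over UDP and does not reply to unauthenticated packets, so the real server cannot be checked this way.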