
Re: RBR50 - VPN assigns IP address to different subnet

Bay510
Guide

RBR50 - VPN assigns IP address to different subnet

Hi Everyone,

I have the Orbi RBR50 w/ FW v2.3.5.30.  The issue I'm having is when I connect via VPN (openvpn ios app), the IP address assigned is on a different subnet.  (ie: my internal addresses are 192.168.88.x / when I connect with VPN the address assigned to the VPN client is 192.168.89.2.)  Is there any way to change this address so that it will be on the same subnet as the rest of my network?  I am having issues connecting to other devices on my network from vpn client. 

 

Thanks.

Model: RBR50|Orbi AC3000 Tri-band WiFi Router
Message 1 of 23
ekhalil
Master

Re: RBR50 - VPN assigns IP address to different subnet

Unless you have configured special rules to not allow communication between subnets this should work and you should be able to reach all your network.

On the bottom of the VPN configuration page on the web GUI there is a setting for access options. Please see attached snapshot. What do you have set there? Please try changing this and see if this will give you any improvement.

Message 2 of 23
CrimpOn
Guru

Re: RBR50 - VPN assigns IP address to different subnet

I agree with @ekhalil .  When I use VPN, the computer that is "coming in" always gets an address in a different subnet, but it also is able to reach all of my devices.  If you have a specific situation that isn't working, please describe it.

Message 3 of 23
Bay510
Guide

Re: RBR50 - VPN assigns IP address to different subnet

Thanks for the replies CrimpOn and ekhalil.  My specific situation is that I have IPCams that are assigned static address and I have blocked them from internet access via "Access Control".  When I am connected to my network via wireless/ wired, I can go to their IP address and access them.  When I access my network via VPN, the VPN client being on a different subnet, cannot access the cams. If I turn off blocking via "Access Control"  then the VPN client can reach them.  I do not want to do this method as it does not secure the cams.   Is it possible to reserve/ change the ipaddress issued to the VPN client so that it will be on the same subnet?

 

Thank you for taking your time and helping on this.

Message 4 of 23
CrimpOn
Guru

Re: RBR50 - VPN assigns IP address to different subnet


@Bay510 wrote:

My specific situation is that I have IPCams that are assigned static address and I have blocked them from internet access via "Access Control".


Please explain which "Access Control" is being used to block cameras from internet access.  (On the Orbi web interface?  Using the Orbi "app"?  On the camera?)

 

Thanks

 

Message 5 of 23
ekhalil
Master

Re: RBR50 - VPN assigns IP address to different subnet

Are the static IP addresses of the camera within the DHCP range that you set in the web GUI under >> ADVANCED >> Setup >> LAN Setup?

If not please use addresses within the range and do address reservation in Orbi instead of setting static IP addresses in the cameras.

It's possible that Orbi differentiates between addresses within the set DHCP range and those outside.

Message 6 of 23
Bay510
Guide

Re: RBR50 - VPN assigns IP address to different subnet

I only use the direct Orbi web interface.   Advanced\ Security\ Access Control.  No blocking is done on the camera side, I am doing everything from the router.

 

Thanks

Message 7 of 23
CrimpOn
Guru

Re: RBR50 - VPN assigns IP address to different subnet

So, all of the cameras are "Allowed" and you have checked the "Block new devices from connecting"?

Message 8 of 23
Bay510
Guide

Re: RBR50 - VPN assigns IP address to different subnet

Yes, the static IP addresses are within the range.  ie: internal network is 192.168.88.1 (router gateway) Cams are 192.168.88.201 - 192.168.88.210.  I configured a static IP in the cams, for each cam.  I then did address reservation for each cam in Orbi webui.  So the cams are on the internal network, I just blocked them using orbi webui access control - Deny. 

Message 9 of 23
Bay510
Guide

Re: RBR50 - VPN assigns IP address to different subnet

No, all cams are set to "block"  The setting for "allow all new devices to connect" is set to true.  

Message 10 of 23
CrimpOn
Guru

Re: RBR50 - VPN assigns IP address to different subnet

This is where I am lost.  I do not see "Deny" on the Access Control page anywhere.

Message 11 of 23
Bay510
Guide

Re: RBR50 - VPN assigns IP address to different subnet

Sorry, very unspecific of me/ poor choice of words.  I meant "block" from the access control page.  (as there are only Block and Allow).

 

Thanks

Message 12 of 23
ekhalil
Master

Re: RBR50 - VPN assigns IP address to different subnet

What setting in VPN page do you have for the following:

Clients will use this VPN connection to access: All sites on the Internet & Home Network | Home Network only | Auto

 

Have you tried to change this setting?

Message 13 of 23
CrimpOn
Guru

Re: RBR50 - VPN assigns IP address to different subnet


@Bay510 wrote:

Sorry, very unspecific of me/ poor choice of words.  Allow).


I feel like Alice falling down the rabbit hole.  All this time, my understanding has been that "Block" means (a) a device can connect and get an IP address, but (b) it cannot communicate with any device on the local network or connect to the internet.  i.e. "Block" means (literally) "Block".  (I pulled up the "Help" information at the bottom of the Access Control page, and that's what it looks like to me.) If my understanding were true, then those cameras would be totally unreachable.

 

Message 14 of 23
ekhalil
Master

Re: RBR50 - VPN assigns IP address to different subnet


@Bay510 wrote:

........ When I am connected to my network via wireless/ wired, I can go to their IP address and access them.  When I access my network via VPN, the VPN client being on a different subnet, cannot access the cams. ........


Thinking about it, it might really be the way this functionality should work.

If you block internet access for a client it will not be reachable from internet, so I assume the VPN client is still considered to be an external access even though it has an internal IP address.

This does not have anything to do with the subnet that the VPN client belongs to, seems to me.

Message 15 of 23
Bay510
Guide

Re: RBR50 - VPN assigns IP address to different subnet

When I first set up the VPN I had the "Clients will use this VPN to access: All sites on the internet and home network."  I then tried the  "home network only setting"  I rebooted the router after switching choices, redownloaded the VPN file for smart phone, set up openvpn with the new profile, no joy....    

 

After more work on this, I keep coming back to the fact that when you connect via VPN, the ipaddress issued to the vpn client, (which is on a different subnet), prevents one from connecting via direct ipaddress to devices that are "blocked" via access control. 

ie: 192.168.89.2 (VPN Client) cannot reach 192.168.88.202 (if access control is set to "block" for this IP address)

 

The same device that is "blocked" via access control (192.168.88.202) is reachable by ipaddress if I am physically connected to the network or if I am connected wirelessly to the network (No VPN). On same subnet.

ie: 192.168.88.20 (computer connected to Orbi via ethernet cable) or 192.168.88.10 (computer connected to Orbi wireless) can connect to 192.168.88.202 (access control is set to "block")

 

Now, If I "allow" the device via access control, I can reach it by ip address when I am connected via VPN. 

ie: 192.168.89.2 (VPN client) CAN reach 192.168.88.202 (Access control set to "allow")

 

It seems to me that although "Access Control" is only supposed to allow/ block internet access for the specified device while allowing local access, if you are not on the same subnet you cannot access a device that is "blocked". 

 

 

Please let me know if you think my assessment is off or there is something I'm missing.  I really do appreciate all the help on this!

 

Message 16 of 23
Bay510
Guide

Re: RBR50 - VPN assigns IP address to different subnet

Interesting, my understanding is that if you VPN into your network, then it's as if you are locally connected to that network.  At least one should be on the same subnet as other devices, I would think.  Please correct me if I misunderstand.

 

Thank you for your help!

Message 17 of 23
CrimpOn
Guru

Re: RBR50 - VPN assigns IP address to different subnet

Well, aside from my understanding of the English language not matching that of Netgear, I have one other idea.

The default LAN subnet mask on the Orbi is 255.255.255.0 (a "Class C" subnet of up to 254 devices).

There is nothing preventing a subnet mask of 255.255.0.0 (a "Class B" subnet of 65,000 devices).

If that one change is made and the Orbi restarted, the IP address currently being given to the VPN would be in the same LAN subnet.

(I find it strange that in my case, my DHCP range is 192.168.1.x and VPN gave my device 192.168.2.x.  In your case, the DHCP range is 192.168.88.x and VPN gave you 192.168.89.x  Maybe VPN simply "adds one" to the DHCP range?)

 

Message 18 of 23
Bay510
Guide

Re: RBR50 - VPN assigns IP address to different subnet

Well I tried the 255.255.0.0 subnet. rebooted/ refreshed the dynamic dns and vpn settings/ rebooted/ redownloaded the vpn file for ios.... no joy. 

 

Without changing the internal 192.168.88.x address (only the subnetmask to 255.255.0.0) Openvpn for ios showed my vpn ipaddress as 10.1.0.0. 

 

Changed internal ip addresses to 10.0.0.x with subnet of 255.255.0.0.  Did all the reboots/ refreshes/ redownloading of vpn files....... iosOpenVPN gives ip address of 10.1.0.0.   

 

Yes it does look as if vpn "adds one" to DHCP range, effectively placing you on another subnet, which cannot access devices on the main lan if they are set to "block" via access control..........sigh

 

Ok, if an official netgear rep/engineer could chime in on this, it would be helpful. An ability to set the ipaddress of the VPN clients would be great.  Or at least stop +1 the DHCP range placing you on a different subnet.  This does not play nice with "Access Control" feature of Orbi. (I have read that you can do this in openvpn server.  Not really applicable in Orbi owner's case.  But to be able to do this from the router would be appreciated.)

 

So in my case, the only option I have is to "allow" access to my cams, but block all ports.  My last question is if I block all ports (tcp/udp) is this essentially the same as using "block" in access control?

 

CrimpOn, thank you so much for taking the time to help!  Thank you ekhalil for helping as well!  I really appreciate it.

 

 

Message 19 of 23
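The addresses reported in the posts above, checked with Python's `ipaddress` module (an added example, not part of any post; the function names are made up here, and 192.168.2.1 is a constructed stand-in for the "192.168.2.x" that was reported). For each observation it tests whether the VPN client address lies inside the LAN subnet, and whether it lies in the next network of the same size, which is the "adds one" guess.

```python
import ipaddress

# Observations from the thread: (router LAN address, LAN mask, VPN client address).
# "192.168.2.1" is a constructed host standing in for the reported "192.168.2.x".
OBSERVATIONS = [
    ("192.168.1.1",  "255.255.255.0", "192.168.2.1"),
    ("192.168.88.1", "255.255.255.0", "192.168.89.2"),
    ("192.168.88.1", "255.255.0.0",   "10.1.0.0"),
    ("10.0.0.1",     "255.255.0.0",   "10.1.0.0"),
]

def lan_network(lan_ip, mask):
    """Network that the router's LAN address and mask define."""
    return ipaddress.ip_network(f"{lan_ip}/{mask}", strict=False)

def next_network(net):
    """Adjacent network of the same size: the "adds one" guess."""
    start = int(net.network_address) + net.num_addresses
    return ipaddress.ip_network((start, net.prefixlen))

def analyse(lan_ip, mask, vpn_ip):
    lan = lan_network(lan_ip, mask)
    vpn = ipaddress.ip_address(vpn_ip)
    predicted = next_network(lan)
    return {
        "lan": str(lan),
        "vpn_in_lan": vpn in lan,              # same subnet as LAN devices?
        "predicted": str(predicted),           # where "adds one" would put the VPN
        "matches_prediction": vpn in predicted,
    }

def results():
    return [analyse(*obs) for obs in OBSERVATIONS]

if __name__ == "__main__":
    for obs, res in zip(OBSERVATIONS, results()):
        print(obs, res)
```

In none of the four cases is the VPN address inside the LAN subnet, and three of the four fit the "next network" guess; the 192.168.88.x with 255.255.0.0 case does not, since the next /16 would be 192.169.0.0/16.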
Bay510
Guide

Re: RBR50 - VPN assigns IP address to different subnet

EDIT:

 

" (I have read that you can do this in openvpn server. Not really applicable in Orbi owner's case But to be able to do this from the router would be appreciated.)"

 

For clarity: I read that you can configure openvpn server to specify ipaddress of connecting vpn clients.  Though not at all applicable to Orbi owners, a similar feature, I think, would be beneficial to us Orbi users.

Message 20 of 23
CrimpOn
Guru

Re: RBR50 - VPN assigns IP address to different subnet


@Bay510 wrote:

So in my case, the only option I have is to "allow" access to my cams, but block all ports.  My last question is if I block all ports (tcp/udp) is this essentially the same as using "block" in access control?


 

I am probably missing the point somehow.  If the cameras are set to Allow, that means that the cameras can access the internet, and once they open a connection to someplace, that connection can be used for two-way communication.  It does not mean that someone on the internet can open a connection to the camera from outside.

 

Go ahead, try it.  The Orbi has a public IP address.  Open a web browser and try to get through the Orbi to one of the cameras.  The Orbi is doing "NAT" so that each time a device on the Orbi LAN opens a connection, it gets assigned a port number by NAT.  Until the device opens a connection, the router has no mechanism to connect something on the outside to it.

 

There are only three ways a connection can be opened from outside: (1) using VPN, (2) by "opening a port" to a specific internal IP address, and (3) by putting one device in the DMZ.

Message 21 of 23
ekhalil
Master

Re: RBR50 - VPN assigns IP address to different subnet


@Bay510 wrote:

Interesting, my understanding is that if you VPN into your network, then it's as if you are locally connected to that network.  At least one should be on the same subnet as other devices, I would think.  Please correct me if I misunderstand.

.....


Since blocking internet access on a device is what made a VPN client unable to access it, it is very clear that this has nothing to do with the subnet of the VPN client but with the Access Control.

I think what you can do is, instead of blocking the cameras in the Access Control (blocking all ports towards internet), you can instead just block certain services (ports) for those devices. You can do this in the web GUI under >> ADVANCED >> Security >> Block Services.

Select the common services like FTP, telnet, ..... to block. 

 

Message 22 of 23
Bay510
Guide

Re: RBR50 - VPN assigns IP address to different subnet

Thank you for all your help CrimpOn!  I appreciate the explanation.  My concern with securing the cams is to block them from being able to establish outbound connections to the internet entirely.  Basically to secure against any back doors that the cams may contain and/ or prevent them from broadcasting and exposing themselves to attack.  At the same time, I need to be able to access them from my network and when away from my network (VPN).  That's why I was attempting to do this at the router, not the cams themselves. 

 

So I set up "Block services" on the router to block all TCP/UDP ports for the ip address range of my cams.  I set access control to "allow" for the ip address range of my cams.  Doing this I am able to VPN in and directly access the ip address of my cams.  So for what it's worth this method seems to work. 

One strange note is that when I logged into my router today, all my reserved ip addresses were gone, as well as the block services rules I had set up.  Had to set them up all over again.  This is the part that is a little disconcerting,  I have no idea how that happened, seems random and if it was random, I am worried about truly securing my cams with Orbi. 

 

Thank you ekhalil for your help!  I appreciate the explanation.  Yes I agree that the issue is with "Access Control".  My confusion is really in how it works/ implemented.  Seems if you are on the same subnet as a blocked device, you can access it.  However, if you are not on the same subnet you cannot.  If access control just blocks all ports then I have even more confusion as I have set up a rule to block all ports for my cams, yet when I vpn in and am on a different subnet I can now access the cams by ip address. 

 

My networking knowledge is limited, I'll admit (I know enough to be dangerous 🙂 )   I do google/ read a lot for my understanding of things, but this has me scratching my head. 

 

Again, THANK YOU BOTH!!!!! for taking the time to help, trouble shoot, explain things.  I really do appreciate it!

Message 23 of 23