VPN to Synology, yanking out my hair

LifelineIT (Member, Fairmont, WV)
Greetings. I've got a 14TB Synology DS412+ installed and working perfectly on the LAN. I cannot VPN, either PPTP or OpenVPN.

Network hierarchy looks like this, Comcast did half of it:

Demarc => UPS/Surge Protect => Comcast Modem w/ 3 telephone lines => Comcast Business Gateway => Wireless Router (performing DHCP) => 32 Port Unmanaged Switch => Wifi Repeaters and rest of wired LAN.

The issue is that I cannot get VPN to work, period. I use the ddns provided by synology and it forwards correctly and initiates the handshake, but it says that TLS key negotiation failed. Every time.

I swear that it has to be that Comcast Business Gateway. Users are in the Synology, with permissions to vpn as well as read/write in the storage folders. That part is fine, I've checked it a hundred times. It will start, ask me for my login/pass, and then fail. Every time.

Port forwarding is set in the wireless router that does DHCP. I've even tried putting the Synology in the DMZ, no change. Yes, UDP but also set to BOTH.

Earlier I logged into the Business Gateway and noticed that it was trying to do DHCP, so I thought maybe it was confusing itself, so I turned that off, which nuked the device and Comcast had to give it a fresh IP remotely. (10.1.10.1, if anyone cares). Then I realized it has options for port forwarding, so I went there, and added the Synology... no joy, it says bad subnet, because it's looking for the 10.x series. So I click "connected devices" and the only one that shows up is the wireless router. So I think... well hell, I'll put it in the DMZ and let it negotiate its own traffic. So I do... and no change. TLS can't authenticate.

I've tried from the same LAN. I've tried from other machines in other buildings. I've had friends try from other states. Pinging the ddns name @ port 1194 fails. I've tried NOT using the DDNS name, using the direct IP, and still fail.

At this point I'm starting to think that Comcast is killing the traffic; when we first signed up they tried to upsell me on their in-house VPN service.

Any suggestions or recommendations would be appreciated. This is not a client, this is me.
 
I wondered about that. Here's my firewall settings page. I'm guessing it's the first one that's nailing me, isn't it?

Edit: unchecking that did nothing. I also went to "true static IP Port Management" and checked "disable all rules and allow all inbound traffic through", and that also hasn't changed anything.

Yep, that was what I meant. You wanted them disabled. Just could not remember whether they needed to be checked or unchecked. I know from many other situations that there is a lot of undocumented mangling. And nobody at Comcast can do anything advanced if you are using their box as a router as well as a modem.

But there must be something else going on as I have setup VPN before with Comcast and never had any problems. But that has been with MacMini servers. Have you looked at the various logs?
 
From what I can tell there aren't any usable logs because the connection doesn't seem to be initiating.

The Comcast gateway says there is one connected device with the IP 10.1.10.10, which is the router. The router says that its WAN IP is 10.1.10.10 but that its LAN IP is 192.168.1.1. If I type in the former I get a timeout, if I type in the latter I get the router login page.

The gateway will not let me turn on any forwarding for any other IPs save for the 10.1.10.10.

I currently have all possible ports forwarded to the Synology inside the router, plus a few more. The synology-assigned DDNS (nwvcil.synology.me) resolves fine and shows me no errors, but it's just updating a remote server w/ the local IP. I also cannot connect to their "quickconnect" feature which is supposed to require no forwarding at all. (http://QuickConnect.to/nwvcil) I can FTP/SSH/whatever from the LAN, but I cannot do it outside the LAN.

I suspect that my issue is that 10.1.10.10 IP, but I'm a little over my head here.

Here are all the gateway settings that could possibly matter, if anyone is interested in having a look, let me know.
 
I'm just taking a pot-shot at this, but I wonder if you need to add a route in the router to get from the one subnet to the other?
 
I suspect that you are correct and that was my thought as well, I'm just not sure about how to do that. I'm not sure if that's a Static Route or if it's a 1-1 NAT, or neither, or what my values would be. I'm not too proud to admit that this is outside my scope. It's the office where I do my day job.

Thanks.
 
You are double NAT'd. Major no-no if you want to provide services to the outside world. You need to set it up so the Comcast modem forwards the public IP to your router.

Technically you can use PAT to route in a double NAT'd environment for VPN. But I've never done that.
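An added diagnostic example, not from this thread or from any poster: it parses a constructed traceroute-style capture (the hop addresses are made up to mirror the 192.168.1.1 router and 10.1.10.1 gateway described above) and counts how many NAT layers sit in front of the host, which is the check that would have flagged this double NAT before any port-forwarding work.

```python
import ipaddress
import re

# Constructed traceroute output (not captured from the thread's network).
# Hop 1 is the wireless router's LAN side, hop 2 is the Comcast gateway's
# LAN side; both are RFC1918 addresses, which is the double-NAT signature.
SAMPLE_TRACEROUTE = """\
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max
 1  192.168.1.1  0.412 ms
 2  10.1.10.1  1.207 ms
 3  96.120.0.1  9.881 ms
 4  68.85.0.1  12.310 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s")
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC6598, ISP-side NAT


def classify(addr: str) -> str:
    """Label an address for a NAT audit: link-local (APIPA, no DHCP reply),
    cgnat (carrier NAT, not flagged by is_private), private (RFC1918), public."""
    ip = ipaddress.ip_address(addr)
    if ip.is_link_local:
        return "link-local"
    if ip in CGNAT:
        return "cgnat"
    if ip.is_private:
        return "private"
    return "public"


def parse_hops(text: str) -> list[tuple[int, str]]:
    """Return (hop number, address) pairs; header and timeout lines are skipped."""
    return [(int(m.group(1)), m.group(2))
            for m in (HOP_RE.match(line) for line in text.splitlines()) if m]


def nat_layers(text: str) -> int:
    """Count leading hops in private/CGNAT space before the first public hop.
    Each one is a device translating on the path; two or more means double NAT."""
    count = 0
    for _, addr in parse_hops(text):
        if classify(addr) not in ("private", "cgnat"):
            break
        count += 1
    return count


def diagnose(text: str) -> str:
    n = nat_layers(text)
    if n == 0:
        return "no NAT visible: host appears to hold a public address"
    if n == 1:
        return "single NAT: port forwards on that one router are sufficient"
    return f"double NAT ({n} private hops): forward on every layer or bridge the outer device"
```

Run it on real `traceroute` output from a LAN host to any public address; a count of 2 where one router is expected means inbound 1194/UDP is being dropped at a layer that has no forward.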
 
That's what I thought. I've never dealt with one of these gateway devices before and I really don't understand what its purpose is.

Can you explain to me, like I'm 5, how to do that? I hate asking like that.

I'm thinking it should be as easy as setting up a static route on that page.
 
I think you can also call comcast and get them to put the gateway in bridged mode, in which case it will act like a plain old modem.

Technibblers, whatcha think?
 
Hah. Already did. Denied. Also asked if I could swap it for a standalone modem... and nope. I'll call again and see if I can get a different service rep. This one didn't know what "DHCP" was when I asked her a question. Suppose I should have escalated to tier 2, eh?

Thanks all.
 
Comcast rep: "Can ya hold for a minnit"?

LL: Sure.

Comcast rep to the next cube: Hey, wutz de "HCP"?

Other rep: "I dunno. Just tell 'im no, you can't do it."
 
Is this a consumer account? For those accounts Comcast is notorious for not doing anything other than making sure the EU can surf with a computer plugged into their box. If it is a business account ask to speak to a supervisor. They will not do anything about your router but they will make sure a public IP is being passed through.

From my experience if you turn off DHCP on the Comcast box it usually passes the DHCP public IP to the LAN side regardless of whether it is Consumer or Commercial. Note I said usually.

This will cause some down time for the site. Log into the Comcast box and disable DHCP. Make a note of the IP address scheme for the LAN side. Once saved unplug the power and coax. Leave it unplugged for a few minutes. This should clear any MAC address binding on Comcast's side. Make sure you have a computer with DHCP enabled. Hook up the computer to the LAN side, connect the coax and then the power. Give it a few minutes then check the IP on the computer. You should have a public IP. If so then things are good.

Repeat unplugging the power and coax of the Comcast box. Make sure the WAN port on your router is set to DHCP. Connect a patch cable from the WAN port on the router to the LAN side of the Comcast box, I always use the first port. Hook up the coax first and then the power to the Comcast box. Wait a few minutes. Log into the router and you should have a public IP on the WAN side.

From there you have to make sure you have the proper ports forwarded, etc, etc to the Synology box. Be careful. You are dealing with the keys to the kingdom here.
 
Fremont---not sure and won't be back in that office until Tuesday. I will find out though.

Mark-
Thanks so much for your written out assistance. I feel about 94% better because I actually did ALMOST all of those things. I'm fine to kill the network for up to an hour or so, especially because the phones are upstream of this gateway.

I turned off DHCP and it nuked the network, hard. I was confused because the box came back online and showed all lights normal and working. I did plug in a laptop to port 1, a laptop with DHCP on. It DID say it was connected. It did NOT have an internet connection. Wildly, when I looked at properties, it had NO gateway listed or public IP, and its local IP was something totally wacky. How's that for nutters?

I did all that before I came here, heh. I also could NOT find the gateway, it was as though there was no DNS at all. 10.1.10.10 would not resolve. 10.1.10.1 would not resolve. 192.168.x would not resolve.

I did power it down, although only for about 2 minutes. When I couldn't even find the stupid thing, that's when I called Comcast. She re-enabled DHCP and it brought the network back up in about 10 seconds. I asked her what the IP was and she didn't know what I was talking about.

I'll try all this again next week when I'm back in the office, I guess if I nuke it again it'll give me a good reason to call Comcast back and ask them to bridge it, again.

Again, thanks. You've made me feel immeasurably less stupid. Oh---and I'm way familiar w/ forwarding and triggering and all that good stuff, I'm just unfamiliar with these additional devices. They came in and ripped out what I had when my boss decided to switch to Comcast for voip...including our shiny new modem and my ups system. The connections they clearly crimped for the install are unjacketed to probably 3-4 inches behind the connector. Real sweet setup. Lulz.
 
"Wildly, when I looked at properties, it had NO gateway listed or public IP, and its local IP was something totally wacky. How's that for nutters?"

Windows will assign that address when it can't find a DHCP server. So you need to know the address of the beast to put it on the same network. Seems you should be able to assign an address to the gateway that's in the network/subnet of the router, when you turn off dhcp and before you save/restart? Port 1 of the gateway should go to Port 1 of the router in this case, methinks.

Mark?
 
I'm running VPN at multiple locations with Comcast business class Internet without issue. While your Comcast modem can do DHCP it will allow a 3rd party router to be plugged in and handle DHCP and will pass all traffic without making any changes within the Comcast gateway/modem. I was given the SMC gateway/modem at all my locations with Comcast business class service. Do you have a static IP?

I'm running an Untangle router at 3 locations with the Comcast modem plugged into the external WAN on the Untangle router and static IP settings programmed into Untangle, no changes made within the Comcast modem and all services work including VPN within Untangle.

You have something else going on.
 
The double NAT is your issue here. The solution is to bridge one or the other... failing that I have had great success putting the second router into a DMZ and forwarding the ports accordingly like you normally would from the Linksys.
 