VPN to Synology, yanking out my hair

Thanks again everyone for the replies.

The gateway is an SMC brand, SMCD3G model.
The telephony gateway is an Arris, TM604G/CT

Hoping that with your help I should have this knocked out today. I'll report back asap...

I did see this which would indicate as Fremont said that I didn't finish setting it up. I also don't have a guaranteed static IP. Good times, I'll just have to get one.
 
One last update. I just got off the phone w/ Comcast support. The DHCP that I can turn off is the only dhcp that they can turn off. I CAN edit the router IP that is being passed through, which is currently 10.1.10.1, assuming that perhaps I need to set this to the same 192.x block that the rest of my network is in?

Here's where I'm confused. When DHCP is off, it should be passing the public IP straight through to the router, right? I should not have to have a static IP for this, right?
 
Correct. Turn off DHCP on the SMC and it passes through the public IP to whatever is plugged in, i.e. your router. Your router WAN port must be configured to look for DHCP. Having a fixed IP is the best way to go but you can also use Dynamic DNS. That is what I have. Nothing personal but I would not recommend you use DDNS. Get a fixed IP and you will have far fewer issues.
 
Mark, thanks again, I owe you a beer or four.

The router IS configured to receive the IP dynamically, and it's not picking it up. So when you say "yes", do you mean that I need to set the gateway IP into the same range as the router? I feel like I shouldn't have to if it's just passing the ip straight through.

Working on the static IP, btw.
 
Yup double NAT.
I do lots of Comcast setups with my own routers behind them.
Leave DHCP enabled on the SMC gateway..doing its normal 10.1.10.xxx range.

Question is...do you have a full block of public IPs on your account? You really want this package from Comcast if you want to set things up correctly.

What model Linksys router? I'd consider most of them a "downgrade" from Comcast's SMC gateway...I'd probably toss that and just run behind the SMC. But if you want to use your own router, what you do is take the first usable public IP from your block of IPs from Comcast...and static assign that to the WAN interface of your own router. Uplink that behind the SMC...plug a PC into the SMC, log into its web admin at 10.1.10.1, (user:cusadmin pw:highspeed)...go to firewall tab, and a check for "disable firewall for true static IP subnet". Now it will pass traffic direct to your additional public IPs on your own routers sitting behind it, it is not double NAT'ing that traffic. The WAN interface of your own router is indeed totally outside...public. Not sitting behind another NAT like you are now.

VPN traffic does not like NAT...it hates being molested by NAT...so it rarely can ever get working behind double NAT even if you do double port forwarding.
 
Stonecat and all, thanks for your replies. I got the stupid thing, finally, and as I suspected I was being dumb. First, no, I do NOT have a static IP set. The device that I need to reach is a Synology, and they provide their own dyndns service, so for now I'm using that.

This is a small NPO office, what I've got is a netgear 3500 running routing functions with 3 more of the same device acting as access points elsewhere on the network. So..the netgear feeds a 32 port unmanaged switch (not mine, didn't put it in), and elsewhere down stream are more AP's and a lot of plugged clients. The intention is to run DDWRT or something at some point, but for now they're pretty bulletproof. We just got the new gateway when we switched over to comcast VOIP service. You're probably right that I SHOULD let the SMC box handle DHCP and set the Netgear as only an AP, one of these days I'll probably do that.

The "fix", such as it was, was to place the router (netgear) into the DMZ of the gateway (SMC), set the WAN IP of the router from "obtain automatically" to 10.1.10.10 (the assigned IP by the gateway), then turn off DHCP on the gateway, then do normal port forwarding as necessary inside the router, which was already set.

So far it appears that all is working well. I can't do anything from inside the LAN (it's connecting me to the gateway, as you would expect) but externally connections are working fine. I haven't had a chance to try VPN yet, but everything else is working. Fingers crossed.
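
An added example, not part of the original thread: a small Python check that classifies the address a router holds on its WAN port and reports whether it sits behind another NAT, run on the topology described in the post above (gateway LAN 10.1.10.0/24, router WAN 10.1.10.10). The router LAN 192.168.1.0/24 is an assumption (the thread only says "192.x block"), and the function names `wan_kind` and `audit` are hypothetical.

```python
import ipaddress

# Ranges that are never reachable directly from the internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def wan_kind(wan_ip):
    """Classify the address shown on a router's WAN status page."""
    ip = ipaddress.ip_address(wan_ip)
    if ip.is_unspecified or ip.is_link_local:
        return "no-lease"   # 0.0.0.0 or 169.254.x.x: DHCP on the WAN side failed
    if any(ip in net for net in RFC1918):
        return "private"    # another NAT device sits upstream
    if ip in CGNAT:
        return "cgnat"      # the ISP itself is translating
    return "public"


def audit(gateway_lan, router_wan, router_lan):
    """Return findings for a router cabled behind an ISP gateway."""
    gw_net = ipaddress.ip_network(gateway_lan)
    lan_net = ipaddress.ip_network(router_lan)
    kind = wan_kind(router_wan)
    findings = []
    if kind == "no-lease":
        findings.append(f"no lease: router WAN {router_wan} got nothing from upstream DHCP")
    elif kind == "private":
        where = "inside" if ipaddress.ip_address(router_wan) in gw_net else "outside"
        findings.append(f"double NAT: router WAN {router_wan} is private, {where} gateway LAN {gw_net}")
    elif kind == "cgnat":
        findings.append(f"carrier NAT: router WAN {router_wan} is in {CGNAT}")
    else:
        findings.append(f"single NAT: router WAN {router_wan} is not in private or shared space")
    # The same subnet on both sides of the router leaves it unable to route between them.
    if gw_net.overlaps(lan_net):
        findings.append(f"subnet clash: gateway LAN {gw_net} overlaps router LAN {lan_net}")
    return findings


if __name__ == "__main__":
    # Constructed input: values from the thread, plus the assumed router LAN.
    for line in audit("10.1.10.0/24", "10.1.10.10", "192.168.1.0/24"):
        print(line)
```
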
 
Something is still not correct. You should be able to get a DHCP public IP from the SMC on your Netgear WAN port. As I and others have mentioned you do not want to be doing double NAT'ing if you are providing services to the outside world (VPN). I would call Comcast back and ask to speak to a supervisor. By the way those SMC's are no longer being sent out by Comcast, at least in my area. All of the new installs I've seen since last year have been Netgear's, FVS318's if I remember correctly.
 
The DMZ method works and it's something I've done in the past - placing the second router in the DMZ from the comcast box, forwarding the needed ports to the connected linksys or netgear and then double forwarding them again to the specific server. haha....

In your case if calling comcast and getting the thing bridged is too much of a hassle it's easier to either ditch the Netgear and give full control to the SMC or place it in AP mode.

Keep in mind there are security risks in placing devices or servers in a DMZ
 
Lifeline..the static IP isn't for the "finding it from across the internet"...it's for the approach of properly setting the WAN interface of your own router to get the public IP address through the SMC gateway.

Although an added benefit of a static public IP is that you don't have to rely on the mickey mouse dynamic dns services approach which "usually..almost reliably" works. (but doesn't the time you really need it).

Comcast is rolling out the newer Netgear models over here also....no more SMCs, but the firmware is pretty much the same.
I'd ditch the residential Netgear router and just use the SMC, keep things properly single NAT'd.
If you need wireless, sling an access point off of it, or neuter the Netgear router and hang it on the network backwards.
 