DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2860/2830 Port Forward over LAN-LAN VPN

18 Feb 2018 19:24 #90781 by ctjfb
I have 2 sites connected with LAN-LAN VPN - all works fine for traffic between sites.

I need to forward Internet traffic (ports 80/443/25 etc) from WAN interface on site A to a server on site B

As per Draytek article I simply set Port Forward to the IP address of the server on site B - but it doesn't seem to work.

Looking at the logs on Site A router I see entries for the Virtual Server connections from the WAN to the IP address on Site B but monitoring the LAN on site B with tcpdump shows no packets arriving. Connections simply time out.

I've tried PPTP, IPSEC, GRE over IPSEC and L2TP for the WAN-WAN VPN all of which work perfectly between the site subnets, but no luck at all with the Port Forward traffic ...

Given that this functionality is described in a Draytek article, and the router is happy to accept a remote LAN IP address in the Port Forward screen I can only assume that it's meant to work, and I'm just missing something .... I've also tried Open Ports, and DMZ setups on site A's router with the same results.

I'm more than a little puzzled at this point ...

Chris...

18 Feb 2018 20:26 #90783 by hornbyp
Replied by hornbyp on topic Re: 2860/2830 Port Forward over LAN-LAN VPN
Do you have a link to the Draytek article?

I have a 2860->2830 L2TP/IPSec VPN, so I thought I'd try a little experiment. When I logged onto the (remote) 2830n, I realised I'd tried this before (and failed).

I can send data out from the 2860n over the VPN (I do so for SMTP, as the 2830n end has a fixed IP). Like you, I can't get it to come in via that route though :?

18 Feb 2018 20:31 #90784 by ctjfb
Draytek FAQ about port forwarding over the VPN ...
https://www.draytek.com/en/faq/faq-vpn/vpn.others/how-to-do-port-redirection-to-a-host-on-the-remote-network/

18 Feb 2018 20:39 #90785 by hornbyp
Replied by hornbyp on topic Re: 2860/2830 Port Forward over LAN-LAN VPN
Ta, I'll read it in a bit.

18 Feb 2018 23:25 #90787 by hornbyp
Replied by hornbyp on topic Re: 2860/2830 Port Forward over LAN-LAN VPN
OK - so there's nothing earth-shattering in that document...
...and it definitely doesn't work for the 2830n.

I tried adding some Route Policy entries - but they didn't do anything (and the 2830n doesn't have a 'Diagnose' option).

I also tried some "syslogging" Firewall rules - but couldn't get any of them to trigger.

A bit of a puzzle - which is about where I got to when I first tried it - and then forgot all about it :|

19 Feb 2018 08:30 #90790 by ctjfb
Glad I'm not the only one feeling puzzled ... And thanks for your help :-)

I'm pretty sure it's not an issue restricted to a particular model as I have also tried a 2820 and 2850 at either end ...

What I really need to know is if anyone else has this working, or a definitive answer that it should, then I won't give up trying ..

It's quite key to me as it's required as part of a circuit resilience strategy to get around 4G telco restrictions on incoming connections.

Chris
