
Can I route from incoming WAN1 to outgoing WAN2 on a Vigor 2820n?


Chris Green

Apr 25, 2017, 8:16:03 AM
I have a Draytek Vigor 2820n with standard ADSL on WAN1 and a Plusnet
Hub One (with its own phone line) on WAN2.

I would like to be able to get at the Plusnet Hub One's web
configuration from 'outside'. It doesn't allow this by itself (or at
least don't think it does, please tell me if it does) so I was
thinking would it be possible to route a connection coming in on WAN1
to connect to the Plusnet Hub One on WAN2.

Currently I have external configuration of the Vigor 2820n enabled
using a high numbered port so I know I can connect a browser from
outside to the 2820n. I have added a NAT port redirection rule to
connect port 50081 from outside to the IP address of the Plusnet Hub
One on WAN2 and I have opened the firewall for this port. However it
doesn't work. Does NAT redirection only work to LAN IPs? Is there
maybe something else I can do to get what I want?

--
Chris Green

R. Mark Clayton

Apr 25, 2017, 8:57:21 AM
If you do this, you will become part of the internet proper and any old traffic will flow through your node.

I would expect Draytek would have modified the spanning tree algorithm to prevent tromboning like this.

Andy Furniss

Apr 25, 2017, 9:28:10 AM
Guessing:

Use the lan-ip of the hub one.
Redirection rule should be to port 80.
firewall rule should be for lan-ip of hub one port 80.
I guess firewall rule for 50081 already exists.


Andy Furniss

Apr 25, 2017, 9:29:04 AM
R. Mark Clayton wrote:

> I would expect Draytek would have modified the spanning tree algorithm to prevent tromboning like this.

Do those words actually mean anything?



Graham J

Apr 25, 2017, 9:37:02 AM
Yes - it may be slang but it's a very effective description of the
situation.

--
Graham J

Andy Furniss

Apr 25, 2017, 9:41:18 AM
Chronos wrote:
> On Tue, 25 Apr 2017 14:28:08 +0100 Andy Furniss <spam@spam> wrote:
>
>> Use the lan-ip of the hub one. Redirection rule should be to port
>> 80. firewall rule should be for lan-ip of hub one port 80. I guess
>> firewall rule for 50081 already exists.
>
> I suspect the HubOne will refuse to respond to an external IP, which
> really is as it should be for a consumer level device. NAT redirect
> packets still contain the source IP.

Good point - but then it may just firewall on interfaces, so there's a
chance - I (thankfully) don't have one to test.

If it were the case, then depending on what the vigor lets you do
(CLI?), it may be possible to snat the incoming connection onto the
vigor's lan address.

Andy Burns

Apr 25, 2017, 9:42:28 AM
Graham J wrote:

> it may be slang but it's a very effective description of the
> situation.

I used to use 'tromboning' to describe incoming voice calls that were
patched to an outbound voice call instead of setting up a divert ...
until someone pointed me to urban dictionary's definition, now I say
'hairpinning' instead.

Graham J

Apr 25, 2017, 9:59:13 AM
Yes, but you would need help from a computer on the "inside"

Consider:

The 2820 creates a LAN of the form 192.168.A.0 with the router itself
probably at 192.168.A.254

The Plusnet router creates a LAN of the form 192.168.C.0 with its own
address probably being 192.168.C.254 and this connects to the Vigor WAN2
port. The Vigor WAN2 port will get its IP from the Plusnet router via
DHCP - suppose it is 192.168.C.1

A computer on the 192.168.A.0 network can talk to the Plusnet router
because the Vigor router provides a static route from its LAN to WAN2 -
it will show that:

Plusnet router IP 192.168.C.254 routed via WAN2 192.168.C.1
All traffic for IP 192.168.C.0-255 is delivered to the WAN2 port.

So from "outside" you could set up a VPN or whatever to give you access
via WAN1 to the computer on the "inside", and from that you could open
its browser on the Plusnet router's management page. The limitation of
a VPN is that the originating node knows only about the public IP
address of your WAN1, and the LAN address (192.168.A.0) of the "inside"
network that it tunnels into. It cannot know about a totally different
private LAN of the form 192.168.C.0

A better way to achieve this would be to get a VDSL router that allows
management from the internet.

Andy Furniss

Apr 25, 2017, 10:00:32 AM
Now hairpinning I have heard of.

Still not so sure about the spanning tree algorithm bit. I would really
associate that with "proper" routing done by ISPs.

Andy Furniss

Apr 25, 2017, 10:25:18 AM
Andy Furniss wrote:
> Chronos wrote:
>> On Tue, 25 Apr 2017 14:28:08 +0100 Andy Furniss <spam@spam> wrote:
>>
>>> Use the lan-ip of the hub one. Redirection rule should be to
>>> port 80. firewall rule should be for lan-ip of hub one port 80. I
>>> guess firewall rule for 50081 already exists.
>>
>> I suspect the HubOne will refuse to respond to an external IP,
>> which really is as it should be for a consumer level device. NAT
>> redirect packets still contain the source IP.
>
> Good point - but then it may just firewall on interfaces, so there's
> a chance - I (thankfully) don't have one to test.

Looking at Graham J's post that wouldn't work anyway - I guess the HubOne
wouldn't know how to return to the remote IP other than sending it to
its default wan route.

> If it were the case, then depending on what the vigor lets you do
> (CLI?), it may be possible to snat the incoming connection onto the
> vigors lan address.

Maybe still a chance with this if you could snat onto the address handed
to the vigor by the HubOne.

Andy Furniss

Apr 25, 2017, 10:32:04 AM
So if the vigor allowed CLI iptables access you could snat onto the
WAN2 port address and avoid the need for another device. Maybe I'm
missing something - but it's not going to be a starter if the vigor
doesn't allow that sort of control anyway.

Andy Burns

Apr 25, 2017, 10:43:06 AM
Andy Furniss wrote:

> Still not so sure about the spanning tree algorithm bit. I would really
> associate that with "proper" routing done by ISPs.

Well spanning tree is a protocol used on switched (not routed) networks,
so not likely to encounter it on the WAN interface of anything.

Graham.

Apr 25, 2017, 11:00:05 AM
I think I've seen footage of Royal Family doing it round a campfire in
1949
--

Graham.
%Profound_observation%

Andy Furniss

Apr 25, 2017, 11:02:54 AM
Ugh yes, I'm thinking of BGP and similar - totally different things.

Chris Green

Apr 25, 2017, 11:16:03 AM
The Hub One is on a different LAN (the LAN which is the 2820n's WAN2).

--
Chris Green

Chris Green

Apr 25, 2017, 11:16:04 AM
Only 'any old traffic' on the specific port I let through surely.

--
Chris Green

Chris Green

Apr 25, 2017, 11:16:05 AM
Graham J <gra...@invalid.com> wrote:
> Chris Green wrote:
> > I have a Draytek Vigor 2820n with standard ADSL on WAN1 and a Plusnet
> > Hub One (with its own phone line) on WAN2.
> >
> > I would like to be able to get at the Plusnet Hub One's web
> > configuration from 'outside'. It doesn't allow this by itself (or at
> > least don't think it does, please tell me if it does) so I was
> > thinking would it be possible to route a connection coming in on WAN1
> > to connect to the Plusnet Hub One on WAN2.
> >
> > Currently I have external configuration of the Vigor 2820n enabled
> > using a high numbered port so I know I can connect a browser from
> > outside to the 2820n. I have added a NAT port redirection rule to
> > connect port 50081 from outside to the IP address of the Plusnet Hub
> > One on WAN2 and I have opened the firewall for this port. However it
> > doesn't work. Does NAT redirection only work to LAN IPs? Is there
> > maybe something else I can do to get what I want?
> >
>
>
> Yes, but you would need help from a computer on the "inside"
>
In the long[er] term this may be possible, there are at least three
'always on' systems on the 2820n's LAN. One is a Raspberry Pi that
already provides DNS (using dnsmasq) so it could do some routing as
well.

> Consider:
>
> The 2820 creates a LAN of the form 192.168.A.0 with the router itself
> probably at 192.168.A.254
>
The 2820n is at its default address on its LAN - 192.168.1.1.


> The Plusnet router creates a LAN of the form 192.168.C.0 with its own
> address probably being 192.168.C.254 and this connects to the Vigor WAN2
> port. The Vigor WAN2 port will get its IP from the Plusnet router via
> DHCP - suppose it is 192.168.C.1
>
The Plusnet router is at a LAN address of 192.168.13.254.

> A computer on the 192.168.A.0 network can talk to the Plusnet router
> because the Vigor router provides a static route from its LAN to WAN2 -
> it will show that:
>
> Plusnet router IP 192.168.C.254 routed via WAN2 192.168.C.1
> All traffic for IP 192.168.C.0-255 is delivered to the WAN2 port.
>
Yes, it's already set up like that so that computers on the 192.168.1.0
LAN can see the Plusnet router at 192.168.13.254. It's set up as part
of the load balancing on the 2820n, it sets a default route out of
WAN2 for anything on 192.168.13.9.


> So from "outside" you could set up a VPN or whatever to give you access
> via WAN1 to the computer on the "inside", and from that you could open
> its browser on the Plusnet router's management page. The limitation of
> a VPN is that the originating node knows only about the public IP
> address of your WAN1, and the LAN address (192.168.A.0) of the "inside"
> network that it tunnels into. It cannot know about a totally different
> private LAN of the form 192.168.C.0
>
A VPN seems overkill for such an apparently simple requirement....


> A better way to achieve this would be to get a VDSL router that allows
> management from the internet.

Yes, I'm beginning to think that myself. I'm looking at one of the
TP-Link VRnnn series.

--
Chris Green

R. Mark Clayton

Apr 25, 2017, 12:21:07 PM
Thanks.

Basically if you let any port route to any other port (default in public networks) then traffic will come in on one WAN and go back out the other if the algorithm that does this allows it.

You may have a genuine reason to want to do this (e.g. avoid repressive country censorship), but it would be hard to prevent normal traffic ending up doing this as well.

Tromboning is more of a voice term. It means the analogous calls coming in on one line going out on another. It has genuine use, e.g. for home workers, but is also commonly associated with toll fraud, so in a similar way most PABXs prohibit any incoming call from becoming outbound to prevent this.

Stephen

Apr 25, 2017, 3:36:17 PM
Routing needs a few different bits to do this.

The 2820 needs to route IP between the ports
Traffic needs to arrive at 1 port with an address the 2820 will use to
forward to the other

To get the 2nd part to work the ISPs would need to treat the 2820 as a
path to somewhere besides your home network - unless you can
advertise routes to the ISPs using BGP etc and they are set up to pay
any attention to that not much is going to happen.

>I would expect Draytek would have modified the spanning tree algorithm to prevent tromboning like this.

The 2 interfaces each need to run with a separate IP address and their
own NAT from the internal network.

Spanning tree is a layer 2 protocol used to subdue a loop, so even if
it is set up on each WAN link, there should not be a local layer 2
connection on the 2820 and there won't be one between 2 different
ISPs....
Stephen Hope stephe...@xyzworld.com
Replace xyz with ntl to reply

Stephen

Apr 25, 2017, 3:40:28 PM
On Tue, 25 Apr 2017 16:13:33 +0100, Chris Green <c...@isbd.net> wrote:

>Graham J <gra...@invalid.com> wrote:
>> Chris Green wrote:
>> > I have a Draytek Vigor 2820n with standard ADSL on WAN1 and a Plusnet
>> > Hub One (with its own phone line) on WAN2.
>> >
>> > I would like to be able to get at the Plusnet Hub One's web
>> > configuration from 'outside'. It doesn't allow this by itself (or at
>> > least don't think it does, please tell me if it does) so I was
>> > thinking would it be possible to route a connection coming in on WAN1
>> > to connect to the Plusnet Hub One on WAN2.
>> >
>> > Currently I have external configuration of the Vigor 2820n enabled
>> > using a high numbered port so I know I can connect a browser from
>> > outside to the 2820n. I have added a NAT port redirection rule to
>> > connect port 50081 from outside to the IP address of the Plusnet Hub
>> > One on WAN2 and I have opened the firewall for this port. However it
>> > doesn't work. Does NAT redirection only work to LAN IPs? Is there
>> > maybe something else I can do to get what I want?
>> >
>>
>>
>> Yes, but you would need help from a computer on the "inside"
>>
>In the long[er] term this may be possible, there are at least three
>'always on' systems on the 2820n's LAN. One is a Raspberry Pi that
>already provides DNS (using dnsmasq) so it could do some routing as
>well.

You can try setting up something as a "bastion host" - a box you can
get to remotely that can connect from inside the LAN

Try using inbound SSH into something that believes in a command line,
then you have a local session from the LAN to wherever you want to get
to.....

R. Mark Clayton

Apr 26, 2017, 4:59:15 AM
Why - aren't they just equivalent interfaces to the internet?

Chris Green

Apr 26, 2017, 10:33:04 AM
I already have ssh access to a system on the LAN. I *could* then run
a browser via X but in my experience this is impossibly slow except in
a real emergency.


> Try using inbound SSH into something that believes in a command line,
> then you have a local session from the LAN to wherever you want to get
> to.....
>
As above, too slow.

--
Chris Green
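Stephen's bastion-host suggestion and Chris's reply that a browser over X is too slow both point at the same middle ground: an SSH local port forward, which carries only the HTTP session to the Hub One, not a remote display. The script below is an added example, not code from the thread or from any poster. The Hub One address 192.168.13.254 is from the thread; the WAN1 hostname `wan1.example.invalid`, the inbound SSH port 2222 and the login `pi` are placeholders. It relies on the fact Chris states, that hosts on the 2820n's LAN already reach 192.168.13.254 through the Vigor's static route to WAN2, so the Hub One only ever sees a LAN-side client.

```shell
#!/bin/sh
# Added example (not from the thread): reach the Hub One's web interface
# at 192.168.13.254:80 through the SSH access that already exists to a
# Linux box on the 2820n's LAN, using an SSH local port forward instead of
# X forwarding. Placeholders (assumptions): WAN1 hostname, SSH port, login.

HUB_ONE_IP="192.168.13.254"        # from the thread
HUB_ONE_PORT="80"
LOCAL_PORT="8080"                  # local end of the tunnel on the admin's machine
SSH_HOST="wan1.example.invalid"    # placeholder: public WAN1 address or DNS name
SSH_PORT="2222"                    # placeholder: port the 2820n forwards to the LAN box
SSH_USER="pi"                      # placeholder: login on the LAN box

# build_forward_cmd prints the ssh command line.
#   -N  no remote shell, just the tunnel
#   -L 127.0.0.1:LOCAL:HUB:80  bind only on loopback at the admin end, so
#       nothing else on that machine's network can ride the tunnel
build_forward_cmd() {
    printf 'ssh -N -p %s -L 127.0.0.1:%s:%s:%s %s@%s\n' \
        "$SSH_PORT" "$LOCAL_PORT" "$HUB_ONE_IP" "$HUB_ONE_PORT" \
        "$SSH_USER" "$SSH_HOST"
}

# build_probe_cmd prints a one-shot check, run on the LAN box over the same
# SSH login, that the Hub One's HTTP port answers from the inside before a
# tunnel is opened (needs curl on the LAN box).
build_probe_cmd() {
    printf 'ssh -p %s %s@%s "curl -s -o /dev/null -w %%{http_code} http://%s:%s/"\n' \
        "$SSH_PORT" "$SSH_USER" "$SSH_HOST" "$HUB_ONE_IP" "$HUB_ONE_PORT"
}

# browser_url prints what to open locally once the tunnel is up.
browser_url() {
    printf 'http://127.0.0.1:%s/\n' "$LOCAL_PORT"
}

# Run the tunnel for real with "--connect"; otherwise just show the commands.
case "${1:-}" in
    --connect)
        ssh -N -p "$SSH_PORT" -L "127.0.0.1:$LOCAL_PORT:$HUB_ONE_IP:$HUB_ONE_PORT" \
            "$SSH_USER@$SSH_HOST"
        ;;
    *)
        echo "probe:  $(build_probe_cmd)"
        echo "tunnel: $(build_forward_cmd)"
        echo "open:   $(browser_url)"
        ;;
esac
```

Binding the local end to 127.0.0.1 rather than 0.0.0.0 matters: a forward bound on all interfaces would expose the Hub One's admin page to whatever network the admin's laptop is on for as long as the tunnel is up.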

Stephen

Apr 26, 2017, 6:11:50 PM
On Wed, 26 Apr 2017 01:59:14 -0700 (PDT), "R. Mark Clayton"
Well no - a home network doesn't use simple routing since you only get
at most 1 IP address from your ISP.

Each ISP works in isolation to the other.

and ISPs are pretty careful to make sure a misconfigured customer
doesn't cause traffic to flow thru a relatively tiny link

that would cause all the other customers to complain / leave / raise
chaos on social media / get them in trouble with the Internet
exchanges and regulators......

allowing their core routing to be borked by an individual consumer is
like the water company trying to divert the Thames via a drinking
straw :)

Graham Murray

Apr 27, 2017, 10:32:34 AM
Chronos <use...@chronos.org.uk> writes:

> On Tue, 25 Apr 2017 14:28:08 +0100
> Andy Furniss <spam@spam> wrote:
>
>> Use the lan-ip of the hub one.
>> Redirection rule should be to port 80.
>> firewall rule should be for lan-ip of hub one port 80.
>> I guess firewall rule for 50081 already exists.
>
> I suspect the HubOne will refuse to respond to an external IP, which
> really is as it should be for a consumer level device. NAT redirect
> packets still contain the source IP.

Not if you set up SNAT as well as DNAT.
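Andy Furniss's idea of SNATting the incoming connection onto a LAN-side address and Graham Murray's "SNAT as well as DNAT" describe the same fix, and Chris has a Raspberry Pi on the 2820n's LAN that can do the NAT if the Vigor cannot. The script below is an added example, not code from the thread, from Draytek or from Plusnet. It assumes the 2820n's port redirection for 50081 is pointed at the Pi rather than at the Hub One and, as Chronos noted, leaves the original source address in place; the Pi's address 192.168.1.20, its interface eth0 and the admin source network 203.0.113.0/24 are placeholders. The Hub One address 192.168.13.254 and port 50081 are from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). A Linux box on the 2820n's LAN does
# DNAT + SNAT so the Hub One at 192.168.13.254 sees the connection come
# from a LAN-side address and replies along the path it already knows,
# instead of trying to reach a remote public IP via its own WAN link.
# The 2820n then NATs the box's traffic out of WAN2 as for any LAN host.
# Placeholders: PI_IP, PI_IF, ADMIN_SRC.

PI_IP="192.168.1.20"        # placeholder: LAN address of this box
PI_IF="eth0"                # placeholder: its LAN interface
IN_PORT="50081"             # from the thread: port opened on the 2820n
HUB_IP="192.168.13.254"     # from the thread: Hub One's LAN address
HUB_PORT="80"
ADMIN_SRC="203.0.113.0/24"  # placeholder: where admin connections come from

# gen_rules prints the commands one per line so they can be reviewed (or
# asserted on) before anything is applied.
#  1. enable forwarding; the box was not a router before
#  2. DNAT: traffic from the admin network hitting IN_PORT goes to the Hub One
#     (the -s match keeps this from being a redirect for the whole internet)
#  3. SNAT: rewrite the source to this box's own address so the Hub One
#     answers to a LAN-side host (the point Chronos and Graham Murray made)
#  4. allow the new forwarded flow, 5. its replies, 6. default-deny the rest
gen_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $PI_IF -s $ADMIN_SRC -p tcp --dport $IN_PORT -j DNAT --to-destination $HUB_IP:$HUB_PORT
iptables -t nat -A POSTROUTING -o $PI_IF -p tcp -d $HUB_IP --dport $HUB_PORT -j SNAT --to-source $PI_IP
iptables -A FORWARD -i $PI_IF -o $PI_IF -p tcp -d $HUB_IP --dport $HUB_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# count_rules lets a caller check how many commands would be applied.
count_rules() {
    gen_rules | wc -l | tr -d ' '
}

# Apply for real (as root on the LAN box) with "--apply"; otherwise just print.
case "${1:-}" in
    --apply) gen_rules | sh -e ;;
    *)       gen_rules ;;
esac
```

The `-s $ADMIN_SRC` match on the DNAT rule is what keeps this from turning the Hub One's admin page into a service for anyone who finds port 50081 on WAN1; if the admin address is not fixed, the SSH tunnel route is the safer of the two approaches. The rules are not persistent across a reboot of the box; save them with the distribution's usual mechanism once they are confirmed to work.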