blklein1948
join:2020-11-22
Bronx, NY

blklein1948 to NYsubscriber

Member

to NYsubscriber

Re: gs3100 lan connection to synology nas vpn via ipad

The issue I am seeing occurs when I turn wifi off on my phone/iPad and use the cellular network only. I then get a VPN IP and a cellular IP. I am wondering if the cellular network is the issue. Next chance I get to go out, I will connect to a free wifi network (if I can find one) and try VPNing into my home.
NYsubscriber
join:2020-10-17
Syosset, NY
Alcatel-Lucent I-211M-L
Arcadyan FiOS-G3100
Arcadyan FiOS-E3200

NYsubscriber to blklein1948

Member

to blklein1948
said by blklein1948:

What exactly should the flow be.

That's my question as well. I think it would be best addressed by support at Synology. I am not sure what Synology's default routing mechanism is (I am acquainted with Fios products). You should change the forum perhaps. The G3100 is performing the static routing as it should, so the issue really lies with the Synology and routing. Can you go over to the Networking board to continue the conversation there?

It does not matter whether you connect through a cellular network or public WiFi. As long as the client device is not within the LAN, the scenario should be the same. One difference is that using the cellular network adds a NAT64 gateway in between to translate IPv6 addresses to IPv4 addresses.
blklein1948
join:2020-11-22
Bronx, NY

blklein1948

Member

Good idea, I will ask Synology technical support the question to see if they have an answer.

Yesterday I was able to go out and try connecting via an outside wifi at a friend's. The VPN connected and did connect to a LAN. However, to my surprise, the local LAN was my friend's 192.168.1.xxx LAN, not my LAN at home. I am not sure whether I was using the VPN connection or just the wifi connection when viewing the LAN, probably the latter. I took some screenshots but I haven't saved them yet from my phone.
jamaicaplain
join:2014-11-07
Jamaica Plain, MA

jamaicaplain

Member

said by blklein1948:

However to my surprise the local LAN was my friend's 192.168.1.xxx LAN, not my LAN at home.

Is your LAN at home also 192.168.1.0/24? If so, that is not a good idea. When on your friend's LAN of 192.168.1.0/24, any traffic to a host with an IP in that subnet will travel at layer 2 within the LAN and never see the router for possible transport over the VPN. That is why it is advisable to not use such a common subnet (often the default on consumer routers) because of such collisions.

Better to use one within 10.0.0.0/8 or 172.16.0.0/12 or 192.168.XXX.0/24 where 30 <= XXX < 254 && XXX != 100, i.e. some random XXX unlikely to be used. But something in the first two subnet ranges is safer, as long as again you avoid what others might choose. For example, I use 10.XXX.YYY.0/24 where the YYYs are meaningful to my different subnets and XXX is a single random value like 173 or 229 or whatever. So I might use 10.173.1.0/24, 10.173.2.0/24, etc.
blklein1948
join:2020-11-22
Bronx, NY

blklein1948

Member

Thank you jamaicaplain. Your post reminded me that when I had my old Zyxel router I was using 192.168.10.1 as its IP & gateway, with all connections using DHCP with 192.168.10.xxx IPs. I recently switched to Verizon Fios with their G3100 router and it was set up by the Verizon tech with the LAN address of 192.168.1.x. With my Zyxel router, once I set up the VPN it worked fine for many years, no issues. With the Verizon G3100 router, it was a problem setting it up right from the beginning. NYsubscriber helped me a lot until I was at least able to get the VPN connection working. I would love to try and change my current setup to use a 192.168.10.xxx network but that might cause some friction with my family. Also, I have Verizon TV, Phone and Internet, and I am not sure how changing their LAN setup might affect my Verizon TV and Phone connections.
NYsubscriber
join:2020-10-17
Syosset, NY
Alcatel-Lucent I-211M-L
Arcadyan FiOS-G3100
Arcadyan FiOS-E3200

NYsubscriber to jamaicaplain

Member

to jamaicaplain
said by jamaicaplain:

any traffic to a host with an IP in that subnet will travel at layer 2 within the LAN and never see the router for possible transport over the VPN.

This depends on how the phone's NIC and VPN are set up. If the phone creates a virtual VPN NIC before the actual NIC, all traffic will head to the VPN tunnel and appear at the other end of the VPN tunnel.
said by jamaicaplain:

Better to use one within 10.0.0.0/8 or 172.16.0.0/12 or 192.168.XXX.0/24 where 30 <= XXX < 254 && XXX != 100, i.e. some random XXX unlikely to be used

This solution would be difficult if LAN devices are stuck at 192.168.1.0/24 or the OP has lots of static IP devices. You can resolve this issue by using static NAT or policy NAT on the home network.
blklein1948
join:2020-11-22
Bronx, NY

blklein1948

Member

Is there any way to tell if my phone or iPad creates a virtual NIC before the actual NIC?
NYsubscriber
join:2020-10-17
Syosset, NY
Alcatel-Lucent I-211M-L
Arcadyan FiOS-G3100
Arcadyan FiOS-E3200

NYsubscriber to blklein1948

Member

to blklein1948
Did you consult Synology tech support? The key is how the Synology routes between LAN1, OpenVPN and the L2TP VPN.

The key problem:

When the G3100 directs a 10.0.0.1-bound packet to the Synology, the Synology throws the packet back to the G3100.

The Synology should route the 10.0.0.1-bound packet from the LAN1 interface to the L2TP VPN interface. Let switching do the rest.

The Synology created the 10.0.0.1/248 subnet, therefore it should know: since I created this subnet, I must have access to this subnet.
blklein1948
join:2020-11-22
Bronx, NY

blklein1948

Member

I did start a support ticket with Synology but have not heard back yet. Regarding your post, I do have a lot of static IP devices so it would be a pain to try and redo everything. But I will look into your suggestion of Static NAT, will read and see what it does, how it works and how it can be implemented. But it is interesting to me that my Zyxel with the 192.168.10.xxx LAN worked.
NYsubscriber
join:2020-10-17
Syosset, NY
Alcatel-Lucent I-211M-L
Arcadyan FiOS-G3100
Arcadyan FiOS-E3200

NYsubscriber to blklein1948

Member

to blklein1948
said by blklein1948:

Is there any way to tell if my phone or iPad creates a virtual NIC before the actual NIC?

Eh....
You need to consult either a Google or Apple developer (not easily accessible to an end consumer, unfortunately. Why do I mention this at all... I guess FYI.)

From your situation, more likely than not, the VPN NIC is in parallel with the built-in NIC. So you need to change your home IP network addresses (adverse effects uncertain), use static NAT (Synology may not support it), OR assign secondary IP addresses to the devices that you want to access through the VPN (may not be possible)...
blklein1948
join:2020-11-22
Bronx, NY

blklein1948 to NYsubscriber

Member

to NYsubscriber
I especially like your question #3 about Synology creating the 10.0.0.1/248 connection, it should know how to access it.
blklein1948

blklein1948 to NYsubscriber

Member

to NYsubscriber
What do you mean "assign secondary IP addresses"? Sounds interesting to me.
NYsubscriber
join:2020-10-17
Syosset, NY
Alcatel-Lucent I-211M-L
Arcadyan FiOS-G3100
Arcadyan FiOS-E3200

NYsubscriber to blklein1948

Member

to blklein1948
Do you have a spare Linux box or a PC running 24/7? I guess you used a Synology for this purpose...

With a computer, you can build a VPN router, assign as many IPs on it as you want, and create as many subnets as you want.

The problem right now is that consumer devices are getting "smarter" and customizability is becoming less of an option. We need to devote too much effort and too many workarounds to get something working.
NYsubscriber

NYsubscriber to blklein1948

Member

to blklein1948
said by blklein1948:

What do you mean "assign secondary IP addresses"? Sounds interesting to me.

You see, a Windows machine allows you to configure multiple IP addresses. That is, the PC is accessible through either IP. When you are at your friend's house, just use the secondary 172.x.x.0/24 to get away from the entanglements of 192.168.1.0/24 on your friend's LAN. Windows is also capable of multiple gateways and multiple routes, and can decide which interface to use.
NYsubscriber

NYsubscriber

Member

My second point is that using a PC or a Linux box to serve as a VPN router gives you immense flexibility.
blklein1948
join:2020-11-22
Bronx, NY

blklein1948 to NYsubscriber

Member

to NYsubscriber
Understood. Unfortunately I do not have another WIN computer to use.
Sorry if this is a stupid question, but in your example how does 172.10.10.2 know how to reach 192.168.1.1? To me it seems close to what's happening with the Synology.
blklein1948

blklein1948 to NYsubscriber

Member

to NYsubscriber
As I said, I do not have a WIN or Linux box. But I did notice one thing on my Synology (see the attachment). Under Networking setup it does have a LAN2 which is currently disconnected. Opening the settings up shows what I probably had with my Synology connected to my Zyxel router, the 192.168.10.2 network. Could this be the LAN I use for my VPN devices? I do not recall how I set this up with my Zyxel; I think the LAN ports on the Zyxel can be designated LAN1 or LAN2. Not sure if the G3100 has the same designations.
NYsubscriber
join:2020-10-17
Syosset, NY

NYsubscriber

Member

This can be a solution, though. Give me some time to think.
blklein1948
join:2020-11-22
Bronx, NY

blklein1948

Member

FYI, I just checked on Synology website and my Synology DS220+ does have 2 GB LAN ports. Believe it or not, did not know that. Of course, I do not know how they mesh with one another so more reading for me.
NYsubscriber
join:2020-10-17
Syosset, NY
Alcatel-Lucent I-211M-L
Arcadyan FiOS-G3100
Arcadyan FiOS-E3200

NYsubscriber

Member

»community.synology.com/e ··· t/108896
Can you try disabling the Multiple Gateway setting? Honestly, this setting is out of context. Is it referring to multiple gateways from the perspective of the Synology?
blklein1948
join:2020-11-22
Bronx, NY

blklein1948

Member

It was already disabled (not checked).

The reply from Synology support follows. I am studying it to understand.

"Generally on the destination client device itself there needs to be a static route itself for it to access any device on the remote network's local subnet that is not connected to the Synology VPN Server. (VPN Server creates its own subnet to connect with, the 10.X.X.X network). See step 4 here »www.synology.com/en-us/k ··· r_Mac#t4

For connecting to the NAS itself, instead of its local ip, you generally would connect by the Dynamic IP assigned to it under DSM > VPN Server > L2TP/IPsec > Dynamic IP address."
NYsubscriber
join:2020-10-17
Syosset, NY
Alcatel-Lucent I-211M-L
Arcadyan FiOS-G3100
Arcadyan FiOS-E3200

NYsubscriber

Member

Alright, we are not testing from VPN client to LAN resource yet. We are only testing from the LAN to VPN clients. Can you describe to support that the Synology is unwilling to route 10.0.0.0/29 to the VPN subnet?

Also, the static route should be done through DHCP option 121; do they support it? You can't configure static routes on phones directly.
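The post above points at DHCP option 121 as the way a static route reaches a device that has no manual route editor. As an added example that is not part of this thread and not Synology's or Verizon's code, here is an encoder/decoder for that option in the wire format RFC 3442 defines (prefix length, then only the significant destination octets, then the 4-byte router). The sample routes reuse the thread's 192.168.1.0/24 home LAN and 10.0.0.1 tunnel address; the exact route list and the helper names are constructed for illustration.

```python
"""Added example (not from anyone in this thread): encode and decode the
DHCP Classless Static Route option (option 121, RFC 3442).
Sample addresses are constructed from the thread (home LAN 192.168.1.0/24,
VPN subnet 10.0.0.0/29, tunnel address 10.0.0.1)."""
import ipaddress

OPTION_CODE_CLASSLESS_STATIC_ROUTE = 121

def encode_option_121(routes):
    """routes: iterable of (destination CIDR, next-hop IPv4) -> option payload.
    Per route: 1 byte prefix length, ceil(prefixlen / 8) significant octets of
    the destination (none at all for a /0 default route), then the router."""
    payload = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)          # strict: host bits must be zero
        nsig = (net.prefixlen + 7) // 8
        payload.append(net.prefixlen)
        payload += net.network_address.packed[:nsig]
        payload += ipaddress.IPv4Address(router).packed
    return bytes(payload)

def decode_option_121(payload):
    """Inverse of encode_option_121; rejects truncated or malformed data
    instead of silently installing a half-parsed route."""
    payload = bytes(payload)
    routes, i = [], 0
    while i < len(payload):
        prefixlen = payload[i]
        i += 1
        if prefixlen > 32:
            raise ValueError(f"bad prefix length {prefixlen} at offset {i - 1}")
        nsig = (prefixlen + 7) // 8
        if i + nsig + 4 > len(payload):
            raise ValueError("option 121 payload truncated")
        dest = payload[i:i + nsig] + b"\x00" * (4 - nsig)   # pad back to 4 octets
        router = payload[i + nsig:i + nsig + 4]
        i += nsig + 4
        net = ipaddress.IPv4Network((dest, prefixlen))      # raises if host bits are set
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
    return routes

def option_121_tlv(routes):
    """Full option as it appears in the DHCP options field: code, length, payload.
    One option instance carries at most 255 bytes of payload."""
    payload = encode_option_121(routes)
    if len(payload) > 255:
        raise ValueError("too many routes for one option instance")
    return bytes([OPTION_CODE_CLASSLESS_STATIC_ROUTE, len(payload)]) + payload

# Constructed sample: what a VPN client would need to reach the home LAN
# through the tunnel endpoint, plus the /29 and a /0 to show each encoding.
SAMPLE_ROUTES = [
    ("192.168.1.0/24", "10.0.0.1"),   # home LAN via the VPN server's tunnel IP
    ("10.0.0.0/29", "10.0.0.1"),      # the VPN subnet itself
    ("0.0.0.0/0", "10.0.0.1"),        # default route; RFC 3442 says option 3 is then ignored
]

if __name__ == "__main__":
    tlv = option_121_tlv(SAMPLE_ROUTES)
    print(tlv.hex())
    print(decode_option_121(tlv[2:]))
```

Whether a given VPN server hands this option to its clients, and whether the phone's VPN client installs what it receives, is exactly the question the post raises; the encoder only shows what a server would have to emit.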
NYsubscriber

NYsubscriber

Member

Give support the image where you did a tracert and the TTL ran out and the packet was discarded.
blklein1948
join:2020-11-22
Bronx, NY

blklein1948

Member

I replied and attached the tracert image and am awaiting their reply. I am starting to think the issue is that I VPN connect with my phone/ipad but each device is not using the VPN.
NYsubscriber
join:2020-10-17
Syosset, NY

NYsubscriber

Member

Did the folks at Synology reply? I am curious what their answer is going to be.
blklein1948
join:2020-11-22
Bronx, NY

blklein1948

Member

Not as of 10 minutes ago. I am curious too.
blklein1948

blklein1948 to NYsubscriber

Member

to NYsubscriber
Here is something interesting. I had a doctor's appointment today and while waiting I figured I would try and use their free wifi. So I successfully VPN connected with my phone. I ended up connecting to the 192.168.1.1 network with internet access. But of course the network was my doctor's network, not my home network. I was able to see all the resources on my doctor's 192.168.1.x network. I have attached a screenshot from my phone's network app.
I then disconnected from the wifi and used cellular. I successfully VPN connected but did not have any network or internet access. See the 2nd attachment for the screenshot from my phone's network app. I am wondering if this could be an IPv6 issue along with routing/default gateway issues.
blklein1948

blklein1948 to NYsubscriber

Member

to NYsubscriber
Here is their reply. I haven't had a chance to investigate this, probably tomorrow evening. Let me know if you have any insights.

For these devices, can you check the following for us for the VPN connection.

First, see if these devices can access the NAS' own VPN IP address (the one in the VPN Server settings) as well as its usual LAN IP address. It sounds like it can, but it's not clear if it's just making the link or if the client device can access the NAS' resources using that same IP address.

It may be worthwhile trying to ping one of the active VPN client addresses from a device on the NAS' LAN (or even the NAS itself via SSH) to see if it can be reached.

-

Second, make sure your network environment isn't blocking/restricting the traffic. In some cases you may need to add an explicit firewall exception for your VPN subnet to the local LAN, as your network security may block it. I.e. You may need to make an exception that allows traffic on the 10.0.0.X subnet to go to the 192.168.1.X subnet, and vice versa (for replies). Even if the tunnel can connect, the network security may still filter traffic going through the tunnel without appropriate exceptions.

Similarly, you should check to see if the DSM firewall is enabled, as if it is this might also filter traffic between the VPN subnet and the LAN without appropriate exceptions. If there isn't an explicit need for the DSM firewall, disabling it would be a good idea.

--

Third, I'd recommend testing to see if this happens with non-mobile device clients to see if it's limited to just them. Such as a PC on an external network joining the VPN to verify whether this behavior occurs for Windows or Mac devices, or if it seems limited to mobile clients.

--

Fourth, if you are connecting via a domain name/DDNS address, try connecting via the WAN IP address of your NAS' LAN and see if there is any change in behavior. If your domain name/DDNS address isn't routing correctly, it could affect how the VPN traffic is being directed back to the NAS.
blklein1948

blklein1948 to NYsubscriber

Member

to NYsubscriber
Attached is the Synology Log for the connections described in my previous post.
NYsubscriber
join:2020-10-17
Syosset, NY
Alcatel-Lucent I-211M-L
Arcadyan FiOS-G3100
Arcadyan FiOS-E3200

NYsubscriber

Member

Ok. Synology's reply is, well, beating around the bush... (I don't mean to discredit anybody). From your tracert, support should be able to tell that the G3100 and the Synology are tossing packets at each other, that is: the G3100 routes the 10.0.0.2-bound packet to the Synology, the Synology routes the same packet back to the G3100, and this repeats until the TTL is reduced to 0. We are interested in why the Synology is not routing the VPN-bound packet to the VPN subnet. If this were a firewall issue on the Synology, the packet would be dropped at arrival, not "irresponsibly" kicked around.