Can't access subdomains for work website when connected to router

haynlyn · 2022-05-09T17:52:40.434Z

I’m very new to networking, routers, and GL.iNet, so my question may be a bit naive and I may be providing more info than necessary.

I’m using my Beryl router as a travel router, where I intend on using it under different networks. On it I’ve set up a WireGuard VPN client, which allows for me to access most websites while under my work laptop (and while under my work VPN). However, I cannot my subdomains for my company website while connected to the router, regardless of VPN state.

This seems like a DNS problem to me, so I’m going to try to start there in solving it; however, I’d appreciate any guidance on what to look out for, and whether this will be an issue I need to deal with once (as opposed to every new network I use my Beryl under) and if this will be an issue with the VPN on as opposed to off. I don’t think these will be problematic, but again, I’m naive.

Thank you!

smiths · 2022-05-10T18:46:54.682Z

Hello haynlyn,

Are these Work domains “internal”. I.E you need to reach them over over your work VPN, or could I browse to them from my home?

Is the work VPN setup on your router, or on your laptop?
I am thinking some sort of DNS problem, i.e. you need to use the DNS server supplied by the Work VPN to resolve their names?

Alternatively…
If these are internal IP addresses, I wonder if your work VPN is assuming it is going to be the default gateway (on the laptop), and does not push out the static routes, so when your default gateway is say the Wireshark VPN you can only get to the top level of the Work VPN.

Hope the above makes sense, just need a bit more info to help debug.
Simon

nano · 2022-05-10T21:36:10.452Z

I will put in my two cents, to get cnames working I had to add hostnames for my sites since they are hosted behind the firewall on a box locally:
Using luci

Network>Hostnames> create an entry:
yourcname.yourhost.com linked to internal device/web server.

Also:
Network>DHCP and DNS>Advanced> Uncheck filter private

haynlyn · 2022-05-11T03:28:05.785Z

Hey Simon - thank you for your response.

Correct, these work (sub?)domains are internal - you can access www.company.com right now, but not dashboard.company.com without the work VPN which is set up on the laptop.

Connected to the main router and without the work VPN on, I see through ipconfig that the Default Gateway and DNS servers are 192.168.1.1 and that NetBIOS over Tcpip is Enabled.

I was instructed by another person to restore the router to factory settings, which I did since I hadn’t made many changes at this point. Reconnecting the work laptop to the Beryl without my WireGuard VPN and running ipconfig, I see that the Default Gateway is 192.168.8.1 and the DNS Servers read 10.1.2.8 then 10.1.2.9 then 192.168.8.1, with NetBIOS over Tcpip still Enabled.

As such, I still cannot connect to these subdomains, so I don’t think it’s an issue of my WireGuard VPN.

Thank you again, and let me know what else I can provide!

haynlyn · 2022-05-11T03:36:45.873Z

Hmm. I’ll give this a shot. So, per my other comment, I would have dashboard.company.com as the line/entry? I would need that to point to the IP address for each such subdomain, then, although I don’t yet know if I can even connect to the sites per their addresses alone. I’ll try that out in the morning.

nano · 2022-05-11T15:22:16.260Z

Without too much info about your network, or your knowledge we can only take a guess at how to go about this, my guess was using the hostname to service entry and unchecking filter-private.

This is how it works on my network since I also host many sites and want to access them without using a port. I will spare you the technical headache of my setup, and try and simplify a basic example:

Usually if you want to access your local site it requires a local IP and a port number. When you try to perform a query to your Web Server behind your firewall it won’t let you reach it by DNS name because it is blocked by default as a security measure upstream.

So let’s say you run your company Web server behind the firewall locally @ 192.168.1.x and you want to access the main page/service which is usually port 80/443 you would put in http://192.168.1.30:80 or https://192.168.1.x:443 That should work regardless when on site. Your outside IP will also work as long as you are port forwarding that service like http://youroutsideIP:80 or https://youroutsideIP:443

Now if you are hosting this with an A record on a web host like Godaddy it will have a dns entry for your website at that static outside IP address: youroutsideIP = yourwebsite.com.
If you have cnames that are being redirected to other ports of that site, then you would have them located at something like http//:192.168.1.x:9670 points to a cname http://service1.yourwebsite.com
^This example assumes that the Web Server is doing redirects with something like nginx, which let’s you define the ports of the service being redirected.

This is all well and good if you can access the main site page locally, but if you can’t get there with the DNS name from inside then that means the firewall is blocking the upstream WAN entry loopback, or there is a port forwarding issue to the outside world.

wcs2228 · 2022-05-11T15:22:59.325Z

With your laptop connected over the work VPN, can you look up and post the internal IP addresses for:

the VPN network interface on your laptop and the DNS servers
www.company.com
dashboard.company.com

I do not work for and I do not have formal association with GL.iNet

haynlyn · 2022-05-11T21:19:29.161Z

Hi,

For the first part, with the work VPN on, there are two possibly relevant entries under ipconfig with DNS Servers: Wireless LAN adapter Wi-Fi (aka W), which I believe is always present, and Ethernet adapter Ethernet (aka E), which is the work VPN itself.

For W, the DNS Servers are: 10.1.2.8, 10.1.2.9, and 192.168.1.1
For E, the DNS Servers are: 10.1.2.8, 10.1.2.9, 10.200.2.8, and 10.201.2.8; its IPv4 Address is 10.1.7.114(Preferred)
I think it’s worth noting that the Windows IP Configuration entry has DNS Suffice Search List as harvestpro.local

I don’t feel comfortable providing the IP addresses for www.company.com or for subdomain(s).company.com; however, I ran nslookup on those (sub)domains and received IP addresses (possibly worth noting that I didn’t get a response on command prompt but had to hop onto WSL). These are the same that I see from dnschecker.org. I assume that these aren’t the internal IP addresses because I was able to find them from the website. If that’s correct, how can I find them? Otherwise, what am I looking to do with them?

haynlyn · 2022-05-11T21:39:44.910Z

Well, I was able to find IP addresses for the subdomains through running nslookup. I can try doing the CNAME with that, but I would have to also guess on the ports, right?

Also, I’m still not sure why this isn’t an issue under the main router but only on the Beryl (which is serving as a repeater for the network in the main router, which I forgot to mention initially).

This is a lot of info to digest, so forgive me.

haynlyn · 2022-07-05T13:55:01.198Z

I’m still struggling with this. If anyone can provide help I would greatly appreciate it.

alzhao · 2022-07-12T10:58:28.686Z

@hilll can you follow this case?

alzhao · 2022-07-12T11:00:21.422Z

Does your subdomain use local IP addresses?

If yes, can you turn “DNS rebind protection” off in custom dns section in the router?

hilll · 2022-07-12T11:34:22.505Z

OK, I follow this case

hilll · 2022-07-13T08:47:07.684Z

can you offer the “company website”, we can visit it, not use wireguard ?

haynlyn · 2022-07-13T12:47:02.164Z

I imagine they do since I need a work VPN to access it, but I’m honestly not sure if that means it. However, turning off the DNS rebinding attack protection helped fixed it! Thank you

alzhao · 2022-07-13T13:12:40.413Z

Thanks for confirming this.

The subdomain links to a private IP address and the dns rebind protection rejected that.