OpenVPN+port forward

Hi All,

I’m experiencing a very strange issue with my GL-AP1300. I’ve tried to put together a basic schematic of my network.


Essentially I have opened a port on my FTTH box and set up the pass-through to the intended device - all works well.

However, as soon as I connect OpenVPN via the AP1300 GUI, the port is no longer reachable from the internet, even though I’ve tried setting up the policy to exclude the intended device’s IP.
I also tried activating a guest network on the AP1300 (effectively removing the Mesh Router from the scheme) but still no luck.

What am I doing wrong?

Are you connecting to an OpenVPN service provider, such as NordVPN, IPVanish, PureVPN, etc? If so, then enable port forwarding with the provider, but not all of them offer port forwarding.

Yes, and my provider doesn’t support it. But if I choose not to use VPN with the guest wifi, why would that matter? I was under the impression that feature is meant to bypass the VPN on the main wifi, whether it’s connected to the VPN or not.

So for example the GL-iNet VPN Policies tutorial states:

Use VPN for guest network: Turn on/off use VPN for guest network.

Why would that result in the port being closed anyway?

Can you explain in more detail what specific settings you made on both the FTTH and GL-AP1300?

The VPN Policies are for outbound traffic.

> The VPN Policies are for outbound traffic.

That explains it all then! How do I then stop using the VPN for this specific device?

> Can you explain in more detail what specific settings you made on both the FTTH and GL-AP1300?

I just forwarded a port from the FTTH box to the GL-AP1300, then from the GL-AP1300 to the Mesh router, and then from the Mesh router to the intended device. All the same and with the correct WAN/LAN IPs. On the GL-AP1300 Firewall page, I set up wan as External Zone and lan as Internal Zone.

But when I use the alternate setup, the device connects to the GL-AP1300’s guest wifi, where I thought it was going to bypass all in/outbound traffic.

With the Guest wifi setup, you can try port forwarding from GL-AP1300 directly to the target device, not to the Mesh router.

Done. But that doesn’t work for inbound traffic.

I used the same setup as you but I used MT1300 to test.

Once I enable the VPN policy and do not use VPN for the client (XE300), I can access XE300 from the WAN IP.

The only difference is that I’m using the client’s IP rather than the client’s MAC address. Does it make a difference?

Also, does it make a difference if I use the guest network or not? The VPN policy should work anyway, right?

You should select “MAC Address” based and select the device with the correct mac address.

You should not select “Domain/IP” based because it is the target IP, not source IP.

Not sure about guest wifi, but it should be OK. It is just on one guest zone and you should set up port forwarding correctly.

I did a successful test on my GL-MV1000W Brume:

  1. Set up a simple web server on a target device connected to Brume on Port 8080
  2. Did not set up Guest wifi
  3. Added VPN Policy to not use VPN for the target device’s MAC address and tested that the target device is not going through VPN
  4. Added Port Forwarding from Brume WAN to the target device LAN over TCP Port 8080
  5. Successfully accessed web server device via URL http://a.b.c.d:8080 where a.b.c.d is the WAN IP of Brume

From the Internet, you would access via the FTTH WAN Public IP, so it should forward to your GL-AP1300, then should forward to the target device.

You may be doing triple-NAT through FTTH box, GL-AP1300 and Mesh router. Can you bridge the Mesh router?
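A small model of the setup discussed in this thread, added here as an example (not GL-iNet’s code): it shows why the inbound DNAT chain works while the device’s replies are routed into the tunnel, and why a “do not use VPN” exclusion keyed to the device’s own IP cannot match once a Mesh router in between masquerades its clients. Only 192.168.9.220 and port 8080 come from the thread; every other address is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Hop:
    """One NAT hop. Addresses are constructed; not a real GL-iNet config."""
    name: str
    wan_ip: str                   # address this hop presents to the hop upstream
    dnat: dict                    # inbound port forward: dport -> (inside_ip, port)
    vpn_if: str = ""              # VPN tunnel holding the default route, if any
    no_vpn: set = field(default_factory=set)  # sources routed via WAN, not VPN

    def reply_egress(self, src_ip):
        """Outbound policy routing for a reply packet: excluded sources use the
        main table (WAN); everything else follows the VPN default route."""
        if self.vpn_if and src_ip not in self.no_vpn:
            return self.vpn_if
        return "wan"

def trace(hops, dport):
    """Walk the DNAT chain inbound, then route the reply back out hop by hop.
    Each hop masquerades, so the hop upstream only sees its WAN address.
    Returns (final target, True if the reply leaves every hop via WAN)."""
    target, port = None, dport
    for i, h in enumerate(hops):
        rule = h.dnat.get(port)
        if rule is None:                      # no forward for this port here
            return None, False
        target, port = rule
        if i + 1 < len(hops) and target != hops[i + 1].wan_ip:
            return target, False              # forwarded to the wrong LAN IP
    src, ok = target, True
    for h in reversed(hops):
        ok = ok and h.reply_egress(src) == "wan"
        src = h.wan_ip                        # masqueraded before going upstream
    return target, ok

FTTH = Hop("FTTH", "203.0.113.10", {8080: ("192.168.1.2", 8080)})
MESH = Hop("Mesh", "192.168.8.2", {8080: ("192.168.0.50", 8080)})

def ap1300(no_vpn, forward_to="192.168.8.2"):
    """GL-AP1300 with OpenVPN up (tun0) and a 'do not use VPN' list."""
    return Hop("GL-AP1300", "192.168.1.2", {8080: (forward_to, 8080)},
               vpn_if="tun0", no_vpn=set(no_vpn))

# Triple NAT, policy keyed to the device's own IP: the AP1300 sees only the
# Mesh router's address on the reply, so the exclusion never matches.
behind_mesh_device_policy = trace([FTTH, ap1300({"192.168.0.50"}), MESH], 8080)
# Excluding the Mesh router works, but takes every device behind it off the VPN.
behind_mesh_router_policy = trace([FTTH, ap1300({"192.168.8.2"}), MESH], 8080)
# Guest wifi: device directly on the AP1300, forward and policy both name it.
direct_guest_policy = trace([FTTH, ap1300({"192.168.9.220"}, "192.168.9.220")], 8080)
```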

> You may be doing triple-NAT through FTTH box, GL-AP1300 and Mesh router. Can you bridge the Mesh router?
Yes, that’s exactly what I believe is going on

I think that’s the part not working for me.

>   1. Did not set up Guest wifi

I think the issue in my case is that if I set up the “do not use VPN with” policy in the GL-AP1300 with the Mesh router’s MAC address, all devices connected to the Mesh router will not have VPN, which is what I want to avoid (i.e. VPN should not be used exclusively for the intended device where I’m running the webserver).

Any advice on how to proceed?

Based on your current setup, you cannot do that easily.

You may need to connect the device that you want to port forward directly to the AP1300, not your mesh router. Then use the VPN policy.

> You may need to connect the device that you want to port forward directly to the AP1300, not your mesh router. Then use the VPN policy.

That’s no problem, but I already tried to do that (see my second post in this thread). It didn’t seem to work. To clarify, what you’re suggesting is:

  1. Set up port forward from FTTH to GL-AP1300 LAN address
  2. Activate guest wifi on GL-AP1300
  3. Set up port forward from GL-AP1300 to device LAN address (based on IP assigned in the guest network)
  4. Set up VPN exclusion for guest wifi

Is that correct? If so, can you please tell me exactly how to execute 3)? I tried both WAN as well as the guest zone, but both had the port closed as soon as OpenVPN was activated.

Thanks!

I did a successful test using the Guest wifi:

The Guest wifi subnet defaults to 192.168.9.x, so I added Port Forwarding from the router WAN to the target device LAN IP address 192.168.9.220 over TCP Port 8080.

I set the VPN Policy to not use VPN for the Guest network, which was a bit fiddly until I was sure the target device is not going through VPN.

I was then able to access the simple web server on the target device from the WAN.

> The Guest wifi subnet defaults to 192.168.9.x, so I added Port Forwarding from the router WAN to the target device LAN IP address 192.168.9.220 over TCP Port 8080.
> I set the VPN Policy to not use VPN for the Guest network, which was a bit fiddly until I was sure the target device is not going through VPN.

Thanks! Like this?