
Having trouble getting DynDNS to work behind two routers

Discussion in 'Networking Issues' started by _cashel, Sep 18, 2005.

  1. _cashel

    _cashel Network Guru Member

    I have a wireless network stretching across two buildings with a Dlink DI-624 acting as the main router and a WRT54G flashed w/ the latest Alchemy software running as a client/bridge in the second building. I have a server set up with a dynamic DynDNS service behind the second router.

    Here's my problem. My server can connect to dyndns and update the ip address fine, but I cannot access my dyndns hostname through a web browser or SSH. What's odd is that I can ping my hostname and receive a response, but when I try to ping the ip address the hostname is attached to, I get a response timeout error. I've tried forwarding ports and enabling DDNS on both routers, neither of which work. I know this has something to do with the server being behind TWO routers, but I don't have a clue on how to go about fixing it.
     
  2. 4Access

    4Access Network Guru Member

    I'd suspect the problem is with the port forwarding configuration. There's a number of ways to set things up when you've got a device behind two routers.

    Below is an example of all the options I can think of for opening port 80 listed in descending order of preference. (This assumes you've left the WRT in gateway mode.)

    1. Forward port 80 on the D-Link to the WRT, then forward port 80 on the WRT to the Server's IP
    2. Forward port 80 on the D-Link to the WRT, then configure the server as the DMZ device in the WRT.
    3. Configure the WRT as the DMZ device in the D-Link, then forward port 80 from the WRT to the server
    4. Configure the WRT as the DMZ device in the D-Link, then configure the server as the DMZ device in the WRT.

    If you've put your WRT in router mode instead of gateway mode and configured a static route on your D-Link that points to the LAN subnet on the WRT, you'll want to forward port 80 in the D-Link directly to the IP address of the server.

    Regardless of which method you select, you can use the ShieldsUP! port scanner to see if port 80 & 22 are opened properly. (Server must be running during tests.)

    Good luck!
     
  3. _cashel

    _cashel Network Guru Member

    Hi, I tried each of the configurations you listed, and none of them seem to work. I also ran the ShieldsUp test, and the ports I tested (80, 22, 23) were reported as Stealth. Is this good or bad in my case? They passed the solicited and unsolicited tests and failed the ping reply (which would be a good thing for me would it not?). Any more ideas?
     
  4. 4Access

    4Access Network Guru Member

    You actually need to be "failing" the ShieldsUp tests for ports 80, 22, 23 since that means they are open and responding to traffic.

    To help determine if the problem is with the D-Link or the Linksys try the following:

    1. Forward ports 80, 22, 23 in the D-Link to the IP address of a computer connected directly to the D-Link router.

    2. Make sure all software firewalls (including the built-in XP SP2 firewall) are disabled on the computer you are forwarding the ports to.

    3. Rerun the ShieldsUp test from the computer you forwarded the ports to. If the results are still Stealth then the problem is somewhere between the D-Link and your ISP. If the results are "Open" OR "Closed" then the D-Link is functioning properly and we'll need to figure out what the configuration problem is with the WRT.

    BTW just for reference, are you running the WRT in Router or Gateway mode? (Setup > Advanced Routing)
     
  5. _cashel

    _cashel Network Guru Member

    I have the WRT running in gateway mode. I did what you said and was able to get the computer running on the dlink router to fail the tests (the ports say closed). I had to allow the ports in the windows firewall. I'm still passing the unsolicited test though.

    I enabled DMZ on the DLink for the WRT and forwarded the ports on the WRT to the server, and now the server fails the test the same way the other computer is failing it, which is weird because I swear I tried this method already.

    I still cannot access the server through PuTTY, nor can I access it via the hostname in the browser. Does this have something to do with the ports being 'closed' rather than open? This can't be an ISP issue because I have been able to connect to this server via SSH (using a DynDNS hostname) and host public Teamspeak servers while it and another were on the same router connected directly to my dsl modem.
     
  6. 4Access

    4Access Network Guru Member

    Yes, the ports need to be Open for things to work... The fact that the ports are closed instead of open says to me one of two things.

    1. The ports are forwarded properly but for some reason the server isn't actually accepting connections on the designated ports. To determine if this is the case simply connect to the designated services on the server from another computer on the LAN. If you can open the website or ssh connection successfully from another computer on the LAN then the problem is most likely related to the port forwarding. See step 2.

    2. Port forwarding might be mixed up and actually forwarding the traffic to another computer on your network. Test this by simply unplugging the server from the network (or shutting it down) and then running the port scan tests @ grc.com from another computer on your LAN. If the results are still Closed when the server is disconnected from the network then port forwarding is messed up. Double-check your port forwarding configuration. If the tests return Stealth when the server is disconnected and Closed when the server is connected then the problem is something on the server itself.

    I know this might not be all that helpful in solving the problem (whatever it may be) but at least it should allow you to determine exactly where the problem lies.

    Another thing you could consider depending on your level of knowledge is installing a packet sniffer such as Ethereal on the server and monitoring exactly what happens when you run the port scans or better yet, what happens when you try to connect to the server from the internet.
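
The two checks in the post above can be written down as a small decision procedure. This is an added example, not part of the original thread: `probe` and `diagnose` are hypothetical names, `probe` is meant for the LAN-side test, and the two outside results are typed in from an external scan such as ShieldsUP. The "stealth" branch goes slightly beyond the post by treating a silent port as a router or ISP problem.

```python
import socket

def probe(host, port, timeout=3.0):
    """Classify one TCP port using the scan wording from the thread."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"      # handshake completed: a service is listening
    except ConnectionRefusedError:
        return "closed"        # RST came back: host reached, nothing listening
    except OSError:
        return "stealth"       # timeout or unreachable: no TCP answer at all

def diagnose(lan, wan_server_up, wan_server_down):
    """Apply the two checks from the post above.

    lan             -- probe() result from another machine on the server's LAN
    wan_server_up   -- external scan result with the server connected
    wan_server_down -- external scan result with the server unplugged
    """
    if wan_server_up == "open":
        return "working: forwarding and service are both fine"
    if lan != "open":
        return "server: service is not accepting connections on this port"
    if wan_server_up == "stealth":
        return "routers or ISP: no reply, traffic is dropped before any host"
    # From here the outside sees "closed" although the LAN test succeeds.
    if wan_server_down == "closed":
        return "routers: the forward points at some other machine"
    return "server: forward reaches it, but it refuses outside connections"

if __name__ == "__main__":
    # Constructed values: LAN test succeeds, outside scan says Closed while the
    # server is connected and Stealth once it is unplugged.
    print(diagnose("open", "closed", "stealth"))
```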
     
  7. ByteMeHtd14

    ByteMeHtd14 Network Newbie Member

    If you want to access a router from the WAN port you must first allow WAN access to the GUI in administration settings. If you ping and get a reply, then the DDNS is working, but you need to open a VPN linkup on your machine and access the GUI of the router by its internal LAN address. Again, this means that you'd be able to access the router as if you were INSIDE the main network, a much safer alternative to opening WAN access to the gui. By default, WAN access is DISABLED, and when ENABLED you must also set other options that limit who can access the router.
    For instance:
    I've set up several routers with DynDNS names, and have left the WAN access off. I run a mac, so creating a VPN is easy through network settings. I open and Connect the VPN (it uses the DynDNS URL address and a port of my own selection--this port is forwarded to the second router or server with the dyndns set up on it-- for the address to link to, and I allow it to update once a day, since the router reboots to drop any internal log or error data that builds; the VPN uses only the last 10 addresses of my router's subnet mask--IE for 192.168.1.x I use 242 to 251 to allow a few on the very outside for static use later) and then I use the router's LAN address in my browser and voilà, I get the gui. I can make changes as if inside the network (like I'm plugged right into the router and sitting next to it), and I can access everything from scanner\printer to storage and media to the Computers themselves for quick RDC or VNC for assistance. Cheap, easy, and functional.

    Process:
    First, forward a port from ISP router or modem to your internal device that will be your VPN and your dyndns. Since you can ping the WAN all you want and get an "I'm Here and connected" message when something is connected to that address, ping is not an acceptable test. You want to see your router or server GUI (graphic user interface). We have the port open, and all traffic should go to the router you have behind your ISP or primary equipment. Now you need to set up a method for seeing the router and services from the outside.
    Option A is to set up WAN access, but is unsecure, unencrypted, dangerous.
    Option B is to set up a VPN, using any server you wish (I use a simple PPTP with auto encryption or 128bit; not enterprise grade, but better security than WAN access). Next, you add users to the VPN and start the service. Set up your DYNDNS service, make the connection, and check it by going outside your network, setting up a VPN client on your computer using settings from PPTP on router, and add the port number to the end of your dyndns URL for the connection address. Ta-da. You now access the router through the LAN address of the router, masking the actual address of the connection, and you can do everything the guy sitting right next to it can do.
     
  8. Toxic

    Toxic Administrator Staff Member

    I think you're 9 years too late. The posts are from 2005. I'm pretty sure the issue is now forgotten.
     
