Help to access to bridge subnet that carries ISP to RV082 WAN

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by rbngan, Oct 16, 2013.

  1. rbngan

    rbngan LI Guru Member

    I have an ISP being delivered to us over a set (4 devices) of bridged Ubiquiti devices. So the IP coming into the WAN port of the RV082 is a public IP (20.20.20.1-4) riding on a private IP (55.55.55.5). My problem is I can't get access to the private IP to manage the devices. (All IPs are fake.)

    The setup is now ISP bridge (20.20.20.x) to RV082 WAN (55.55.55.5) to RV082 LAN (20.20.1.1) to UT box external (20.20.1.20).

    Prior to this I had an Untangle box where the RV082 was. So the bridge subnet (20.20.20.1-4) was delivering the public IP (55.55.55.5) to the external NIC of the Untangle box. All I had to do on the Untangle box was add the private IP (20.20.20.20) as an alias to the external network and I had access to the private bridge devices.

    I've scratched now for several days and all I can find is "don't use Alias on the RV products" and use One-to-One NAT.

    I've tried adding a one-to-one NAT rule of 20.20.1.20 => 20.20.20.1 in the RV082 and it works for me to get access to the bridge devices. The problem is the rest of the network loses internet connection. It appears that the 1-to-1 NAT is forcing all network traffic to the bridge network, which is not connected to the internet. I must be missing a link or need to add another rule somewhere but cannot figure this out.

    How can I have access to the bridged network (20.20.20.x) carrying the ISP and continue to route my network traffic through the ISP IP set in the RV082?
     
  2. Sfor

    Sfor Network Guru Member

    I'm not sure if I do understand your network structure, but all I can think of is the situation, when the bridge device management IP is not in the same subnet as the RV082 WAN port is.

    If you do have the RV082 WAN2 port unoccupied, it should be possible to set it statically to be in the same subnet as the bridge device. By setting the RV082 in dual WAN Load Balance mode, and sending all traffic except the bridge subnet to WAN1 (through protocol binding), it should be possible to manage the bridge from the LAN side of the RV082. However, it will not work through VPN created with RV082.
     
  3. rbngan

    rbngan LI Guru Member

    Thank you! Yes, I think we are on the same page on my problem. I've attached a raw connection schematic. It is very raw and the VLANing is not in place yet. At this time the issue lies after with the WWW traffic on subnet 55.55.55.5 is coming in over the UB-NB devices 14 to 11 that are configured on subnet 20.20.20.x to primary WAN port of the RV082. In the past I would manage it by remotely starting an RDP session to the LAN network and then log into the bridged devices from the LAN side. Your suggestion seems to provide the same management option.

    If I understand your suggestion, you are saying leave WAN port two physically unoccupied but configure it in dual WAN Load Balance mode with the 20.20.20.x subnet. This sounds like a good suggestion. I will have to take a look at this and make sure I get the protocol bindings set up correctly as I've never worked with that before. I have remote access to the RV082, however, since I am 140 miles away from the site, do you see any risk of locking myself out of the RV082 when setting the protocol bindings?
     

  4. Sfor

    Sfor Network Guru Member

    I do not think it is risky. The protocol binding does not affect the VPN traffic, as far as I know. But my experience is coming from the RV082 v1 and v2 series. The v3 are very different.
     
  5. rbngan

    rbngan LI Guru Member

    I must not understand the way to set up the protocol binding to get the transparent bridge subnet to respond. I can not even ping the transparent bridge from the RV082. Here are my settings (again IP are not my real IPs):

    WAN1 Setup: Static IP
    Specify WAN IP Address: 55.55.55.5 (incoming public IP from ISP sent over transparent bridge 20.20.20.x)
    Subnet Mask: 255.255.255.0
    Default Gateway Address: 55.55.55.77 (Set by ISP)
    DNS Server: 66.67.77.1 (Set by ISP)

    WAN2 Setup: Static IP
    Specify WAN IP Address: 20.20.20.20 (Transparent bridge subnet with .20 for WAN2 port)
    Subnet Mask: 255.255.255.0
    Default Gateway Address: 20.20.1.1 (RV082 LAN IP)
    DNS Server: 0.0.0.0

    x Load Balance (Auto Mode)
    Protocol Binding
    All Traffic [TCP&UDP/1~65535]->20.20.1.1~254(0.0.0.0~0.0.0.0)/WAN1
    All Traffic [TCP&UDP/1~65535]->20.20.1.1~100(20.20.20.20~20.20.20.14)/WAN2 (20-14 is range of Transparent Bridge devices - I also tried this on WAN1 with no success)

    Here are the rule options I have:
    Service: options to select port traffic
    Source IP: 20.20.1.__ to __
    Destination IP: __:__:__:__ to XX:__:__:__
    Interface: WAN1 or WAN2
    Enabled: x

    Can you see where I'm off in my protocol rules? I was thinking of maybe it should be but the rules require the ending set of destination IPs start with the same as the beginning destination IP:
    All Traffic [TCP&UDP/1~65535]->20.20.1.1~254(0.0.0.0~20.20.20.19)/WAN1
    All Traffic [TCP&UDP/1~65535]->20.20.1.1~100(20.20.20.20~20.20.20.14)/WAN2
    All Traffic [TCP&UDP/1~65535]->20.20.1.1~254(20.20.20.15~255.255.255.255)/WAN1
    So maybe this:
    All Traffic [TCP&UDP/1~65535]->20.20.1.1~254(20.20.1.1~20.20.1.254)/WAN1
    All Traffic [TCP&UDP/1~65535]->20.20.1.1~254(20.20.20.20~20.20.20.14)/WAN2
    and that did not work. Changed send rule to WAN1 and still no ping response or management access to transparent bridge devices.

    Any help on understanding and setting these rules up would be appreciated.
     
  6. Sfor

    Sfor Network Guru Member

    The protocol binding rules are used by finding the first applying one. So, in case:
    All Traffic [TCP&UDP/1~65535]->20.20.1.1~254(0.0.0.0~0.0.0.0)/WAN1
    All Traffic [TCP&UDP/1~65535]->20.20.1.1~100(20.20.20.20~20.20.20.14)/WAN2
    The second rule will never be used, as the first one will always be taken.

    Unluckily, the RV082 v1 and v2 are not able to set priority of the protocol binding rules. The only possible action is to remove the rules, then to enter them back in correct order.

    As for the pinging on the WAN ports. If the network service detection function is enabled, router will take over all ping responses from provided hosts and will not pass them further. It means if the router is pinging the transparent bridge IP because of the network service detection function, the responses from this IP will not be passed back to the pinging device. The RV082 seems to think these are responses to the ping queries sent by the network service detection function.
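
The first-match behaviour described in the post above, as an added example that is not part of the thread and is not RV082 code: a small Python model of ordered protocol-binding rules that parses the rule text quoted in the thread and reports which rules can never be reached. The function names and the handling of a destination range typed high-to-low are assumptions of this example.

```python
import ipaddress
import re

RULE_RE = re.compile(
    r"->(\d+\.\d+\.\d+)\.(\d+)~(\d+)\(([\d.]+)~([\d.]+)\)/(WAN\d)")

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_rule(line):
    """Parse one rule line in the format quoted in the thread."""
    m = RULE_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    prefix, s_lo, s_hi, d_lo, d_hi, iface = m.groups()
    src = sorted((to_int(f"{prefix}.{s_lo}"), to_int(f"{prefix}.{s_hi}")))
    if d_lo == d_hi == "0.0.0.0":
        dst = [0, 2**32 - 1]  # 0.0.0.0~0.0.0.0 acts as the catch-all
    else:
        # Assumption: a range typed high-to-low (20.20.20.20~20.20.20.14)
        # covers the same span; the thread does not say how the router
        # itself treats it.
        dst = sorted((to_int(d_lo), to_int(d_hi)))
    return {"src": src, "dst": dst, "iface": iface, "text": line}

def first_match(rules, src, dst):
    """Return (index, interface) of the first rule that applies, or None."""
    s, d = to_int(src), to_int(dst)
    for i, r in enumerate(rules):
        if r["src"][0] <= s <= r["src"][1] and r["dst"][0] <= d <= r["dst"][1]:
            return i, r["iface"]
    return None

def shadowed(rules):
    """Indexes of rules whose source and destination ranges are both
    fully covered by one earlier rule, so they can never be selected."""
    def covers(a, b):
        return a[0] <= b[0] and b[1] <= a[1]
    return [j for j, later in enumerate(rules)
            if any(covers(e["src"], later["src"]) and
                   covers(e["dst"], later["dst"]) for e in rules[:j])]

# Rule text copied from the thread (the poster's placeholder addresses).
CATCH_ALL = "All Traffic [TCP&UDP/1~65535]->20.20.1.1~254(0.0.0.0~0.0.0.0)/WAN1"
BRIDGE = "All Traffic [TCP&UDP/1~65535]->20.20.1.1~100(20.20.20.20~20.20.20.14)/WAN2"
AS_POSTED = [parse_rule(CATCH_ALL), parse_rule(BRIDGE)]
REORDERED = [parse_rule(BRIDGE), parse_rule(CATCH_ALL)]

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(name, first_match(rules, "20.20.1.50", "20.20.20.14"),
              "shadowed:", shadowed(rules))
```

Running the same check over an exported rule list before entering it on the router shows whether a narrow management rule sits behind a catch-all, which matters on a device where rules can only be reordered by deleting and re-entering them.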
     
  7. rbngan

    rbngan LI Guru Member

    I see, that makes sense. I reversed the rules:
    All Traffic [TCP&UDP/1~65535]->20.20.1.1~100(20.20.20.20~20.20.20.14)/WAN2
    All Traffic [TCP&UDP/1~65535]->20.20.1.1~254(0.0.0.0~0.0.0.0)/WAN1

    Dang, still can't access the transparent bridge. Are these rules correct now?
     
  8. Sfor

    Sfor Network Guru Member

    The rules seem to be correct. How do you try to access the bridge devices?

    RV082 will not let the traffic incoming through VPN to go out through WAN ports. It is necessary to use some sort of a proxy server placed in LAN in such a case.
     
  9. rbngan

    rbngan LI Guru Member

    I'm trying to access by RDPing into a server, then opening a web browser and entering the IP address of the transparent bridge device. I'm trying to access it from the LAN side.
     
  10. rbngan

    rbngan LI Guru Member

    Sfor. Thank you for all your help. I was able to sort of solve my connection problem without using the RV082. What I was trying to do was connect the RV082 to the Transparent Bridge and it was not working. After I created a One-to-One NAT policy for my one server to access the bridge devices, I changed the gateway on the bridge devices to my RV082 LAN IP and I now have connection from the LAN side on all devices, but my server does not have internet connection as it appears to be looking for it through the bridge devices. As soon as I turn the 1-to-1 NAT rule off, I lose connection to the devices from the LAN. So I put in a rule 20.20.1.254~254 => 20.20.20.254~254, which is a non-existing device, and now my server has internet connection and I have LAN connection to the Transparent Bridge devices. Not sure why having the rule to one server affects all the network connections.

    Are there any security issues with creating a One-to-One NAT rule like this?

    (Correction to above: I stated NAT-to-NAT and should have stated One-to-One NAT.)
     
    Last edited: Oct 19, 2013
  11. Sfor

    Sfor Network Guru Member

    I'm not sure what the Nat to Nat policy is. So, I'm unable to answer your question.

    As for the One to One NAT RV082 function, I have never used it.
     
