Unable to reach LAN IP
2023-03-11 10:49:44
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.1

My webserver connects to LAN port.

 

I am able to send packets out from my webserver but external traffic is unable to reach my webserver.

 

My LAN devices are able to access internet.

 

I think it is not a firewall issue as the setup is working well with the old router, a Cisco which needs to be in Router mode instead of Gateway mode.

 

Is there such function in ER605 where instead of Gateway mode, it operates on Router mode?

#1
Re:Unable to reach LAN IP
2023-03-11 13:34:45

  @Addy28 

 

I am assuming your internet connection has a public static IP. If it starts with 10. or 192.168, then it very likely doesn't and you'll need to go deeper than the ER605.

 

If you do have a public IP on your WAN interface of the ER605, then you just need to go into the NAT settings and 'port forward' your webserver ports (typically 80 and 443) to the local private IP of your webserver...which should be 'fixed', so you also need to set a Reserved IP entry on your DHCP server to make sure the webserver always gets the same internal private IP.

<< Paying it forward, one juicy problem at a time... >>
#2
Re:Unable to reach LAN IP
2023-03-12 01:19:43 - last edited 2023-03-12 01:20:31

  @d0ugmac1 

Thank you for the reply!

For context,

Router
WAN IP is 118.202.5.x
LAN IP is 118.202.6.1x

Webserver is 118.202.6.2x

Webserver is able to send out emails, but not able to receive email.
I can access my websites internally but not from public.

Wasn't able to ping my router (LAN) and webserver IP.

For the DHCP server, should I use the one on the router, or is the current one good?
My current DHCP server is on 192.168.x.x
 

#3
Re:Unable to reach LAN IP
2023-03-12 03:08:43

  @Addy28 Need a little more context around why you are using public IPs for your LAN. In general I was expecting your entire LAN to be private IPs, i.e. 192.168.2.X.

 

If you don't 'own' the IP block you are using for your webserver, then people looking for it will go to the router that DOES own those IPs. It's like your house is in Paris, but you use London addresses for all the rooms in your house. Google will send visitors to London proper, not Paris, in order to get to those 'addresses'.

 

Typically you only own whatever IP your ISP gives you, let's say that's 118.202.5.99...then that is the IP that the rest of the world needs to use to reach your server(s). Let's now say that your LAN is 192.168.6.X and your webserver is 192.168.6.66. You now want to forward ports 80 and 443 from the WAN to the LAN, so that 118.202.5.99 port 80 gets mapped to 192.168.6.66 port 80 (and same for port 443).

 

I'm sure I've horribly misunderstood what you're trying to do...so maybe a diagram would be useful?

<< Paying it forward, one juicy problem at a time... >>
#4
Re:Unable to reach LAN IP
2023-03-12 17:53:55 - last edited 2023-03-12 17:59:23

  @d0ugmac1 

 

Here you go

The thing is I am unable to ping 118.201.bb.1 and 118.201.bb.2

Able to hit 118.201.aa.1 and 118.201.aa.1

As such, I should port forward 118.201.bb.1:80 to 118.201.aa.1:80 

 

#5
Re:Unable to reach LAN IP
2023-03-12 18:29:03 - last edited 2023-03-12 18:29:50

  @Addy28 

 

Here's where I see a problem: if your ISP owns the public IP block of 118.201.aa.X, then there is an extremely good chance they also own 118.201.bb.X, which means any internet traffic bound for an IP on your LAN (118.201.bb.X) will go somewhere else on the planet rather than via your gateway, which is (118.201.aa.2), because you don't control the routing for that.

 

You also need to decide why you have your router and your firewall stacked and if you really need both of them at all. For simplicity's sake I am going to suggest you do the following:

 

1. Change your ER605 LAN subnet to be 192.168.0.0/24, your ER605 will get 192.168.0.1 and you can statically reserve an IP, let's say 192.168.0.100 for your webserver's MAC address.

2. Unplug and remove your firewall from the solution altogether for the moment.

3. Connect your webserver to a LAN port of the ER605 and verify that it now gets a 192.168.0.100 IP.

4. Create NAT rules to forward from your WAN interface (118.201.aa.2) to 192.168.0.100 for ports 80 and 443.

 

You should now be able to access your webserver from the internet. Build your firewall rules on the ER605.

 

You can now add back in your firewall if you really need to (the ER605 can do most if not all of whatever it was doing), but you typically want to put it behind the ER605 and then make it the DMZ for the ER605's LAN.  Depending on how your firewall works, you can keep the webserver on the same subnet, or create a new one below the firewall.

 

Maybe you can tell me what type of firewall you have?

<< Paying it forward, one juicy problem at a time... >>
#6
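The address-plan checks discussed in replies #2, #4 and #6, as an added example that is not part of the original thread: it flags a WAN address that is not publicly routable, a LAN subnet outside the RFC 1918 private ranges, and a webserver address outside the LAN, then lists the port-forward mappings. The function names, the /24 mask on 118.202.6.0 and the host 118.202.6.20 are assumptions (the thread masks the last octet); 118.202.5.99 and 192.168.0.100 are the sample values used in the replies.

```python
import ipaddress

# RFC 1918 private ranges; a LAN behind a NAT-only router belongs in one of these.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def review_plan(wan_ip, lan_subnet, server_ip):
    """Return a list of problem codes for a NAT port-forwarding address plan."""
    wan = ipaddress.ip_address(wan_ip)
    lan = ipaddress.ip_network(lan_subnet, strict=True)
    srv = ipaddress.ip_address(server_ip)
    problems = []
    # Reply #2: a private or carrier-grade NAT WAN address means the real
    # public address sits on an upstream device, not on this router.
    if not wan.is_global:
        problems.append("wan-not-public")
    # Replies #4 and #6: public addresses you do not own, used on the LAN,
    # are routed by the internet to their real owner, not to your gateway.
    if not any(lan.subnet_of(r) for r in RFC1918):
        problems.append("lan-not-rfc1918")
    # The reserved webserver address must be a usable host inside the LAN.
    if srv not in lan:
        problems.append("server-outside-lan")
    elif srv in (lan.network_address, lan.broadcast_address):
        problems.append("server-address-unusable")
    return problems


def forward_rules(wan_ip, server_ip, ports=(80, 443)):
    """List the WAN-to-LAN mappings to create; only these ports are exposed."""
    return [f"{wan_ip}:{p} -> {server_ip}:{p}" for p in ports]


if __name__ == "__main__":
    # Constructed plans: the first mirrors the thread's public-IP LAN,
    # the second follows the renumbering suggested in reply #6.
    plans = [("118.202.5.99", "118.202.6.0/24", "118.202.6.20"),
             ("118.202.5.99", "192.168.0.0/24", "192.168.0.100")]
    for wan, lan, srv in plans:
        issues = review_plan(wan, lan, srv)
        print(lan, "->", issues or "ok")
        if not issues:
            print("\n".join(forward_rules(wan, srv)))
```
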
Re:Unable to reach LAN IP
2023-03-13 07:17:53

  @d0ugmac1 

 

Apologies. Yeah I am taking over this set up and it is very complex to comprehend.

 

This is the new network diagram. My firewall is a Sophos.

 

The thing is this set up works on an old Cisco Router. Is there any way that ER605 can replicate Cisco's Router mode?

 

 

#7
Re:Unable to reach LAN IP
2023-03-13 07:51:39

Hi  @Addy28 

 

ER605 is a pure NAT router. It does not support classic routing. 

 

One-to-one NAT may be a solution, but that may still require you to change something on your Firewall.

 

How to configure One-to-One NAT on Safestream routers using the new GUI

Best Regards!
#8