@Ben-91 

It is quite normal that you cannot access your front ISP router because they are two networks and they have firewalls. (A router is a NAT, that's stopping you from the cross-LAN connection) 

have you tried the static routing on our ER605 to route the traffic to the ISP router? I remember that I read some links on other forum saying Static routing could achieve this. 

  @John1234 Hi, thanks for your reply. I tried without success:

- destination : 192.168.1.0

- subnet : 255.255.255.0

- next hop : 192.168.0.1

- interface : I tried either WAN or LAN, not being sure, but none worked

- metric : 0

I had applied successfully the symmetric rationale for routing the traffic from my ISP router to my LAN : on my ISP router, I have a route :

- destination : 192.168.0.0

- subnet : 255.255.255.0

- gateway : 192.168.1.2

I don't know what is wrong in my settings. Note that when I used, previously, ikev/Ipsec vpn option, I could access to both 192.168.1.1 on the WAN and some equipment on my LAN (e.g. 192.168.0.9), while having a VPN IP in the 192.168.3.190 to 192.168.3.200 pool.

So I wonder if I face a limitation of VPN server with Openvpn, or if I messed up in my settings :-)

Thanks in advance if you have any further advice,

best regards

Benjamin 

  @Ben-91 

OK. Just simply put the IP address of the first NAT and you can go in without a problem. This is the fact.

This should work the same to the VPN. 'cause VPN client gets an IP from the LAN inside the second NAT(ER605).  VPN type, L2TP, PPTP, IPsec. 

So, OpenVPN, you can run tracert to find how your packets are re-routed. It seems that packets are not re-routed to the LAN of the ER605. Instead, it is going through the gateway locally. 

I don't know if your OpenVPN can do proxy gateway and forward everything to the LAN of ER605. Something should be done to forward the packets from the Client side to the LAN side of ER605. It begins to be an issue on your device. Instead of ER605. Nothing needs to be configured on ER605 until you can confirm the packets are forwarded to the ER605. If the packets are not even there, there is no point doing any config to route anything to your modem router. 

  @John1234 Hi John, many thanks for your feedback. I could make some testing today : when remotely connected with openvpn (either openvpn gui or openvpn connect) :

-  I can access to all my devices on LAN side 192.168.0.x, but not to the first NAT 192.168.1.1, neither to the internet (tested with google etc...),

- I made some tracert tests with the diagnosis tool from the ER605 router standalone interface, and when I put google address and WAN interface, it manages to reach google and describe the route.

So it looks like if I request directly to the ER605 to "look at something on the WAN side", it manages to do it, but the WAN information does not seem to be "automatically transferred" to the LAN side when remotely connected to the LAN side with the VPN (I'm not sure this description of my current understanding is clear enough :-)).

Probably the missing trick is related to proxy you mentioned, but I'm not able to define the appropriate settings - I have not defined any proxy on my network.

Sorry for all these questions, and thanks in advance !

Benjamin

  @Ben-91 

But if you can access(ping) your in-LAN IP no problem, you should be able to access them without a problem. 

The issue is that your ER605 is a NAT, when there is a NAT and you try to penetrate this NAT and access a upstream NAT, you need to try out the static routing to properly direct(tell) ER605 where this 192.168.1.1 should be forwarded. 

Instead of making things complicated, you can consider accessing your modem router by its WAN IP. That's the common way for people to access their router. When you type in the public WAN IP, you'll be able to access it with the username and password.