Question for network gurus


G G
03-01-2017, 02:44 PM
I recently upgraded my wireless router. I have DSL from my phone company. The modem from the phone company is in bridge mode.

I have enabled the VPN Client on the router because I do some streaming through Kodi and don't care for the phone company to know it.

Until I got this router, I had dyndns set up on my router for viewing my security cameras, and it always worked, since I had no VPN set up on the old router.

I think the answer is no, but can I set up dyndns on the router and have a VPN client running and still see the cameras from outside the network?

I tried to set both up but when I activate the VPN client it won't connect; it gives an IP conflict/routing error.

I am guessing there is no way to get the dyndns to see the IP of the VPN and it can't see the router since its IP is going through another city.

jledou
03-01-2017, 03:26 PM
Probably way over my head but do you need to open a port for everything to be allowed out?

G G
03-01-2017, 03:56 PM
> Probably way over my head but do you need to open a port for everything to be allowed out?

I forgot to add that I have the port forwards configured.

mosesbotbol
03-02-2017, 07:24 AM
Can you do a host file entry for the camera?

G G
03-02-2017, 01:25 PM
> Can you do a host file entry for the camera?

I don't have the knowledge to know if I can or not Moses. I know very little about host files.

8zeros
03-02-2017, 11:52 PM
So dyndns sets up a place on the internet you can address to look back at your router to see the cameras, right? And you have a port set up to forward out to that dyndns place, it seems.
Question 1. Does this work without the VPN?

VPN sets up a standard port to connect to that is running a program that encrypts and authenticates the connection with an outside computer.
Question 2. Does this work without the camera/dyndns stuff?
In other words, can one or the other or both work without the other running?

It seems to me that they are two separate things running their separate ways and should not bother the other.

Weelok
03-03-2017, 01:53 AM
Hmmm, I think the answer to your question is no but I say that only because your router is doing the VPN. If you set up a VPN connection from your computer you could do what you want as that is what I do and the only encrypted connection is the computer IP traffic. This type of set up allows other connected devices to be routed through the router as normal.

By enabling VPN on the router, I suspect all the connections try and go encrypted? What router are you using?

I did some googling and it's possible to get what you want working but it's going to depend on the service you use to view the camera remotely as that service would have to support the VPN connection as well, e.g. Have the key in order to encrypt and decrypt the IP traffic.

Weelok
03-03-2017, 02:09 AM
Here is someone doing what you want and it does sound complicated.

http://superuser.com/questions/875823/unable-to-remotely-view-ip-cameras-rtsp-stream

G G
03-03-2017, 07:18 AM
> So dyndns sets up a place on the internet you can address to look back at your router to see the cameras, right? And you have a port set up to forward out to that dyndns place, it seems.
> Question 1. Does this work without the VPN?
>
> VPN sets up a standard port to connect to that is running a program that encrypts and authenticates the connection with an outside computer.
> Question 2. Does this work without the camera/dyndns stuff?
> In other words, can one or the other or both work without the other running?
>
> It seems to me that they are two separate things running their separate ways and should not bother the other.

The answer is yes, they can both work separately. It's not quite as simple as you make it though. Using a VPN changes your IP (because of the encrypted tunnel from my computer to the host) to the one on the VPN server. That is why the ISP cannot log or track what you are doing on the internet. The dyndns is required to connect back to the home network because most of us have a dynamic IP and not a static one. It simply lets you use a domain to connect back to the cameras, because when you set up the dyndns on the router it updates the actual IP so that the domain is always looking at the router. That's probably not as technical or correct as some on here can make it, but I think it's close enough.

G G
03-03-2017, 07:20 AM
> Hmmm, I think the answer to your question is no but I say that only because your router is doing the VPN. If you set up a VPN connection from your computer you could do what you want as that is what I do and the only encrypted connection is the computer IP traffic. This type of set up allows other connected devices to be routed through the router as normal.
>
> By enabling VPN on the router, I suspect all the connections try and go encrypted? What router are you using?
>
> I did some googling and it's possible to get what you want working but it's going to depend on the service you use to view the camera remotely as that service would have to support the VPN connection as well, e.g. Have the key in order to encrypt and decrypt the IP traffic.

I have an Asus RT-AC87U. Yes I could use the VPN per device but it wouldn't be useful for my purpose then. The main reason I am using a VPN at the router level is that I am running Fire Sticks with Kodi and am streaming, and really don't care for the ISP to know. The Fire Sticks don't have native capability to run a VPN on the device.

mosesbotbol
03-03-2017, 09:45 AM
> I don't have the knowledge to know if I can or not Moses. I know very little about host files.

located in %windir%\system32\drivers\etc

Enter the host name of the device and IP address of the host to bypass DNS name resolution. There's a sample within the file.

***Copy file to desktop, edit it, and then copy back to "etc" folder. Host file does not have a file extension.

8zeros
03-03-2017, 09:48 AM
I run tunnels and cameras on a lot of servers, but I never have made the router the VPN. I see how this would be the problem. I think you can set up a VPN on another router and bridge it to the one connected to the internet, then keep the camera server on the non VPN router and everything else on the VPN bridged router. You can even have a single computer doing both but that is tricky.

G G
03-03-2017, 09:53 AM
> located in %windir%\system32\drivers\etc
>
> Enter the host name of the device and IP address of the host to bypass DNS name resolution. There's a sample within the file.
>
> ***Copy file to desktop, edit it, and then copy back to "etc" folder. Host file does not have a file extension.

I use a Mac. I am running the VPN client on the router so that ALL traffic from within my network goes through the VPN. Are you saying to edit the host file on the machine that I am trying to access the cameras with from outside my home network? If so, I use an iPhone to do that mostly. And my questions are so that I understand, cause I am just smart enough about networks to be dumb. LOL

Weelok
03-03-2017, 10:51 AM
I think the problem may just be your IP address changed after the VPN was enabled. Check the IP address of the router and verify if it has changed or not. If it has, then see if you can view your cameras from outside your network by using the new IP address and not the domain name.

Here is some interesting data on your router for VPNs but not completely relevant except for the IP changing. Sounds like a powerful router.

https://www.asus.com/support/faq/114892

G G
03-03-2017, 11:08 AM
> I think the problem may just be your IP address changed after the VPN was enabled. Check the IP address of the router and verify if it has changed or not. If it has, then see if you can view your cameras from outside your network by using the new IP address and not the domain name.
>
> Here is some interesting data on your router for VPNs but not completely relevant except for the IP changing. Sounds like a powerful router.
>
> https://www.asus.com/support/faq/114892

Yes the IP surely changes from the dynamic one from the phone company to the VPN's IP address in whatever country or server I pick to connect to. You can't connect to the VPN IP cause I believe most VPNs use shared IPs and it doesn't know where to direct the traffic to when I try to connect using it. I tried it just for fun and it didn't work. I saw some info that PureVPN gives a static IP, but I am not sure that it would even work with that, but that's a question for someone with more knowledge than I have.

The IP the router shows is the phone company's dynamic IP in the WAN. But all devices that connect to the router show the VPN's IP, which I currently use the nearest one to me and it's in Atlanta, GA.

Weelok
03-03-2017, 03:33 PM
Well, I think we are all in agreement that you're screwed hah. Since the only IP is virtual and routing is occurring at the VPN server, there is no way for you to forward port traffic to a separate device behind your router. The only way I see for you to make this work is a separate tunnel for each device and you're not going to be able to do that with a basic home router.

I recommend you put a Mac by your TV and create a software VPN from the Mac to your streaming service which allows the rest of your network to not be a VPN.

My two cents.

G G
03-03-2017, 04:24 PM
> Well, I think we are all in agreement that you're screwed hah. Since the only IP is virtual and routing is occurring at the VPN server, there is no way for you to forward port traffic to a separate device behind your router. The only way I see for you to make this work is a separate tunnel for each device and you're not going to be able to do that with a basic home router.
>
> I recommend you put a Mac by your TV and create a software VPN from the Mac to your streaming service which allows the rest of your network to not be a VPN.
>
> My two cents.

Kinda knew that was the answer, but I have learned over the years with computers and networks there are sometimes ways to do impossible sounding things. It's not a do or die thing, just nice to be able to peek in when we're not home. Thanks for chiming in.

8zeros
03-03-2017, 11:34 PM
> Well, I think we are all in agreement that you're screwed hah. Since the only IP is virtual and routing is occurring at the VPN server, there is no way for you to forward port traffic to a separate device behind your router. The only way I see for you to make this work is a separate tunnel for each device and you're not going to be able to do that with a basic home router.
>
> I recommend you put a Mac by your TV and create a software VPN from the Mac to your streaming service which allows the rest of your network to not be a VPN.
>
> My two cents.

This is kind of what I was suggesting with the two router solution.
The first router on the modem running dyndns with the cameras port forwarded through it. This would be accessible from outside. This router would be running DHCP.
Another router would hook its WAN port to the first router. It would get DHCPed to the internet. Now run VPN on the second router. Use this router for everything you want tunneled. Since the dyndns was opened with the first router it will be OK for everything forwarded to and from there. Since the second router is VPNed point to point, only those points get altered, not the points in between, like the first router.
I haven't tried this but it seems like it should work the same as a tunnel opened up by a device on the network, except the device is a router.

Weelok
03-04-2017, 03:59 AM
> This is kind of what I was suggesting with the two router solution.
> The first router on the modem running dyndns with the cameras port forwarded through it. This would be accessible from outside. This router would be running DHCP.
> Another router would hook its WAN port to the first router. It would get DHCPed to the internet. Now run VPN on the second router. Use this router for everything you want tunneled. Since the dyndns was opened with the first router it will be OK for everything forwarded to and from there. Since the second router is VPNed point to point, only those points get altered, not the points in between, like the first router.
> I haven't tried this but it seems like it should work the same as a tunnel opened up by a device on the network, except the device is a router.

Hah now I see what you're saying!!!!! I like it!!!! This sounds like it would work and be a pretty cheap solution!!!

G G
03-04-2017, 08:41 AM
> This is kind of what I was suggesting with the two router solution.
> The first router on the modem running dyndns with the cameras port forwarded through it. This would be accessible from outside. This router would be running DHCP.
> Another router would hook its WAN port to the first router. It would get DHCPed to the internet. Now run VPN on the second router. Use this router for everything you want tunneled. Since the dyndns was opened with the first router it will be OK for everything forwarded to and from there. Since the second router is VPNed point to point, only those points get altered, not the points in between, like the first router.
> I haven't tried this but it seems like it should work the same as a tunnel opened up by a device on the network, except the device is a router.

> Hah now I see what you're saying!!!!! I like it!!!! This sounds like it would work and be a pretty cheap solution!!!

That seems to be the easiest, and as Weelok points out the cheapest solution. I will buy another router soon. But one more question. If I use an older Linksys router that I have for the first router, it wouldn't really matter would it? Because if I understand you right the first one would only do the routing and handle the port forwards for the cameras. The second router would be the actual workhorse for the network as far as the wireless and ethernet connected computers, right?

G G
03-04-2017, 08:52 AM
Searching around on the internet and came up with another possible solution.

I can load the Merlin firmware on my Asus router and it will probably allow me to do some policy routing that may let me select a device that wouldn't go through the VPN. I will check it out further and report back what I find out.

Weelok
03-04-2017, 05:40 PM
Oh interesting!!!! Please do get back on that!!!

G G
03-04-2017, 06:24 PM
> Oh interesting!!!! Please do get back on that!!!

Will do, I got the firmware on the router today, but I didn't leave the house to check it. I live in the boonies so we have no cell service out here.

G G
03-05-2017, 09:27 AM
Okay, got the gist of how this works. When you flash the merlin firmware onto the router, it doesn't change the look and feel of the original firmware. It still looks and acts like the original Asus firmware, it just has more settings.

The way the policy based routing works is this: You turn it on, the default devices that have no policy set go through the WAN and not the tunnel. In order for this to work you have to set static IPs on the devices connected to the router because that's the way you tell it which devices to run through the tunnel. I already set all my devices with static local IPs anyway so I didn't have to do it. You can set a device to either go through the tunnel or the WAN, but if you don't set a device it goes through the WAN. I will probably only run the Fire Sticks through the tunnel and leave everything else on the WAN. I am leaving shortly for the day and I will be able to see if the camera will be available.

CigarNut
03-05-2017, 10:55 AM
Just remember this: the more complex the setup, the much more difficult it is to debug :)

Weelok
03-05-2017, 12:10 PM
> Okay, got the gist of how this works. When you flash the merlin firmware onto the router, it doesn't change the look and feel of the original firmware. It still looks and acts like the original Asus firmware, it just has more settings.
>
> The way the policy based routing works is this: You turn it on, the default devices that have no policy set go through the WAN and not the tunnel. In order for this to work you have to set static IPs on the devices connected to the router because that's the way you tell it which devices to run through the tunnel. I already set all my devices with static local IPs anyway so I didn't have to do it. You can set a device to either go through the tunnel or the WAN, but if you don't set a device it goes through the WAN. I will probably only run the Fire Sticks through the tunnel and leave everything else on the WAN. I am leaving shortly for the day and I will be able to see if the camera will be available.

That sounds like the right answer!!! Simple fix and pretty powerful firmware!!!

G G
03-05-2017, 03:44 PM
> Just remember this: the more complex the setup, the much more difficult it is to debug :)

I hear ya. I have run dd-wrt on a Linksys router before. I can say though that running Merlin on the Asus is nowhere near as overwhelming as dd-wrt. It almost seems like dd-wrt has TOO much stuff. Merlin on Asus is great and pretty easy to understand.

> That sounds like the right answer!!! Simple fix and pretty powerful firmware!!!

I can report that it's the perfect solution and it works like a charm. I was able to bring up the cameras from outside the network like it's supposed to be.

I can also say that my wifi calling works better since I bought the Asus, but it didn't come right out of the box that way.

I have used an AT&T microcell for several years and it always worked great. I was running a Linksys router until I bought the Asus. I have known for a long time that I was double NATed, but the microcell works fine as long as you do a couple port forwards. When AT&T got wifi calling enabled I tried it since I could get rid of the microcell if it would work. I have tried it several times; it always dropped calls and would go in and out.

Flash forward to now, when I configured the Asus, it flashes a message telling you that certain things won't work right cause you are double NATed. So I called the phone company and told them to bridge my modem. Once the modem was bridged and I am no longer double NATed, the wifi calling so far has been working perfect. So I am of the opinion that in my set-up wifi calling is confounded by double NAT.

So far I am loving this Asus RT-AC87U and wished I had bought one sooner. I have had no problems with Linksys and always liked them as well. But this Asus is very powerful in the settings you are able to do, and the wireless is awesome as well. On the 5 GHz band it works a pretty good distance too. On my old Linksys the 5 GHz band would only work about 15 feet and drop out after that. Unless something crazy happens I have probably found a new router brand to stick with for a while.

Thanks for the ideas and help. Without reading your replies I might not have searched as hard for an answer to find the Merlin and policy based routing feature.

Weelok
03-06-2017, 12:33 AM
This question taught me a lot of new things. For one, I'm happy to hear the router works so well. I have always liked Asus for motherboards and monitors and this just shows they are a good all around company. I liked the router software overlay as well. I am currently using an Apple router and while I like the router I don't like the software interface at all.

If it breaks I will probably get an Asus router based on this thread.

8zeros
03-06-2017, 10:29 AM
My home router is failing and I'm looking for a new one. I need some features in Gargoyle, based on Openwrt. Bandwidth allocation stuff. Merlin doesn't seem to have that. I am on satellite and I have limits I need to control.

G G
03-06-2017, 11:44 AM
> This question taught me a lot of new things. For one, I'm happy to hear the router works so well. I have always liked Asus for motherboards and monitors and this just shows they are a good all around company. I liked the router software overlay as well. I am currently using an Apple router and while I like the router I don't like the software interface at all.
>
> If it breaks I will probably get an Asus router based on this thread.

I like it a lot better than the Linksys so far. I have used Linksys for years and always liked them but they don't have as much control over certain things that the Asus has built in. You can flash dd-wrt on most of the Linksys routers though. With the Merlin firmware on the Asus I can't see me needing to do anything that it can't do so far.

G G
03-14-2017, 05:15 PM
Update: After having this fix running for almost two weeks I thought I would update my findings so far.

There is a selection to lock out devices that are set to go through the VPN tunnel if for some reason the connection to the VPN is lost. I didn't set everything to go through the tunnel and didn't think it was a big deal. After about a week though the tunnel lost connection for whatever reason and I don't know how long it was down. So once I discovered it I changed that setting to lock out the devices if it's lost again. I have both firesticks going through it obviously, but also my MBP, iPhone, and iPad. So from now on I won't have to worry about the phone company knowing I am streaming.

The security cameras have been working fine as well. My major problem is that I started out with 8 cameras when we bought the system and now for whatever reason we are down to only three working cameras and the night vision went out on one of them last week.

I am looking into buying another system. The one I have is a wired Swann system that has a DVR. Those wires are a pain in the a$$. I am looking at possibly buying a Netgear Arlo system which is truly wireless. I haven't bought yet and was wondering if anyone here has any thoughts or knows anyone who has one?

8zeros
03-16-2017, 02:34 PM
You won't get as high resolution thru wireless. The compression sucks it down. Blocky and blotchy in comparison.

Weelok
03-16-2017, 03:09 PM
Damn, that software is really impressive on that router. After it's locked out of the VPN does it reconnect outside of the VPN fine?

G G
03-16-2017, 03:58 PM
> You won't get as high resolution thru wireless. The compression sucks it down. Blocky and blotchy in comparison.

I have looked at tons of reviews from online review sites and on youtube from regular folks. This one is pretty impressive. It's only 720P but it's very clear on all the videos I have seen. And this one doesn't connect the regular way. It doesn't connect through the router wifi. The base transmits its own wifi for the cameras to connect only. Supposedly has up to 300 line of sight range too! I doubt real world you will get close to that though.

> Damn, that software is really impressive on that router. After it's locked out of the VPN does it reconnect outside of the VPN fine?

I haven't lost the tunnel since I changed it. I will let you know when it happens. I think it blocks the device entirely. I would expect they added that just for what I am using it for, questionable streaming, so if the tunnel is lost then the device can't connect until the tunnel is re-established. Kinda gives you a heads up that way.
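
The per-device policy routing and the lock-out-on-tunnel-loss setting described in the posts above, sketched with generic Linux iproute2 commands as an added example (not from the thread and not the Merlin firmware's own implementation). It only prints the commands; the LAN addresses, device labels, table number 100 and interface name tun0 are constructed assumptions.

```shell
# Added example: dry-run generator for source-based policy routing with a
# VPN kill switch. It prints iproute2 commands and applies nothing.
VPN_TABLE=100      # assumed routing-table number for tunnelled clients
VPN_DEV=tun0       # assumed tunnel interface name
RULE_PRIO=1000     # assumed first priority for the generated ip rules

# Constructed policy list: "<static LAN IP> <VPN|WAN> <label>"
POLICY='192.168.1.50 VPN firestick-livingroom
192.168.1.51 VPN firestick-bedroom
192.168.1.60 WAN camera-dvr'

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_policy on|off < policy: print the commands for a policy list.
# VPN clients get a rule pointing at VPN_TABLE; WAN clients and unlisted
# clients match no rule and keep using the main table (the ISP link).
gen_policy() {
    killswitch=$1
    prio=$RULE_PRIO
    echo "ip route add default dev $VPN_DEV table $VPN_TABLE"
    if [ "$killswitch" = on ]; then
        # Higher metric, so it only wins once the tunnel route is gone: a
        # dropped tunnel then rejects traffic instead of leaking it to the ISP.
        echo "ip route add prohibit default table $VPN_TABLE metric 9999"
    fi
    while read -r ip path label; do
        [ -n "$ip" ] || continue
        if ! is_ipv4 "$ip"; then
            echo "skip: bad address '$ip'" >&2
            continue
        fi
        case "$path" in
            VPN) echo "ip rule add from $ip/32 table $VPN_TABLE priority $prio"
                 prio=$((prio + 1)) ;;
            WAN) echo "# $ip ($label) stays on WAN: no rule needed" ;;
            *)   echo "skip: unknown path '$path' for $ip" >&2 ;;
        esac
    done
    return 0
}

# egress_for IP up|down on|off < policy: the path those rules give a client
# (vpn, wan or blocked) for a given tunnel state and kill-switch setting.
egress_for() {
    want=$1 tunnel=$2 killswitch=$3 result=wan
    while read -r ip path label; do
        [ "$ip" = "$want" ] && [ "$path" = VPN ] || continue
        if [ "$tunnel" = up ]; then result=vpn
        elif [ "$killswitch" = on ]; then result=blocked
        fi   # tunnel down, no kill switch: falls through to main table (wan)
    done
    echo "$result"
}

printf '%s\n' "$POLICY" | gen_policy on
```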