One-to-one NAT on the TL-R600VPN

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

One-to-one NAT on the TL-R600VPN

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
One-to-one NAT on the TL-R600VPN
One-to-one NAT on the TL-R600VPN
2020-10-02 19:14:12 - last edited 2021-04-18 10:51:33
Model: TL-R600VPN  
Hardware Version: V4
Firmware Version: 4.0.3 Build 20190227 Rel.48206

I have a local server on my network, call it 192.168.0.2. This Linux server has an OpenVPN client running that connects it to a cloud VPS (call it 1.2.3.4). The VPS is configured to forward traffic down the tunnel so that, even outside the network, the server can be accessed at 1.2.3.4. (I know that I could port forward on the router, but I cannot do this in practice for a number of reasons). However, this server has SSL certificates that match public domains (call it example.com), so accessing this server by it's IP is not possible, especially on devices such as phones that may not always be on the WiFi.

 

Traffic could just go through the DSL to 1.2.3.4 then back down to the Linux box, but this would be about 4 orders of magnitude slower than just connecting directly. On computers where I can edit /etc/hosts, this isn't a problem because I just alias example.com to 192.168.0.2, but for phones, it becomes a problem. There are two possible solutions: The first is to change the DNS servers. This is insecure, so I don't want to do it. The second is to do some really easy one-to-one NAT. It takes about 30 seconds in iptables.

 

Only problem is, this router does not seem to support the kind of one-to-one NAT I'm looking for. The interface selection option in the one-to-one NAT section gives me no options with just one WAN. So far, I have tried the following:

  1. Placing the server on WAN2 (currently, I have only 1 WAN). The problem with this is that the server cannot access the internet.
  2. Using routing tables to route 1.2.3.4 via 192.168.0.2 and having the Linux box take both those IPs on the LAN. The router seems to ignore the static route and sends the packets on to the 1.2.3.4 VPS.
  3. Plugging a dummy device into a second WAN port, then using port forwarding to forward 192.168.255.1 (the fake WAN2 IP) to 192.168.0.2, then using the one-to-one NAT to map 1.2.3.4 to 192.168.255.1. This just doesn't work.
  4. I haven't really tried VLANs yet because I can't seem to figure out how they work on this particular device... I may switch the server's switch port to be tagged and then give the server access to the WAN2 port via the tagged VLAN and use one-to-one NAT, but I haven't tried this yet.

 

Any ideas for how to make this work on this router?

  0      
  0      
#1
Options
2 Reply
Re:One-to-one NAT on the TL-R600VPN
2020-10-04 23:30:24 - last edited 2021-04-18 10:51:33

Alright, looks like TP-Link just doesn't support this, which is a huge PITA. As it turns out, I can't mix WAN and LAN VLANs on ports, which is possible on the hardware, there's just a poorly written UI restricting it for no technical reason. So I've got two options: Buy a second ethernet card for my server and run TWO cables to the switch (yes, I'm actually considering this) or buy a new router.

 

Since TP-Link seems to like putting software restrictions on their devices just to piss people off, I'm probably going to end up buying some new hardware.

  0  
  0  
#2
Options
Re:One-to-one NAT on the TL-R600VPN
2020-10-07 14:42:47 - last edited 2021-04-18 10:51:33

Dear @e2GMc6,

 

Only problem is, this router does not seem to support the kind of one-to-one NAT I'm looking for. The interface selection option in the one-to-one NAT section gives me no options with just one WAN.

 

On TP-Link routers, One-to-One NAT (Network Address Translation) creates a one-to-one mapping between a valid public IP address and a private IP address of a local host. It is mainly used when there are two or more available public IPs used on the same WAN port. And it only takes effect when the connection type of the corresponding WAN port is Static IP. We are sorry that our routers cannot meet your requirements for the time being.

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#3
Options

Information

Helpful: 0

Views: 1562

Replies: 2

Related Articles