ER-605 gateways without port forwarding - access to device
Hello,
I have two locations (Site A, Site B). The goal is: I would like to access the camera of Site B from Site A.
The challenge is that I cannot enable ports at location B or forward them to the respective device (camera). (This is because it is a mobile network).
So I will have to choose the way via a VPN. It would be enough if the camera is reachable, it doesn't have to be the entire network of location B at location A that is reachable.
Unfortunately, IPSec does not work: Auto is set up, but it is not visible under Insights. A manual setup fails with error 24. I suspect it is because of the lack of opening ports at Site B.
What possibilities do you see for establishing a VPN connection? Are there technologies (OpenVPN?) that do not require port sharing at location B?
Thank you and best regards
Christian
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @CS2
Thanks for posting in our business forum.
Unfortunately, there is no service supporting VPN without ports forwarding. Think it from the perspective of networking, any communication requires at least an IP and a TCP/UDP to connect and transfer the data/traffic.
You should port forward on both modems if you are not getting the public IPs on both Omada routers. (To check if you have a public IP or not, you should check the IP shown on the WAN details. Don't use the whatsmyip to tell. That's not accurate.)
You probably set it up wrong if you use the IPsec. Suggest you double-check yourself with the guide we have. Or seek help from the technical support from us.
IPsec, site to site requires a public IP on each site. Client to site VPN requires one of the ends to have a public IP.
- Copy Link
- Report Inappropriate Content
Following these instructions, an ER-605 could also function as a "wireguard client": https://community.tp-link.com/en/business/forum/topic/603600
This could be the solution.
Unfortunately, you can only enter an IP address in the Endpoint field and not a domain / dynamic DNS. Can the software be adapted so that dynamic addresses are also allowed in this field?
- Copy Link
- Report Inappropriate Content
I do this today with a pair of ER605's.
My solution is to put the NAT'd ER605 (your cellular site) as the Client, and your DSL site as the Server for an L2TP IPsec VPN. You can then advertise the local subnets at the remote sites and have full access to devices without any port forwarding needed. I use DDNS names and not IP's at either end:
Here's a snapshot of what my 'client' end looks like:
- Copy Link
- Report Inappropriate Content
@d0ugmac1 Really good, thanks for your tip and idea.
I have now established succesfull a VPN connection in this way (remote site (B) as VPN client). This means that the remote ER-605 has the IP address 192.168.16.2 at the main site (site A).
Screenshot vom Insights:
Site A (main):
Site B (remote):
Unfortunately, I cannot access the remote devices. Hence my further question: How can I advertise the local subnets from the remote site (Site B) to the main site (Site A)?
Screenshot of the remote ER-605 (site B):
As far as I understand it: I specify which local networks are to be unlocked. I have selected "all". Shouldn't I be able to access it from the main location?
- Copy Link
- Report Inappropriate Content
Your tunnel IPs should be wholly unrelated to the subnets at either end of the tunnel. In my case, Server has a 10.x.x.x client subnet, Client has several 192.168.x.x client subnets and the tunnel endpoints are 172.16.x.x. At the client I tell it remote subnet is 10.x.x.x (at the server) and I specify a subset of all the 192.168.x.x subnets present at the Client. At the server, the opposite, I specify the subnet of 192.168.x.x subnets as remote and the 10.x.x.x as local.
Most annoyingly, the remote subnets do NOT show up in the controller routing table under 'Insights'.
Key points on the VPN user you configure at the server end...make sure you tick the LAN extension mode:
- Copy Link
- Report Inappropriate Content
Hello,
Thank you for your explanations, @d0ugmac1.
Unfortunately, I don't understand it, or rather, as I understand it, it doesn't work.
Let's assume I have the network "LAN" at the remote location (Site B), which I would like to make available to Site A via VPN. To do this, I would have to make the following settings according to your explanations:
Site B:
- 'local networks': selection of "LAN".
- remote subnets: any IP address range which is not occupied.
Site A:
- 'local networks': for simplicity's sake "All".
- IP pool type: ...Mask
- IP pool: any IP address range which is not occupied and is different from that of site B.
To make it more concrete, I have the following subnets:
main site (Site A) | remote site (Site B) |
---|---|
guests: 192.168.3.1 / 24 | guests: 192.168.14.1 / 24 |
IoT: 192.168.15.1 / 24 | IoT: 192.168.50.1 / 24 |
LAN: 192.168.188.1 / 24 | LAN: 192.168.10.1 / 24 |
Work: 192.168.189.1 / 24 | Work: 192.168.13.1 / 24 |
VPN: 192.168.16.1 / 24 |
I have set the following for the VPN-IPSec:
1. main site (Site A)
1.1 VPN policy
1.2 VPN user
2. remote site (Site B)
2.1 VPN Policy
The VPN connection is established according to Insights. With the IP 172.31.151.1 I can access the remote ER-605. (I assume that it is the one from Site B, as I have no access to this IP with the VPN deactivated.)
Bbut where can I see which clients are now connected via VPN? Or which IP address has now been assigned for remotely?
Do you see a mistake in my configuration?
Thank you and sorry, I am not familiar with VPN.
- Copy Link
- Report Inappropriate Content
You have selected the wrong VPN type! Use L2TP or L2TP+IPsec not PPTP.
Maybe set up your first tunnel as L2TP (unencrypted), once that's working, then add in the IPsec layer to encrypt the traffic between sites.
- Copy Link
- Report Inappropriate Content
Oh okay, I thought that PPTP or L2TP was just the encryption or authentication method. I changed it to L2TP encrypted and the VPN tunnel works.
Insights at Site A:
Insights at remote site (Site B):
But strangely, I don't see the remote end devices as end devices at Site A?
How do I get the IP addresses of the end devices ((e.g. the camera, see architecture figure in the first post)) connected via VPN tunnel?
Thank you one again.
- Copy Link
- Report Inappropriate Content
Remote devices don't have local IP's. The only way that could happen is if each device was able to establish it's own VPN tunnel back to your NAS site (ie each camera was capable of establishing a PPTP or similar client tunnel directly to the main ER605 or NAS).
The easy solution is simply to reserve IP's for the devices you need regular remote access to. So Camera #1 always gets say a .101 IP, and Camera #2 gets .102 in the remote site's local subnet. You can then point your NAS at the remote IP of the remote cameras just like you would do to a local camera on the local subnet.
So:
Remote Cam1 192.168.50.101
Remote Cam2 192.168.50.102
Local Cam1 192.168.15.101
Local Cam2 192.168.15.102
etc.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1167
Replies: 9
Voters 0
No one has voted for it yet.