ER605 reflection/loopback, why is this so difficult?
I bought this device because TP-Link recommended this device claiming it would meet my needs and I'm now beging to doubt their recommendation.
I've tried firmware from 1.1.1 to 1.3.1, I can't find one page or tab that has loopback or reflection.
I have a range of IP's (example) 97.100.200.56/29 (97.100.200.62 is the gateway), I need to map these (NAT) to the following:
97.100.200.57-->192.168.0.8,
97.100.200.58-->192.168.0.10
97.100.200.59-->192.168.0.11
97.100.200.60-->192.168.0.20
97.100.200.61-->192.168.0.22.
97.100.200.62-->GateWay
I added the NAT's and loopback isn't working and I can't find any place to turn it on..
I have read posts that claim this option is available in the firmware starting at v1.1.1, the manual provides no details on how to enable it and scouring the net I could find references for failover and other stuff that has no use to my needs.
I guess I'm just used to working with a devices that when you NAT a public IP to a private IP it takes care of everything including loopback and you don't need to be frustrated by a device that doesn't work as expected and no simple solution can be found anywhere.
I have also noticed a tendency for people who claims to have this working to make arbitrary statements such as "I turned it on in settings" without any real detail as to what they enable or set which makes their claim that it is in fact possible very questionable.
I have looked and,I cannot find loopback or reflection on any page or tab so it has to be referenced by a different name and this detail is missing.
Since i can't find sensible documentation that shows how to do this I'm looking to pay someone to set the thing up to do what I need and, is this even possible with this device or did TP-Link misled me by claiming it would do what I needed?
From what I can tell, all of these routers seem to have the same settings and no real reference or picture showing a loopback or reflection option so is this a fantasy feature and no TP-Link router is capable of providing the services I need?
Many people rave about the quality and features of TP-Link products but for me so far it has fallen terribly short by not even providing my simple requirements,surely I don't need to abandon TP-Link products in favor of another brand that just works and can be solved by configuration.
Contact me privately if you have time to configure my device and tell me how much you want for this service.
-- Dale
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
So disappointing, so many network specialists here who have sent me DM's and not one with enough intelligence who knows how to make the ER605 work or to figure out how to make the ER605 work or figure out that I made a configuration error.
Contrary to my SonicWall TZ170, NAT configuration details are reversed, Source IP is the WAN IP and the Derstination IP is the LAN IP, in the ER605 Original IP is the LAN IP and the Translated IP is the WAN IP and this is where my configuration issue stemmed from and no one caught it or even asked for relevant information to determine if it was/is a configuration issue.
I guess Network specialists are a thing of the past which has been replaced with Network Technicians who know how to plug in hardware and can follow a manual for basic configuration information and anything beyond that is a crap shoot or just plain luck depending on the actual technician.
Now that I have resolved the hairpin/loopback issue and have it up and running, lets close the thread with the following real working configuration details/information to make life easier for the next individual who needs help making it work.
I used an old ASUS windows 7 laptop to configure the ER605 over Ethernet so I wouldn't kill my existing emergency working network.
These are the settings/details I used to make it work and I have tested these settings on 2 different ER605's for verification,
Network->WAN
WAN Mode tab: WAN checked (I only have one fiber-optic modem connection so only need 1 WAN port)
WAN tab: configure as needed (I used an IP dedicated for WiFi so it wouldn't affect or interfere with the rest of the dedicated network)
Network->LAN (you can probably skip this if you wish to use the default 192.168.0.2-192.168.0.199 IP's)
I edited the LAN to provide IP's in 10.0.100.x range and not the default 192.168.0.x range and dish out IP's from 10.0.100.2-10.0.100.99 just to be unique.
Transmission->NAT
One-To-One NAT tab:
Name: 58 (I used the last quad of the WAN IP for it's Name)
Interface: checked WAN
Original IP: 10.0.100.10 (machines LAN IP / don't use WAN IP here)
Translated IP:97.100.200.58 (machines WAN IP /don't use LAN IP here)
DMZ Forwarding: check Enable
Description: 97.100.200.58 (just for Reference)
Status: check Enable
Name: 59 (I used the last quad of the machines WAN IP for it's Name)
Interface: checked WAN
Original IP: 10.0.100.11 (machines LAN IP
Translated IP:97.100.200.59 (machines WAN IP)
DMZ Forwarding: check Enable
Description: 97.100.200.59 (just for Reference)
Status: check Enable
Firewall->Access Control
(to make sure I initially block nothing I added/edited ID: 1)
Name: ALL
Policy: Allow
Service Type: ALL
Direction: ALL
Source: IPGROUP_ANY
Destination: IPGROUP_ANY
Effective Time: ANY
States: checked New, Established, Related
ID: 1
Powered it down and unplugged it from the laptop I used to configure it.
Powered down my SonicWall TZ170 and removed all the Ethernet cables. (my emergency 10/100 firewall router with automatic reflection/loopback/hairpin).
Plugged in all the Ethernet cables, connected it to the fiber-optic modem, powered it up, after a couple of minutes booting up everything was up and running without issues.
My only disappointment now is the difficulty in blocking a single (external / Public) IP or a range of IP's without creating rules in Preferences->IP Group (IP Address tab to add the IP or range of IP's then IP Group tab to add the created address to block).
I've decided that all IP ranges should be handled by the ER605 and single IP's handled by IPFW automated by an app i wrote to watch the logs for repeated failed login attempts, when several consecutive IP's are detected (I used some code from whatmask) they are reduced to a range and reported by email so I can create the required rules in the ER605 and remove the entry from IPFW.
- Copy Link
- Report Inappropriate Content
Omada, the whole series does not have an option to turn on NAT loopback(AKA hairpin). It's automatically working without a config.
ER605 V1 has ended its support, but it should still work for NAT loopback.
The community does not have private support. If you need to contact the email or chat support, go to the official website and seek the support help from the proper portal.
- Copy Link
- Report Inappropriate Content
@Clive_A if you say it is always enabled then my device must be defective because i can ping 192.168.0.20 and it works but if I ping the NAT'd address (97.100.200.60) it times out and has 100% packet failure.
You claim it is always enabled and I don't need to do anything but from my perspective, I don't see it working which is why I am frustrated.
Can you tell me another (non wifi) model that has the same functionality where I can add the NAT's and hairpin/loopback just works?
Another thing I noticed when I changed the default DHCP LAN IP to 10.1.100.1 in windows 7 ipconfig shows the assigned new IP in the 10.1.100.xxx range but the reported gateway show 192.168.0.1, if it's just a windows 7 bug I can ignore it but if you say it isn't then I need to address this issue as well.
- Copy Link
- Report Inappropriate Content
dwalsh62 wrote
@Clive_A if you say it is always enabled then my device must be defective because i can ping 192.168.0.20 and it works but if I ping the NAT'd address (97.100.200.60) it times out and has 100% packet failure.
You claim it is always enabled and I don't need to do anything but from my perspective, I don't see it working which is why I am frustrated.
Can you tell me another (non wifi) model that has the same functionality where I can add the NAT's and hairpin/loopback just works?
Another thing I noticed when I changed the default DHCP LAN IP to 10.1.100.1 in windows 7 ipconfig shows the assigned new IP in the 10.1.100.xxx range but the reported gateway show 192.168.0.1, if it's just a windows 7 bug I can ignore it but if you say it isn't then I need to address this issue as well.
Firewall settings got a feature called "block ping from WAN". Disable it and try again on that part. I am not sure if that would affect the NAT loopback. I think that's worth a try.
You wanna test a domain or some kind of web service and you try to access it from the LAN. And use Wireshark or monitor your access log from your web server, see where that connection request comes from. If it comes from the LAN, that means the access is working.
Telnet to test this would be the same way.
- Copy Link
- Report Inappropriate Content
@Clive_A I only have one rule in firewall, allow from any to any TCP/UDP 1-65535 and nothing else.
I don't care about blocking or denying anything until I can confirm it (loopback/hairpin) works and can put it into service, so far it doesn't work which is what frustrates me.
Using telnet SMTP into the public IP fails but telnet SMTP into the private IP works.
Without loopback/hairpin functioning putting into real service would be a fatal mistake.because it doesn't function as needed, loopback/hairpin has to work for it to go into service and claiming that the device automaticvally enables it and is functionaing means this can't be true if there is no evidence of it working, this is a logic based conclusion from current testing.
- Copy Link
- Report Inappropriate Content
Someone suggested that it needs to be live to work so I installed it, restarted the MODEM and started the TP-Link when it came up and no functioning loopback.
While I was using ping and telnet to test loopback it never works using the public IP's and while it was in a live installation and the machines connected by their static IP's, I did notice that none of the machines could access the admin interface when assigned one of the private IP's but when I changed it to DHCP and it assigned an IP it would access the admin interface.
While I had assigned NAT's for the server IP's, assigning them to the servers showed that I could access the private IP's of all the machines but not one of the public IP's was accessible and oddly not of machines configured with a static private IP could access the admin interface.
This is taking considerable time and guessing on things to try wasting my time and I feel I have been misled into purchasing a device that clearly doesn't work and is not capable of doing what it should be doing as recommended by TP-Link..
Surely their has to be someone in the USA (Florida) who is intimate with these devices and knows how to properly program them without offering guesses I can send it to who can program it, confirm it works and return it for a small fee?
- Copy Link
- Report Inappropriate Content
@Clive_A So basically it doesn't work, I tried everything you said, from inside the network I am unable to access any of the servers so clearly the ER605 is not capable of hairpin/loopback and it appearts that assing DHCP from 100-199 and configuring 2-99 as static lan IP's doesn't appear to work, not only can't i access the administration interface i can't access anything.
Now i ask again, can someone recommend a device that will work when entering the associated NAT's cause I'm getting tired of devices that don't work?
I've tried a SonicWall TZ-170 and it works (hairpin/loopback) however, it has only 10/100 ports and I need 10/100/1000 or 100/1000 ports, I tried a SonicWall TZ-310 but they changed the firmware and now you have to manually configure everything and they don't give a live example to work from and everyone at dell expects you to buy a $1K service plan (nonsense) to get support so its a no go.
Whatever it is, it has to be easy to configure and it has to work and so far, I've tried several TP-Link products including the recommended ER605 and not one of them works.
If someone in the US can make the ER605 work, I would be happy to ship it to you to configure and pay for the service, I just need a working solution that wont put me in the poor house and is easy to maintain,
- Copy Link
- Report Inappropriate Content
So disappointing, so many network specialists here who have sent me DM's and not one with enough intelligence who knows how to make the ER605 work or to figure out how to make the ER605 work or figure out that I made a configuration error.
Contrary to my SonicWall TZ170, NAT configuration details are reversed, Source IP is the WAN IP and the Derstination IP is the LAN IP, in the ER605 Original IP is the LAN IP and the Translated IP is the WAN IP and this is where my configuration issue stemmed from and no one caught it or even asked for relevant information to determine if it was/is a configuration issue.
I guess Network specialists are a thing of the past which has been replaced with Network Technicians who know how to plug in hardware and can follow a manual for basic configuration information and anything beyond that is a crap shoot or just plain luck depending on the actual technician.
Now that I have resolved the hairpin/loopback issue and have it up and running, lets close the thread with the following real working configuration details/information to make life easier for the next individual who needs help making it work.
I used an old ASUS windows 7 laptop to configure the ER605 over Ethernet so I wouldn't kill my existing emergency working network.
These are the settings/details I used to make it work and I have tested these settings on 2 different ER605's for verification,
Network->WAN
WAN Mode tab: WAN checked (I only have one fiber-optic modem connection so only need 1 WAN port)
WAN tab: configure as needed (I used an IP dedicated for WiFi so it wouldn't affect or interfere with the rest of the dedicated network)
Network->LAN (you can probably skip this if you wish to use the default 192.168.0.2-192.168.0.199 IP's)
I edited the LAN to provide IP's in 10.0.100.x range and not the default 192.168.0.x range and dish out IP's from 10.0.100.2-10.0.100.99 just to be unique.
Transmission->NAT
One-To-One NAT tab:
Name: 58 (I used the last quad of the WAN IP for it's Name)
Interface: checked WAN
Original IP: 10.0.100.10 (machines LAN IP / don't use WAN IP here)
Translated IP:97.100.200.58 (machines WAN IP /don't use LAN IP here)
DMZ Forwarding: check Enable
Description: 97.100.200.58 (just for Reference)
Status: check Enable
Name: 59 (I used the last quad of the machines WAN IP for it's Name)
Interface: checked WAN
Original IP: 10.0.100.11 (machines LAN IP
Translated IP:97.100.200.59 (machines WAN IP)
DMZ Forwarding: check Enable
Description: 97.100.200.59 (just for Reference)
Status: check Enable
Firewall->Access Control
(to make sure I initially block nothing I added/edited ID: 1)
Name: ALL
Policy: Allow
Service Type: ALL
Direction: ALL
Source: IPGROUP_ANY
Destination: IPGROUP_ANY
Effective Time: ANY
States: checked New, Established, Related
ID: 1
Powered it down and unplugged it from the laptop I used to configure it.
Powered down my SonicWall TZ170 and removed all the Ethernet cables. (my emergency 10/100 firewall router with automatic reflection/loopback/hairpin).
Plugged in all the Ethernet cables, connected it to the fiber-optic modem, powered it up, after a couple of minutes booting up everything was up and running without issues.
My only disappointment now is the difficulty in blocking a single (external / Public) IP or a range of IP's without creating rules in Preferences->IP Group (IP Address tab to add the IP or range of IP's then IP Group tab to add the created address to block).
I've decided that all IP ranges should be handled by the ER605 and single IP's handled by IPFW automated by an app i wrote to watch the logs for repeated failed login attempts, when several consecutive IP's are detected (I used some code from whatmask) they are reduced to a range and reported by email so I can create the required rules in the ER605 and remove the entry from IPFW.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 1
Views: 570
Replies: 7
Voters 0
No one has voted for it yet.