Impossible to make port forwarding work in 2-layer NAT network with TL-WR340G

Today I had to split my LAN. My ISP does not let me control the NAT/gateway enough, so I just built my own NAT behind the ISP's NAT, and I am trying to make it work.

I currently need to access a Raspberry Pi's SSH server from outside.

  • 192.168.8.0 is the LAN offered by my ISP
  • 192.168.9.0 is the LAN offered by a wireless NAT router, model TL-WR340G from TP-Link

The Raspberry Pi has a static IP address and is ready to go, and it MUST be connected to the TP-Link router.

I have already configured DMZ port forwarding from outside on my ISP gateway (luckily I can control it), and I have verified, by changing the IP to my laptop connected directly to the ISP modem, that port forwarding works on that side.

Okay...

Then I went to the TP-Link router admin and set up port forwarding to the Raspberry's IP address. I set up the usual: service port? 22. IP address? 192.168.9.x (double-checked). Protocol? TCP or both. Enable? Of course.

But the problem is that the wifi router will never ever forward anything to its LAN. I am sure of the cabling. I am able to reach the Raspberry by its LAN address. I have determined that the router may be misconfigured because I connected my laptop to the ISP modem, obtained a .8.x address and tried to ssh to .8.y, where y is the WAN IP address of the TP-Link router. Crazy. It always refuses the connection.

I have tried enabling DMZ to the Raspberry, so double forwarding should occur on any port. No luck. Tried rebooting several times, but the router still seems not to be working.

I am sure of the cabling because when I did the migration I moved everything from the ISP modem to the LAN ports of the TP-Link and connected the WAN of the TP-Link to a LAN port of the ISP modem. All devices behind the TP-Link get a correct .9.x address.

Is there something more to check on the router settings? Something I might have missed?

I am going crazy because tomorrow I am leaving this place and need to reconnect in the future via OpenVPN. I cannot try another router; I have only this gear at this time of day. Not controlling static routes on the ISP modem is the reason; otherwise, having the Raspberry on the ISP modem with port forwarding made OpenVPN work too. But it has to work bidirectionally and transparently.

Answer 1

I'm making some assumptions here.

You seem to be describing a doubly NATed network, where the ISP's router gives you a private network of 192.168.8.xxx, to which you've added another NATing router that provides another private subnet numbered 192.168.9.xxx.

If you are going to be using port forwarding inward, it would be wise to assign static IP addresses to your TL-WR340G and your Raspberry Pi.

Your ISP's router will have an outside internet address too. You'll need that to get there from the internet. Be aware that ISPs often do not give a static internet address unless one is paid for, so you likely have an address that can change. You may need to plan for that. Google "Dynamic DNS".

Let's assume your ISP router has an internet hostname of mypc.myisp.ru, and that you can administer port forwarding on it.

Pick a port number, for example 12345, as your ISP may prevent you from forwarding 22. It's a little bit of security by obscurity too. Not much protection, but some.

Your goal is to ssh to your Pi by ssh-ing to mypc.myisp.ru:12345, maybe by a command like

ssh <user>@mypc.myisp.ru -p 12345

The ISP router needs to be set to forward to your TL-WR340G's outside IP address, the address on the subnet that your ISP's router fronts. It'll be easier if you make it static.

Let's assume it is 192.168.8.123.

Since this is your device, I'm going to assume it can forward port 22.

So on the ISP router, instruct it to forward port 12345 to port 22 on 192.168.8.123.

Now your TL-WR340G would see an inbound connection on its port 22.

So you need to go into your TL-WR340G's administration pages, and instruct it to forward port 22 to port 22 at the address you configured your Raspberry Pi to use, for example 192.168.9.55.

So basically you need to set up port forwarding twice.

If you can't administer your ISP's router's port forwarding, you need to start looking at UPnP to get your inbound port.
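As an added example (not code from the original post, nor anything from TP-Link), here is a small Python model of the two-layer DNAT chain the answer describes: it traces a connection to mypc.myisp.ru:12345 through both forwarding rules and reports which layer drops it when a rule is missing or points at the wrong address. The rules are constructed from the answer's assumed addresses; the ISP WAN address 203.0.113.10 is made up.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Forward:                   # one port-forwarding (DNAT) rule as the router GUI shows it
    wan_port: int                # "service port": what the router listens on from outside
    to_ip: str                   # LAN address the connection is handed to
    to_port: int                 # LAN port it arrives on
    proto: str = "tcp"           # "tcp", "udp" or "both"
    enabled: bool = True

@dataclass
class NatRouter:
    name: str
    wan_ip: str                  # address this router holds on the network outside it
    lan_prefix: str              # its inside subnet, e.g. "192.168.9."
    forwards: list = field(default_factory=list)
    dmz_host: str = ""           # optional DMZ host: catch-all for ports with no rule

    def translate(self, dst_port, proto):
        """Where an inbound connection to wan_ip:dst_port is DNATed, or None if dropped."""
        for f in self.forwards:
            if f.enabled and f.proto in (proto, "both") and f.wan_port == dst_port:
                return f.to_ip, f.to_port
        return (self.dmz_host, dst_port) if self.dmz_host else None

def trace(routers, entry_port, proto="tcp"):
    """Follow a connection from the Internet through each NAT layer; return (hops, verdict)."""
    hops = []
    dst_ip, dst_port = routers[0].wan_ip, entry_port
    for r in routers:
        if dst_ip != r.wan_ip:   # the outer layer forwarded to some other address
            return hops, f"{r.name} never sees the packet: it was sent to {dst_ip}, not {r.wan_ip}"
        nxt = r.translate(dst_port, proto)
        if nxt is None:          # the 'connection refused' the question describes
            return hops, f"{r.name} has no rule for {proto}/{dst_port}: connection refused"
        dst_ip, dst_port = nxt
        hops.append((r.name, dst_ip, dst_port))
        if not dst_ip.startswith(r.lan_prefix):
            return hops, f"{r.name} forwards to {dst_ip}, which is not on its LAN {r.lan_prefix}0/24"
    return hops, f"reaches {dst_ip}:{dst_port}"

# Constructed topology using the answer's addresses; 203.0.113.10 is a made-up ISP WAN address.
ISP_ROUTER = NatRouter("ISP router", "203.0.113.10", "192.168.8.",
                       [Forward(12345, "192.168.8.123", 22)])
TL_WR340G = NatRouter("TL-WR340G", "192.168.8.123", "192.168.9.",
                      [Forward(22, "192.168.9.55", 22)])

def check_double_forward():
    """The working chain: mypc.myisp.ru:12345 -> 192.168.8.123:22 -> 192.168.9.55:22."""
    return trace([ISP_ROUTER, TL_WR340G], 12345)
```

Swapping the inner rule's service port for 12345, or pointing the ISP rule at a different .8.x address, makes `trace` report exactly the layer that refuses the connection, which is the check to run against each GUI before blaming cabling.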
