Dynamic DNS on Surf SOHO for web server & VNC behind ISP router

My setup:
My Surf SOHO is connected to my landlord's modem, provided by her ISP, via Wi-Fi WAN. Her ISP modem is running a DHCP server. I set my Surf SOHO up to run as a static IP address on her DHCP server. My Surf SOHO is acting as the main router and firewall for all of my devices on my private LAN. The ISP modem is running a dynamic IP, not a static IP, so when the landlord's modem is reset, her IP changes. This is not conducive to my setup.

What I am trying to accomplish:

  1. Connect remotely from the WAN side to my Mac behind my router using a VNC application.
  2. Run a small nginx server on a Raspberry Pi to host a tiny WordPress blog, accessible to the public (www).

I would like to implement Dynamic DNS in my Surf SOHO router, so that when my landlord's ISP changes my IP address, dynamic DNS automatically updates my new ISP-assigned IP address, and allows me to connect to my web server as well as my VNC host using the dynamic DNS hostname. From my understanding, this is one of the main purposes of using dynamic DNS, to keep your IP and DNS consistent across IP address changes. Am I wrong on this? If so, could you provide more understanding on what dynamic DNS does and if it could help me solve this problem? If not, and I am right, could you please explain how to get this setup working?

Caveats:

  1. My landlord is stupid, and knows nothing about routers. Therefore she won't let anyone properly configure and secure her ISP modem (including UPnP), because she thinks it will lead to her getting hacked. Therefore, I can't properly set up port forwarding on her router, and am hoping that UPnP will automatically trigger the proper ports opening for my setup.

  2. With my current setup, I signed up for noip.com, and created a dynamic DNS service with hostname "myhostname123.no-ip.org". In the Surf SOHO web interface under Wi-Fi WAN settings > Connection Details > Dynamic DNS, I enter noip.org as my Dynamic DNS Service Provider, then enter my username and password for noip.com, then put "Myhostname123.no-ip.org" in my hosts box. After all of this, I get

DDNS: myhostname123.no-ip.org update failed for Wi-Fi WAN on 5 GHz. Authentication error

in my event log. Am I not using the right username and password? How do I authenticate this service on my surf soho?

Any advice as to how I can achieve my desired configuration is much appreciated. Thank you Kindly!


Dynamic DNS will not work behind another router because your IP address is a private NAT’d one.

1 Like

Sounds like your living arrangements need to be reconfigured. :sunglasses:
[Sorry – I couldn’t resist …]

Since your SOHO is NAT’d behind the landlady’s ISP router (and you’re not allowed to play with that) port forwarding just isn’t going to work. UPnP relies on a two way device discovery process using SSDP and your SOHO does not support SSDP on the WAN so the ISP router is not going to open ports.

If she would give you admin access to it then you would be able to reserve an IP for your WAN port and forward traffic to that IP from her router on the ports you want to use.

Then DDNS would work, since the whole point of that is that the SOHO creates an outbound session (over the ISP router) to no-ip (or whatever service you are using) and that service reads the return public IP address (the WAN of the ISP router) and stores that as the current IP address that your dynamic DNS name should resolve to.

If you can't get access to the ISP router then you need a plan B. My go-to solution for this is to host a FusionHub Solo virtual appliance (a free license from Peplink) on Vultr.com (for $5/month) and create a PepVPN from the SOHO to the FusionHub. Then you can port forward from the FusionHub's static public IP back through to your laptop / Raspberry Pi over the VPN tunnel.

Have fun!

1 Like
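The update mechanism described in the reply above, as an added example that is not part of the original thread and not Peplink's or No-IP's code: a small Python client for the DynDNS2-style "nic/update" protocol that No-IP and most providers accept. Before it updates anything it checks whether the address the router actually holds on its WAN is globally routable; a private or CGNAT address means the update would register the upstream router's public IP, which is exactly the NAT'd situation in this thread. It then builds the authenticated request and decodes the provider's one-line reply, including the badauth answer behind an "Authentication error" log entry. The endpoint URL, the credentials, the User-Agent and the sample addresses are assumptions; nothing here touches the network unless you call send_update with a real opener.

```python
import base64
import ipaddress
import urllib.parse
import urllib.request
from typing import Optional

# DynDNS2-style update endpoint (assumption: this is the URL No-IP documents;
# other providers use the same /nic/update path under their own host).
UPDATE_URL = "https://dynupdate.no-ip.com/nic/update"

# Source ranges that mean "behind someone else's NAT". An update sent from one
# of these registers the *upstream* router's public IP, and inbound connections
# to that IP never reach you unless that router forwards them.
NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),   # carrier-grade NAT, RFC 6598
    ipaddress.ip_network("169.254.0.0/16"),  # link-local
]

# DynDNS2 reply codes and what the operator should do about them.
RESPONSE_MEANING = {
    "good": "update accepted",
    "nochg": "address unchanged; do not retry immediately, providers rate-limit this",
    "badauth": "credentials rejected: check the username/password or DDNS key",
    "nohost": "hostname not found under this account",
    "badagent": "client blocked: send a descriptive User-Agent",
    "abuse": "account blocked for abuse",
    "911": "provider-side failure: back off for at least 30 minutes",
}


def wan_is_usable_for_ddns(wan_ip: str) -> bool:
    """True only when the router's WAN address is a globally routable IPv4 address."""
    addr = ipaddress.ip_address(wan_ip)
    if any(addr in net for net in NON_ROUTABLE):
        return False
    return addr.is_global


def build_update_request(hostname: str, username: str, password: str,
                         myip: Optional[str] = None) -> urllib.request.Request:
    """Build the authenticated GET the provider expects.

    Credentials travel in an HTTP Basic header, never in the query string, so
    they do not end up in proxy or web-server access logs.
    """
    params = {"hostname": hostname}
    if myip:
        params["myip"] = myip
    url = UPDATE_URL + "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, method="GET")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    # DynDNS2 providers reject requests without an identifiable User-Agent
    # (assumed contact address).
    req.add_header("User-Agent", "ddns-example/1.0 admin@example.invalid")
    return req


def parse_update_response(body: str) -> dict:
    """Decode a one-line DynDNS2 reply such as 'good 148.28.115.224' or 'badauth'."""
    code, _, rest = body.strip().partition(" ")
    return {
        "code": code,
        "ok": code in ("good", "nochg"),
        "ip": rest or None,
        "meaning": RESPONSE_MEANING.get(code, "unrecognised reply, treat as failure"),
    }


def send_update(hostname: str, username: str, password: str, wan_ip: str,
                opener=urllib.request.urlopen) -> dict:
    """Refuse to update from a non-routable WAN address; otherwise perform the update."""
    if not wan_is_usable_for_ddns(wan_ip):
        return {"code": "skipped", "ok": False, "ip": wan_ip,
                "meaning": "WAN address is private/CGNAT; DDNS would point at the upstream router"}
    req = build_update_request(hostname, username, password)
    with opener(req, timeout=10) as resp:
        return parse_update_response(resp.read().decode("ascii", "replace"))


if __name__ == "__main__":
    # Constructed input: the SOHO in this thread holds a 192.168.x address on its
    # WAN, handed out by the landlord's modem, so the update is refused.
    print(send_update("myhostname123.no-ip.org", "user@example.invalid", "secret", "192.168.1.2"))
    print(parse_update_response("badauth"))
```

The refusal in send_update is the practical check for the situation in this thread: if the router's own WAN address is private, the record would resolve to the landlord's public IP and inbound connections would stop at her modem regardless of what the DDNS record says. The badauth reply is what the router reports as "Authentication error"; the check there is on the provider's credentials, not on anything in the router.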

I appreciate the help, but do you think you could elaborate on this? I just signed up for and deposited $5 on vultr.com. But I am completely lost as to what I should be setting up on Vultr. It seems like vultr just deploys cloud servers. Do I really need that? Could you maybe give me some instructions on what to do/purchase exactly on vultr? Secondly, I am totally confused as how to install FusionHub Solo virtual appliance, and what device I should install it to. I downloaded what the instructions told me and I just get a .bin file that looks like firmware. What do I do with this file? How do I install fusionhub? I did sign up for the free license key, but once again I am totally confused noob style as to how I should proceed! Any specifics would be really appreciated!

Check this post:
FusionHub on KVM at VULTR Host - Mission Success!

Basic process is:

  1. Download the raw image
  2. Login into vultr.com and upload the raw image as a snapshot
  3. Deploy a $5 Vultr server, selecting the uploaded snapshot as the OS.
  4. Once it's booted, navigate to the public IP address and log in as admin/admin.
  5. Login to InControl2 generate FusionHub Solo license (in organization settings → Warranty and license)
  6. Copy and paste the license key into your FusionHub web interface that you just logged into
  7. Set a new admin password on the fusionhub.
  8. Create the VPN between the FusionHub and your SOHO
  9. On the Fusionhub setup port forwarding
  10. Go and have a cup of tea and a rest.
2 Likes

Thank you so much! I really appreciate your timely response. However, I can't get past step 2. When I try to upload the snapshot, it asks me for the "Remote URL" of the file. It seems that the only way to actually upload this is by creating a remote URL (I don't know how without running a server) to the file. I tried copying and pasting the link to the download you posted, and it downloaded the zip file, but then gave me an error that the file is in an incompatible format, and must be in .raw format. How can I upload the .raw file directly from my computer? Otherwise, is there a link that I can copy and paste to the unzipped .raw file? Please let me know. I am very confused! Thank you!

Well, I officially pulled an all-nighter and have been staring at this stuff for 20 some hours now. Ughh! This is ridiculously complicated for a newbie like me. So far I believe I successfully got to step 7. Maybe. I do have the Peplink firmware running on a Vultr server. However, I cannot for the life of me get the FusionHub to show a status of "Online" when trying to connect it to my Surf SOHO from InControl2. After entering the serial key, I get a successful activation on the FusionHub firmware, but no matter what, my FusionHub's status stays "Offline" in InControl2. Is there any way to get this thing to go online? What am I doing wrong?

  • Screenshots removed

@Dan_Ran,

I have removed the screenshots shared in the previous post, because the license info & device SN were shared in public.

In order for the FusionHub to connect to IC2, can you please check that the front end firewall is not blocking any traffic for the IC2 ports & IP addresses?

If the traffic is not blocked, please open a support ticket for the support team to check.
https://contact.peplink.com/secure/create-support-ticket.html

1 Like

Thank you for the screenshot removal. In my sleepiness, there was haste, and I neglected to blur those out. In any event, just to clarify your (much appreciated) response: when referring to my "front end" firewall, are you talking about the first firewall for my main internet connection? i.e. the firewall built into my ISP's router? I really hope not, because the main reason I was trying to get this to work is that it was a suggested workaround for my inability to access and port forward on my ISP's router, since my landlord bogarts the thing. Is there a way to test her firewall rules without being able to access her router? I do know that she has no outbound traffic blocked on her router, but possibly inbound. Does that make a difference? I suppose I will open a ticket for this as suggested, especially since it seems I am not the only user ( @zegor_mjol ) having this problem. Thank you again for any replies or further advice.

@Dan_Ran

The engineering team found that license info was missing for your device in IC2. The engineering team has fixed the issue.

The FusionHub should show online in IC2 now

1 Like

Just to clarify so I know, the license info was missing for specifically my Vultr instance (fusionhub device), and not my surf soho router, correct?

Anyways, the fusionhub is indeed working just great! Please thank the engineering team and give them a big thumbs up for me! Also, thank you @sitloongs for all of your help and assistance! It is highly appreciated and life is a bit better now! Yay!

1 Like

So I knew this was going to get complicated for my newish self, but I hoped it wouldn't be this daunting to pull off. I'm having a lot of confusion with setting up proper IP addresses with the Vultr server, and with the Pepwave instance. A lot of my confusion has to do with different subnet masks, security, and proper port forwarding from my virtual device to my Surf SOHO, in order to unlock the proper ports to run a VNC and a web server. So let's start a bunch of questions…

Securing the server to the Virtual device:

  1. Vultr has a spot to enter your public SSH keys. What is this for? Does this mean I can SSH into the Pepwave virtual device from the server? Or SSH from my computer to the server? If either of these are so, how would I go about doing so?

  2. Vultr has Reserved IP’s. Should I be using these instead of the default ip considering I am going to set up an ssl certificate for my web server? Or does this not matter?

  3. Vultr has and allows firewall rules directly from their site. Should I be using these prior to setting up the virtual appliance/FusionHub? Or should I leave all ports open and just use the firewall in my Pepwave virtual device? If I use the Vultr firewall, what rules do you recommend (with IPv4 & IPv6 both considered)?

  4. Vultr also has an option for "Using private networks", and assigns a subnet like this "10.2.96.0/20" without assigning a corresponding IP. Would it be in my interest to use Vultr private networks when doing things like accessing the Pep Virtual web interface etc. etc.? If so, how would I go about doing this?

Break…
OK……On to the more important stuff……

  1. Net masks scare the living hell out of me. I don't understand how they work whatsoever and I am worried I could easily and accidentally create a relatively large attack vector in my configuration if I don't get some expert advice on this. The only thing I am comfortable with is keeping everything on the same net mask of 255.255.255.0/24, and only changing the subnet to create different networks. Anything above that is beyond my understanding. With that being said, Vultr.com assigns me a server with an IP of 148.28.115.224, a netmask of 255.255.254.0, and a gateway of 148.28.115.1. I have then taken my FusionHub and set up the WAN connection with a static IP of 148.28.115.224, subnet mask of 255.255.254.0, and a gateway of 148.28.115.1. Can someone verify that this is correct so far?

  2. Now, what I don’t understand, is how to get that network with a Subnet mask of 255.255.254.0 properly converted to a mask of 255.255.255.0 (/24), in order to match the netmask of my Surf-Soho. Wouldn’t this be ideal in order to easily create matching subnets with the surf, or am I overthinking this? If it would be the way to go, could you please explain how I might go about doing this? If not the way to go, then what should I do?

  3. I am trying to keep things as simple as possible since I am a noob learning, so I am trying to configure PepVPN through IC2 using the PepVPN/Speedfusion interface. Question is…

  • a) what topology do I use?

  • b)What do I use as my Hub device? The surf Soho, or the SpeedFusion Instance?

  • c)What do I use as my end point device? The surf soho, or the speedFusion instance?

  • d)Nat mode or no Nat mode?

  • e)DHCP Server for NAT MODE Profile enabled or disabled? If enabled, what do I use for ip range and subnet mask?

  4. Port Forwarding - I don't fully understand how to forward ports. Assuming I want to forward 2 ports (1 for the VNC and 1 for the web server), how would I go about doing that? Is the "Server Address" the address of the SpeedFusion WAN, SpeedFusion PepVPN, the SOHO endpoint address, or the SOHO WAN? Or none of the above?

Next, what about the "Inbound" IP address? Is that coming inbound from the WAN (requests from outside the internal network), or inbound from the LAN (requests coming from my local network)? I'm very confused on this.

  5. Firewall - Once I have the proper ports forwarded from the FusionHub to the Surf SOHO, how do I adjust my firewall settings (Outbound/Inbound/Internal) on both the FusionHub, as well as the Surf SOHO, in order to best secure my setup, and isolate all devices from each other, especially the web server/VNC connections from my less secure home network? I don't understand layer 2 or layer 3 isolation either, so any hints on this would be very welcome.

Assuming all of these questions are perfectly answered, I should now have a secure and functional setup that can securely host a web server and VNC, as well as protect my less protected/stringent home network.

With all that being said, I apologize for such a long post, and would really really like to thank you and anyone who dares to reach out and answer all of (or some of) my questions to help me better understand this stuff. If you want, maybe you could just throw in some corresponding “Active Configuration” files for me to download (then upload to my soho, and Fusionhub) and take a look at them to help my understanding. Once again, all of your input and help is HIGHLY appreciated! Anything helps! Thank you so much! Cheers!

When you deploy a standard Linux image to Vultr you can use the web control panel to manage SSH keys for login. Vultr is not managing the FusionHub (it's a secure locked-down appliance without local SSH login) so you can ignore this.

You can 'take ownership' of public IPs in Vultr and associate these against your account. Normally when you deploy a server it gets allocated an IP from Vultr's available pool of public IPs. This means that if you destroy the server and create a new one, you'll get a new public IP - not the one you just released. So you can reserve IPs for more permanent long term use if you want to. You don't need to here particularly.

You can use the vultr firewall as an added layer of security. I don’t typically myself unless I’m using cellular data at the remote end. The Fusionhub is a locked down appliance and very secure and doesn’t need the extra firewall security unless that is your thing.

Yes that sounds right, although you could have left it as DHCP since Vultr would have assigned the address to you automatically anyway. Either way that's fine.

Hub and Spoke

The FusionHub

The Soho

No NAT mode is fine.

Not needed.

The Server address is the LAN IP of the device you are forwarding the ports to. So if you want to forward VNC to your PC and it's on 192.168.1.50 then that's the Server address.

Inbound address in your instance is the WAN IP of your FusionHub. In the end you'll connect your VNC viewer to the WAN IP of your FusionHub and the traffic will be forwarded from there over the PepVPN securely to the LAN IP of the PC/server you want to control.

That’s a topic in itself, but basically, the only traffic that can get through your Fusionhub to your PC on the LAN of the SOHO is the traffic on the ports you have specifically opened. You don’t need any additional firewall rules in my opinion. The SOHO is already protecting you from the host wifi network that its connected to (your landlords). You can of course secure anything further later if you want or need to.

3 Likes

Forgot to say - well done on getting this far - it's not easy learning something new and you're smashing this :slight_smile:

We’re all here to help. You can always post screenshots of any config element here and we can help also.

1 Like

Just a minor suggestion: since the FusionHub is a Solo and he is really only interested in a VPN from home to the FusionHub, I would suggest using a point-to-point connection. (Even) simpler setup :slight_smile:

2 Likes

Yes agreed. Easier that way.

1 Like

Hey @MartinLangmaid and @zegor_mjol ! I just wanted to let you both know that I didn't abandon you faithful and loyal tech-teachers, and I didn't abandon hope either. I was just on the brink of insanity after hours and hours and hours of living Einstein's definition of insanity. Naturally, I had to take a break after trying to put together your last posts. However, I just want to express how thankful I am to have the two of you guys helping me on this. You are really awesome supportive people and it's highly encouraging! So thank you so so much! I am back at it again, and I will be posting again shortly for help! But seriously, thank you so so much! You guys really rock! I am relatively active on several different forums, and I haven't ever had an experience as rewarding and positive as this one here with you guys. Sooooooo… yeah, thanks a TON! I will probably be going so far as to post this experience on my blog, it was so outstanding! Rock ON!

Wow, I've got to say, between the two of you guys I am absolutely blown away! I feel like my childhood self just walked into my favorite and most enthusiastic teacher's classroom! What a warm invitation to help me learn! It's very awesome of you and this definitely put the Peplink family close to my little nerdy heart! So thank you kindly for all of the extremely helpful advice and answers! It is thoroughly encouraging, especially being a newb working on a discouraging project (even though I'm having a lot of fun doing it).

With that all being said, after reading your last posts, I basically stared at my computer for the next 12 hours until my brain sunk into oblivion trying to figure things out. Moral of the story: if I didn't take a nice long break from this, I quite possibly would have been living Einstein's definition of insanity. Nevertheless, all of your help and encouragement is truly appreciated!

Anyways, I believe I have the strength to now continue this project and hopefully (but doubtfully) get to a quick finish. After you guys posted, I also spent hours with Peplink support as they logged into my router and my instance and configured my SpeedFusion to properly work. They also helped me forward ports from my instance to my Surf SOHO. Because they had spent so much time with me already, I told them I could figure out the rest of my issues, and the most important thing was understanding port forwarding (which I thought I did after they configured it). Of course, as I progressed deeper into the depths of nerd-oblivion, I soon figured out that I still need help getting things working.

What I have is an instance that is properly connected and working with my Peplink Surf SOHO. But I am still running into some caveats with port forwarding.

To start, The Pepwave Engineer set up my instance and surf soho pretty much exactly as you guys described it. Very simple with no extra settings.
My instance’s settings are in the pics below:


After I told the amazingly patient engineer that I needed my ports to be forwarded from an obfuscated WLan port on the instance to my mac’s local IP using the standard VNC port (5900) so I could use a VNC to log in to my computer from the outside world, they then set my instance up to forward ports like so:




Obviously, the local IP address of my Mac/pc is 192.168.22.60 (you don’t need to delete the image, I will be changing the Local IP for security anyways).

My subnet for my instance WAN is different than my subnet for my Soho Wan. I know you guys said that shouldn’t matter but I just wanted to double check.

Finally, the Peplink tech did NOT configure any port forwards or firewall settings on my SOHO.

My Soho looks like this:



Now, Supposedly, this setup should have worked properly for my VNC connection. However, I am not getting any of the desired results when trying to connect. I still cannot connect from my VNC client on my phone to my instance. Can anyone recommend the proper settings to get this configuration working?
Furthermore, I do have some more questions that I would love to get some clarification with.

1)On the surf soho, I have toyed with the setting under Advanced>PepVPN>Send All Traffic To>”Fusionhub”.

  • This successfully changes my local Mac/PC IP address to my public FusionHub instance WAN address. Isn't this exactly what I need, but only for a specific local IP (my Mac acting as a VNC server)? Why is there not a setting to send "specific" traffic to my instance's public WAN address? Let's assume that the inbound ports from my instance were actually working properly. When I connect from my VNC client to the instance from the instance's public IP, my traffic is supposed to be forwarded through the instance, to the Surf SOHO LAN, then to my Mac/PC local IP, to finally reach my VNC server running on my Mac/PC…. Correct? Well…. Once I am able to access the VNC server running on my local computer, why would I want any traffic responding to the VNC client requests to go out my Surf SOHO's WAN? Wouldn't I ideally want the responses from my VNC server to go back through the PepVPN tunnel, out to the instance WAN IP, and back to the VNC client on my phone? If I am not able to forward ports from the Surf SOHO's local addresses out to the instance through PepVPN, then how exactly does my VNC client receive responses? It seems that this configuration would cause some sort of loop where the VNC client is trying to connect to the instance WAN, to the Surf SOHO, to the VNC server, which then is trying to connect to the VNC client through the Surf SOHO's WAN address, out to the www, and somehow reaching the VNC client again. This just doesn't make any sense to me and seems like I am opening a gaping attack vector on my SOHO's WAN. If all of the above understood settings are correct, then could someone please explain to me why this is supposed to work, and how exactly?

2)Honestly, My second question skipped my head. I hope my brain isn’t starting to hurt too much again. Maybe a follow up will come back to me once some of these settings are adjusted per your advice, and some of my questions are answered with a bit more clarity. Just remember, I am EXTREEEEMELY grateful for all of your answers and follow ups. This stuff isn’t easy without help! So mucho gracias my friends!

Sincerely,

Dan

On an unrelated topic, I just unbricked my router today. That took a month. So I think I’m on a nerd roll here. I think I’m going to get this topic solved! I can feel it!
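The return-path question in the post above, and the port-forwarding answer earlier in the thread (Server address = LAN IP of the target, Inbound address = WAN IP of the FusionHub), as an added example that is not part of the original thread and does not describe how Peplink implements port forwarding over PepVPN: a small Python model of a hub that DNATs an inbound VNC connection to the Mac over a tunnel, and of the SOHO's routing decision for the Mac's reply. The hub's public IP and the Mac's LAN IP are the ones posted in the thread; the tunnel addresses, the landlord's public IP and the client's address are constructed. It shows why a plain DNAT fails when the reply follows the SOHO's default route out through the landlord's NAT (the phone sent its SYN to the hub and discards a SYN-ACK from a different address), and the two generic ways around it: route the reply into the tunnel, which is what "Send All Traffic To" the FusionHub does, or source-NAT on the hub so the Mac answers the tunnel address instead.

```python
import ipaddress
from dataclasses import dataclass, replace

# Addresses taken from the thread
HUB_PUBLIC = "148.28.115.224"     # FusionHub WAN on Vultr (the "Inbound" address)
MAC_LAN = "192.168.22.60"         # VNC server on the SOHO LAN (the "Server address")

# Constructed for the model (assumptions, not anything configured in the thread)
HUB_TUNNEL = "10.9.0.1"           # hub end of the PepVPN tunnel
SOHO_TUNNEL = "10.9.0.2"          # SOHO end of the tunnel
TUNNEL_NET = ipaddress.ip_network("10.9.0.0/24")
LANDLORD_PUBLIC = "198.51.100.9"  # what the landlord's NAT stamps on SOHO WAN traffic
CLIENT = "203.0.113.45"           # VNC client on the phone

# Hub port-forward table: public port -> (LAN target, target port)
PORT_FORWARDS = {5900: (MAC_LAN, 5900)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def hub_inbound(pkt: Packet, snat: bool):
    """DNAT an inbound packet on the hub; optionally SNAT it to the hub's tunnel IP.

    Anything not matching a forward rule is dropped: a forwarded port is the
    only way in, which is the firewall point made earlier in the thread.
    """
    if pkt.dst != HUB_PUBLIC or pkt.dport not in PORT_FORWARDS:
        return None
    target_ip, target_port = PORT_FORWARDS[pkt.dport]
    pkt = replace(pkt, dst=target_ip, dport=target_port)
    if snat:
        pkt = replace(pkt, src=HUB_TUNNEL)
    return pkt


def soho_egress(pkt: Packet, send_all_traffic_to_hub: bool) -> str:
    """Interface the SOHO picks for a packet leaving its LAN: 'pepvpn' or 'wan'.

    Without "Send All Traffic To" the SOHO only routes the tunnel network into
    the tunnel; everything else follows the default route out the Wi-Fi WAN.
    """
    if ipaddress.ip_address(pkt.dst) in TUNNEL_NET or send_all_traffic_to_hub:
        return "pepvpn"
    return "wan"


def connection_outcome(snat: bool, send_all_traffic_to_hub: bool) -> dict:
    """Follow the SYN in and the SYN-ACK back; report whether the client can match them."""
    syn = Packet(CLIENT, 50123, HUB_PUBLIC, 5900)
    delivered = hub_inbound(syn, snat)
    assert delivered is not None
    # The Mac answers whatever source the delivered packet carried.
    reply = Packet(delivered.dst, delivered.dport, delivered.src, delivered.sport)
    via = soho_egress(reply, send_all_traffic_to_hub)
    if via == "wan":
        # The landlord's NAT rewrites the source to her public IP. The phone is
        # waiting for HUB_PUBLIC:5900 and drops the stray SYN-ACK: no "loop",
        # just a half-open connection that times out.
        return {"works": False, "reply_via": via,
                "client_sees_src": LANDLORD_PUBLIC,
                "vnc_server_sees_client": delivered.src}
    # Back through the tunnel the hub reverses its NAT, so the phone sees HUB_PUBLIC.
    return {"works": True, "reply_via": via,
            "client_sees_src": HUB_PUBLIC,
            "vnc_server_sees_client": delivered.src}


if __name__ == "__main__":
    for snat, send_all in [(False, False), (False, True), (True, False)]:
        print(f"snat={snat} send_all_traffic_to_hub={send_all} ->",
              connection_outcome(snat, send_all))
```

The third case is the trade-off to keep in mind when choosing between the two fixes: with source NAT on the hub the VNC server only ever sees the tunnel address, so its own authentication log and any brute-force blocker running on the Mac lose the real client IP, while routing all traffic through the hub keeps the client IP visible but sends every device on the SOHO LAN out through the Vultr address. Neither option opens anything on the SOHO's WAN; the reply is the second half of a connection the hub already admitted on a forwarded port.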