Dynamic DNS on surf soho for webserver & VNC behind ISP router


#1

My setup:
My Surf-Soho is connected to my landlord's modem provided by her ISP via Wi-Fi WAN. Her ISP modem is running a DHCP server. I set my Surf SOHO up to run as a static IP address on her DHCP server. My Surf SOHO is acting as the main router and firewall for all of my devices on my private LAN. The ISP modem is running a dynamic IP, not a static IP, so when the landlord's modem is reset, her IP changes. This is not conducive to my setup.

What I am trying to accomplish:

  1. Connect remotely from the WAN side to my Mac behind my router using a VNC application.
  2. Run a small nginx server on a Raspberry Pi to host a tiny WordPress blog, accessible to the public (www).

I would like to implement Dynamic DNS in my Surf SOHO router, so that when my landlord's ISP changes my IP address, dynamic DNS automatically updates my new ISP-assigned IP address, and allows me to connect to my web server as well as my VNC host using the dynamic DNS name. From my understanding, this is one of the main purposes of using dynamic DNS, to keep your IP and DNS consistent across IP address changes. Am I wrong on this? If so, could you provide more understanding on what dynamic DNS does and if it could help me solve this problem? If not, and I am right, could you please explain how to get this setup working?

Caveats:

  1. My landlord is stupid, and knows nothing about routers. Therefore she won’t let anyone properly configure and secure her ISP modem (including UPnP), because she thinks it will lead to her getting hacked. Therefore, I can’t properly set up port forwarding on her router, and am hoping that UPnP will automatically trigger the proper ports opening for my setup.

  2. With my current setup, I signed up for noip.com, and created a dynamic DNS service with hostname “myhostname123.no-ip.org”. In the Surf SOHO web interface under Wi-Fi WAN settings > Connection Details > Dynamic DNS, I enter noip.org as my Dynamic DNS Service Provider, then enter my username and password for noip.com, then put “Myhostname123.no-ip.org” in my hosts box. After all of this, I get

DDNS: myhostname123.no-ip.org update failed for Wi-Fi WAN on 5 GHz. Authentication error

in my event log. Am I not using the right username and password? How do I authenticate this service on my Surf SOHO?

Any advice as to how I can achieve my desired configuration is much appreciated. Thank you Kindly!



#2

Dynamic DNS will not work behind another router because your IP address is a private NAT’d one.


#3

Sounds like your living arrangements need to be reconfigured. :sunglasses:
[Sorry – I couldn’t resist …]


#4

Since your SOHO is NAT’d behind the landlady’s ISP router (and you’re not allowed to play with that), port forwarding just isn’t going to work. UPnP relies on a two-way device discovery process using SSDP, and your SOHO does not support SSDP on the WAN, so the ISP router is not going to open ports.

If she would give you admin access to it then you would be able to reserve an IP for your WAN port and forward traffic to that IP from her router on the ports you want to use.

Then DDNS would work, since the whole point of that is that the SOHO creates an outbound session (over the ISP router) to no-ip (or whatever service you are using), and that service reads the return public IP address (the WAN of the ISP router) and stores that as the current IP address that your dynamic DNS name should resolve to.

If you can’t get access to the ISP router then you need a plan B. My go-to solution for this is to host a FusionHub Solo virtual appliance (a free license from Peplink) on Vultr.com (for $5/month) and create a PepVPN from the SOHO to the FusionHub. Then you can port forward from the FusionHub’s static public IP back through to your laptop / Raspberry Pi over the VPN tunnel.

Have fun!
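As an added illustration of the update mechanism described in this reply (not code from the original thread, from Peplink or from No-IP), here is a toy model of a dyndns2-style update endpoint: the client authenticates with HTTP Basic auth, and the service stores the address the connection arrived from. The account, password and addresses are constructed; the response keywords follow the dyndns2 convention that No-IP's API also uses, but everything else is simplified.

```python
import base64
from urllib.parse import parse_qs, urlparse

# Constructed demo state for one account and the hostname from the thread.
ACCOUNTS = {"noip-user": "correct-horse"}        # constructed credentials
RECORDS = {"myhostname123.no-ip.org": None}      # current address per hostname

def basic_auth_header(user, password):
    """Build the HTTP Basic Authorization header a router sends with an update."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def handle_update(request_line, headers, peer_ip):
    """Simplified model of a dyndns2-style update endpoint.

    request_line: e.g. 'GET /nic/update?hostname=h HTTP/1.1'
    headers:      request headers as a dict
    peer_ip:      the source address the TCP connection arrived from
    Returns the one-line status body (badauth / nohost / good / nochg).
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return "badauth"          # a router logs this as an authentication error
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:            # bad base64 or bad UTF-8 both derive from ValueError
        return "badauth"
    if ACCOUNTS.get(user) != pw:
        return "badauth"
    query = parse_qs(urlparse(request_line.split(" ")[1]).query)
    host = query.get("hostname", [""])[0]
    if host not in RECORDS:
        return "nohost"
    # The model records the address it *saw*. Behind a NAT that is the ISP
    # router's public IP, never the SOHO's private WAN lease, so the name
    # ends up pointing at a router that forwards nothing inward.
    if RECORDS[host] == peer_ip:
        return f"nochg {peer_ip}"
    RECORDS[host] = peer_ip
    return f"good {peer_ip}"

if __name__ == "__main__":
    req = "GET /nic/update?hostname=myhostname123.no-ip.org HTTP/1.1"
    # The SOHO's own WAN is a private lease (constructed: 192.168.0.23), but the
    # service only ever sees the landlord's public side (constructed: 203.0.113.7).
    print(handle_update(req, basic_auth_header("noip-user", "wrong"), "203.0.113.7"))
    print(handle_update(req, basic_auth_header("noip-user", "correct-horse"), "203.0.113.7"))
```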


#5

I appreciate the help, but do you think you could elaborate on this? I just signed up for and deposited $5 on vultr.com. But I am completely lost as to what I should be setting up on Vultr. It seems like Vultr just deploys cloud servers. Do I really need that? Could you maybe give me some instructions on what to do/purchase exactly on Vultr? Secondly, I am totally confused as to how to install the FusionHub Solo virtual appliance, and what device I should install it to. I downloaded what the instructions told me and I just get a .bin file that looks like firmware. What do I do with this file? How do I install FusionHub? I did sign up for the free license key, but once again I am totally confused noob style as to how I should proceed! Any specifics would be really appreciated!


#6

Check this post:
FusionHub on KVM at VULTR Host - Mission Success!

Basic process is:

  1. Download the raw image
  2. Log in to vultr.com and upload the raw image as a snapshot
  3. Deploy a $5 Vultr server selecting the uploaded snapshot as the OS.
  4. Once it's booted, navigate to the public IP address and log in as admin/admin
  5. Log in to InControl2 and generate a FusionHub Solo license (in organization settings -> Warranty and license)
  6. Copy and paste the license key into the FusionHub web interface that you just logged into
  7. Set a new admin password on the FusionHub.
  8. Create the VPN between the FusionHub and your SOHO
  9. On the FusionHub, set up port forwarding
  10. Go and have a cup of tea and a rest.

#7

Thank you so much! I really appreciate your timely response. However, I can’t get past step 2. When I try to upload the snapshot, it asks me for the “Remote URL” of the file. It seems that the only way to actually upload this is by creating a remote URL (I don’t know how without running a server) to the file. I tried copying and pasting the link to the download you posted, and it downloaded the zip file, but then gave me an error that the file is in an incompatible format, and must be in .raw format. How can I upload the .raw file directly from my computer? Otherwise, is there a link that I can copy and paste to the unzipped .raw file? Please let me know. I am very confused! Thank you!


#8

Well, I officially pulled an all-nighter and have been staring at this stuff for 20-some hours now. Ughh! This is ridiculously complicated for a newbie like me. So far I believe I successfully got to step 7. Maybe. I do have the Peplink firmware running on a Vultr server. However, I cannot for the life of me get the FusionHub to show a status of “Online” when trying to connect it to my Surf SOHO from InControl2. After entering the serial key, I get a successful activation on the FusionHub firmware, but no matter what, my FusionHub's status stays “Offline” in InControl2. Is there any way to get this thing to go online? What am I doing wrong?

  • Screenshots removed

#9

@Dan_Ran,

I had removed the screenshots shared in the previous post due to the license info & device SN shared in public.

In order for the FusionHub to connect to IC2, can you please check that the front-end firewall is not blocking any traffic for the IC2 ports & IP addresses?

If the traffic is not blocked, please open a support ticket for the support team to check.
https://contact.peplink.com/secure/create-support-ticket.html


#10

Thank you for the screenshot removal. In my sleepiness, there was haste, and I neglected to blur those out. In any event, just to clarify your (much appreciated) response, when referring to my “front end” firewall, are you talking about the first firewall for my main internet connection? i.e. the firewall built into my ISP’s router? I really hope not, because the main reason I was trying to get this to work is that it was a suggested workaround for my inability to access and port forward on my ISP’s router, since my landlord bogarts the thing. Is there a way to test her firewall rules without being able to access her router? I do know that she has no outbound traffic blocked on her router, but possibly inbound. Does that make a difference? I suppose I will open a ticket for this as suggested, especially since it seems I am not the only user ( @zegor_mjol ) having this problem. Thank you again for any replies or further advice.


#11

@Dan_Ran

The engineering team found that license info was missing for your device in IC2. The engineering team has fixed the issue.

The FusionHub should show online in IC2 now.


#12

Just to clarify so I know, the license info was missing specifically for my Vultr instance (the FusionHub device), and not my Surf SOHO router, correct?

Anyways, the FusionHub is indeed working just great! Please thank the engineering team and give them a big thumbs up for me! Also, thank you @sitloongs for all of your help and assistance! It is highly appreciated and life is a bit better now! Yay!


#13

So I knew this was going to get complicated for my newish self, but I hoped it wouldn’t be this daunting to pull off. I’m having a lot of confusion with setting up proper IP addresses with the Vultr server, and with the Pepwave instance. A lot of my confusion has to do with different subnet masks, security, and proper port forwarding from my virtual device to my Surf SOHO, in order to unlock the proper ports to run a VNC and a web server. So let's start a bunch of questions…

Securing the server to the Virtual device:

  1. Vultr has a spot to enter your public SSH keys. What is this for? Does this mean I can SSH into the Pepwave virtual device from the server? Or SSH from my computer to the server? If either of these are so, how would I go about doing so?

  2. Vultr has Reserved IPs. Should I be using these instead of the default IP considering I am going to set up an SSL certificate for my web server? Or does this not matter?

  3. Vultr has and allows firewall rules directly from their site. Should I be using these prior to setting up the virtual appliance/FusionHub? Or should I leave all ports open and just use the firewall in my Pepwave virtual device? If I use the Vultr firewall, what rules do you recommend (with IPv4 & IPv6 both considered)?

  4. Vultr also has an option for “Using private networks”, and assigns a subnet like this, “10.2.96.0/20”, without assigning a corresponding IP. Would it be in my interest to be using Vultr private networks when doing things like accessing the Pep virtual web interface etc. etc.? If so, how would I go about doing this?

Break…
OK……On to the more important stuff……

  1. Net masks scare the living hell out of me. I don’t understand how they work whatsoever and I am worried I could easily and accidentally create a relatively large attack vector in my configuration if I don’t get some expert advice on this. The only thing I am comfortable with is keeping everything on the same net mask of 255.255.255.0 (/24), and only changing the subnet to create different networks. Anything above that is beyond my understanding. With that being said, Vultr.com assigns me a server with an IP of 148.28.115.224, a netmask of 255.255.254.0, and a gateway of 148.28.115.1. I have then taken my FusionHub and set up the WAN connection with a static IP of 148.28.115.224, subnet mask of 255.255.254.0, and a gateway of 148.28.115.1. Can someone verify that this is correct so far?

  2. Now, what I don’t understand is how to get that network with a subnet mask of 255.255.254.0 properly converted to a mask of 255.255.255.0 (/24), in order to match the netmask of my Surf SOHO. Wouldn’t this be ideal in order to easily create matching subnets with the Surf, or am I overthinking this? If it would be the way to go, could you please explain how I might go about doing this? If not the way to go, then what should I do?

  3. I am trying to keep things as simple as possible since I am a noob learning, so I am trying to configure PepVPN through IC2 using the PepVPN/SpeedFusion interface. Question is…

  • a) What topology do I use?

  • b) What do I use as my Hub device? The Surf SOHO, or the SpeedFusion instance?

  • c) What do I use as my end point device? The Surf SOHO, or the SpeedFusion instance?

  • d) NAT mode or no NAT mode?

  • e) DHCP Server for NAT Mode Profile enabled or disabled? If enabled, what do I use for IP range and subnet mask?

  4. Port Forwarding - I don’t fully understand how to forward ports. Assuming I want to forward 2 ports (1 for the VNC and 1 for the web server), how would I go about doing that? Is the “Server Address” the address of the SpeedFusion WAN, SpeedFusion PepVPN, the SOHO endpoint address, or the SOHO WAN? Or none of the above?

Next, what about the “Inbound” IP address? Is that coming inbound from the WAN (requests from outside the internal network), or inbound from the LAN (requests coming from my local network)? I'm very confused on this.

  5. Firewall - Once I have the proper ports forwarded from the FusionHub to the Surf SOHO, how do I adjust my firewall settings (Outbound/Inbound/Internal) on both the FusionHub, as well as the Surf SOHO, in order to best secure my setup, and isolate all devices from each other, especially the web server/VNC connections from my less secure home network? I don’t understand layer 2 or layer 3 isolation either, so any hints on this would be very welcome.

Assuming all of these questions are perfectly answered, I should now have a secure and functional setup that can securely host a web server and VNC, as well as protect my less protected/stringent home network.

With all that being said, I apologize for such a long post, and would really, really like to thank you and anyone who dares to reach out and answer all of (or some of) my questions to help me better understand this stuff. If you want, maybe you could just throw in some corresponding “Active Configuration” files for me to download (then upload to my SOHO and FusionHub) and take a look at them to help my understanding. Once again, all of your input and help is HIGHLY appreciated! Anything helps! Thank you so much! Cheers!


#14

When you deploy a standard Linux image to Vultr you can use the web control panel to manage SSH keys for login. Vultr is not managing the FusionHub (it's a secure, locked-down appliance without local SSH login) so you can ignore this.

You can ‘take ownership’ of public IPs in Vultr and associate these with your account. Normally when you deploy a server it gets allocated an IP from Vultr's available pool of public IPs. This means that if you destroy the server and create a new one, you’ll get a new public IP - not the one you just released. So you can reserve IPs for more permanent long-term use if you want to. You don’t particularly need to here.

You can use the Vultr firewall as an added layer of security. I don’t typically myself unless I’m using cellular data at the remote end. The FusionHub is a locked-down appliance and very secure and doesn’t need the extra firewall security unless that is your thing.

Yes, that sounds right, although you could have left it as DHCP since Vultr would have assigned the address to you automatically anyway. Either way that’s fine.

Hub and Spoke

The FusionHub

The Soho

No NAT mode is fine.

Not needed.

The Server address is the LAN IP of the device you are forwarding the ports to. So if you want to forward VNC to your PC and it's on 192.168.1.50 then that's the Server address.

Inbound address in your instance is the WAN IP of your FusionHub. In the end you’ll connect your VNC viewer to the WAN IP of your FusionHub and the traffic will be forwarded from there over the PepVPN securely to the LAN IP of the PC/server you want to control.

That’s a topic in itself, but basically, the only traffic that can get through your FusionHub to your PC on the LAN of the SOHO is the traffic on the ports you have specifically opened. You don’t need any additional firewall rules in my opinion. The SOHO is already protecting you from the host Wi-Fi network that it's connected to (your landlord's). You can of course secure anything further later if you want or need to.
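As an added worked example (not code from the thread or from Peplink), the two things this reply confirms can be checked with Python's standard ipaddress module: which network the Vultr-assigned 255.255.254.0 mask actually describes and whether the gateway sits inside it, and whether a set of FusionHub port-forward rules only exposes the intended ports and only points at Server addresses inside the SOHO LAN. The SOHO LAN 192.168.1.0/24, the VNC and HTTPS ports and the two server addresses are constructed assumptions.

```python
import ipaddress

# Values quoted in the thread: the WAN settings Vultr assigned to the FusionHub.
FUSIONHUB_WAN_IP = "148.28.115.224"
FUSIONHUB_WAN_MASK = "255.255.254.0"
FUSIONHUB_WAN_GATEWAY = "148.28.115.1"
# Assumption: the SOHO LAN is a /24 like this one (the thread only says "/24").
SOHO_LAN = "192.168.1.0/24"

def wan_config_check(ip, mask, gateway):
    """Return (network the mask really describes, whether the gateway is inside it)."""
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    return str(iface.network), ipaddress.ip_address(gateway) in iface.network

def check_forwards(forwards, lan_cidr, allowed_ports):
    """Sanity-check FusionHub port-forward rules.

    forwards: list of (inbound_port, server_address), where server_address is the
    LAN IP behind the SOHO that the rule targets (the "Server Address" field).
    Returns human-readable problems; an empty list means the rules expose only
    the intended ports and only point into the SOHO LAN.
    """
    lan = ipaddress.ip_network(lan_cidr)
    problems, seen = [], set()
    for port, server in forwards:
        if port in seen:
            problems.append(f"port {port} forwarded twice")
        seen.add(port)
        if port not in allowed_ports:
            problems.append(f"port {port} is not in the intended set")
        if ipaddress.ip_address(server) not in lan:
            problems.append(f"{server} is outside the SOHO LAN {lan_cidr}")
    return problems

if __name__ == "__main__":
    print(wan_config_check(FUSIONHUB_WAN_IP, FUSIONHUB_WAN_MASK, FUSIONHUB_WAN_GATEWAY))
    # Two intended forwards (constructed): VNC to the Mac, HTTPS to the Pi.
    rules = [(5900, "192.168.1.50"), (443, "192.168.1.60")]
    print(check_forwards(rules, SOHO_LAN, {5900, 443}))
```

Running the check with a /24 mask instead shows the smaller network 148.28.115.0/24, which also contains the gateway; the FusionHub's WAN mask and the SOHO's LAN mask describe different networks and do not need to match.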


#15

Forgot to say - well done on getting this far - it's not easy learning something new and you’re smashing this :slight_smile:

We’re all here to help. You can always post screenshots of any config element here and we can help also.


#16

Just a minor suggestion: since the FusionHub is a Solo and he is really only interested in a VPN from home to the FusionHub, I would suggest using a point-to-point connection. (Even) simpler setup :slight_smile:


#17

Yes agreed. Easier that way.