Dynamic DNS on surf soho for webserver & VNC behind ISP router

Since your SOHO is NAT’d behind the landlady’s ISP router (and you’re not allowed to play with that) port forwarding just isn’t going to work. UPnP relies on a two-way device discovery process using SSDP and your SOHO does not support SSDP on the WAN so the ISP router is not going to open ports.

If she would give you admin access to it then you would be able to reserve an IP for your WAN port and forward traffic to that IP from her router on the ports you want to use.

Then DDNS would work, since the whole point of that is that the SOHO creates an outbound session (over the ISP router) to no-ip (or whatever service you are using) and that service reads the return public IP address (the WAN of the ISP router) and stores that as the current IP address that your dynamic DNS name should resolve to.

If you can’t get access to the ISP router then you need a plan B. My go-to solution for this is to host a FusionHub Solo virtual appliance (a free license from Peplink) on Vultr.com (for $5/month) and create a PepVPN from the SOHO to the FusionHub. Then you can port forward from the FusionHub’s static public IP back through to your laptop / Raspberry Pi over the VPN tunnel.

Have fun!

1 Like

I appreciate the help, but do you think you could elaborate on this? I just signed up for and deposited $5 on vultr.com. But I am completely lost as to what I should be setting up on Vultr. It seems like vultr just deploys cloud servers. Do I really need that? Could you maybe give me some instructions on what to do/purchase exactly on vultr? Secondly, I am totally confused as how to install FusionHub Solo virtual appliance, and what device I should install it to. I downloaded what the instructions told me and I just get a .bin file that looks like firmware. What do I do with this file? How do I install fusionhub? I did sign up for the free license key, but once again I am totally confused noob style as to how I should proceed! Any specifics would be really appreciated!

Check this post:
FusionHub on KVM at VULTR Host - Mission Success!

Basic process is:

  1. Download the raw image
  2. Log in to vultr.com and upload the raw image as a snapshot
  3. Deploy a $5 Vultr server selecting the uploaded snapshot as the OS.
  4. Once it’s booted navigate to the public IP address and log in as admin/admin
  5. Log in to InControl2 and generate a FusionHub Solo license (in organization settings → Warranty and license)
  6. Copy and paste the license key into your FusionHub web interface that you just logged into
  7. Set a new admin password on the FusionHub.
  8. Create the VPN between the FusionHub and your SOHO
  9. On the FusionHub set up port forwarding
  10. Go and have a cup of tea and a rest.
2 Likes

Thank you so much! I really appreciate your timely response. However, I can’t get past step 2. When I try to upload the snapshot, it asks me for the “Remote URL” of the file. It seems that the only way to actually upload this is by creating a remote URL (I don’t know how without running a server) to the file. I tried copying and pasting the link to the download you posted, and it downloaded the zip file, but then gave me an error that the file is in an incompatible format, and must be in .raw format. How can I upload the .raw file directly from my computer? Otherwise, is there a link that I can copy and paste to the unzipped .raw file? Please let me know. I am very confused! Thank you!

Well, I officially pulled an all-nighter and have been staring at this stuff for 20 some hours now. Ughh! This is ridiculously complicated for a newbie like me. So far I believe I successfully got to step 7. Maybe. I do have the Peplink firmware running on a Vultr server. However, I cannot for the life of me get the FusionHub to show a status of “Online” when trying to connect it to my Surf SOHO from InControl2. After entering the serial key, I get a successful activation on the FusionHub firmware, but no matter what, my FusionHub’s status stays “Offline” in InControl2. Is there any way to get this thing to go online? What am I doing wrong?

  • Screenshots removed

@Dan_Ran,

I had removed the screenshots shared in the previous post due to the license info & device SN shared in public.

In order for the FusionHub to connect to IC2, can you please check that the front-end firewall is not blocking any traffic for the IC2 ports & IP addresses?

If the traffic is not blocked, please open a support ticket for the support team to check.
https://contact.peplink.com/secure/create-support-ticket.html

1 Like

Thank you for the screenshot removal. In my sleepiness, there was haste, and I neglected to blur those out. In any event, just to clarify your (much appreciated) response, when referring to my “front end” firewall, are you talking about the first firewall for my main internet connection? i.e. the firewall built into my ISP’s router? I really hope not, because the main reason I was trying to get this to work is that it was a suggested workaround for my inability to access and port forward on my ISP’s router, since my landlord bogarts the thing. Is there a way to test her firewall rules without being able to access her router? I do know that she has no outbound traffic blocked on her router, but possibly inbound. Does that make a difference? I suppose I will open a ticket for this as suggested, especially since it seems I am not the only user ( @zegor_mjol ) having this problem. Thank you again for any replies or further advice.

@Dan_Ran

Engineering team found license info is missing for your device in IC2. Engineering team had fixed the issue.

The FusionHub should show online in IC2 now

1 Like

Just to clarify so I know, the license info was missing for specifically my Vultr instance (fusionhub device), and not my surf soho router, correct?

Anyways, the fusionhub is indeed working just great! Please thank the engineering team and give them a big thumbs up for me! Also, thank you @sitloongs for all of your help and assistance! It is highly appreciated and life is a bit better now! Yay!

1 Like

So I knew this was going to get complicated for my newish self, but I hoped it wouldn’t be this daunting to pull off. I’m having a lot of confusion with setting up proper IP addresses with the Vultr server, and with the Pepwave instance. A lot of my confusion has to do with different subnet masks, security, and proper port forwarding from my virtual device to my Surf SOHO, in order to unlock the proper ports to run a VNC and a web server. So let’s start a bunch of questions…

Securing the server to the Virtual device:

  1. Vultr has a spot to enter your public SSH keys. What is this for? Does this mean I can SSH into the Pepwave virtual device from the server? Or SSH from my computer to the server? If either of these are so, how would I go about doing so?

  2. Vultr has Reserved IPs. Should I be using these instead of the default IP considering I am going to set up an SSL certificate for my web server? Or does this not matter?

  3. Vultr has and allows firewall rules directly from their site. Should I be using these prior to setting up the virtual appliance/FusionHub? Or should I leave all ports open and just use the firewall in my Pepwave virtual device? If I use the Vultr firewall, what rules do you recommend (with IPv4 & IPv6 both considered)?

  4. Vultr also has an option for “Using private networks”, and assigns a subnet like this “10.2.96.0/20” without assigning a corresponding IP. Would it be in my interest to be using Vultr private networks when doing things like accessing the Pep virtual web interface etc. etc.? If so, how would I go about doing this?

Break…
OK……On to the more important stuff……

  1. Net masks scare the living hell out of me. I don’t understand how they work whatsoever and I am worried I could easily and accidentally create a relatively large attack vector in my configuration if I don’t get some expert advice on this. The only thing I am comfortable with is keeping everything on the same net mask of 255.255.255.0/24, and only changing the subnet to create different networks. Anything above that is beyond my understanding. With that being said, Vultr.com assigns me a server with an IP of 148.28.115.224, a netmask of 255.255.254.0, and a gateway of 148.28.115.1. I have then taken my FusionHub and set up the WAN connection with a static IP of 148.28.115.224, subnet mask of 255.255.254.0, and a gateway of 148.28.115.1. Can someone verify that this is correct so far?

  2. Now, what I don’t understand is how to get that network with a subnet mask of 255.255.254.0 properly converted to a mask of 255.255.255.0 (/24), in order to match the netmask of my Surf SOHO. Wouldn’t this be ideal in order to easily create matching subnets with the Surf, or am I overthinking this? If it would be the way to go, could you please explain how I might go about doing this? If not the way to go, then what should I do?

  3. I am trying to keep things as simple as possible since I am a noob learning, so I am trying to configure PepVPN through IC2 using the PepVPN/SpeedFusion interface. Question is…

  • a) What topology do I use?

  • b) What do I use as my Hub device? The Surf SOHO, or the SpeedFusion instance?

  • c) What do I use as my end point device? The Surf SOHO, or the SpeedFusion instance?

  • d) NAT mode or no NAT mode?

  • e) DHCP Server for NAT mode profile enabled or disabled? If enabled, what do I use for IP range and subnet mask?

  4. Port Forwarding - I don’t fully understand how to forward ports. Assuming I want to forward 2 ports (1 for the VNC and 1 for the web server), how would I go about doing that? Is the “Server Address” the address of the SpeedFusion WAN, SpeedFusion PepVPN, the SOHO endpoint address, or the SOHO WAN? Or none of the above?

Next, what about the “Inbound” IP address? Is that coming inbound from the WAN (requests from outside the internal network), or inbound from the LAN (requests coming from my local network)? I’m very confused on this.

  5. Firewall - Once I have the proper ports forwarded from the FusionHub to the Surf SOHO, how do I adjust my firewall settings (Outbound/Inbound/Internal) on both the FusionHub, as well as the Surf SOHO, in order to best secure my setup, and isolate all devices from each other, especially the web server/VNC connections from my less secure home network? I don’t understand layer 2 or layer 3 isolation either, so any hints on this would be very welcome.

Assuming all of these questions are perfectly answered, I should now have a secure and functional setup that can securely host a web server and VNC, as well as protect my less protected/stringent home network.

With all that being said, I apologize for such a long post, and would really really like to thank you and anyone who dares to reach out and answer all of (or some of) my questions to help me better understand this stuff. If you want, maybe you could just throw in some corresponding “Active Configuration” files for me to download (then upload to my soho, and Fusionhub) and take a look at them to help my understanding. Once again, all of your input and help is HIGHLY appreciated! Anything helps! Thank you so much! Cheers!

When you deploy a standard Linux image to Vultr you can use the web control panel to manage SSH keys for login. Vultr is not managing the FusionHub (it’s a secure locked-down appliance without local SSH login) so you can ignore this.

You can ‘take ownership’ of public IPs in Vultr and associate these against your account. Normally when you deploy a server it gets allocated an IP from Vultr’s available pool of public IPs. This means that if you destroy the server and create a new one, you’ll get a new public IP - not the one you just released. So you can reserve IPs for more permanent long-term use if you want to. You don’t need to here particularly.

You can use the Vultr firewall as an added layer of security. I don’t typically myself unless I’m using cellular data at the remote end. The FusionHub is a locked-down appliance and very secure and doesn’t need the extra firewall security unless that is your thing.

Yes that sounds right, although you could have left it as DHCP since Vultr would have assigned the address to you automatically anyway. Either way that’s fine.

Hub and Spoke

The FusionHub

The Soho

No NAT mode is fine.

Not needed.

The Server address is the LAN IP of the device you are forwarding the ports to. So if you want to forward VNC to your PC and it’s on 192.168.1.50 then that’s the Server address.

Inbound address in your instance is the WAN IP of your FusionHub. In the end you’ll connect your VNC viewer to the WAN IP of your FusionHub and the traffic will be forwarded from there over the PepVPN securely to the LAN IP of the PC/server you want to control.

That’s a topic in itself, but basically, the only traffic that can get through your FusionHub to your PC on the LAN of the SOHO is the traffic on the ports you have specifically opened. You don’t need any additional firewall rules in my opinion. The SOHO is already protecting you from the host wifi network that it’s connected to (your landlord’s). You can of course secure anything further later if you want or need to.

3 Likes

Forgot to say - well done on getting this far - it’s not easy learning something new and you’re smashing this :slight_smile:

We’re all here to help. You can always post screenshots of any config element here and we can help also.

1 Like

Just a minor suggestion: since the FusionHub is a Solo and he is really only interested in a VPN from home to the FusionHub, I would suggest using a point-to-point connection. (Even) simpler setup :slight_smile:

2 Likes

Yes agreed. Easier that way.

1 Like

Hey @MartinLangmaid and @zegor_mjol ! I just wanted to let you both know that I didn’t abandon you faithful and loyal tech-teachers, and I didn’t abandon hope either. I was just on the brink of insanity after hours and hours and hours of living Einstein’s definition of insanity. Naturally, I had to take a break after trying to put together your last posts. However, I just want to express how thankful I am to have the two of you guys helping me on this. You are really awesome supportive people and it’s highly encouraging! So thank you so so much! I am back at it again, and I will be posting again shortly for help! But seriously, thank you so so much! You guys really rock! I am relatively active on several different forums, and I haven’t ever had an experience as rewarding and positive as this one here with you guys. Sooooooo… yeah, thanks a TON! I will probably be going so far as to post this experience on my blog it was so outstanding! Rock ON!

Wow, I’ve got to say, between the two of you guys I am absolutely blown away! I feel like my childhood self just walked into my favorite and most enthusiastic teacher’s classroom! What a warm invitation to help me learn! It’s very awesome of you and this definitely put the Peplink family close to my little nerdy heart! So thank you kindly for all of the extremely helpful advice and answers! It is thoroughly encouraging, especially being a newb working on a discouraging project (even though I’m having a lot of fun doing it).

With that all being said, after reading your last posts, I basically stared at my computer for the next 12 hours until my brain sunk into oblivion trying to figure things out. Moral of the story, if I didn’t take a nice long break from this, I quite possibly would have been living Einstein’s definition of insanity. Nevertheless, all of your help and encouragement is truly appreciated!

Anyways, I believe I have the strength to now continue this project and hopefully (but doubtfully) get to a quick finish. After you guys posted, I also spent hours with Peplink support as they logged into my router and my instance and configured my SpeedFusion to properly work. They also helped me forward ports from my instance to my Surf SOHO. Because they had spent so much time with me already, I told them I could figure out the rest of my issues, and the most important thing was understanding port forwarding (which I thought I did after they configured it). Of course, as I progressed deeper into the depths of nerd-oblivion, I soon figured out that I still need help getting things working.

What I have is an instance that is properly connected and working with my Peplink Surf SOHO. But, I am still running into some caveats with port forwarding.

To start, the Pepwave engineer set up my instance and Surf SOHO pretty much exactly as you guys described it. Very simple with no extra settings.
My instance’s settings are in the pics below:

After I told the amazingly patient engineer that I needed my ports to be forwarded from an obfuscated WLAN port on the instance to my Mac’s local IP using the standard VNC port (5900) so I could use a VNC to log in to my computer from the outside world, they then set my instance up to forward ports like so:
Obviously, the local IP address of my Mac/pc is 192.168.22.60 (you don’t need to delete the image, I will be changing the Local IP for security anyways).

My subnet for my instance WAN is different than my subnet for my Soho Wan. I know you guys said that shouldn’t matter but I just wanted to double check.

Finally, the Peplink tech did NOT configure any port forwards or firewall settings on my SOHO.

My SOHO looks like this:
Now, supposedly, this setup should have worked properly for my VNC connection. However, I am not getting any of the desired results when trying to connect. I still cannot connect from my VNC client on my phone to my instance. Can anyone recommend the proper settings to get this configuration working?
Furthermore, I do have some more questions that I would love to get some clarification with.

1) On the Surf SOHO, I have toyed with the setting under Advanced>PepVPN>Send All Traffic To>”Fusionhub”.

  • This successfully changes my local Mac/PC IP address to my public FusionHub instance WAN address. Isn’t this exactly what I need but only for a specific local IP (my Mac acting as a VNC server)? Why is there not a setting to send “specific” traffic to my instance’s public WAN address? Let’s assume that the inbound ports from my instance were actually working properly. When I connect from my VNC client to the instance from the instance’s public IP, my traffic is supposed to be forwarded through the instance, to the Surf SOHO LAN, then to my Mac/PC local IP, to finally reach my VNC server running on my Mac/PC…. Correct? Well…. Once I am able to access the VNC server running on my local computer, why would I want any traffic responding to the VNC client requests to go out my Surf SOHO’s WAN? Wouldn’t I ideally want the responses from my VNC server to go back through the PepVPN tunnel, out to the instance WAN IP, and back to the VNC client on my phone? If I am not able to forward ports from the Surf SOHO’s local addresses, out to the instance through PepVPN, then how exactly does my VNC client receive responses? It seems that this configuration would cause some sort of loop where the VNC client is trying to connect to the instance WAN, to the Surf SOHO, to the VNC server, which then is trying to connect to the VNC client through the Surf SOHO’s WAN address, out to the www, and somehow reaching the VNC client again. This just doesn’t make any sense to me and seems like I am opening a gaping attack vector on my SOHO’s WAN. If all of the above understood settings are correct, then could someone please explain to me why this is supposed to work, and how exactly?

2) Honestly, my second question skipped my head. I hope my brain isn’t starting to hurt too much again. Maybe a follow up will come back to me once some of these settings are adjusted per your advice, and some of my questions are answered with a bit more clarity. Just remember, I am EXTREEEEMELY grateful for all of your answers and follow ups. This stuff isn’t easy without help! So mucho gracias my friends!

Sincerely,

Dan

On an unrelated topic, I just unbricked my router today. That took a month. So I think I’m on a nerd roll here. I think I’m going to get this topic solved! I can feel it!

So to connect to VNC on your Mac, you’ll need to tell VNC viewer to use the xxx.202.53.79 IP of the FusionHub and then the non-standard port of 40555 instead of 5900. Is that what you tried? If that doesn’t work, the most likely issue is your firewall rules. You have blocked everything inbound.

Yes this is fine. Your FusionHub is connected to a very different WAN network than your SOHO’s WAN so it’s normal for them to have very different IP ranges and subnets.

This setting sends all traffic from any LAN device via the VPN connection so it breaks out at the FusionHub. Effectively you are tunneling all your internet traffic out via your hosting provider.

There are pros and cons to this. The pro is that since the traffic is encrypted - nothing on the WAN of the SOHO can see or know what your traffic is or which websites you are visiting. It gives you privacy. It also means that even if you moved your SOHO to a different building or country, the IP address you are using to access the internet doesn’t change (since it’s the one in your hosting provider).

You are using a SOHO. On the Balance and MAX routers there is a concept of outbound policies where you can identify specific traffic types and IP addresses and send them over specific WANs and/or VPN connections. For the SOHO it’s either all or nothing.

Yes that’s exactly what you want, and with the port forwarding setup that’s what you should get - you shouldn’t need to forward all traffic or specifically your VNC traffic yourself manually.

1 Like

Well happy new year everyone! I’ve got some new year’s nerd needs in getting this to work!

At the end of the day, I think I’ve spent over 75 hours, with weeks of trial and error trying to get this to work, and I think it’s time that I ask for some serious baby-step walkthroughs or even a ready-made config file from someone. The trial and error (with some minor successes, but temporary) has seemed so patternless that I am starting to think that I might have a hardware problem.

As it is, I am barely getting any luck or consistency, just starting at the bare setup of connecting my instance to InControl2, let alone the glitchiness of trying to get it to connect to PepVPN. Those two things alone literally took me an entire all-nighter… but something tells me it really shouldn’t be this difficult.

Now, so far, the only real consistent (partial) success that I am getting is setting the PepVPN option to route all traffic through PepVPN to the instance. THAT is literally the only thing that makes me feel sane, because it always works. When I hit the button, it always changes my IP address to the Vultr IP address. WONDERFUL! Except… I don’t want it to route ALL my traffic. As we discussed, I just need it to route a single IP, or even VLAN (so I could just hardwire my server to a LAN Ethernet port), and getting this to actually work has proven to be one of the most difficult computer challenges I have faced. The amount of times I have gotten locked out of either my instance or Surf SOHO because either a glitch breaking something, or a misconfigured setting, would keep your head spinning for months!

So, let’s assume that I have my PepVPN working (I don’t know what mode the VPN is in) with my instance and Surf SOHO (because it actually is working right now, WOW!), how in the heck do I configure the following:

  1. The firewall on the instance & the firewall on the Surf SOHO

  2. An outbound policy to forward traffic from my server IP to the instance, without using the “Route all traffic to PepVPN” button.

  3. Forward ports properly and open the firewall for those ports properly.

My trial and errors have consisted of using the VNC client on my phone, over and over and over again, to attempt connections to my Mac, after every minor change has been made to a configuration on either the Surf or the Vultr instance. Starting with the loosest security settings (no firewalls, all ports forwarded, etc. etc.), to then slowly tightening them up inch by inch, until the VNC client can no longer connect, and then trying to trace the most recent setting change back to the cause of why my VNC can’t connect with seemingly normal firewall rules or forwarded ports. This has proven quite tedious. However, through this process, there are a few things that I think I have discovered in which I require an explanation, and/or elaboration on.

After a lot of trial and error, a few things that I “thought” I had an understanding of are now causing me to second guess the solidity of my knowledge. The first of these things is:

1a) It was my understanding that not only do I forward ports from the instance WAN IP address directly to the local Mac IP, but I also wanted to open up the same ports from the same WAN IP in my firewall, so it allows external traffic into my network. However, the interesting part that I figured out is that while it is true my ports need to be forwarded from my instance WAN IP in order for the VNC client to work, I have learned that it is NOT true that the firewall also opens ports from the instance WAN IP. Instead, I have learned that with the firewall on my instance completely open on all fronts, external traffic is still being blocked from accessing my instance, and thus the forwarded ports on my Vultr WAN IP. Interestingly enough, I figured out that the only way to allow access from my phone’s VNC client to my Surf SOHO, through my instance via PepVPN, is to track down my PHONE’S WAN IP (by going to whatsmyip.org), and entering the IP address of my phone into my incoming firewall’s allow settings.

1b) Can someone please verify that this is normal, and if so, please explain why? It seems odd that with my firewall wide open, I still need to enter custom entries for external IPs in order to allow devices into my network. Isn’t the whole idea of an external firewall to block or allow any IPs on specified ports, but only for the WAN IP address? Why must I create a custom entry specifying each external device’s WAN IP address? With all firewalls down, should that by default let any traffic into my network regardless of whether or not its IP is specifically entered in the “Allow” settings of the firewall? Any explanation would be greatly appreciated!

  2. I have barely narrowed down my firewall rules to anything close to minimizing all attack vectors, but nevertheless, I have narrowed it down a little bit. In doing so, there are also a few odd quirks that made me question my understanding of the firewall.

a) It seems that with my VNC, the only way to get it working is to allow it to enter any port once it passes the WAN firewall. For some reason, the VNC is obfuscating its port path upon entering the router. In other words, I can’t forward port 5900 directly from the WAN IP to the Mac’s LAN IP. I can’t go from 5900 to -p 5900. Once the VNC reaches the inside of the router, it seems to constantly change ports at which it enters the LAN VNC. So there is really no understood way for me to narrow down what internal ports it is actually using in order to close off all the ports it isn’t using. Instead, I just have this wide gap of open internal ports just to allow a VNC to use a single port that it randomly selects for some reason. Is there a way to identify what ports it is using, and a way to instruct it to not obfuscate its internal path?

b) Furthermore, it also seems as though the VNC does not use the same port (5900) when exiting from the server to the client. Once again, its port path is unpredictable, and thus I must “Allow all” ports going from the LAN IP back out to the Vultr instance IP. Why in the world is this acting this way, and how do I identify and tackle this problem?

This isn’t really an intact or polished post, as I have left quite a bit out, because well, I’m just exhausted and too tired to keep my head in this game today. But I wanted to get something out there in hopes that I might get some helpful responses, or even a gold mine of some professional config files that are already set up to utilize the illustrated configuration properly.

Any guidance and help is highly appreciated, and once again, sorry for the delay in my posts. There’s just only so much of this debugging that I can take in large doses.

Also, sorry if I sound a little bitchy or irritated. I’m just very frustrated and my bloodshot eyes are encouraging me to give up! So if I came off negatively at all, I apologize!

Thanks everyone!

Might anyone have a follow up or some suggestions regarding this? Thanks everyone!!
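The forward rule Martin describes earlier (FusionHub WAN IP, port 40555, to 192.168.22.60:5900) and the "randomly selected" LAN-side ports asked about in the last post, modelled as an added example that is neither Peplink's code nor anything posted in the thread. The WAN IP 198.51.100.79 and the phone IP 203.0.113.25 are constructed stand-ins (the real WAN IP is redacted above), and the class is a simplified stateful DNAT, not the FusionHub's actual implementation.

```python
"""Added example: a minimal model of the thread's FusionHub port forward
(WAN:40555 -> 192.168.22.60:5900) with the connection tracking a stateful
firewall keeps for the reply path.  Not Peplink's code.

From the thread: LAN IP 192.168.22.60, VNC port 5900, public port 40555.
Constructed stand-ins: 198.51.100.79 (FusionHub WAN IP, redacted in the
thread) and 203.0.113.25 (the phone running the VNC client).
"""
from dataclasses import dataclass, replace

FUSIONHUB_WAN = "198.51.100.79"  # constructed stand-in for the real WAN IP
MAC_LAN = "192.168.22.60"        # from the thread
PUBLIC_PORT = 40555              # from the thread
VNC_PORT = 5900                  # standard VNC port


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class ForwardingFirewall:
    """Inbound default-deny: a WAN packet gets in only if it matches a
    port-forward rule or an existing connection-tracking entry."""

    def __init__(self, forwards):
        # {(public_ip, public_port): (lan_ip, lan_port)} -- the forward rules
        self.forwards = forwards
        # {(client_ip, client_port, public_ip, public_port): (lan_ip, lan_port)}
        self.conntrack = {}

    def inbound(self, pkt):
        """WAN -> LAN. Returns the DNAT'd packet, or None if dropped."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        target = self.conntrack.get(key)
        if target is None:
            target = self.forwards.get((pkt.dst_ip, pkt.dst_port))
            if target is None:
                return None  # no rule and no known flow: dropped
            self.conntrack[key] = target  # remember the flow for its replies
        lan_ip, lan_port = target
        return replace(pkt, dst_ip=lan_ip, dst_port=lan_port)

    def reply_out(self, pkt):
        """LAN -> WAN reply. Reverses the translation via the tracked flow, so
        no per-client-port outbound rule is needed. None if no flow matches."""
        for (c_ip, c_port, pub_ip, pub_port), (lan_ip, lan_port) in self.conntrack.items():
            if (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) == (lan_ip, lan_port, c_ip, c_port):
                return replace(pkt, src_ip=pub_ip, src_port=pub_port)
        return None

    def client_ports_seen(self):
        """The 'random' ports visible on the LAN side: ephemeral source ports
        chosen by each VNC client, never something to open in the firewall."""
        return sorted({c_port for (_, c_port, _, _) in self.conntrack})


def vnc_session(fw, phone_ip, client_port):
    """One VNC connection through the hub. Returns (packet as the Mac sees it,
    reply as the phone sees it); (None, None) if the hub dropped it."""
    syn = Packet(phone_ip, client_port, FUSIONHUB_WAN, PUBLIC_PORT)
    at_mac = fw.inbound(syn)
    if at_mac is None:
        return None, None
    reply = Packet(at_mac.dst_ip, at_mac.dst_port, at_mac.src_ip, at_mac.src_port)
    return at_mac, fw.reply_out(reply)


def build_hub():
    """The single forward rule from the thread, nothing else opened."""
    return ForwardingFirewall({(FUSIONHUB_WAN, PUBLIC_PORT): (MAC_LAN, VNC_PORT)})


if __name__ == "__main__":
    hub = build_hub()
    for port in (51234, 60001):  # two connections, two ephemeral client ports
        at_mac, back = vnc_session(hub, "203.0.113.25", port)
        print(f"Mac sees {at_mac.src_ip}:{at_mac.src_port} -> {at_mac.dst_ip}:{at_mac.dst_port}")
        print(f"phone sees reply from {back.src_ip}:{back.src_port}")
    probe = Packet("203.0.113.99", 4444, FUSIONHUB_WAN, 5900)  # 5900 is not forwarded
    print("probe of WAN:5900 dropped:", hub.inbound(probe) is None)
    print("LAN-side client ports:", hub.client_ports_seen())
```

Only the destination side (WAN:40555 to 192.168.22.60:5900) is fixed; the client port changes per connection and is carried through by the tracked flow, which is why opening "all ports" on the LAN side was never needed.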