Hi all,

Hope everyone has had a good Christmas and will have a great new year!

I've got a weird issue with a Draytek 2860 currently and if any help is available it would be greatly appreciated.

We have assigned to us by our ISP, a single static IP for the WAN interface of our router, (xx.xx.67.100) and also a block of /29 (xx.xx.7.89/29) , which is routed by the ISP to the single static address. We want the /29 setup as a range on a VLAN behind the Draytek to put servers in, etc so that they have a public IP and can be accessed from anywhere, but also so they can communicate to/from clients on the private LAN which is in LAN1 and has the range 192.168.84.254/24.

This setup is fairly straight forward - I can select an unused LAN subnet (say LAN 6) and put this into routing mode, enter the subnet details and away we go, no real issue on first look and test, clients on the 192.168.84.0/24 subnet and from any other public IP can access the server fine.

The problem comes when we want the server on LAN 6 with a public IP of xx.xx.7.94 to initiate the connection to access a server on the private subnet with an IP of 192.168.84.200, it just won't work. I've tried loads of different options including checking filters - the lot and I can't see anything blocking this traffic. This used to work on our old (non draytek) setup and I would expect this to work with most equipment as indeed it does at my main job with our Cisco kit, just a different set of IPs.

I noticed there was a new feature under the firewall recently called diagnose which I thought great, I can put these parameters in and test it, of which I did - using source xx.xx.7.94:24587 and destination 192.168.84.200:445 and I get a popup saying this packet is not handled by the firewall, which has left me rather confused.

I was curious and switched LAN 6 from routing mode into NAT mode and straight away the LAN communication was back to how it should be (Uninterrupted/unfiltered communication between LAN1 (Private range) and LAN6 (Public range), however rather predictably the Draytek now puts this LAN6 subnet behind the NAT so clients from the internet cannot access our server on xx.xx.7.94.

It seems then that when the LAN6 is set to routing mode, the subnet is completely separate internally and is as if that IP range (xx.xx.7.89/29) could be anywhere on the 'net and is not on the same site as our private ranges and thus not under our control..

Does anyone have any suggestions as to any way to make this work as required, this is a crucial part of our setup and if we can't get this working we will unfortunately have to ditch our Draytek!

Any help greatly appreciated.

Ben

Bento wrote: Hi all,

Hope everyone has had a good Christmas and will have a great new year!

I've got a weird issue with a Draytek 2860 currently and if any help is available it would be greatly appreciated.

We have assigned to us by our ISP, a single static IP for the WAN interface of our router, (xx.xx.67.100) and also a block of /29 (xx.xx.7.89/29) , which is routed by the ISP to the single static address. We want the /29 setup as a range on a VLAN behind the Draytek to put servers in, etc so that they have a public IP and can be accessed from anywhere, but also so they can communicate to/from clients on the private LAN which is in LAN1 and has the range 192.168.84.254/24.

This setup is fairly straight forward - I can select an unused LAN subnet (say LAN 6) and put this into routing mode, enter the subnet details and away we go, no real issue on first look and test, clients on the 192.168.84.0/24 subnet and from any other public IP can access the server fine.

The problem comes when we want the server on LAN 6 with a public IP of xx.xx.7.94 to initiate the connection to access a server on the private subnet with an IP of 192.168.84.200, it just won't work. I've tried loads of different options including checking filters - the lot and I can't see anything blocking this traffic. This used to work on our old (non draytek) setup and I would expect this to work with most equipment as indeed it does at my main job with our Cisco kit, just a different set of IPs.

I noticed there was a new feature under the firewall recently called diagnose which I thought great, I can put these parameters in and test it, of which I did - using source xx.xx.7.94:24587 and destination 192.168.84.200:445 and I get a popup saying this packet is not handled by the firewall, which has left me rather confused.

I was curious and switched LAN 6 from routing mode into NAT mode and straight away the LAN communication was back to how it should be (Uninterrupted/unfiltered communication between LAN1 (Private range) and LAN6 (Public range), however rather predictably the Draytek now puts this LAN6 subnet behind the NAT so clients from the internet cannot access our server on xx.xx.7.94.

It seems then that when the LAN6 is set to routing mode, the subnet is completely separate internally and is as if that IP range (xx.xx.7.89/29) could be anywhere on the 'net and is not on the same site as our private ranges and thus not under our control..

Does anyone have any suggestions as to any way to make this work as required, this is a crucial part of our setup and if we can't get this working we will unfortunately have to ditch our Draytek!

Any help greatly appreciated.

Ben

Hi Ben,

I guess you only need to enable inter-LAN routing between LAN1 and LAN6.

Hi t1255788,

Unfortunately this is already enabled

enabling/disabling inter vlan routing works as expected with LAN6 in NAT mode, but not in Routed mode

Thanks

Hi Ben,

It's quite strange, I had similar setup and it worked well.
Is there any routing setting affecting this?
Maybe you can try the latest f/w as well.

Hi,

Unfortunately I can't see anything that would be affecting this - I have gone through every page of the webadmin systematically looking for any options which might affect this.

our 2860 is already on the latest available firmware

Thanks for your help.

hmm... I'm running out of ideas.
You may try to contact Draytek support