I have just set up my first Balance One router with VLANs assigned both to WiFi and wired connections. No inter-VLAN routing enabled.
I’ve configured the L2TP VPN remote access to route to the wired VLAN. It works from my iPhone (from outside the router). However it does not work from the internal WiFi network configured on the Balance One router.
The VPN connection uses the external WAN IP address, but the VPN does not get established. I get a message “The L2TP-VPN server did not respond. Try reconnecting.” on my Mac.
It seems the router does not route back from WiFi VLAN → WAN1 → VPN/wired VLAN.
What can I do to get it to work without lowering the security with inter-VLAN routing or something similar?
Thanks a lot for support!
P.S. This is what I get in the ppp.log:
Sun Jan 27 19:40:12 2019 : l2tp_get_router_address
Sun Jan 27 19:40:12 2019 : l2tp_get_router_address 10.0.3.252 from dict 1
Sun Jan 27 19:40:12 2019 : L2TP connecting to server ‘A.B.C’ (XX.XX.XX.XX)…
Sun Jan 27 19:40:12 2019 : IPSec connection started
Sun Jan 27 19:40:12 2019 : IPSec phase 1 client started
Sun Jan 27 19:40:12 2019 : IPSec phase 1 server replied
Sun Jan 27 19:40:13 2019 : IPSec phase 2 started
Sun Jan 27 19:40:13 2019 : IPSec phase 2 established
Sun Jan 27 19:40:13 2019 : IPSec connection established
Sun Jan 27 19:40:13 2019 : L2TP sent SCCRQ
Sun Jan 27 19:40:33 2019 : L2TP cannot connect to the server
The IP 10.0.3.252 is the internal router IP address in the WiFi VLAN from which I try to establish the VPN connection.
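To see at a glance which stage of an L2TP/IPsec attempt failed, here is a small log classifier (added example, not code from the post or from Peplink) that parses macOS ppp.log lines of the format shown above. It records whether IKE got an answer, whether the IPsec SA came up, whether the SCCRQ was sent, and how long the client waited before giving up; it also pulls out the gateway address reported by l2tp_get_router_address and flags it as private, which tells you the client is behind a NAT/router itself. The sample input is the sequence posted above (with ASCII quotes), plus a second constructed attempt in which IKE never answers; the "IPSec connection failed" line in that second sample is a hypothetical marker, not a message taken from a real log. The stage names and verdict strings are this example's own labels.

```python
"""Classify where an L2TP/IPsec client attempt stalled, from macOS ppp.log lines."""
import ipaddress
import re
from datetime import datetime

# Constructed sample 1: the attempt from the post (IPsec up, L2TP never answered).
SAMPLE_LOG = """\
Sun Jan 27 19:40:12 2019 : l2tp_get_router_address
Sun Jan 27 19:40:12 2019 : l2tp_get_router_address 10.0.3.252 from dict 1
Sun Jan 27 19:40:12 2019 : L2TP connecting to server 'A.B.C' (XX.XX.XX.XX)...
Sun Jan 27 19:40:12 2019 : IPSec connection started
Sun Jan 27 19:40:12 2019 : IPSec phase 1 client started
Sun Jan 27 19:40:12 2019 : IPSec phase 1 server replied
Sun Jan 27 19:40:13 2019 : IPSec phase 2 started
Sun Jan 27 19:40:13 2019 : IPSec phase 2 established
Sun Jan 27 19:40:13 2019 : IPSec connection established
Sun Jan 27 19:40:13 2019 : L2TP sent SCCRQ
Sun Jan 27 19:40:33 2019 : L2TP cannot connect to the server
"""

# Constructed sample 2 (hypothetical): IKE never gets a reply at all.
SAMPLE_NO_IKE = """\
Sun Jan 27 19:41:00 2019 : L2TP connecting to server 'A.B.C' (XX.XX.XX.XX)...
Sun Jan 27 19:41:00 2019 : IPSec connection started
Sun Jan 27 19:41:00 2019 : IPSec phase 1 client started
Sun Jan 27 19:41:20 2019 : IPSec connection failed
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : (?P<msg>.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"
ROUTER_RE = re.compile(r"l2tp_get_router_address (\d+\.\d+\.\d+\.\d+)")


def parse(log_text):
    """Return [(datetime, message)] for every line in ppp.log format; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group("ts"), TS_FMT), m.group("msg")))
    return events


def diagnose(log_text):
    """Map a single connection attempt to the stage where it stopped making progress."""
    events = parse(log_text)

    def first(needle):
        # Timestamp of the first message containing `needle`, or None if absent.
        return next((ts for ts, msg in events if needle in msg), None)

    router = None
    for _, msg in events:
        m = ROUTER_RE.search(msg)
        if m:
            router = m.group(1)

    ike_reply = first("IPSec phase 1 server replied")
    ipsec_up = first("IPSec connection established")
    sccrq = first("L2TP sent SCCRQ")
    failed = first("L2TP cannot connect to the server")

    result = {
        "router_address": router,
        # A private default gateway means the client sits behind a router/NAT of its own.
        "client_behind_private_gateway": router is not None
        and ipaddress.ip_address(router).is_private,
        "ike_answered": ike_reply is not None,
        "ipsec_established": ipsec_up is not None,
        "sccrq_sent": sccrq is not None,
        "sccrq_wait_seconds": (failed - sccrq).total_seconds() if sccrq and failed else None,
    }

    if ike_reply is None:
        result["stage"] = "ike_phase1"
        result["verdict"] = "no IKE reply: UDP 500/4500 never reached a responder at the server address"
    elif ipsec_up is None:
        result["stage"] = "ipsec"
        result["verdict"] = "IKE answered but no IPsec SA: check pre-shared key, proposals and NAT-T"
    elif sccrq is not None and failed is not None:
        result["stage"] = "l2tp_sccrq"
        result["verdict"] = ("IPsec tunnel up, but the SCCRQ (L2TP on UDP 1701 inside ESP) was not "
                             "answered before the client gave up: the L2TP service is not reachable "
                             "from where this client sits")
    elif sccrq is not None:
        result["stage"] = "l2tp"
        result["verdict"] = "SCCRQ sent and no failure logged"
    else:
        result["stage"] = "unknown"
        result["verdict"] = "IPsec up but no L2TP activity logged"
    return result


if __name__ == "__main__":
    for name, sample in (("posted attempt", SAMPLE_LOG), ("no IKE reply", SAMPLE_NO_IKE)):
        print(name, "->", diagnose(sample))
```

Run it against the posted log and it reports stage `l2tp_sccrq` with a 20 s wait after the SCCRQ, i.e. the IPsec side is healthy (both phases complete in about a second) and only the L2TP control connection inside the tunnel goes unanswered, which narrows the problem to the L2TP service and its reachability rather than to IKE, the PSK or the firewall on UDP 500/4500.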
L2TP VPN is a WAN service. If you connect to the WiFi AP on the Balance One you are on its LAN, so it won’t present the service to those connected users.
To make this work, you’d need to use a different device (another access point) to create your WiFi network, then you’d need an Ethernet-to-WiFi bridge so you could connect a wired WAN on the Balance to that new WiFi network.
In that way, you could connect to the new WiFi network, then use L2TP VPN to the WAN of the Balance.
Thanks a lot for taking the time to answer my question!
My goal was to find a more secure way of accessing my documents and resources on my wired LAN from the WiFi network (separated VLANs on the Balance One). I don’t really trust the WPA2 standard, that’s why I wanted a VPN tunnel to my protected LAN.
If the VPN server were in the LAN and I forwarded the L2TP ports on the Balance to that VPN server, would that work?
This would be a setup with one VPN server in the LAN and disabling the VPN on the Balance router, right? It looks like a simple and elegant solution.
I am also working on configuring WPA2 Enterprise with PSK and an internal RADIUS server. This would also require a change in the WiFi SSID used for accessing the internal LAN; it should be the same VLAN as the wired LAN I want to access. But since it’s going to be protected by WPA2 Enterprise, the traffic can be considered reasonably secure.
What’s blocking me now is the darn Apple config tool v2, which requires OS X Mojave to generate an 802.1x profile (Apple does not allow configuration of the 802.1x settings from the UI)… I’ll get there eventually.
I had to change the IP of the Balance router in the RADIUS server configuration from the wired VLAN configured initially to the Untrusted VLAN, where it seems the WiFi clients get thrown before being accepted by the 802.1x policy / RADIUS. After they get accepted they are issued an IP from the configured VLAN. Interesting (but not surprising).
So no more changing the VPN server part needed. I’ll stick to the one from Peplink.