First pepVPN setup - one strange thing


#1

hi,

I have set up my first pepVPN and thought it worked just fine until I found out that it works only one way: from one place (main) I can reach any machine on the other one, but the reverse seems not to be true. It seems I can’t even ping any machine from the other side to the main one…
And more precisely, even the remote router can’t ping the main one (while pepVPN status is green everywhere)…

PepVPN looked symmetrical to me. I must have missed something.

Any suggestion on how to investigate that?

Thanks,


#2

Hi,

  1. Is the destination subnet (at the main site) learned by the remote Balance router? Please check via Status > SpeedFusion.

  2. Ensure traffic is not blocked by the firewall. Please check via Network > Access Rules > Internal Network Firewall Rules > Default rule = Allow on both main and remote Balance routers. FYI, Internal Firewall is supported since v6.2.1.

Hope this helps.


#3

OK, back to a place where I can check things :-)

On 1, I see the following

On the main router (LAN is 192.168.0.x) :
Balance_xxxx (LV) FA 192.168.1.0/24

On the remote router (LAN is 192.168.1.x) :
Balance_yyyy (FA) LV 172.16.0.0/24

So yes, the 172.16.0.0/24 looks very strange and I have no idea of where it comes from? How should I tell it the right one?

On 2., I checked the firewall rules and they are all clean and default rule… So I guess this is good.


#4

Ok, ok, I think I may have understood. I have 2 LANs on my main router. And the IP 172.16.x.x are the ones of the second LAN - associated to VLAN 10.

Not sure why pepVPN did pick just the one I did not want. I need to find a way to force it to the right LAN, I guess?


#5

I’m a bit stuck here: how can I drive pepVPN to the LAN I want?

Thanks,


#6

Hi,

Please check whether you have a static route for 192.168.0.0/24 on the remote router (Network > LAN > Static Route Settings).


#7

Will do when I’m back at the place.

Just for my info, why should I add this route manually? And why would the route to the other LAN be established by default?


#8

Hi,

I just need your confirmation whether this static route is present on the remote router. 192.168.1.0/24 will not be learned from the SpeedFusion peer if you have a local static route for the same subnet.


#9

So, I was able to check: no static route on either of the routers.


#10

Hi,

This is strange… Difficult to guess here. Please open a ticket for us to check further. Remember to enable Remote Assistance for both units.

Thank you.


#11

One question, while waiting for my ticket to be processed: where and how in the PepVPN definition should I state which LAN I want to be “connected” to the pepVPN? (Remember that, on the main router, I have 2 LANs.)

I don’t see any place to do that (except if I enable NAT on the pepVPN - but I don’t think I should need to enable NAT to be able to select which LAN pepVPN will connect to…)

Thanks,


#12

Hi,

We don’t have this option at the moment. All VLANs, including the untagged VLAN, will be advertised to the remote SpeedFusion peer automatically.


#13

Ah, so this is not what I want. This means that if this worked properly, I would need to use the firewall rule you gave me in a different topic to prevent access to the LAN I don’t want to see involved? Right?

Or maybe using the NAT option is what I should do then? Would that give me what I want?

Thanks,


#14

Okay, so, the support team found the issue:

I had a WAN connection on the remote router using a 192.168.0.x address and this was creating a conflict with one of my local LANs…

So I just changed both LANs (local and remote) to a more exotic private IP set of addresses to reduce the probability of a conflict like that in the future.

Thank you TK Liew for your help.

Now I need to configure the local router to exclude the second LAN from being connected to the VPN. Would you please guide me on how I would do that?

Thanks,
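
The conflict found in post #14, as an added example that is not part of the original thread: a Python check that flags any locally connected WAN or LAN network overlapping a LAN advertised by the VPN peer. The inventory is constructed from the addresses quoted above; the /24 on the remote WAN and the names `SITES`, `_net` and `find_conflicts` are assumptions.

```python
import ipaddress

# Constructed inventory using the addresses quoted in the thread.
# Assumption: the remote WAN is a /24; the thread only says "192.168.0.x".
SITES = {
    "main":   {"wan": [], "lan": ["192.168.0.0/24", "172.16.0.0/24"]},
    "remote": {"wan": ["192.168.0.0/24"], "lan": ["192.168.1.0/24"]},
}


def _net(value):
    # strict=False accepts interface addresses such as 192.168.0.17/24
    return ipaddress.ip_network(value, strict=False)


def find_conflicts(sites):
    """List (site, kind, local_net, peer, advertised_lan) overlaps.

    In the thread, such an overlap left the peer LAN unreachable from
    that site while the tunnel status stayed green.
    """
    conflicts = []
    for site, cfg in sites.items():
        # Every network this router is directly attached to, WAN and LAN.
        local = [(kind, _net(n)) for kind in ("wan", "lan") for n in cfg[kind]]
        for peer, peer_cfg in sites.items():
            if peer == site:
                continue
            # All LANs/VLANs of the peer are advertised over the VPN.
            for advertised in map(_net, peer_cfg["lan"]):
                for kind, net in local:
                    if net.overlaps(advertised):
                        conflicts.append(
                            (site, kind, str(net), peer, str(advertised)))
    return conflicts


if __name__ == "__main__":
    for site, kind, net, peer, adv in find_conflicts(SITES):
        print(f"{site}: local {kind} {net} overlaps {peer} LAN {adv}")
```

Running the same check before picking new LAN ranges shows whether the replacement addresses collide with any WAN the routers currently sit behind.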


#15

Coming back to this, is there a firewall rule that I could add that would ensure that my PepVPN connection is not visible to the second LAN on the main site?

Thanks !


#16

Hi,

VLANs are still advertised to the remote peer, but access will be blocked if you apply a firewall rule.