PepVPN need a little help


#1

Hi,

I have set up PepVPN between two Balance One routers. The connection is established and I can hit both routers' GUIs in a browser when connected to either of the routers. However, that's all I can hit; any other devices on the remote end are unreachable. I am guessing I haven’t got a route applied. Could someone help me out? I’m not that experienced in VPN connections.


#2

For clarification, you are not able to ping the remote devices? No route is needed if the default gateway is the local Balance One on each side.


#3

When the connection is established I can ping the remote end router and vice versa, but can’t hit the AP connected to the remote end. If that makes sense.


#4

Can the Balance ping the remote AP under System > Tools > Ping, selecting the VPN interface? If the remote AP has a default gateway of its local Balance it should reply unless there are firewall rules in place.


#5

I couldn’t that way either. Both routers are fresh out of the box. All that has been configured is the LAN IP, VLANs and the PepVPN on both units. Also, both are running the current firmware.


#6

Please open a support ticket with us here so we may investigate the issue.


#7

Seems like this question comes up about once a month. The documentation should explain this (haven’t I said this before?).
Besides the VPN connection, you have to open the firewall to permit access from the remote LAN. You have a connection, but you haven’t told the firewall it's OK to let traffic in from the remote LAN.

Let's say the remote LAN is 192.168.100.0/24; you would create an inbound firewall rule:

protocol ANY
WAN ANY
source 192.168.100.0/24
destination any

You can tailor the source description to whatever devices on the remote that you want to allow access. For example maybe you only want one or two devices on the remote to be able to use the VPN, or maybe you want to allow every device.

Don’t forget you have to create the same rule at the remote destination, but substitute the LAN address for the opposite location.


#8

I have tried adding that rule. I have attached some screenshots as I'm still not having any luck. I'm sorry if I have asked an obvious question, I’m not great at this.


#9

Don’s post above about firewall rules is relevant when you have additional firewalls/routers in circuit so:

LAN A --> Firewall --> Peplink <-- PepVPN --> Peplink <-- Firewall <-- LAN B

From your post it would seem that you actually only have a pair of Peplinks with PepVPN between them.

The most likely issue is that the devices on LAN A and LAN B are not currently using the Peplink devices as their gateway.

Might be worth doing a quick sketch to explain your network topology…


#10

Dan - the first rule as written shows WAN Connection = WAN1. Suggest you try changing that to ANY, like you did on the second rule.

Just to be clear, since it isn’t working, confirm that 192.168.2.0 is the LAN range of the remote devices on the other side of the VPN? Not the local LAN of the device where this rule is applied? When you’re pulling your hair out, it's easy to get these reversed.

Martin, I understand your thought, but the rules have always been necessary even with just Balance to Balance with PepVPN between them. It's one way of controlling which LAN devices are allowed to access devices on the other end of the VPN. The example I gave with /24 subnet would give all 254 devices access, but a smaller subnet would restrict it to only certain devices, or just one.


#11

I am out of the office today but I will tell you my setup.

Hub 192.168.2.1 - WAN (using dynamic dns on my WAN1) - internet - WAN (using dynamic dns on my WAN1) Remote 192.168.1.1

Once back in the office I will change the firewall rule to LAN, must have missed that. I have attached the PepVPN config for my HUB router. The remote is set the same, just a different DNS and serial number.

All your help is much appreciated!


#12

Respectfully - They might have ‘always been necessary’ in your deployments to limit traffic over the PepVPN, but to suggest changing firewall rules is required to make routing between LANs across a PepVPN connection work at all is incorrect.

With the default rules in the firewall from factory settings that allow all internal traffic to pass, when a PepVPN is created between two Peplink devices - devices on each LAN segment can and should be able to route to each other as soon as the tunnel is up.

@danwillis On your Hub device what WAN IP does it have? I wonder if it connects to the internet via another modem/router that is dishing out private IP addresses via DHCP so you might have a 192.168.1.0/24 IP on the WAN of the hub which might be confusing things.


#13

I'm still having no luck.

When you say…

The most likely issue is that the devices on LAN A and LAN B are not currently using the Peplink devices as their gateway.

Where do I enter this in the LAN settings of either peplink? I know I haven’t put a gateway in each end.


#14

Right, I have it working. It was because the AP I was using didn’t have a default gateway of the local Pep. I used a different AP, as the one I was using didn’t even give you the option of a default gateway, which I find quite odd. Draytek AP900.

I know this was said early on in the post, I just missed it. Thanks for all your help.


#15

Awesome. Well done!
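
The two checks that came up in this thread (the remote device's default gateway, and the WAN/remote-LAN overlap asked about in post #12), written out as an added example that is not from any poster or from Peplink. The router addresses 192.168.2.1 and 192.168.1.1 come from post #11; the /24 masks, host addresses and WAN addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Site:
    name: str
    lan: str                      # LAN subnet behind the Balance (mask assumed)
    router_ip: str                # Balance LAN address
    wan_ip: Optional[str] = None  # address the Balance's WAN port received

@dataclass
class Host:
    name: str
    ip: str
    gateway: Optional[str]        # None = no default gateway configured

def can_reply(host: Host, site: Site, peer_ip: str) -> Tuple[bool, str]:
    """Can `host` return traffic to `peer_ip` on the far side of the tunnel?"""
    if ipaddress.ip_address(peer_ip) in ipaddress.ip_network(site.lan):
        return True, "peer is on-link, no gateway needed"
    if host.gateway is None:
        return False, f"{host.name}: no default gateway, reply to {peer_ip} has no route"
    # Simplification: assumes only the Balance knows the route into the tunnel.
    if host.gateway != site.router_ip:
        return False, f"{host.name}: gateway {host.gateway} is not the Balance"
    return True, f"{host.name}: reply leaves via {site.router_ip} into the tunnel"

def wan_overlaps_remote_lan(local: Site, remote: Site) -> bool:
    """True if the local WAN address falls inside the remote site's LAN range."""
    if local.wan_ip is None:
        return False
    return ipaddress.ip_address(local.wan_ip) in ipaddress.ip_network(remote.lan)

# Constructed sample data matching the thread's layout.
HUB = Site("hub", "192.168.2.0/24", "192.168.2.1", wan_ip="203.0.113.5")
REMOTE = Site("remote", "192.168.1.0/24", "192.168.1.1")
HUB_PC = "192.168.2.10"
AP_NO_GW = Host("ap-old", "192.168.1.50", gateway=None)
AP_WITH_GW = Host("ap-new", "192.168.1.51", gateway="192.168.1.1")

if __name__ == "__main__":
    for ap in (AP_NO_GW, AP_WITH_GW):
        print(can_reply(ap, REMOTE, HUB_PC)[1])
    print("WAN overlaps remote LAN:", wan_overlaps_remote_lan(HUB, REMOTE))
```
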