PPTP on Balance 20 - can't access LAN nor Internet


#1

Dear Peplink,

I have configured the Balance 20 (with the latest FW) to allow PPTP - I created a user and it works, I can connect to my home network and can open the admin page of the Peplink.

But that’s about it - I can’t connect to any other devices on my LAN - tried pinging them, no response… Tried RDP to my Win2K8 server, doesn’t work either. I can’t browse the internet either…

Is there something I’m overlooking? I read some other articles that I need to create some firewall rules but that doesn’t seem to make sense to me - since I’m already on the LAN, wouldn’t the existing firewall rules apply just as if I was connected locally (the standard rule allows all outgoing traffic, by the way)?

Thx,
B.


#2

The first thing I am going to try is to configure inbound and outbound firewall rules as Allow All. But you should be able to access your LAN freely once the PPTP connection is established. We could be missing something here - is there anything else on your LAN with filtering/blocking capabilities?


#3

Hi Kurt, first of all, thank you for the very fast response!

No, the peplink is the only router / firewall on my network (192.168.1.1) - behind it, I have a Win2K8 server (with firewall disabled) on 192.168.1.4 - all on subnet 255.255.255.0.

I only have 1 incoming firewall rule to allow SSH (on a high port), and outgoing = Allow All.

I also tried (after I posted this question) by creating 2 incoming firewall rules, one for port 1723 and one for IP 47 but this also didn’t help.

I connect using a Mac on OSX 10.7.4 - connecting to the PPTP is painless and can access the admin page of the Peplink but nothing more…

Now here’s one question - my local LAN (where I connect to the internet) has the same subnet as the remote LAN (192.168.1.x) - could it be that the system is lost in translation? I have set the ‘send all traffic over VPN’ option so I thought that solved it - but could that be the issue? If that is the issue, I can’t change the local subnet (no access to the router) but could do it for the remote site, just wondering what the impact would be - I think the Win2K8 won’t like it if I suddenly change the subnet and probably, since I don’t have access to it from my current location, I think I won’t be able to access it anymore…

If you want me to test anything else, please let me know.

Thanks!
Bernard


#4

Hi Bernard,

I think the problem may be because both sides are in the exact same subnet. Could you try changing one of them to 192.168.2.x for example?


#5

Hi Tim,

You may be right - I did some googling around and found this could indeed be a possible problem - even though I checked the netstat data and saw that the peplink (then named “balance-wan”) is the default route… Since I configured the client to route all traffic through the VPN, I would expect it to work. In fact, I can’t be changing my home LAN subnet every time I need to access it from a location where the ‘local LAN’ and my ‘home LAN’ have the same subnet. If today I change my subnet to 192.168.2.x and tomorrow I want to connect from a location that uses the same, I can’t be changing it all to something else again… I have all my equipment with static IPs (and there are 25 reserved IPs) so I simply don’t want to change it around… And I can’t test it thoroughly since I’m about 2.000 km away from home at the moment without the option of changing the local subnet :(

I will be looking a bit more into this - it should be possible to create a static route on my Mac that forces all traffic to my home LAN over the VPN - there simply must be a way to do this.

Thanks,
Bernard

PS. Luckily I have an SSH server running on my Win2K8 which works and which has RDP and SFTP, so I’m not completely cut off. And since I use certificates for authentication, it’s probably even more secure than PPTP…


#6

I have exactly the same problem. Was this issue fixed, if so how?


#7

Some further information.
My remote machine’s network (192.168.1.0/24) is different from the Peplink LAN address (192.168.111.0/24).
When I connect to the VPN my remote machine is assigned an IP address in the 192.168.111.0 subnet (192.168.111.72 in the example below).
I can then connect to the Peplink Balance 30 admin page on 192.168.111.1 but I cannot communicate with any other hosts on my LAN.

This is an extract of my ‘netstat -rn’ on my remote machine.

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc           30        0     en1
default            192.168.111.1      UGScI           2        0    ppp0
---
192.168.111        ppp0               USc             2        0    ppp0
192.168.111.1      192.168.111.72     UHr             5        8    ppp0

Any thoughts appreciated.
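The two symptoms raised so far in this thread (the client-side LAN overlapping the Peplink LAN, and a netstat table that still shows the default route on the local interface rather than ppp0) can both be checked mechanically. The script below is an added example written for this page, not Peplink's code or any poster's code. It parses a constructed copy of the `netstat -rn` extract posted above, reports which interface the first usable default route points at, and checks the two LAN prefixes for overlap with Python's `ipaddress` module. The reading of the macOS `I` flag as an interface-scoped route is my own, taken from the macOS `netstat` flag legend.

```python
import ipaddress

# Constructed sample, modelled on the 'netstat -rn' extract posted in this thread.
NETSTAT_SAMPLE = """Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc           30        0     en1
default            192.168.111.1      UGScI           2        0    ppp0
---
192.168.111        ppp0               USc             2        0    ppp0
192.168.111.1      192.168.111.72     UHr             5        8    ppp0
"""


def subnets_overlap(local_cidr, remote_cidr):
    """True when the client's local LAN and the VPN's remote LAN share addresses.

    When they overlap, the client answers ARP/route lookups locally and the
    packet never enters the tunnel, which is the situation in posts #3-#5.
    """
    local = ipaddress.ip_network(local_cidr, strict=False)
    remote = ipaddress.ip_network(remote_cidr, strict=False)
    return local.overlaps(remote)


def parse_netstat_rn(text):
    """Parse the 'Internet:' section of macOS 'netstat -rn' into route dicts.

    Columns are: Destination Gateway Flags Refs Use Netif [Expire].
    """
    routes = []
    in_inet = False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_inet = True
            continue
        if line.startswith("Internet6:"):
            break
        if not in_inet or not line.strip():
            continue
        if line.startswith("Destination") or line.startswith("---"):
            continue  # header and separator lines carry no route
        parts = line.split()
        if len(parts) < 6:
            continue
        routes.append({"dest": parts[0], "gateway": parts[1],
                       "flags": parts[2], "netif": parts[5]})
    return routes


def default_route_interface(routes):
    """Interface of the default route the kernel will actually use.

    Assumption (macOS flag legend): an 'I' flag marks an interface-scoped
    route, so the unscoped 'default' entry wins over a scoped one.
    """
    for r in routes:
        if r["dest"] == "default" and "I" not in r["flags"]:
            return r["netif"]
    for r in routes:
        if r["dest"] == "default":
            return r["netif"]
    return None


def diagnose(local_cidr, remote_cidr, netstat_text, tunnel_if="ppp0"):
    """Return a list of findings explaining why LAN hosts may be unreachable."""
    findings = []
    if subnets_overlap(local_cidr, remote_cidr):
        findings.append("overlap: local LAN %s and remote LAN %s share addresses; "
                        "the host resolves them locally instead of via the tunnel"
                        % (local_cidr, remote_cidr))
    via = default_route_interface(parse_netstat_rn(netstat_text))
    if via != tunnel_if:
        findings.append("default route uses %s, not %s: 'send all traffic over "
                        "VPN' is not in effect" % (via, tunnel_if))
    return findings


if __name__ == "__main__":
    # Case from post #7: distinct subnets, but the default still sits on en1.
    for finding in diagnose("192.168.1.0/24", "192.168.111.0/24", NETSTAT_SAMPLE):
        print(finding)
```

Run it against your own `netstat -rn` output and the two prefixes involved; an empty findings list means neither of the two problems discussed here is present, which then points at the firewall rule discussed later in the thread.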


#8

Hi Heathy65,
To be honest, I don’t know - I changed my home subnet to 172.16.10.x but haven’t tested in the meantime - I’ll have to try sometime soon… When I do, I’ll let you know if that worked!
Cheers,
B.


#9

HOW WAS THIS PROBLEM SOLVED???

CAN ANY PEPLINK ADMIN PLEASE ADVISE. THANKS


#10

Hi,
I created a single rule in the Firewall configuration (Inbound Firewall Configuration) with the following settings:

Rule Name: PPTP
Enable: Yes
WAN Connection: Any
Protocol: Any
Source IP & Port: IP=192.168.1.0 Mask=255.255.255.0
Destination IP & Port: IP=192.168.1.0 Mask=255.255.255.0
Action: Allow
Event Logging: Enable

You will need to change the source & destination addressing from 192.168.1.0 (and the mask) to match your LAN addressing.

This enabled me to VPN in and access endpoints/equipment on my LAN (previously I could only access the actual Balance 30 via the VPN).

This configuration still seems a bit weird TBH, i.e. having a rule with the same source & destination but it works…

Cheers Ian


#11

Thanks for your info, Ian.

Hmm, I would expect the Balance to allow PPTP users to access LAN resources without this firewall rule. Which firmware is your Balance running? We will try to reproduce this in our lab and fix this from there.


#12

Hi Kurt,

Yeah, seems very strange to me too.

I’m currently on 5.4.6 build 1585

Cheers Ian


#13

Thanks Ian. Let us take a good look at this.


#14

I’ve upgraded to 5.4.7 now so will see if I have the same problem on that version too.


#15

Hi Heathy,

were you able to connect without the firewall rule?

Thx,
Bernard


#16

Hi all,

This configuration is correct and I will try to explain it below:

  1. It is an inbound firewall rule since the PPTP client is coming from the outside.

  2. You are getting authenticated to the local network via PPTP so that is the source network.

  3. The destination of 192.168.1.0 will restrict you to keeping on the local network.

  4. By default, the Microsoft PPTP client will use the remote destination gateway. With this setting you can control whether or not the client can also get out to the internet from the Balance. To allow for split tunneling, simply change the destination network to “Any”.

Best regards,

Ron
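Ron's four points describe a first-match rule whose source is the LAN prefix the PPTP client is placed in, and whose destination decides between LAN-only access and split tunnelling. The model below is an added example written for this page (it is not Peplink's firewall code and the field names are my own) that evaluates the rule from post #10 against a constructed PPTP client address for a LAN host and for an internet host, once with the destination set to the LAN and once set to "Any". The default action applied when no rule matches is a parameter, since the thread does not state what the device does in that case.

```python
import ipaddress

ANY = "Any"  # mirrors the "Any" choice in the Balance rule editor


def make_rule(name, source, destination, action="Allow"):
    """Hypothetical model of one inbound rule from the Balance rule editor.

    source/destination are ANY or "network/mask", e.g. the post #10 form
    "192.168.1.0/255.255.255.0"; ipaddress accepts dotted masks directly.
    """
    return {"name": name, "source": source, "destination": destination,
            "action": action}


def _matches(selector, addr):
    if selector == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(selector, strict=False)


def evaluate(rules, src, dst, default_action="Deny"):
    """First-match evaluation; returns (action, rule_name).

    Assumption: a packet matching no rule gets default_action (modelled here,
    not taken from the thread).
    """
    for r in rules:
        if _matches(r["source"], src) and _matches(r["destination"], dst):
            return r["action"], r["name"]
    return default_action, None


LAN = "192.168.1.0/255.255.255.0"          # LAN addressing from post #10
PPTP_CLIENT = "192.168.1.200"              # constructed address handed to the client
LAN_SERVER = "192.168.1.4"                 # Win2K8 server from post #3
INTERNET_HOST = "203.0.113.10"             # constructed, documentation range

# Point 3: destination = LAN keeps the client on the local network.
LAN_ONLY = [make_rule("PPTP", LAN, LAN)]
# Point 4: destination = Any also lets the client out to the internet.
SPLIT_TUNNEL = [make_rule("PPTP", LAN, ANY)]


def scenarios():
    """Return the four outcomes Ron describes as a dict for inspection."""
    return {
        "lan_only->lan_server": evaluate(LAN_ONLY, PPTP_CLIENT, LAN_SERVER),
        "lan_only->internet": evaluate(LAN_ONLY, PPTP_CLIENT, INTERNET_HOST),
        "any->lan_server": evaluate(SPLIT_TUNNEL, PPTP_CLIENT, LAN_SERVER),
        "any->internet": evaluate(SPLIT_TUNNEL, PPTP_CLIENT, INTERNET_HOST),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print("%-22s %s" % (name, outcome))
```

A client whose PPTP address falls outside the source prefix matches nothing and gets the default action, which is the situation you land in if the rule's source was left at the wrong network after copying it from the post.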


#17

I also wasn’t able to access internal LAN resources after connecting to the PPTP server. Creating the inbound FW rule solved it! thanks for the tip.

Just to add, in Windows 10, the “Use default gateway on remote network” option is not accessible via the VPN network properties GUI (actually, the whole GUI doesn’t come up at all; I believe it's a known bug).

To force all traffic through the VPN connection, run in PowerShell: Set-VpnConnection -Name "vpnname" -SplitTunneling $False

To verify all traffic is inside the tunnel, just tracert google.com and the first hop should be your Surf SOHO IP.


#18

Is this problem resolved? I have a Balance One; I am able to connect via PPTP but cannot access local resources. I tried adding access rules as well, but that didn’t work for me.

Model: Peplink Balance One Core
Firmware: 6.2.2 build 2037


#19

Yes, on my Surf SOHO I got it working by adding an INBOUND FW rule. The rule allows a source of your internal LAN subnet to ANY destination. Example: 192.168.x.x to Any Destination.

Not sure if recent firmware updates have changed this though.

Model: Pepwave Surf SOHO
Firmware: 6.2.0 build 1644


#20

Hi,

Please enable InterVlan routing. Our tech support has provided feedback on this via a ticket. Please check and follow up there.

Thank you.