Problems with Multi Wan Multi LAN, VPN PPTP behind PEPLink Balance Router


#1

Good Day PEPLink Experts! haha

This is my first post, so go a little easy on me :3

I’ve read the forums and the wiki on passing VPN Traffic through the PEPLink but somehow it doesn’t seem to work properly.
My First Scenario was with a PEPLink Balance 210 as it had drop in mode, but I wanted to change this to 1:1 NAT for proper failover in the event of ISP failure.

In any case here’s the connection Scenario

WAN1 (Multiple Statics) } { LAN1 IP eg. 192.168.10.1 (1:1 NAT Static on WAN1) ----- ISA1 (with VPN)
---- PEPLink ----
WAN2 (Single Static) } { LAN2 IP eg. 192.168.10.2 (1:1 NAT Static on WAN1) ----- ISA2 (with VPN)

VPN Fails at either 619 error or stuck at verifying username and password.

Same ISA Server tested without PEPLink: VPN connects fine, of course replacing the NAT LAN IPs with the direct Static ones.

Rules to be noted: I’ve changed the outbound policy default rule to prefer WAN2 over WAN1 (Priority)
Scenario 1 - No inbound policy as I don’t think that was needed as it was 1:1 NAT’d
Scenario 2 - With Inbound policy and 1:1 NAT but this didn’t work either
Scenario 3 - Remove 1:1 NAT and use inbound policy alone - To test.

Also tried outbound policy for TCP Port 1723 / IP 47 Enforced to WAN1 before the default rule and no dice…

Can anyone enlighten me?

We are using ISP2 for http / https bandwidth primarily

I’ve already looked at http://www.peplink.com/index.php?view=faq&id=51&path=22 (Scenario 3)
http://www.peplink.com/index.php?view=faq&id=164&path=29 (Scenario 1)
and Scenario 2 is just a hybrid between 1 and 3

I also took a quick look at http://www.peplink.com/index.php?view=faq&id=171&path=29

Any help is appreciated.

Regards

Edit: I realized my Diagram in text didn’t come out properly … but to note the PEPLink is between the WAN Links and LAN Links (Just didn’t space like it should’ve)


#2

Some years ago we had the same problem putting a Peplink in front of ISA Server, and outbound VPN traffic from inside the network didn’t work (error 619).
The solution is still configuring Peplink in Drop-in mode and Enforce PPTP VPN traffic to only go through the WAN port which is in Drop-in mode. I think something is going wrong with the PPTP protocol when Peplink is in front of an ISA server.


#3

Sighs… there really isn’t a way? Maybe there’s a rule or something? I even tested this with the Balance 20 router and same problem…
The NAT is the problem? Well, let’s just hope this ISP never has an outage on a holiday…


#4

Well, I think something happens in the PPTP protocol when two consecutive NATs happen (one by Microsoft ISA and one by the Peplink router) that prevents the client from authenticating with the PPTP server correctly (error 619).
I hope the Peplink technical team can find a way to solve this.


#5

Hmm, yeah, it seems like that is the problem, as I’m able to test further (out of office hours). I re-did the PEP from scratch using drop-in mode this time and left all my ISA firewalls as default.
Simply edited the default rule weighted balance ISP1:ISP2, 2:10.
Tested fail-over for internal web browsing and this is fine (and what I realistically hoped to achieve with my original 1:1 NAT config). So there is some transition inside the PEPLink from one ISP to the other once you’ve left the gateway as default (or the same as the PEPLink); it’s intelligent enough to notice that its gateway is down and switches regular traffic (unless specified by a rule) through the other WAN link, and it’s pretty seamless.

I may have originally set an outbound policy incorrectly … I will let you know how it goes.

Pretty much Drop-In Mode is the way to go and realistically it’s pretty simple.