Author Topic: PPTP Server Using Transparent Mode  (Read 9211 times)

sfsouter

  • Level 1 Member
  • *
  • Posts: 7
PPTP Server Using Transparent Mode
« on: December 03, 2014, 09:32:21 AM »

Hi,

I've just purchased two DSR-250 VPN Routers.  In my situation I have a Sonicwall at the WAN Internet connection and this is setup to pass-thru VPN traffic.  On the LAN side of the Sonicwall I have two networks, one for business and one for personal.  The business network, 10.54.85.0/24, is setup directly on the LAN ports of the Sonicwall.  The personal network will be on the downstream side of an additional DSR-250 router with the WAN side on 10.54.85.0/24 and LAN side 192.168.0.0/24.  The intent is to use one DSR-250 for VPN access to the 10.54.85.0/24 network and one to act as the router for 192.168.0.0/24 with a PPTP VPN server to access it as well. 

So far I was able to successfully set up the DSR-250 for the personal router/vpn server successfully and can gain access via VPN to the 192.168.0.0/24 network from an external internet connection.  The Sonicwall is passing the VPN connection thru without issue.

Where I am struggling is to setup the business side VPN server on the other DSR-250 in transparent mode. This DSR-250 would have an IP of 10.54.85.100 and is directly connected on the LAN side of the Sonicwall 10.54.85.0/24.  Can I assume that the VPN server component of this router still works in transparent mode?  I was able to connect to it via a VPN client provided I was already connected on the 10.54.85.0/24 subnet so I know the server is working, with correct user accounts etc.  I just cannot access it via an external connection to the WAN side of the Sonicwall as I was able to do with the personal network on 192.168.0.0/24 with the other DSR-250 in standard NAT routing mode.

If this will work, can someone please guide me in the correct setup of the transparent mode VPN server?  I'm not sure if I am to only configure the WAN side IP info or only the LAN side IP info?  My understanding is that in transparent mode, the unit only will have one IP and not two as would be case for NAT routing mode.

Thanks for the help,
Scott

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: PPTP Server Using Transparent Mode
« Reply #1 on: December 03, 2014, 09:55:10 AM »

Welcome!

  • What Hardware version is your router? Look at sticker under the router case.
  • What Firmware version is currently loaded? Found on the router's web page under status.
  • What region are you located?

Internet Service Provider and Modem Configurations
  • What ISP Service do you have? Cable or DSL?
  • What ISP Modem Mfr. and model # do you have?

Let me see if we can get some additional help on this...
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

sfsouter

Re: PPTP Server Using Transparent Mode
« Reply #2 on: December 03, 2014, 10:17:34 AM »

Hardware Version: A2
Firmware Version: 1.09B32_WW
Region: Spruce Grove, Alberta, Canada

ISP info:
We are rural and use a radio system that I believe is microwave technology.  The modem is provided with a static IP. 
http://tbwifi.ca/equipment.php

FurryNutz

Re: PPTP Server Using Transparent Mode
« Reply #3 on: December 03, 2014, 10:37:26 AM »

If the ISP modem has a built in router, it's best to bridge the modem. Having 2 routers on the same line can cause connection problems: Double NAT and How NAT Works. To tell if the modem is bridged or not, look at the router's web page, Status/Device Info/Wan Section, if there is a 192.168.0.# address in the WAN IP address field, then the modem is not bridged. If the modem can't be bridged then see if the modem has a DMZ option and input the IP address the router gets from the modem and put that into the modem's DMZ.

sfsouter

Re: PPTP Server Using Transparent Mode
« Reply #4 on: December 03, 2014, 11:06:58 AM »

Did you see my note that I was able to get the more complex part of my setup to work successfully?
Internet - Modem - Sonicwall - 10.54.85.0/24 LAN - DSR-250 router / VPN Server to 192.168.0.0/24 personal network.
Connected via a VPN client from a remote location to the cascaded router worked fine.

The simpler system where I only want one of the DSR-250's to function as a VPN server only is the challenge.  It is likely however that I may not be setting things up correctly in the configuration and potentially the wiring.  For clarity in communications, the IP of the DSR-250 will be 10.54.85.100.  My assumption is that it will only have one IP since it will be in transparent mode.

Some questions:

Do I configure it for transparent routing mode?
Do I configure only the WAN side IP info leaving the LAN side as default / empty?
Do I configure only the LAN side IP info leaving the WAN side info as default?
Are there any other special configurations required?
On the wiring side do I connect only the LAN side port of the DSR-250 to the 10.54.85.0/24 subnet or only the WAN port?

FurryNutz

Re: PPTP Server Using Transparent Mode
« Reply #5 on: December 03, 2014, 11:23:09 AM »

Ok just making sure your ISP modem doesn't have any NAT.

Will check on if we can get some information from other users.

While you wait, I recommend that you phone your regional D-Link support office and ask for help and information regarding this. We find that phone contact has better immediate results over using email.

sfsouter

Re: PPTP Server Using Transparent Mode
« Reply #6 on: December 03, 2014, 11:28:43 AM »

I should also clarify that the Sonicwall's WAN side connected to the modem has an external IP address of 216.X.X.X.  The modem has no NAT function.

I'll wait to hear what others have to recommend.

It's likely I'm just not clear on how to properly configure the unit for my purpose.

Cheers,
Scott

Rara Avis

  • Imperator
  • Level 2 Member
  • **
  • Posts: 76
Re: PPTP Server Using Transparent Mode
« Reply #7 on: December 03, 2014, 11:31:58 AM »

First nitpick, double NAT'ing is beyond kludgy and will cause issues, please don't double NAT.  Think of the children.

Second nitpick, you have 3 gateway devices on your network, our goal should be to have only one.  Once again, the children will thank you.

Now, on to the existing design.  Do you realize that clients of the first DSR will have access to both networks unless you specifically start writing firewall rules?  You normally route all networks (0.0.0.0/0) through a VPN, and that DSR itself has routes to both networks (and indeed everything not destined for the 192.168.0.0/24 will be NAT'ed from the DSR itself).

Given the above nugget I suspect you can see where I am headed, there is no reason to use transparent mode on the second DSR (and perhaps no reason for the second DSR at all), because all the VPN clients (of either DSR) are going to have access to its WAN network and all its routes anyhow.  Its LAN network (which is presumably unconnected) effectively becomes a black hole network.  And since we don't want to have to touch on adding routes to everybody on the 10.54.85.0/24 network for your VPN clients, this solution will be much cleaner.

Also, forwarding VPN traffic to multiple gateways is a little bit of a special trick depending on protocol and gateway, not something I would touch with a 10m pole by choice.

Please understand that I am only trying to help when I say that this design is going to be trouble for you, redundant hardware and NATs are going to cause issues, embrace appropriate GWs that can handle all of your needs (which could be the DSR, or the Sonicwall, or a 3rd option for all we know at this point) and appropriate LAN side segregation.
Nullum magnum ingenium sine mixtura dementiae fuit. - Seneca
There has never been a great genius without an element of madness.

sfsouter

Re: PPTP Server Using Transparent Mode
« Reply #8 on: December 03, 2014, 12:01:08 PM »

Thanks for the tips!  Note taken.  There are some reasons for this mess which I need to leave in place to save significant expenditure.

I did just finish a call with D-Link business support and he said that having one unit function as a VPN server only will not work since the WAN port connection is required for VPN traffic.

Now if my minimum networking understanding is correct, are you saying that the unit I have configured as a router/vpn server for the 192.168.0.0/24 personal network under the 10.54.85.0/24 Sonicwall LAN side business network should be able to provide VPN access to both its WAN side network (10.54.85.0/24) and the LAN side network (192.168.0.0/24)?  If that's the case I'm satisfied because I'm the only VPN remote user and would have no reason from a security standpoint to prevent access to one vs. the other at least from the VPN side of things.  I'm more concerned with keeping users of the business network 10.54.X.X (connected via 3 Sonicwalls in a hardware VPN tunnel) out of my personal network.

Additional thoughts or comments on feasibility?

sfsouter

Re: PPTP Server Using Transparent Mode
« Reply #9 on: December 03, 2014, 12:04:20 PM »

I should further clarify my question.  The unit I have successfully setup for router / VPN server to my personal network assigns me an IP of 192.168.0.200 as a VPN client, which I don't believe will allow me access to 10.54.85.0/24.  Am I missing something?

sfsouter

Re: PPTP Server Using Transparent Mode
« Reply #10 on: December 03, 2014, 12:13:40 PM »

Maybe a messy work-around is to configure this second DSR-250 unit for NAT mode routing and assign as follows:

WAN side IP: 10.54.85.100
LAN side IP: 10.54.86.1
subnet mask: 255.255.0.0

??

Will a remote VPN connection to the 10.54.86.0/24 subnet, assigning me a VPN client IP of 10.54.86.200 (for example), allow traffic to and from the 10.54.85.0/24 subnet that I'm really trying to access remotely via VPN?

I know, I know, I should be thinking of the children...

PacketTracer

  • Level 4 Member
  • ****
  • Posts: 441
Re: PPTP Server Using Transparent Mode
« Reply #11 on: December 04, 2014, 01:21:39 PM »

Hi,

Back to your former problem, where you operated your DSR-250 in question in transparent mode and didn't succeed in accessing its PPTP-Server from the Internet.

I see two aspects of discussion:

  • First, as in the case of your first DSR-250 (where I don't know which kind of VPN you use: probably IPsec?) you need some VPN pass-thru feature for PPTP in your Sonicwall: a 1723/TCP port forwarding for the PPTP control connection and a forwarding rule for the GRE protocol (the actual tunnel protocol) both to the WAN address of your DSR device.
  • Second, I'm in doubt, if a PPTP-Server really works as expected in transparent router mode. In this case, as you supposed, it should be enough to connect just one port, either the WAN or the LAN port, no matter which one.

But anyway: Your scenario of a PPTP server on a router in transparent mode is a very "unusual" one.

PT
« Last Edit: December 04, 2014, 02:27:38 PM by PacketTracer »
Logged
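
PacketTracer's first point, that PPTP needs both the 1723/TCP control connection and the GRE tunnel forwarded to the same address, can be checked from a capture taken next to the DSR. The following is an added example, not part of the thread: the function names, the 203.0.113.10 client address and the sample packets are constructed, and the input is assumed to be raw IPv4 packets as exported from a capture tool.

```python
import struct
from ipaddress import IPv4Address

TCP, GRE = 6, 47            # IP protocol numbers
PPTP_PORT = 1723            # PPTP control connection
PPTP_GRE_TYPE = 0x880B      # protocol type in PPTP's enhanced GRE header (RFC 2637)

def ipv4(src, dst, proto, payload):
    """Constructed test data: minimal 20-byte IPv4 header (checksum left 0) + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed) + payload

def tcp_syn(sport, dport):
    """Constructed 20-byte TCP header with only SYN set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)

def classify(packet, server):
    """Return 'control', 'gre' or None for one raw IPv4 packet sent to `server`."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 4:
        return None
    if IPv4Address(packet[16:20]) != IPv4Address(server):
        return None
    body = packet[ihl:]
    if packet[9] == TCP and struct.unpack("!H", body[2:4])[0] == PPTP_PORT:
        return "control"
    if packet[9] == GRE:
        flags, ptype = struct.unpack("!HH", body[:4])
        if flags & 0x7 == 1 and ptype == PPTP_GRE_TYPE:   # GRE version 1 carrying PPP
            return "gre"
    return None

def diagnose(packets, server):
    """Say which half of PPTP reaches the server, given packets captured next to it."""
    seen = {classify(p, server) for p in packets}
    if {"control", "gre"} <= seen:
        return "ok"
    if "control" in seen:
        return "gre-missing"        # 1723/TCP is forwarded, the GRE rule is not
    if "gre" in seen:
        return "control-missing"
    return "nothing-forwarded"

SERVER = "10.54.85.100"             # the DSR address used in the thread
CLIENT = "203.0.113.10"             # constructed (documentation range)
GRE_ACK = struct.pack("!HHHHI", 0x2081, PPTP_GRE_TYPE, 0, 1, 0)  # constructed: K+A bits, version 1
control = ipv4(CLIENT, SERVER, TCP, tcp_syn(50000, PPTP_PORT))
tunnel = ipv4(CLIENT, SERVER, GRE, GRE_ACK)
```

A result of `gre-missing` on a real capture means the firewall in front of the server passes the control connection but drops IP protocol 47, which is the case where a PPTP client connects and then stalls during authentication.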