LAN to LAN VPN on ADSL router

I need to link two sites/LANS via a VPN, mainly for file transfer/sync and backup. I don't need remote client access at the moment, but it would be nice to have.
Some of the latest designs have AC wireless, but they're designed for use with fibre/cable and not ADSL, so I think I'll have to compromise on N600 or similar, which isn't a problem.

Any suggestions/recommendations for a suitable ADSL VPN router with dual band, good performance, and robust VPN security?
 
For a robust VPN I would look at Draytek.
 
I do this with my site firewalls (which are low-spec PCs running pfSense). I then have consumer fibre/cable routers (Asus RT-N66Us) internally as access points, as well as decent switches to link everything together. The firewalls act as my routers at the two end points. One of these is connected via ADSL and I use an external ADSL modem (Draytek 120) to connect to ADSL. Whilst Draytek support VPN, their wireless offerings were not brilliant last time I looked when compared to other manufacturers.

If I was going to do this with routers only, I'd be looking at the Asus RT-N66U (or AC66U) and probably installing dd-wrt on it. Then linking via OpenVPN (this is how I link two sites here and it is robust against links going down etc...). It is also possible to route between the subnets - I have different 192.168.x.y subnets at either end. Any computer on either subnet can access any other on the other subnet directly by name (e.g. mainserver.home or modem.shop).

BTW: VPNs can be a bit painful to setup - especially if they are a distance apart! I'd always try and get the basics running through a router locally first.
 
Can't really offer you much on the router front, I always use a firewall/appliance.

I'd agree with Andy on the differing subnet at each site, otherwise it'll end up in a right mess and/or just not send traffic over the link.

You'll probably need DynDNS at both sites too unless you're running a static external IP with your ISP.
 
+1 for pfSense.

I would probably try and find an ITX machine with two LAN connections to run it on. You can pick up some fairly nice atom and celeron ITX boards with dual Ethernet.

Or buy a dedicated pfSense appliance.
 
Thanks for the replies. It's a fairly limited choice for ADSL router products, which is what I expected. Billion wireless is supposedly not great. Fritzbox is expensive (don't need VOIP) but covers all requirements, Draytek gets good reviews. The Asus N55U won't run DD-WRT so I'd need an ADSL modem to use the N66U. Incidentally, the Buffalo Airstation does run DD-WRT. Leaning toward Asus RT-N66U with DD-WRT, and OpenVPN.
 
> Leaning toward Asus RT-N66U with DD-WRT, and OpenVPN.
If I didn't have pfSense boxes, this is exactly what I'd do, although my preference now is to run pfSense on a virtualising server at each location - always useful to have an always-on PC/Linux machine remotely you can access. For modems, you have very little choice, but my preference would be a Draytek 120 in bridge mode. We also have a TP-Link 8816 that was fine at the last place, but kept losing S/N ratio and ultimately sync at the new place and was replaced 2 weeks ago by the Draytek. Much happier with that now.

BTW: there is a way of punching through the router to get at the ADSL stats page on the modem. Our modem is at 192.168.5.254, connected to a pfSense box that manages a network at 192.168.10.x. This is connected to my network at home (192.168.1.x) via OpenVPN and I can sit on a computer on 192.168.1.x and access the modem (192.168.5.254) through the remote network (the remote network config at my home endpoint shows remote nets as 192.168.10.0/24 and 192.168.5.0/24). It looks possible on dd-wrt too: http://www.dd-wrt.com/wiki/index.php/Access_To_Modem_Configuration. It's just some extra routing configuration....
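Added example, not from the thread: the home-end OpenVPN server configuration for the layout just described, with 192.168.1.0/24 at home, 192.168.10.0/24 at the remote site and the modem's 192.168.5.0/24 sitting on the far side of the remote pfSense box. The tunnel network 10.8.0.0/24, the file names, the certificate common name `shop` and port 1194/udp are assumptions.

```conf
# /etc/openvpn/server.conf on the home router (the end the remote site dials)
port 1194
proto udp
dev tun
topology subnet

ca ca.crt
cert home.crt
key home.key
dh dh2048.pem
tls-auth ta.key 0           # HMAC on the control channel: packets without it are dropped before any TLS work
remote-cert-tls client      # only accept peers whose certificate is marked as a client certificate
auth SHA256
cipher AES-256-CBC          # on OpenVPN 2.4 or later, prefer data-ciphers AES-256-GCM

# Tunnel addresses (assumed); must not overlap either LAN or the modem subnet
server 10.8.0.0 255.255.255.0

# Networks behind the remote endpoint: its LAN and the modem subnet on its WAN side.
# 'route' adds kernel routes on this box pointing into the tunnel ...
route 192.168.10.0 255.255.255.0
route 192.168.5.0 255.255.255.0
# ... and the matching 'iroute' lines in ccd/shop tell OpenVPN which peer owns them.
client-config-dir ccd

# Give the remote endpoint the way back to the home LAN
push "route 192.168.1.0 255.255.255.0"

keepalive 10 60
persist-key
persist-tun
verb 3

# ccd/shop  (the file is named after the CN in the remote endpoint's certificate)
iroute 192.168.10.0 255.255.255.0
iroute 192.168.5.0 255.255.255.0
```

Both `route` (a kernel route on the home router into the tun device) and `iroute` in the per-client file (OpenVPN's own record of which connected peer owns those networks) are needed; either one alone leaves the packets black-holed. The pushed route gives the remote end its way back to 192.168.1.0/24. The modem itself knows nothing about tun0 or 192.168.10.0/24, so the remote pfSense box additionally needs an IP alias on its WAN interface inside 192.168.5.0/24 and an outbound NAT rule for destination 192.168.5.0/24, so that the modem's replies go to an address it can actually reach. The remote endpoint's own client file then only needs `client`, `remote`, its certificate and key and `tls-auth ta.key 1`; the routes arrive from the server.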
 
It will be more secure with a VPN. If you open ports, you will have to attach some server process to them (or use ssh). Depending on what you attach to those ports, you could leave your disks open to being scanned/data taken from them.

Open ports are generally bad IMHO (I only have ping and the OpenVPN port open on mine).
 
Those sorts of options are unlikely to be on a consumer router though Neil...
 
> Pretty sure even my ancient Sky router does
What... ports open for specific machines only? Can't remember seeing that but... Also, you'd need a fixed IP to make that work properly.
 
You could restrict by source if you have that option available.

OP how are you handling external IP addresses? Ie are you using dyndns or static?

Using dyndns at present. Is it not going to work unless I get fixed IP at both ends?
 
It will work, but not recommended, as there is obviously a delay between when you get a new address and when DNS propagation has taken place to reflect the new IP to the hostname, it effectively means there will be a delay in the IPsec tunnel coming back online.
 
It appears a static IP from PlusNet is a £5 one-time cost, so that's not an issue. What's the throughput going to be like end-to-end on ADSL (I'm connecting at 8Mbps one end and 9Mbps the other for down, and around 1Mbps up)?
 
In a word... rubbish

You'll be limited by the upload speed so at an absolute push you might get 100 KB/s
 
We had a static IP from plusnet. Their routing tables appear to be complete cack as after the first disconnect, we got no internet - we could ping their gateway fine (so it wasn't a connection issue) but no packets would route out - or more precisely, they would route out, but there was no return path for the packets to come back through. Flipping back to dynamic IP and all worked.

BTW: Only one end (the server end) needs a static IP though. You will be limited to lowest common denominator speeds - that is 1Mbit in each direction.... MAX.

BTW2: Neil's "open ports on the router and limit them to the particular IP address" is unlikely to work with dynamic DNS. If your router does support this, it will likely expect an IP address, not a name, as the restriction.
 
I think I've got 2 Sonicwall TZ190's lying around somewhere that you are welcome to have if you cover the postage...

What is it exactly that you are trying to achieve between the sites? Replication between machines? If it is, you could use LogMeIn Hamachi to test it as a "proof of concept" before investing any further money in equipment, just a thought :)
 
I've happily used DynDNS for yonks and I've never had any problems with loss of connectivity.

I have an array of open ports - the services I use with them will block a connection after three failed authentication attempts and send me a notification email. I've not knowingly been compromised yet. On some days hundreds of IPs have been blocked, but most days, none at all.

You can use a broadband speed checker to test your download and upload speeds. You might find that even a low connection speed is fine for incremental backups. Just use sneakernet for your full backups.
 
> I've happily used DynDNS for yonks and I've never had any problems with loss of connectivity.
It will depend on your dynamic DNS client and how it operates. I have one on my firewall and it knows when the connection is lost, so updates immediately it is reconnected - but this is only used for pings. The master in the VPN has a static IP. If you use a DynDNS client based on a computer (not all routers have a DynDNS updater on them), updates will be slower and could lead to issues depending on what you are trying to do and how stable the link is. But Plusnet are only a one-off £5 charge anyway, so it really isn't an issue - I think we were unlucky with our static IP saga with them...

> I have an array of open ports - the services I use with them will block a connection after three failed authentication attempts
But would a backup system block ports after 3 failed attempts? Opening ports on a router is generally a bad idea unless you know what you are doing. The only ports I have open on mine are for ping and establishing a VPN connection on the "master" and ping on the "slave"....
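Added example, not from the thread: what "only ping and the OpenVPN port open" looks like as iptables rules in a dd-wrt firewall script, with the optional source restriction discussed earlier in the thread. The functions print the rules rather than running them, so they can be checked before being applied on the router. The interface name `vlan2`, the port and the peer address passed in `PEER_IP` are assumptions.

```shell
#!/bin/sh
# WAN input rules for a site-to-site OpenVPN endpoint running dd-wrt (iptables).
# Added example, not from the thread. Interface name, port and peer address are assumptions.

WAN_IF="${WAN_IF:-vlan2}"        # WAN interface on many Broadcom-based dd-wrt builds (assumption)
OVPN_PORT="${OVPN_PORT:-1194}"   # OpenVPN listening port (assumption; 1194 is the default)
PEER_IP="${PEER_IP:-}"           # static public address of the other site; empty = accept from anywhere

# Print the rules instead of running them, so they can be reviewed before being pasted
# into the router's firewall script, where they run as root.
wan_rules() {
    src=""
    # A source restriction only works when the peer has a fixed address: iptables resolves
    # a hostname once, when the rule is inserted, so a dynamic-DNS name is useless here.
    [ -n "$PEER_IP" ] && src="-s $PEER_IP "
    cat <<EOF
iptables -I INPUT 1 -i $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 2 -i $WAN_IF -p icmp --icmp-type echo-request -j ACCEPT
iptables -I INPUT 3 -i $WAN_IF ${src}-p udp --dport $OVPN_PORT -j ACCEPT
iptables -I INPUT 4 -i $WAN_IF -j DROP
EOF
}

# Only traffic that has come through the tunnel is forwarded to the LAN, and vice versa;
# nothing arriving on the WAN interface itself is forwarded anywhere.
forward_rules() {
    cat <<EOF
iptables -I FORWARD 1 -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD 2 -i br0 -o tun0 -j ACCEPT
EOF
}

# On the router: apply_rules (or paste the printed lines into the dd-wrt firewall script)
apply_rules() {
    { wan_rules; forward_rules; } | sh
}
```

The "slave" end described above would simply omit the `udp --dport` rule, since nothing dials it. The ESTABLISHED,RELATED rule is what lets the slave's own outbound tunnel traffic come back in without opening anything.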
 
> I have one on my firewall and knows when the connection is lost so updates immediately it is reconnected - but this is only used for pings. The master in the VPN has a static IP. If you use a dyndns client based on a computer (not all routers have a dyndns updater on them), updates will be slower and could lead to issues depending on what you are trying to do and how stable the link is. But Plusnet are only a one off £5 charge anyway, so it really isn't an issue - I think we were unlucky with our static IP saga with them...

Most VPN client software can be configured to redial the connection if it is lost. I really don't know where you are going with "master VPN" - you will have one box running a VPN server with (at any one time) one IP address using one or more ports. Once you have an authenticated VPN connection, it doesn't matter about any other IP addresses. A static IP can be problematic in the case of a persistent attacker. A periodically changing IP is a good thing from a security perspective, although the benefit is only small.

> But would a backup system block ports after 3 failed attempts? Opening ports on a router is generally a bad idea unless you know what you are doing. The only ports I have open on mine are for ping and establishing a VPN connection on the "master" and ping on the "slave"....

The VPN will look after the ports. If it's running on a pfSense style appliance (which can do both VPN and firewall) then firewall rules will be created blocking offending source IPs after multiple failed authentication attempts. The back-up software itself will be oblivious to the fact it's running over VPN.

Of course, you could ditch the VPN idea and look at SFTP and SSH. I have an SSH server that runs some software that itself blocks IPs and also syncs denied IP addresses with other servers.
 
> Most VPN client software can be configured to redial the connection if it is lost. I really don't know where you are going with "master VPN" - you will have one box running a VPN server with (at anyone time) one IP address using one or more ports. Once you have an authenticated VPN connection, it doesn't matter about any other IP addresses. A static IP can be problematic in the case of a persistent attacker. A periodically changing IP is a good thing from a security perspective, although the benefit is only small.
VPN server = master VPN. And yes, I know VPN software can redial... ;). My point - although badly made - is that if your VPN server is on a dynamic IP, then how reliable your connection is depends on:
  • The flakiness of the physical connection
  • The speed at which DNS updates are made
  • State of caching of DNS entries between the client and the DNS server

All I was saying is where you run the DNS updater (some router/firewall software have it embedded, others rely on a small app run on a local PC) - and how often it checks - may cause you issues - especially if you have a relatively flaky physical connection. At least with a static IP, you are only down to the physical connection and not reliant on address to IP mappings.
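Added example, not from the thread: the remote-site end of an OpenVPN site-to-site tunnel whose server sits behind a dynamic-DNS name, written so that the DNS-related failure modes listed above (a slow updater, a stale cached answer) produce a delayed reconnect rather than a permanent outage. The hostname `home.example.dyndns.org`, the port and the file names are assumptions.

```conf
# client.conf on the remote-site router, which dials the home end
client
dev tun
proto udp
nobind

# Dynamic-DNS name of the home end (assumed). If it does not resolve, or resolves to an
# address that no longer answers, keep retrying forever instead of exiting.
remote home.example.dyndns.org 1194
resolv-retry infinite

# Ping every 10 s; if nothing is heard for 60 s assume the far end's address has changed
# and restart the connection. OpenVPN resolves the name again on each restart unless
# persist-remote-ip is set, which is why that option is deliberately absent here.
keepalive 10 60
persist-key
persist-tun

ca ca.crt
cert shop.crt
key shop.key
tls-auth ta.key 1          # key direction 1 on the client, 0 on the server
remote-cert-tls server     # refuse a peer whose certificate is not marked as a server certificate
auth SHA256
cipher AES-256-CBC         # on OpenVPN 2.4 or later, prefer data-ciphers AES-256-GCM
verb 3
```

What this cannot shorten is the window between the home end getting a new address and the DNS record changing. If the updater runs on a PC rather than in the router or firewall, that window is the updater's polling interval, and the record's TTL adds the client resolver's caching on top. Running the updater where the WAN address change is seen (pfSense's Dynamic DNS service, dd-wrt's DDNS page) and keeping a short TTL are the only levers; a static address at the server end removes the dependency altogether.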

> The VPN will look after the ports. If it's running on a pfSense style appliance (which can do both VPN and firewall) then firewall rules will be created blocking offending source IPs after multiple failed authentication attempts. The back-up software itself will be oblivious to the fact it's running over VPN.
We are talking at cross purposes. I was referring to Neil's "just open a few ports on each router and tie down the source IPs". Plus I was replying to your "I have an array of open ports" comment which isn't relevant if those ports are only opened when you are connected via a VPN connection as you can never see them open unless you have an authenticated connection.
 
Thanks for the offer Neilc28, a very nice gesture. I've just ordered two Asus N66Us. Upgrading from DG384GTs, so long overdue.

As for application, replication across sites for backup, general file transfer, access to various systems - a mix of work related and domestic (home automation project, etc.)
 
Got the RT-N66Us delivered today along with a D-Link 320B which I intend to use for a short time until I get fibre. I set the 320B connection type to Bridge Mode "1483 Bridged IP LLC" after finding some online guidance by someone who had used this combo. The ADSL modem connects up OK, but the Internet indicator light is off, which indicates no WAN protocol is configured (green is a successful Internet connection and red a failed Internet connection). I've left the modem IP at 192.168.1.1 and changed the router to 192.168.101.1. Any idea what I might have overlooked?
 
It's still at 255.255.255.0. I changed the IP following guidance I found online from someone who had set up this specific combination. Will change to 255.255.0.0 and see what happens.
 
What are you trying to do and how is the modem connected into the router? How have you configured the router?

Your modem only does the ADSL link. The router handles the WAN. I would expect the WAN light on the modem to be off....
 
PS. This is how I have the modem set up here:

[attached screenshot: Vigor 120 series WAN settings page]


EDIT: these settings are correct for a connection provided by OpenReach (i.e. on anything using BT lines back to the exchange). If you use an unbundled provider (that has their own equipment at the exchange) it may be incorrect.
 
OK, that encapsulation setting differs from mine, which is 1483 Bridged IP LLC

Just went into RT-N66U Internet setup and selected ADSL PPPoE, put in credentials and it times out. The Netgear DG384GT it was replacing was set to VC-based so maybe the LLC setting I picked up from Google is wrong?
 
When I changed to 1483 Bridged IP VC-Mux instead of getting a timeout from the router when logging in I got an error message for name/password (previously I got a timeout).

This seems unlikely as I can see the password and its the same as I was using in the DG384GT.

Here's my 320B setup

WAN
WAN connection: VC0
ADSL connection: Bridge Mode
Bridge Mode: 1483 Bridged IP VC-Mux
VPI: 0
VCI: 38
Virtual Circuit: Enable
Service Category: UBR

LAN
Router IP address: 192.168.1.1
Subnet mask: 255.255.0.0
DHCP: Enabled

RT-N66U

IP 192.168.101.1
Subnet mask: 255.255.0.0
WAN connection type: PPPoE
Enable WAN: Yes
Enable NAT: Yes
Enable UPnP: Yes
Get the WAN IP automatically: Yes
Connect to DNS server automatically: Yes
MTU: 1492
MRU: 1492
Enable VPN+DHCP connection: Yes

I cannot ping the modem (192.168.1.1) from a PC attached to the router.
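Added example, not from the thread: the technique on the dd-wrt wiki page linked earlier in the thread (an alias address on the WAN port inside the modem's subnet, plus NAT towards the modem) written as a dd-wrt startup script, with a check that the LAN and the modem's subnet do not overlap before anything is applied. That check is the practitioner's caveat for the settings posted above: 192.168.101.1 and 192.168.1.1 are different networks under a 255.255.255.0 mask but the same network under 255.255.0.0, and in the latter case LAN hosts will ARP for the modem locally and never hand the packet to the router. The interface name `vlan2`, the alias address 192.168.1.2 and the default LAN mask are assumptions.

```shell
#!/bin/sh
# Reaching a bridged ADSL modem's web page from the LAN behind a dd-wrt router that does PPPoE.
# Added example, not from the thread. Interface name, alias address and LAN mask default are assumptions.

WAN_IF="${WAN_IF:-vlan2}"                  # physical WAN port (assumption; PPPoE itself runs on ppp0)
MODEM_IP="${MODEM_IP:-192.168.1.1}"        # the modem's LAN address
ALIAS_IP="${ALIAS_IP:-192.168.1.2}"        # spare address in the modem's subnet for the router (assumption)
ALIAS_MASK="${ALIAS_MASK:-255.255.255.0}"
LAN_IP="${LAN_IP:-192.168.101.1}"          # the router's LAN address
LAN_MASK="${LAN_MASK:-255.255.255.0}"      # assumed; a 255.255.0.0 mask here fails the check below

# Dotted quad to integer using only POSIX sh arithmetic (no ipcalc on the router).
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet A B MASK: true when A and B fall in the same network under MASK.
same_subnet() {
    a=$(ip2int "$1")
    b=$(ip2int "$2")
    m=$(ip2int "$3")
    [ $(( a & m )) -eq $(( b & m )) ]
}

# Print the commands; pipe into sh (or paste into the dd-wrt startup script) to apply them.
# Refuses to produce anything if the LAN would swallow the modem's address.
modem_rules() {
    if same_subnet "$LAN_IP" "$MODEM_IP" "$LAN_MASK"; then
        echo "LAN $LAN_IP/$LAN_MASK contains the modem address $MODEM_IP; hosts would ARP for it locally" >&2
        return 1
    fi
    cat <<EOF
ifconfig $WAN_IF:0 $ALIAS_IP netmask $ALIAS_MASK
iptables -t nat -I POSTROUTING -o $WAN_IF -d $MODEM_IP -j MASQUERADE
EOF
}

apply_modem_rules() {
    modem_rules | sh
}
```

The alias gives the router an address on the modem's wire (the PPPoE session on ppp0 has no address there), and the MASQUERADE rule rewrites LAN sources to that alias, since the modem has no route back to 192.168.101.0/24. The same two pieces, as a WAN IP alias plus an outbound NAT rule, are what a pfSense box needs to expose its modem's stats page.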
 