LAN to LAN VPN on ADSL router

All sorted now, not sure what was awry but after several reboots/retries it's OK. Connecting at same speed as my old DG384GT (which is not surprising as the 320B also uses a Broadcom chipset). I changed the IP to 192.168.1.1 on the 320B and 192.168.0.1 on the RT-N66U. Thanks for all your help.
 
You won't be able to ping the router from a local PC. You will have to punch a hole through the WAN routing to be able to do so and you can do this later. Things to do:

* Set both subnets back to 255.255.255.0
* Check you have WAN port of N66U connected directly to the ethernet port on the modem
* Triple check the password. If you are getting a password error, I would guess the password is correct
* Make sure the modem is actually in modem passthrough mode (it looks like it is as it is Bridged VC Mux)

If all that fails, I'd connect a PC directly to the modem and set up a connection through that (if you are on Windows 7, you can set up a PPPoE connection in the network wizard).
 
All sorted now, not sure what was awry but after several reboots/retries it's OK. Connecting at same speed as my old DG384GT (which is not surprising as the 320B also uses a Broadcom chipset). I changed the IP to 192.168.1.1 on the 320B and 192.168.0.1 on the RT-N66U. Thanks for all your help.
Glad you are sorted. How is the modem connected to the router and can you ping the modem from a local PC?
 


Update from NO-IP if anyone is interested:

We would like to give you an update and announce that ALL of the 23 domains that were seized by Microsoft on June 30 are now back in our control. Please realize that it may take up to 24 hours for the DNS to fully propagate, but everything should be fully functioning within the next day. One of the domains, noip.me, took longer to get back online, but it should be fully restored within the next day. Is your service back up? Please send us a tweet and let us know.


We are so sorry for the inconvenience that this takedown has caused our customers. Thank you so much for the support and for sticking with us through this entire process this week. More information surrounding the event will be released within the next few days, so stay tuned. Again, THANK YOU.


Have any questions or comments? Please do not hesitate to open a Support Ticket or give us a call at 775.853.1883, but please understand that we are still under heavy call/ticket volume and it may take more time than normal to get back to you.
 
I'm plodding along with this setup. Incidentally, the ADSL sync is now 8.6M vs 7.9M on my old DG384GT. Could that be because the Broadcom chipset is updated?

So, on to remote access. How can I access the remote site RT-N66U as admin?
 
So, on to remote access. How can I access the remote site RT-N66U as admin?

Do you have a VPN tunnel up yet?
What can you access on the remote site?
Can you ping a computer on site A from site B successfully?
 
Do you have a VPN tunnel up yet?
What can you access on the remote site?
Can you ping a computer on site A from site B successfully?

None of those. Having a problem connecting at remote site. Same 320B, same RT-N66U. 320B connects OK. Cannot connect Internet via RT-N66U - login times out. I can connect OK with the old Technicolor router, so I know the login ID and password are OK. I've been through the RT-N66U settings and cannot see any problem. I did have a problem like this at the other site but it persists here. Both RT-N66Us using latest stock firmware (thought I'd go with that as a starting point). 320B connecting at 6.6M - a little faster than the 5.5M of the Technicolor.
 
Best get that working first then ;)

Are you set as PPPoE connection on the router? How is the modem set - it *must* be in bridged mode....
 
What does the old router say it is setup as? Who is the ISP?
 
The old router is a Technicolor TG582n which I had from Primus. Have been using it with Plusnet without problems. The 320B appears to be connecting OK (I'm going to take it back to the other site to verify it's OK). The error I'm getting is using RT-N66U quick setup ... "Redetecting your connection status".. "Start to detect your connection type"... "Detecting the Internet connection timed out.. Do you want to try again" Have cleared the browser cache just in case. Reloaded firmware and reset router. Still the same problem. Although it's Plusnet both ends, I'm wondering if there could be something different at the exchange making a difference.
 
I would set everything up manually and avoid the quick setup wizard. No idea what might cause it unless Plusnet are expecting the MAC address of your old router...
 
A quick Google reveals it's not an unheard of problem. Already got one site set up, eventually. If the MAC was a problem it resolved somehow.

Brought all the kit back, to first site, going to try swapping modem and router out individually with existing kit.
 
If it is a MAC address problem, you will probably need to wait for an hour or so for the system to clear. There also should be a MAC address option in the Asus settings.
 
Swapped out the 320B - no Internet connection from the RT-N66U. Reverted back to original 320B - connected. Switched off the Internet connection from the status tab, swapped the 320B, switched back on - connected! Apparently, using this switch has the effect of dropping the MAC address at the ISP. I didn't know about this and possibly explains how, after some time, initial problems at site 1 cleared. At site 2 I did not leave enough time between trying various config options etc. Now I know the switch trick I'll try that (it will have to wait a week or two).
 
Switched off the Internet connection from the status tab,
Where is this? On the Asus router (I can't see a status page on my N66U) or 320B?
 
Click the globe on the network map page (next to where it says Internet status and above the security level icon).
 
I'm surprised that does anything at all...
 
Whoever offered the Sonicwalls take them up on the offer; by far and away the easiest way to solve this problem.
 
Whoever offered the Sonicwalls take them up on the offer; by far and away the easiest way to solve this problem.
All solutions become easy once you know how to do them...

EDIT: Although I think the OP is going to have to run DD-WRT to get a proper VPN tunnel up and running, so perhaps this is more difficult initially....
 
To the op. I'd back-to-back the routers in one location first. You can emulate the Internet with a switch and get everything set up in one room, saving lots of heartache, time and travelling...
 
Been running Sonicwalls since 2004; there is nothing else that comes close.
I've been running pfsense for the last couple of years and think there is nothing else that comes close. But I'm 100% convinced that's due to familiarity rather than it actually being the best.
 

I've been running pfsense for the last couple of years and think there is nothing else that comes close. But I'm 100% convinced that's due to familiarity rather than it actually being the best.

Have you tried a Sonicwall or anything beyond the home/open-source solution? pfsense is very good for what it is but it's too complicated for the average home user and does not have the support for most commercial applications.
 
To the op. I'd back-to-back the routers in one location first. You can emulate the Internet with a switch and get everything set up in one room, saving lots of heartache, time and travelling...

I've got a couple of weeks before I'm at the other site again so I'll try it back to back. Can I use my old DG384GT as the switch?
 

I've been running pfsense for the last couple of years and think there is nothing else that comes close. But I'm 100% convinced that's due to familiarity rather than it actually being the best.

Horses for courses, there's a lot of appliances from different vendors, all of which excel at different things, such as full DPI throughput, VPN throughput, options for perimeter AV, content filtering, and reporting/auditing/logging ability which although some techs might deem to be of minimal need, it is in fact one of the most crucial requirements, especially when having to report statistics and dataflow for PCI Compliance.

I'm certified in both Sonicwall and Watchguard, and much prefer Watchguard for preference, pfSense in all honesty I come across where they appreciate the zero-cost and the IT guy has implemented. Enterprises and medium businesses however do not take the risk, at least that's my findings.
 
Have you tried a Sonicwall or anything beyond the home/open-source solution? pfsense is very good for what it is but it's too complicated for the average home user and does not have the support for most commercial applications.
No. And that was my point - my familiarity with pfSense, makes it easiest for ME. Your familiarity with Sonicwall makes it easiest for you.

I bet I could set up a VPN tunnel quicker in pfSense than I could in Sonicwall. And I bet you'd find the reverse true.
 
And I bet I don't need to build a computer to get my sonicwall working! Great it works for you but the days of me building a PC when there are so many dedicated boxes are long gone
 
Depends how much grunt you require I guess. Plus dedicated appliances more often than not require subscription and/or cost the earth.

You could get a 2nd hand appliance which may be cost effective, such as a Watchguard that is out of support (i.e. fixed on an old firmware) however.

You could always use a VM instead of a "PC".
 
And I bet I don't need to build a computer to get my sonicwall working! Great it works for you but the days of me building a PC when there are so many dedicated boxes are long gone
No, you don't need to build one, you just need to buy one built by Sonicwall - with the cheapest coming in at over the cost of an Atom based PC build (and the one that would just cope with a fibre connection being £600) ;) Anyway, my two pfSenses are sat on a corner of a pair of VM servers running ESXi (yes, I know this isn't for the average consumer either). Works very nicely too :)

My point was, and still is, it is familiarity that breeds ease of use.
 
I've got a couple of weeks before I'm at the other site again so I'll try it back to back. Can I use my old DG384GT as the switch?
Sorry... too busy arguing to see the question, I now have a beer and a few hours to kill before bedtime :).

Yes. You will need to do the following:

  • Install dd-wrt onto your two routers
  • Choose 3 subnets, call them A, B and C, A will be the home subnet, B the remote subnet and C represents the internet. They must all be distinct and non-overlapping.
  • Router 1 will deal with subnet A, router 2 will deal with subnet B, your DG384GT will deal with subnet C. Note to get VPN working, the two networks at either end of the tunnel must have different subnets. If your home network is 192.168.1.x and the remote network is the same, ONE WILL HAVE TO CHANGE. As an example, how about A=192.168.1.x, B=192.168.2.x and C=192.168.10.x (all with subnet mask 255.255.255.0)
  • Set up the 3 routers to have their IP within the appropriate range (if they are all .1, they will probably be easier to remember). E.g. DG384GT=192.168.10.1, router 1=192.168.1.1, router 2=192.168.2.1
  • Connect the two router WAN ports to the LAN ports of the DG384GT
  • Set the WAN settings on each of router 1 and 2 to be static IPs in the subnet of C (e.g. 192.168.10.10 and 192.168.10.20)
  • Somewhere in the diagnostics of dd-wrt there will be a ping page which allows you to ping over the wan. Try pinging the other router. If this does not work, you need to check that dd-wrt has got ICMP echo set to on (it may be labelled ping/ICMP/something else).

If you have this working, you are half way there. The next thing to do is configure the VPN tunnel. To do this, you will need to set up the two routers (one as the VPN server, the other as a slave). There will be lots of tutorials out there to do this. You will probably need to choose a tunnel IP range. I tend to use ones in the 10.0.x.y range, purely for convention.

Once you have successfully built the tunnel (which will include telling each end that you need to route requests for the other end's IP addresses over the tunnel - this may be in the config pages) you should be able to ping across the networks. That is, a machine on network A should be able to ping a machine on network B (try pinging the router IP across the bridge first - e.g. on a computer on network A, ping 192.168.2.1). Once this works, you have a tunnel up and running. You need to be careful to only route the traffic to the other network down the tunnel. Even though the tunnel shares the same physical connection as your internet connection, it is sent to a different machine for further processing. If you do route all traffic down the VPN tunnel, that means you will end up routing all traffic through the other site, so web requests from the slave site will go to the server site, then be fulfilled and then sent back - you will introduce a significant delay AND start eating any data limits you have!

Now to name resolution. If you want to be able to address a machine by name rather than IP address, you will need to make sure you have local DNS services running on the two machines. dd-wrt has a DNS service which also allows DHCP machines to update the address table. Think of two domain names (I use .home and .shop). If you set up the DNS services properly, any machine on the home network should then be addressable from network A by its name followed by .home. E.g. if you have a machine called server, it would be pingable by the name server.home from any other machine on the same network (network A).

Unfortunately, machines on network B will only be able to ping the server's IP address since the DNS server on router B doesn't know how to resolve the names of type xxxx.home. The way you do this is to tell the DNS server to query the DNS server at the other end of the tunnel if it sees a xxxx.home request. I'm not sure how you do this in dd-wrt, but it will be possible.

Yes, I know this sounds daunting, but one step at a time and it will come together. Whichever method you use to create a tunnel, you would still need to go about creating most of the above. It is also likely to take many hours of reading and understanding - you will make mistakes and you will end up bashing your head against a wall several times.

BTW: anyone who says it isn't that complex either hasn't set up a fully working VPN tunnel OR has set up most of the infrastructure (like getting stuff working/having working DNS servers) before attempting to configure the VPN network.

If you have any questions, ask away - I don't know the dd-wrt interface well, so may only be able to give pointers, but once you have it working, I'm sure you will have learned a lot and feel a great sense of achievement :)

Or put a hammer through both routers and decide that rotating disks really is the best way to proceed :D
 
:D BTW: OpenVPN seems both the most secure and most reliable flavour of VPN to use (as well as being one of the easier ones to set up). You want to be running it in tun mode too.
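An added example, not part of the thread or written by any poster: a Python check of the back-to-back addressing plan described in the long post above, confirming that subnets A, B, C and the tunnel range do not overlap, that each router IP sits in its subnet, and that each site sends only the other site's subnet down the tunnel rather than all traffic. The dictionary layout, the field names and the 10.0.0.0/24 tunnel range are assumptions made for illustration; the addresses are the example values from the post.

```python
import ipaddress
from itertools import combinations

# Constructed plan using the example addresses from the thread.
PLAN = {
    "subnets": {"A": "192.168.1.0/24", "B": "192.168.2.0/24",
                "C": "192.168.10.0/24", "tunnel": "10.0.0.0/24"},
    "lan_ip": {"A": "192.168.1.1", "B": "192.168.2.1", "C": "192.168.10.1"},
    "wan_ip": {"A": "192.168.10.10", "B": "192.168.10.20"},
    # Networks each site routes into the tunnel (hypothetical field name).
    "tunnel_routes": {"A": ["192.168.2.0/24"], "B": ["192.168.1.0/24"]},
}

def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    nets = {k: ipaddress.ip_network(v) for k, v in plan["subnets"].items()}
    # Every pair of ranges (including the tunnel range) must be disjoint.
    for (n1, a), (n2, b) in combinations(nets.items(), 2):
        if a.overlaps(b):
            problems.append(f"subnets {n1} ({a}) and {n2} ({b}) overlap")
    # Each router's LAN address must lie inside the subnet it serves.
    for name, ip in plan["lan_ip"].items():
        if ipaddress.ip_address(ip) not in nets[name]:
            problems.append(f"LAN IP {ip} is outside subnet {name}")
    # WAN addresses of routers 1 and 2 are static IPs in subnet C.
    wan = [ipaddress.ip_address(ip) for ip in plan["wan_ip"].values()]
    for ip in wan:
        if ip not in nets["C"]:
            problems.append(f"WAN IP {ip} is outside subnet C")
    if len(set(wan)) != len(wan) or ipaddress.ip_address(plan["lan_ip"]["C"]) in wan:
        problems.append("WAN IPs must be unique and differ from the subnet C router")
    # Split tunnel: only the remote LAN goes down the tunnel, never 0.0.0.0/0.
    for site, routes in plan["tunnel_routes"].items():
        remote = nets["B" if site == "A" else "A"]
        for r in map(ipaddress.ip_network, routes):
            if r.prefixlen == 0:
                problems.append(f"site {site} routes all traffic down the tunnel")
            elif r != remote:
                problems.append(f"site {site} tunnels {r}, expected only {remote}")
    return problems

if __name__ == "__main__":
    issues = check_plan(PLAN)
    print("plan OK" if not issues else "\n".join(issues))
```
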
 