DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Could a site-2-site VPN affect general internet connectivity?
30 Aug 2021 08:17 #99788
by eveares
Could a site-2-site VPN affect general internet connectivity? was created by eveares
I have an IKEv2 IPSec site-2-site VPN between my grandparents' Vigor 2862 router (Firmware 3.9.6.1_BT, model 2862n) and a 3rd party Untangle firewall I have at my end.
My subnet is 10.100.1.0/24 and theirs is 10.100.12.0/24. Tunnel dials out at their end, and "always on" and "Enable PING to keep IPsec tunnel alive" options are both enabled.
Now occasionally (such as a couple of times a month) their internet goes completely down (i.e. they complain and lose internet access) for long periods (i.e. a few hours) and normally requires a reboot of their Vigor 2862 to fix.
The odd thing is that if I have a continuous ping going from my server to their router (over site VPN tunnel) during an outage incident, I get a normal reply very occasionally (say in 1 out of 100 pings or so).
Furthermore, I can normally access their Vigor 2862 via its static WAN IP to remotely reboot it (don't worry, my static WAN IP is whitelisted in the Vigor 2862) during such an outage incident, although it is unusually very slow and sluggish to access during such incidents.
Now my grandparents' broadband is not the greatest and they only get a few Mbps up and also have CCTV cameras streaming as well as a Nest doorbell in addition to all the typical things like multiple iPads.
As verified via Diagnostics > Routing Table, the default 0.0.0.0/0.0.0.0 route on their Vigor 2862 is as expected going to the gateway IP on the WAN interface, and only my 10.100.1.0/24 subnet is being routed via the VPN-1 interface.
What I really want to know is what is causing these hours-long "outages" that require the 2862 to be rebooted to make it all come good?
Is it an issue with the site-2-site VPN tunnel, the saturation of their WAN line from devices like CCTV and Nest doorbell, a setting on the Vigor 2862 that I have misconfigured or got set non-optimally somewhere, or something else like a hardware fault?
They are getting 100Mbps FTTP broadband soon, so I hope that fixes the issues.
Regards: Elliott.
30 Aug 2021 23:09 #99791
by hornbyp
Replied by hornbyp on topic Re: Could a site-2-site VPN affect general internet connectivity?
My guess is that this problem lies somewhere between the Vigor and Openreach. This is ADSL presumably?
I'm surprised it's usable with any (let alone all) the things it's being asked to do - but I wouldn't have thought 'saturation' is the issue, as such. (After all, you can saturate most IP networks and still use them ... just s-l-o-w-l-y).
100Mbps FTTP doesn't exactly get the pulse raising though
Is there an ISP-supplied device, that can be put into 'Bridge mode', thence to a WAN port on the 2862? (Whatever the ISP supplies, might be better suited to the line in question...after all, ISPs are experts in such things :lol:)
Why the subnetted 10.0.0.0 network addresses? As in, if you want Class-C addresses, why not use 192.168.x.0. I see this a lot (and I ask the question a lot!); no one ever replies - I may die not knowing
30 Aug 2021 23:37 #99796
by hornbyp
Replied by hornbyp on topic Re: Could a site-2-site VPN affect general internet connectivity?
Another post just reminded me: The "SNR" is adjustable on the Vigor (ie it can lie about the strength of the signal it is receiving), which can improve Speed or Reliability.
See:
https://www.draytek.com/support/knowledge-base/4800
At the bottom of that page, it says
Draytek wrote:
If the SNR value or the DSL stability is not as good as you expected, please try other DSL modem codes to improve
This (alternate firmware) is probably more likely to succeed, when experiencing poor speed and poor reliability.
31 Aug 2021 04:23 #99797
by eveares
Replied by eveares on topic Re: Could a site-2-site VPN affect general internet connectivity?
No it’s VDSL, and it’s using an Openreach modem connected to WAN 2 of the 2862.
31 Aug 2021 04:31 #99798
by eveares
Replied by eveares on topic Re: Could a site-2-site VPN affect general internet connectivity?
As for the 10.xxx.xxx.xxx/24 subnet, I just think it looks more professional and “neater” than 192.168.
You can have 192.168.xxx.xxx subnets less than /24 too though. I.e. 192.168.0.0/21 taking you right up to 192.168.7.255 with the broadcast address for example.
31 Aug 2021 21:37 #99802
by hornbyp
Replied by hornbyp on topic Re: Could a site-2-site VPN affect general internet connectivity?
eveares wrote:
No it’s VDSL, and it’s using an Openreach modem connected to WAN 2 of the 2862.
Ah, so none of what I said before is applicable
Maybe you could test your VPN theory, by leaving it disconnected, except when you actually need to use it? (At this point, I'm sure you're going to tell me the 2862 does the 'dialling'...)
eveares wrote:
As for the 10.xxx.xxx.xxx/24 subnet, I just think it looks more professional and “neater” than 192.168.
Now I wasn't expecting that answer! :lol:
eveares wrote:
You can have 192.168.xxx.xxx subnets less than /24 too though. I.e. 192.168.0.0/21 taking you right up to 192.168.7.255 with the broadcast address for example.
I do have experience of 'subnetting' - about 35 years ago, when the multi-national I was working for, was issued with a selection of (real-world) Class-B IP addresses. Unfortunately, this was not a good match for the hundreds (thousands?) of sites the company had. The experience was not improved by the fact that none of us knew what we were doing, so we had a few attempts at it :wink:
(I tried my best to keep out of it ... at that stage, I had 10 years Decnet experience under my belt and could see no reason for change :wink: )
I've always thought that the best choice for private networks, is the Class B: 172.16.0.0 — 172.31.255.255 ranges - subnet-ed as appropriate. (As in far less chance of clashing with any future connections - because nobody ever seems to use them). There again, I've never actually used them either
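The addressing point raised in the posts above (private ranges, the /21 example, and the risk of a LAN range clashing with a future VPN peer) can be checked mechanically. This is an added example, not code from any poster or from DrayTek; the two "future" sites are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress
from itertools import combinations

# RFC 1918 private blocks, labelled with the old class names used in the thread.
RFC1918 = {
    "10.0.0.0/8 (Class A)": ipaddress.ip_network("10.0.0.0/8"),
    "172.16.0.0/12 (Class B)": ipaddress.ip_network("172.16.0.0/12"),
    "192.168.0.0/16 (Class C)": ipaddress.ip_network("192.168.0.0/16"),
}

def private_block(cidr):
    """Return the label of the RFC 1918 block that contains cidr, or None."""
    net = ipaddress.ip_network(cidr)
    for label, block in RFC1918.items():
        if net.subnet_of(block):
            return label
    return None

def last_address(cidr):
    """Return the highest (broadcast) address of an IPv4 prefix as a string."""
    return str(ipaddress.ip_network(cidr).broadcast_address)

def find_clashes(sites):
    """Return sorted pairs of site names whose LAN prefixes overlap.

    Overlapping LANs cannot both be reached through a routed site-to-site
    tunnel without NAT, because each router treats the shared range as local.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    )

# The two LANs from the thread plus two constructed "future" peers.
SITES = {
    "home": "10.100.1.0/24",
    "grandparents": "10.100.12.0/24",
    "future-router-default": "192.168.0.0/24",  # constructed sample
    "future-wide-lan": "192.168.0.0/21",        # the /21 mentioned in the thread
}

if __name__ == "__main__":
    for name, cidr in SITES.items():
        print(f"{name:22} {cidr:18} {private_block(cidr)}")
    print("last address of 192.168.0.0/21:", last_address("192.168.0.0/21"))
    print("clashing pairs:", find_clashes(SITES))
```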
Moderators: Chris, Sami
Copyright © 2024 DrayTek