DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Draytek 2927 - ability to see device on WAN2 via LAN to LAN VPN

22 Dec 2023 19:18 #103077 by HodgesanDY
Haha, I did say!:

HodgesanDY wrote:
In each rule that you setup, be aware that rules execute in one direction (left pane to right pane) see ‘Direction’ ->> ‘Advanced’ button, if you don’t grasp this, you won’t understand why it’s not working.

And for:

Neil201 wrote:
…but if I wanted to block traffic both ways then two separate rules are needed, the existing inbound (to the 10.188.230.0) network and one outbound from that same network.

Well actually, a single rule can block in both directions:

HodgesanDY wrote:
The reason I mention not being able to set a rule on the same LAN, is because you may want to create a single block rule for ALL LANs, or a selection of LANs (and the VPN) in one rule and you’ll be ticking say LAN1 to LAN2 and also LAN2 to LAN1 which looks like it will also apply to LAN1 to LAN1 and LAN2 to LAN2, but it won’t, as that can’t happen, so don’t be put-off by seeing this and thinking that.

———————

Neil201 wrote:
From a security perspective, blocking incoming connectivity to the other subnets on the 10.188.230.0 network should provide adequate security to these networks I'm assuming.

Yes of course, that’s exactly what the firewall rules are there for, but obviously, always test your rules thoroughly.


20 May 2024 10:24 #103351 by neil201

HodgesanDY wrote:
Hi Neil201,

I have tried to do this myself several times over the years, and always failed, but I decided to give it another go after reading your post, and it worked!

Because you’re wanting to route via the VPN LAN-to-LAN, you’ll need to add the route into your LAN-to-LAN profile; at the non-4G end.

At the very bottom of the profile settings page, you’ll see the TCP/IP settings, the ones for Remote/Local Network. Look for the “more subnets” option and add the remote GW IP of the 4G M2M unit in as an additional remote subnet, and give it a /31 size subnet.

You should now observe a new static route in your ‘Route table’ (see Diagnostics/Route Table). Now attempt a connection to your remote GW.

Be aware though, this could potentially upset other elaborate routing you may have in place between the two sites, but I’m sure you will notice fairly quickly if that is the case and can easily just remove the newly added additional subnet to revert back.

Hi there, just bouncing this thread as I had this working and for some reason it isn't any longer. I'm trying to access my 4G M2M Router on 10.189.230.195 (unit GW on WAN2 of my 2927 at the remote end), I've got an additional subnet set up as 10.189.230.195/31 which did work through the VPN tunnel to the other remote Draytek but for some reason appears to have stopped. In the Routing table there's a static Route 10.189.230.194/31... shouldn't this be 10.189.230.295 ??


20 May 2024 12:54 #103352 by HodgesanDY
Hi,

Did you mean 10.189.230.295 or 10.189.230.195?

The subnet size is /31, so the Routing Table is displaying the first of the IPs in that size network, that is correct in this case. You can even check that by looking at what you have entered into the additional network settings in the LAN-to-LAN profile, you’ll see that will probably have .195 in it.

Most likely, your remote end’s 4G dongle has picked up a fresh public IP address. So check that, and then update your “additional network” settings with the new public address (and /31 again) and you should be able to connect.

Although, saying that, it’s a 10.*.*.* network, so you’ve created this network, correct? Sorry, I’m just trying to recap on your setup.

Have you also considered the time old saying “have you turned it off and on again”, I’m more speaking of the 4G dongle, maybe its GUI program has crashed, so may require a quick power cycle?

EDIT: I realise now that I have written "dongle" above, I should've written "M2M 4G Unit". Idiot.


21 May 2024 09:32 #103353 by neil201
Apologies, I did mean 10.189.230.195, my typo!

The 4G Router, a Proroute H685, is effectively double-NAT'd from the MNO WAN so changing of the public WAN IP on that shouldn't change anything on the LAN management side, if I'm correct? The unit sits on my 2927's WAN2 as a backup to the building provided internet at my apartment in the Canaries and I'd lost comms to it in early April, so just assumed the unit's web server had crashed as you suggested! I got here though and first thing I did was to try accessing it behind the apartment LAN and it's visible fine. I've rebooted both Draytek Routers at each end of the VPN plus the Proroute, as, like you say, there's always the power-cycle option of a fix!

I'm a bit baffled as to what could have changed, both Routers are still running v4.3.3.1 FW from October 2023 (I've had issues with the latest version so rolled back on the UK 2927) but otherwise all should be identical to as was when it worked!


21 May 2024 20:35 #103354 by HodgesanDY
Hi Neil201,

If you log onto the remote end Vigor and check the Route Table, can you see an entry for ‘WAN2’ under the interface column?

Mentally log that IP and its subnet mask (the subnet mask so you can match the size of the network) and enter that same information into the ‘additional subnet’ settings at your local end.

That way, any node on your local-end’s network will know how to reach that subnet because it will hit the Vigor’s routing table first and be routed via the VPN, failing that the request will be forwarded on to the next routing node (i.e. the internet) via 0.0.0.0

Make sure you have no firewall rules blocking the route from node to end-point (the M2M 4G unit). Also, try a ping from node to end-point; if it allows ping echos.

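Worked example, added here and not part of the thread or any DrayTek code: it shows why a /31 entered as 10.189.230.195 appears in the route table as 10.189.230.194/31 (the point made two posts up), and how a packet from a local node to the M2M unit matches that VPN route before the 0.0.0.0 default route (the lookup described in this post). The route entries and interface names are constructed for illustration.

```python
import ipaddress

# Constructed route table modelled on the thread: the /31 "additional subnet"
# from the LAN-to-LAN profile, a made-up local LAN, and the default route.
SAMPLE_ROUTES = [
    ("10.189.230.195/31", "VPN LAN-to-LAN"),  # typed as .195/31 in the profile
    ("192.168.1.0/24", "LAN1"),               # constructed local LAN
    ("0.0.0.0/0", "WAN1"),                    # default route to the internet
]


def normalise_route(cidr):
    """Return the network a router stores for a host/prefix or host/mask entry.

    10.189.230.195/31 is masked down to the first address of the /31 block,
    so the route table shows 10.189.230.194/31, not .195. A dotted mask such
    as 10.189.230.0/255.255.255.0 (the WAN2 entry in the thread) is accepted too.
    """
    return ipaddress.ip_network(cidr, strict=False)


def covered_addresses(cidr):
    """List every address inside the stored network (both ends of a /31)."""
    return [str(a) for a in normalise_route(cidr)]


def build_table(routes):
    """Turn (cidr, interface) pairs into (network, interface) pairs."""
    return [(normalise_route(cidr), iface) for cidr, iface in routes]


def lookup(table, dst):
    """Longest-prefix match: the most specific network containing dst wins.

    Returns (network, interface). The 0.0.0.0/0 entry only wins when nothing
    more specific (the VPN /31, a directly connected LAN) contains dst.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (str(best[0]), best[1]) if best else (None, None)


if __name__ == "__main__":
    table = build_table(SAMPLE_ROUTES)
    for dst in ("10.189.230.195", "10.189.230.196", "192.168.1.10"):
        print(dst, "->", lookup(table, dst))
```

Swapping the /31 for the remote end's directly connected 10.189.230.0/255.255.255.0 (as suggested above) makes the whole /24 reachable over the VPN instead of just the two /31 addresses.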

21 May 2024 22:29 #103355 by neil201
I've had a look on the Routing table and can see:
10.189.230.0/ 255.255.255.0 directly connected WAN2

I've amended the additional subnet as you suggest on the remote end (UK) Router and still no joy, not even pinging. The odd thing is this all worked fine previously and not sure what's happened as nothing with the setup has changed.
