Making another network see and access another one!

[htcz]

how exactly are you setting up your pc to pc vpn? You may not be allowing IP traffic across the vpn (as simple as that may sound it isnt that simple). What are you using? As you can imagine there are a million and one different vpn solutions and some are much more configurable than others.

For instance if it were cisco, it would probably be a nat issue. the vpn traffic needs to be taken out of nat or be put into a no nat rule. Also another issue would be if the pc had an interface that has the same ip range as the vpn'd network. Though it could be one of the 15 other rules needed to have a successful tunnel up...that is just one that gets missed.

We dont have the equipment yet per say. Since we have seen that the routers Ive mentioned (NB2500 and NB1600) are working off a OpenWRT base and currently there are no alternatives for the siutation at hand, then we are testing on OpenWRT VMs.......

[sc302 Veteran]

post up your config, obscure your ip addresses if you want.

here is a write up. sorry it took so long to respond back, was in deep do doo yesterday.

https://forum.openwr....php?pid=145557

something sounds as if it is missing..

here are the instructions, may take a few days to read through to fully understand what is going on.

http://wiki.openwrt.org/doc/howto/vpn.overview

[htcz]

post up your config, obscure your ip addresses if you want.

here is a write up. sorry it took so long to respond back, was in deep do doo yesterday.

https://forum.openwr....php?pid=145557

something sounds as if it is missing..

here are the instructions, may take a few days to read through to fully understand what is going on.

http://wiki.openwrt....to/vpn.overview

Thanks :)

I wanted to try this with VMs but the other day I accidently touched something in my OpenWRT VM and the DHCP server on it (dnsmasq) overrid the network's DHCP and started to hand out its own IPs so I had to take it off line :(

Anyways I already saw and tried the first link and it is outdated as now opkg is the package manager. Is there any way to download this external and put it on the VM to test it out?

[htcz]

The yellow dots are equipment I have control over (the switch on the left side problably also)

On the bottom side, with have 2 PCs and a router. Nothing else.

On the top side, with have a already in place router. The right side (crossing the red line) is a office area which I have no access to and the right side should not know about the left side and visaversa. The "problem" is that (initially) I dont have access to that first router. Moving on: On the left side of the top side of that first router, we have a router running OpenWRT (possibly the NB2500) and a switch (again that switch I will problably have access to). Later those are end clients but they are NOT PCs. As a matter of fact, NOTHING on the left side at all will be a PC. They are simply machines. They DO however (if the NB1600 is chosen) have a configuration with OpenWRT.

Also, this is a industrial type setup. Reason why I cant just go with DD-WRT routers and call it a day (I dont think I would even convince my boss and anyways we need something like the NB1600)

Continue on that last line, the main probelm is the NB1600. I need that form factor/type of product for the machine they are attached to.

sc302, thank you for all your help and I hope this hast description helps you out on understanding and giving me a bit more information :)

Thank you!

[sc302 Veteran]

The router that is hosting vpn needs to be on the edge, not behind another router that is doing nat. this can and will create issues if not done correctly. If you can have your router that you have control of access the outside directly that would be ideal, perhaps in a dmz that is not natted.

Would need to see the config one way or the other to try and make sense of what is going wrong. There are a lot of things that can stop you from commuicating, no routes setup, natting enabled on vpn traffic, and a few other things. to get down to the bottom of it as quickly as possible and to point you in the right direction I would need to see your config. I have given you the docs, even if old, that would get you there....and I am sure if you look at youtube you can find a video that will step you through the entire process. The technology doesn't change, the screens or places to check may.

[htcz]

The router that is hosting vpn needs to be on the edge, not behind another router that is doing nat. this can and will create issues if not done correctly. If you can have your router that you have control of access the outside directly that would be ideal, perhaps in a dmz that is not natted.

Would need to see the config one way or the other to try and make sense of what is going wrong. There are a lot of things that can stop you from commuicating, no routes setup, natting enabled on vpn traffic, and a few other things. to get down to the bottom of it as quickly as possible and to point you in the right direction I would need to see your config. I have given you the docs, even if old, that would get you there....and I am sure if you look at youtube you can find a video that will step you through the entire process. The technology doesn't change, the screens or places to check may.

Related to that, this is the setup that was shown to us by a 3rd party (the distributor of this equipment) and this does indeed work:

Its a little different but one of the routers we always have control over physically instead of having it remotely. The one that would "host" VPN would be the one on the bottom on our side (bottom). The rest would basically be clients.

[sc302 Veteran]

how are you routing data? do you have layer 3 switches in place to be able to handle routes? or are your specifically adding routes into the client pcs to state where to steer traffic to?

for simplicity sake, on the edge, there is less to troubleshoot when something fails. but if you really know what you are doing, how traffic works, and how to make things go it can be anywhere...how much troubleshooting to you know how to do? do you have a full understanding of how routing works, how port traffic works, and where things can get hosed along the way? If not, keep it as simple as possible with the least amount of possiblity to block and route along the way.

[htcz]

how are you routing data? do you have layer 3 switches in place to be able to handle routes? or are your specifically adding routes into the client pcs to state where to steer traffic to?

for simplicity sake, on the edge, there is less to troubleshoot when something fails. but if you really know what you are doing, how traffic works, and how to make things go it can be anywhere...how much troubleshooting to you know how to do? do you have a full understanding of how routing works, how port traffic works, and where things can get hosed along the way? If not, keep it as simple as possible with the least amount of possiblity to block and route along the way.

The thing is that this is not something I choose. This is the setup already given and I cant change it as we dont do tech stuff. We just setup the configuration on our end.

The current setup (without VPN equipment) is something like:

I put R1 and R2 because after talking to my boss, it might have seem that the other company mixed up details and instead of 2 routers, there is only one.

[sc302 Veteran]

Depending on the client, you could have a pc establish a VPN connection to the router, but from what you said you wanted an entire site to site VPN. You need to be specific in what you want and you also need to be specific as to what the client pcs are.

Site to site requires 2 edge VPN routers. Client to site requires 1 edge VPN router and a client that can be configured for VPN either natively or through add on software. If the client is a serial connection then that cannot be configured, the machine that that connects to would have to be configured. You lack a bit of details to get this working, and I am trying to ask the right questions to help you.

[htcz]

Depending on the client, you could have a pc establish a VPN connection to the router, but from what you said you wanted an entire site to site VPN. You need to be specific in what you want and you also need to be specific as to what the client pcs are.

Site to site requires 2 edge VPN routers. Client to site requires 1 edge VPN router and a client that can be configured for VPN either natively or through add on software. If the client is a serial connection then that cannot be configured, the machine that that connects to would have to be configured. You lack a bit of details to get this working, and I am trying to ask the right questions to help you.

I apoligize for not giving correct answers to your questions.

The end clients are basically industrial machines. Running on propiratory software, we want this system to able to do two things: Remote support and also transfer predone files (basically files, which are binary files that the machine understands) from our end to over there.

The USB port on the routers I mentioned (NB2500 and NB1600) allow to have some temporal space to transfer those files and read it via a share.

I BELIEVE Im not leaving out any details. If you need any more, just ask :)

Thanks and once again I apoligize for not answering your questions.

[sc302 Veteran]

Although the usb ports on the routers allow for transfer of files, they are usually designed for a harddrive or a printer to be connected and configured. I do not know how it will connect up with another device that doesn't sound like one of the 2 devices that I have mentioned.

Again edge would be ideal without a great deal of troubleshooting to function properly. And by troubleshooting, meaning that if the config looks right we would need to go up the line to the next device to make sure it is passing traffic properly.

You are best off to connect a pc to the usb device, then through the pc you will have access for remote support as well as being able to setup a tunnel between the pc and the other host. Now technically there shouldn't be any difference between a pc router in this config, but the pc isn't doing any form of nat which makes it one less thing to have to troubleshoot to function properly. Keep it as simple as possible.

[htcz]

Although the usb ports on the routers allow for transfer of files, they are usually designed for a harddrive or a printer to be connected and configured. I do not know how it will connect up with another device that doesn't sound like one of the 2 devices that I have mentioned.

Again edge would be ideal without a great deal of troubleshooting to function properly. And by troubleshooting, meaning that if the config looks right we would need to go up the line to the next device to make sure it is passing traffic properly.

You are best off to connect a pc to the usb device, then through the pc you will have access for remote support as well as being able to setup a tunnel between the pc and the other host. Now technically there shouldn't be any difference between a pc router in this config, but the pc isn't doing any form of nat which makes it one less thing to have to troubleshoot to function properly. Keep it as simple as possible.

I explained incorrectly :) In the USB port there will be a small flash drive inserted (not 24/7 though)

The data protocal EDGE or something else? Im not familiar with the term. I have heard something about "edge servers".

The problem with these machine is that they are pretty expensive so adding a PC would increase the end cost. Thats why the configuration that was being looked at is one of these routers as they are embedded directly into the machine and can give remote access at a lower (overall) price.

[sc302 Veteran]

Edge of Internet, not behind a nat firewall. I am pretty sure it isn't going to work as designed...the other side will not see the VPN gateway as an addressable device, it will see a computer behind the VPN gateway. If it were a VPN client, not a firewall, then it should see it. You need a computer to connect to.