Making another network see and access another one!

By htcz
in Smart Home, Network & Security

 Share

Recommended Posts

Mentor

htcz

Posted
  • Author
Posted

how exactly are you setting up your pc to pc vpn? You may not be allowing IP traffic across the vpn (as simple as that may sound it isnt that simple). What are you using? As you can imagine there are a million and one different vpn solutions and some are much more configurable than others.

For instance if it were cisco, it would probably be a nat issue. the vpn traffic needs to be taken out of nat or be put into a no nat rule. Also another issue would be if the pc had an interface that has the same ip range as the vpn'd network. Though it could be one of the 15 other rules needed to have a successful tunnel up...that is just one that gets missed.

We dont have the equipment yet per say. Since we have seen that the routers Ive mentioned (NB2500 and NB1600) are working off a OpenWRT base and currently there are no alternatives for the siutation at hand, then we are testing on OpenWRT VMs.......

Grand Master

sc302 Veteran

Posted
  • Veteran
Posted

post up your config, obscure your ip addresses if you want.

here is a write up. sorry it took so long to respond back, was in deep do doo yesterday.

https://forum.openwr....php?pid=145557

something sounds as if it is missing..

here are the instructions, may take a few days to read through to fully understand what is going on.

http://wiki.openwrt.org/doc/howto/vpn.overview

Mentor

htcz

Posted
  • Author
Posted

post up your config, obscure your ip addresses if you want.

here is a write up. sorry it took so long to respond back, was in deep do doo yesterday.

https://forum.openwr....php?pid=145557

something sounds as if it is missing..

here are the instructions, may take a few days to read through to fully understand what is going on.

http://wiki.openwrt....to/vpn.overview

Thanks :)

I wanted to try this with VMs but the other day I accidently touched something in my OpenWRT VM and the DHCP server on it (dnsmasq) overrid the network's DHCP and started to hand out its own IPs so I had to take it off line :(

Anyways I already saw and tried the first link and it is outdated as now opkg is the package manager. Is there any way to download this external and put it on the VM to test it out?

Mentor

htcz

Posted
  • Author
Posted

diagram3.png

The yellow dots are equipment I have control over (the switch on the left side problably also)

On the bottom side, with have 2 PCs and a router. Nothing else.

On the top side, with have a already in place router. The right side (crossing the red line) is a office area which I have no access to and the right side should not know about the left side and visaversa. The "problem" is that (initially) I dont have access to that first router. Moving on: On the left side of the top side of that first router, we have a router running OpenWRT (possibly the NB2500) and a switch (again that switch I will problably have access to). Later those are end clients but they are NOT PCs. As a matter of fact, NOTHING on the left side at all will be a PC. They are simply machines. They DO however (if the NB1600 is chosen) have a configuration with OpenWRT.

Also, this is a industrial type setup. Reason why I cant just go with DD-WRT routers and call it a day (I dont think I would even convince my boss and anyways we need something like the NB1600)

Continue on that last line, the main probelm is the NB1600. I need that form factor/type of product for the machine they are attached to.

sc302, thank you for all your help and I hope this hast description helps you out on understanding and giving me a bit more information :)

Thank you!

Grand Master

sc302 Veteran

Posted
  • Veteran
Posted

The router that is hosting vpn needs to be on the edge, not behind another router that is doing nat. this can and will create issues if not done correctly. If you can have your router that you have control of access the outside directly that would be ideal, perhaps in a dmz that is not natted.

Would need to see the config one way or the other to try and make sense of what is going wrong. There are a lot of things that can stop you from commuicating, no routes setup, natting enabled on vpn traffic, and a few other things. to get down to the bottom of it as quickly as possible and to point you in the right direction I would need to see your config. I have given you the docs, even if old, that would get you there....and I am sure if you look at youtube you can find a video that will step you through the entire process. The technology doesn't change, the screens or places to check may.

Mentor

htcz

Posted
  • Author
Posted

The router that is hosting vpn needs to be on the edge, not behind another router that is doing nat. this can and will create issues if not done correctly. If you can have your router that you have control of access the outside directly that would be ideal, perhaps in a dmz that is not natted.

Would need to see the config one way or the other to try and make sense of what is going wrong. There are a lot of things that can stop you from commuicating, no routes setup, natting enabled on vpn traffic, and a few other things. to get down to the bottom of it as quickly as possible and to point you in the right direction I would need to see your config. I have given you the docs, even if old, that would get you there....and I am sure if you look at youtube you can find a video that will step you through the entire process. The technology doesn't change, the screens or places to check may.

Related to that, this is the setup that was shown to us by a 3rd party (the distributor of this equipment) and this does indeed work:

diagram4.png

Its a little different but one of the routers we always have control over physically instead of having it remotely. The one that would "host" VPN would be the one on the bottom on our side (bottom). The rest would basically be clients.

Grand Master

sc302 Veteran

Posted
  • Veteran
Posted

how are you routing data? do you have layer 3 switches in place to be able to handle routes? or are your specifically adding routes into the client pcs to state where to steer traffic to?

for simplicity sake, on the edge, there is less to troubleshoot when something fails. but if you really know what you are doing, how traffic works, and how to make things go it can be anywhere...how much troubleshooting to you know how to do? do you have a full understanding of how routing works, how port traffic works, and where things can get hosed along the way? If not, keep it as simple as possible with the least amount of possiblity to block and route along the way.

Mentor

htcz

Posted
  • Author
Posted

how are you routing data? do you have layer 3 switches in place to be able to handle routes? or are your specifically adding routes into the client pcs to state where to steer traffic to?

for simplicity sake, on the edge, there is less to troubleshoot when something fails. but if you really know what you are doing, how traffic works, and how to make things go it can be anywhere...how much troubleshooting to you know how to do? do you have a full understanding of how routing works, how port traffic works, and where things can get hosed along the way? If not, keep it as simple as possible with the least amount of possiblity to block and route along the way.

The thing is that this is not something I choose. This is the setup already given and I cant change it as we dont do tech stuff. We just setup the configuration on our end.

The current setup (without VPN equipment) is something like:

diagram5.png

I put R1 and R2 because after talking to my boss, it might have seem that the other company mixed up details and instead of 2 routers, there is only one.

Grand Master

sc302 Veteran

Posted
  • Veteran
Posted

Depending on the client, you could have a pc establish a VPN connection to the router, but from what you said you wanted an entire site to site VPN. You need to be specific in what you want and you also need to be specific as to what the client pcs are.

Site to site requires 2 edge VPN routers. Client to site requires 1 edge VPN router and a client that can be configured for VPN either natively or through add on software. If the client is a serial connection then that cannot be configured, the machine that that connects to would have to be configured. You lack a bit of details to get this working, and I am trying to ask the right questions to help you.

Mentor

htcz

Posted
  • Author
Posted

Depending on the client, you could have a pc establish a VPN connection to the router, but from what you said you wanted an entire site to site VPN. You need to be specific in what you want and you also need to be specific as to what the client pcs are.

Site to site requires 2 edge VPN routers. Client to site requires 1 edge VPN router and a client that can be configured for VPN either natively or through add on software. If the client is a serial connection then that cannot be configured, the machine that that connects to would have to be configured. You lack a bit of details to get this working, and I am trying to ask the right questions to help you.

I apoligize for not giving correct answers to your questions.

The end clients are basically industrial machines. Running on propiratory software, we want this system to able to do two things: Remote support and also transfer predone files (basically files, which are binary files that the machine understands) from our end to over there.

The USB port on the routers I mentioned (NB2500 and NB1600) allow to have some temporal space to transfer those files and read it via a share.

I BELIEVE Im not leaving out any details. If you need any more, just ask :)

Thanks and once again I apoligize for not answering your questions.

Grand Master

sc302 Veteran

Posted
  • Veteran
Posted

Although the usb ports on the routers allow for transfer of files, they are usually designed for a harddrive or a printer to be connected and configured. I do not know how it will connect up with another device that doesn't sound like one of the 2 devices that I have mentioned.

Again edge would be ideal without a great deal of troubleshooting to function properly. And by troubleshooting, meaning that if the config looks right we would need to go up the line to the next device to make sure it is passing traffic properly.

You are best off to connect a pc to the usb device, then through the pc you will have access for remote support as well as being able to setup a tunnel between the pc and the other host. Now technically there shouldn't be any difference between a pc router in this config, but the pc isn't doing any form of nat which makes it one less thing to have to troubleshoot to function properly. Keep it as simple as possible.

Mentor

htcz

Posted
  • Author
Posted

Although the usb ports on the routers allow for transfer of files, they are usually designed for a harddrive or a printer to be connected and configured. I do not know how it will connect up with another device that doesn't sound like one of the 2 devices that I have mentioned.

Again edge would be ideal without a great deal of troubleshooting to function properly. And by troubleshooting, meaning that if the config looks right we would need to go up the line to the next device to make sure it is passing traffic properly.

You are best off to connect a pc to the usb device, then through the pc you will have access for remote support as well as being able to setup a tunnel between the pc and the other host. Now technically there shouldn't be any difference between a pc router in this config, but the pc isn't doing any form of nat which makes it one less thing to have to troubleshoot to function properly. Keep it as simple as possible.

I explained incorrectly :) In the USB port there will be a small flash drive inserted (not 24/7 though)

The data protocal EDGE or something else? Im not familiar with the term. I have heard something about "edge servers".

The problem with these machine is that they are pretty expensive so adding a PC would increase the end cost. Thats why the configuration that was being looked at is one of these routers as they are embedded directly into the machine and can give remote access at a lower (overall) price.

Grand Master

sc302 Veteran

Posted
  • Veteran
Posted

Edge of Internet, not behind a nat firewall. I am pretty sure it isn't going to work as designed...the other side will not see the VPN gateway as an addressable device, it will see a computer behind the VPN gateway. If it were a VPN client, not a firewall, then it should see it. You need a computer to connect to.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Major Xbox layoffs may claim South of Midnight developer Compulsion entirely

      By Abercrombe · Posted

      I agree. I also think Phil stayed too long. They should definitely fire whoever thought all a console platform needed was Call of Duty, Elder Scrolls, and Fallout to survive. Asha and crew are still saying they need more Elder Scrolls and Fallout games. They simply don't get it.
    • Samsung is shutting down yet another app used by millions

      By Krieg · Posted

      wtf cares
    • Microsoft announces 12th-gen Surface Pro with Snapdragon X2 processors

      By tsupersonic · Posted

      Macbook Air is an appealing option, as are plethora of Windows devices with various different CPU's
    • Mozilla highlights Firefox Nova 2026 redesign and more upcoming features with new roadmap

      By hellowalkman · Posted

      Mozilla highlights Firefox Nova 2026 redesign and more upcoming features with new roadmap by Sayan Sen Last month Mozilla confirmed that Firefox was set to get a major redesign this year. Dubbed "Project Nova", it can already be tested and will roll out to all users later this year.The idea is to keep the browser competitive in a rapidly evolving internet landscape. As such the revamp focuses on improving privacy, usability, performance, accessibility, and customization. Key privacy features including the built-in VPN, private browsing mode, and Enhanced Tracking Protection, will be more visible and easier to manage, while users will have the option to disable AI features entirely through a dedicated kill switch. Additionally, the redesign promises faster page loading, the return of Compact mode, expanded personalization options, and stronger accessibility support. You can find the full details in the dedicated piece linked above. In a new blog post today the company once again reiterated on Nova and also emphasized other new and upcoming features like the settings revamp that is intended to make it easier for users to understand browser settings. In order to make it simpler for users to keep up with such features Mozilla today is launching Firefox roadmap. Hence enthusiasts and interested users will be able to check out what's cooking and also share feedback about the upcoming additions. Alongside the roadmap announcement, Mozilla also highlighted what's new in Firefox 152. One of the biggest additions is the arrival of Tab Groups on Android. The feature, which has already been helping desktop users organize large numbers of tabs, is now beginning to roll out on mobile. Users will be able to group related tabs together, assign names and colors to them, and return to them later. Mozilla says support for iOS will arrive later this year. Firefox 152 also introduces the aforementioned redesigned Settings experience. The company says the changes are meant to make controls easier to find and help users discover features they may not have previously known about. Existing preferences are not changing, though they are now better organized. Another notable addition is the new Blocked Tracker Widget, which provides a visual overview of Firefox's privacy protections by showing how many trackers have been blocked over time and the types of tracking activity the browser has stopped. Looking ahead, Mozilla revealed several upcoming roadmap features. They include customizable keyboard shortcuts, as well as enhanced PDF editing tools that will allow documents to be split, merged, and reorganized directly within Firefox. The company is also working on bringing Multi-Account Containers into the native Firefox experience thus removing the need for a separate extension. Meanwhile Firefox's built-in VPN is set to expand to mobile devices. Mozilla is also developing AI-powered features like Quick Answers, which can provide concise responses to voice queries, and Smart Window, its optional AI browsing experience that is now available without a waitlist. Finally, a new Power Saving Mode is in the works and will help reduce the impact of resource-heavy tabs on mobile devices in order to extend battery life. The video below summarizes the upcoming changes in an easy to understand format: You can find the announcement blog post here on Mozilla's official website.
    • Microsoft unveils new Surface Laptop with improved trackpad, Snapdragon X2, and more

      By tsupersonic · Posted

      Dead on arrival at that price. Like they missed the mark by multiple hundreds of dollars - this should actually undercut the Macbook Air at $899 if they want any sort of sales / further adoption of WoA

  • Recent Achievements

    • One Year In
      Console General earned a badge
      One Year In
    • One Year In
      Twozo Technologies earned a badge
      One Year In
    • One Month Later
      Twozo Technologies earned a badge
      One Month Later
    • Week One Done
      Twozo Technologies earned a badge
      Week One Done
    • Veteran
      branfont went up a rank
      Veteran

  • Popular Contributors

    1. 1
      +primortal
      511
    2. 2
      +Edouard
      199
    3. 3
      PsYcHoKiLLa
      109
    4. 4
      Steven P.
      89
    5. 5
      Nick H.
      71
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!