The company I work for has this router (Cisco RV042G Gigabit Dual WAN VPN Router) and it has the IP 192.168.1.1 with subnet mask 255.255.255.0. It has 3 devices directly connected to its LAN ports: an ASUS access point 192.168.1.245, a D-Link access point 192.168.1.246 and a network printer 192.168.1.247.

I have set up the VPN (PPTP) in the Cisco router in the IP range of 192.168.1.253 - 192.168.1.254. And this range is excluded from the Cisco router DHCP range.

From my home computer (physical line directly connected to the modem), I can connect to the company Cisco router successfully and get assigned the IP 192.168.1.253. I can ping the Cisco router and the network printer without any problem. However, I cannot ping the two access points and cannot access their web admin interface.

I tried to ping them from the Cisco router and found that they can respond to the ping request. So I can confirm that the Cisco router can actually reach them. Also, other computer hosts in the company can access the internet through these two access points without any problem. And they can ping and access the web admin interface of these two access points.

I also tried to turn off the firewall in the Cisco router to make sure it's not the cause but it still does not solve the problem.

So why can't my home computer ping and access the web admin interface of the access points when it's connected by VPN?

Konrad Gajewski
bobo
  • Here is a good explanation, I already tried it on my PPTP server: http://pptpclient.sourceforge.net/routing.phtml#all-to-tunnel Now I can shut down my device from my cellphone, all connected to one VPN server. –  Nov 03 '15 at 04:38

1 Answer

This is because the source address you are using to connect is in a different subnet and/or the APs don't allow packets having more than one hop. To circumvent this you should:

  1. Connect to the AP via some workstation on the LAN, by getting the remote desktop and using a web browser. This is pretty much the silver bullet.
  2. If you can't do the above, configure the default gateway on the AP, so it'll send the traffic originating from outside the LAN to the router (yes, I'm aware of the address scheme you gave, and this will probably not work, because of ARP at play rather than IP routing).
  3. If this doesn't work, enable the remote access/remote management (or whatever it is called in your AP) in your APs.

Also, the question is, are you going to access those APs on a regular basis, or is it just a once-in-a-while configuration?

Konrad Gajewski
  • What you mean is, when my home computer accesses the APs, they see the source IP as my home computer's public IP rather than the 192.168.1.253 assigned by the Cisco router? I access these APs on a regular basis. – bobo May 13 '15 at 15:11
  • No, they see it as 192.168.1.253 all right, but the APs generally refuse such packets on an IP level if they do not originate from the local network. – Konrad Gajewski May 13 '15 at 15:18
  • But after the VPN packets reach the Cisco router, it will unpack the packets before they reach the APs. So the APs should not know these packets in fact do not originate from the local network. Not true? – bobo May 13 '15 at 15:29
  • Do a traceroute to 192.168.1.253 from the local network. – Konrad Gajewski May 13 '15 at 16:12
  • I still haven't done this test but one thing I can confirm is that, when the access points are put in AP mode (yes, they have router / AP mode), the [allow remote management] tick box in the web admin interface will not be available. It seems it's common for different brands of routers to make this option unavailable when in AP mode. So it seems method 3 is not possible. – bobo May 14 '15 at 17:58
  • Method 1 is actually not possible because the company I work for doesn't have any workstation. It's a Windows WORKGROUP rather than domain environment. – bobo May 14 '15 at 18:02
  • I have also checked that both APs currently already have default gateway set to `192.168.1.1`. – bobo May 14 '15 at 18:04
  • Since the problem is that the VPN IP `192.168.1.253` I get is in a different subnet, I am thinking about whether it's possible to do some settings in the Cisco router so that when I request the web admin page, it will request on behalf of me, thereby the access points will see it's `192.168.1.1` rather than `192.168.1.253` who requests the page and since it's the same subnet, they should not complain. – bobo May 14 '15 at 18:10
  • As a last resort you might switch the WANs on on the APs, create a VLAN on the Cisco (let's say 192.168.0.0/24), and connect them via some switch to the router (call it OOB management). – Konrad Gajewski May 14 '15 at 18:12
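
Added example, not part of the original question, answer or comments: a sketch of the "ARP at play rather than IP routing" remark in step 2 of the answer, modelling how each LAN device decides where to send its reply to the VPN client. The device addresses, netmask and gateway are the ones given in the question; the function names and the second pool address `192.168.2.253` are assumptions constructed for the comparison.

```python
import ipaddress

def reply_path(device_ip, netmask, gateway, peer_ip):
    """How a LAN device delivers a reply to peer_ip.

    A host masks the peer address with its own netmask. An on-link peer is
    resolved with ARP on the local segment; anything else is handed to the
    default gateway, if one is configured.
    """
    iface = ipaddress.ip_interface(f"{device_ip}/{netmask}")
    peer = ipaddress.ip_address(peer_ip)
    if peer in iface.network:
        # Device broadcasts "who has <peer>?"; the default gateway is not consulted.
        return ("arp", str(peer))
    if gateway is None:
        return ("unreachable", None)
    return ("gateway", gateway)

# Addresses taken from the question.
LAN_DEVICES = {
    "asus-ap": "192.168.1.245",
    "dlink-ap": "192.168.1.246",
    "printer": "192.168.1.247",
}
NETMASK = "255.255.255.0"
ROUTER = "192.168.1.1"

def survey(vpn_client_ip, gateway=ROUTER):
    """Reply path of every LAN device towards one VPN client address."""
    return {
        name: reply_path(ip, NETMASK, gateway, vpn_client_ip)
        for name, ip in LAN_DEVICES.items()
    }

def depends_on_proxy_arp(vpn_client_ip):
    """Devices whose reply arrives only if something on the LAN answers ARP
    on behalf of the VPN client (typically the VPN router)."""
    return sorted(n for n, (how, _) in survey(vpn_client_ip).items() if how == "arp")

if __name__ == "__main__":
    for client in ("192.168.1.253", "192.168.2.253"):  # second address is constructed
        print(client, survey(client), depends_on_proxy_arp(client))
```

With the pool from the question every device ARPs for `192.168.1.253` directly, so the gateway setting on the APs plays no part in the return path; with a pool outside `192.168.1.0/24` the replies go to `192.168.1.1` and the gateway setting becomes the deciding factor.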