
Site-to-site VPN setup when behind ISP wifi router


I've read through many site-to-site VPN posts on this site but I still haven't found a solution to my issue. Here is the situation. I was asked to connect two sites together so the remote site B's users can print to printers and access the file shares at site A. Both sites are using Comcast business modems, and have been for quite some time, so turning the ISP modems to bridge mode is an absolute last resort option.

I'm not entirely clear on how to go about setting up the VPN router to allow traffic from the Xfinity business modems to see each other over the site-to-site VPN connection. Both sites connect, but I can't ping either one.

Here's what I've done so far:

  1. At both the remote site and the main site I've gone in to the ISP cable modem and changed the local IP ranges so they are different: site A's local IP range is 10.1.10.X and site B's range is 10.20.30.X.

  2. I've gone in to the TP-Link interfaces and set up WAN1 to a static IP on the local subnet for each site. The TP-Link at site A has WAN1 set to 10.1.10.215 and site B is 10.20.30.233.

  3. On both Comcast modems I've set up port forwarding for the respective static IPs of the TP-Link devices so that ports 4500 and 500 UDP are open.

  4. I've gone in to the admin panel of the TP-Link R600VPN routers and set up the site-to-site IPsec and connected both sites together. Both sites have static internet/public IP addresses which are placed in to the proper fields. I'm using WAN1 as the adapter in the settings.

This is where things fall apart for me. I can see that the VPN connection is working from the control panel on the TP-Link routers, but I cannot ping the local IP addresses on either site from computers connected to the cable modems. Pings to the 10.1.10.X network from site B time out, and vice versa.

I've read about static routing, but I don't understand if I need to set this up on just the TP-Link routers, or if I need to set this up on the Comcast modem router, or both. I tried messing with this already but it didn't work either. I tried making the static routing destination for the TP-Link at site B 10.1.10.0 with hop 1 at 10.20.30.1 on WAN1 as the interface, but that didn't work. Is there a firewall rule I need to look for that might prevent this from working?

I'm also having a hard time understanding which physical network ports need to be connected. Right now I have the TP-Link R600VPN routers connected via the WAN1 port only. Do I need to instead have this device connected on one of the 4 LAN ports?

I'll keep googling for answers, but I've yet to find one that explains this type of setup and figured I would ask.

Asked by Binxalot
  • If the tunnels are up and you can't "ping", then you don't have routes. You either need to configure static routes or configure a route propagation protocol such as BGP on the routers for them to do it automatically. – Florin Asăvoaie Sep 19 '19 at 00:37

1 Answer


The issue is that data is not flowing from the clients to the TP-Link routers.

A more conventional approach would (depending on your ISP and requirements) be to ditch the ISP router and replace it with the TP-Link router, or - as you say - convert the ISP router into a bridge. Another (less than ideal, but sometimes most practical) option would be to use "double NAT", i.e. connect the Internet to the ISP router, and a LAN port of the ISP router to the WAN port of the TP-Link router on both sides. You would need to disable WiFi on the ISP router and enable it on the TP-Link (or get an AP). You would want to change the ISP router LAN to be in the 192.168.X range in each case.

An alternative which may work - depending on your particular routers - would be to add routes from the ISP router to the TP-Link router. This is not ideal because you are going to induce asymmetric routing, and some firewalls and other things can break: packets going out will go PC -> ISP router -> TP-Link router -> VPN, while packets returning will go VPN -> TP-Link router -> PC (not seen as going through the ISP router, because the VPN abstracts that hop).

Answered by davidgo
  • So in the double NAT option you're describing, this sounds like what I have set up already, but I have the TP-Link plugged in from the WAN1 port to the switch, but you're saying instead I'd plug it directly in to one of the 4 free LAN ports on the back of the Comcast router. The WiFi issue wouldn't be a problem at the remote site since they're using WiFi APs already, but could I instead change the TP-Link router to be in the 10.20.30.x range instead of the ISP modem to 192.168? – Binxalot Sep 19 '19 at 13:40
  • Also, if I do switch the TP-Link to the 10.20.30.x range, would I need to divide the open ports in to separate ranges? Like on the TP-Link router it would only be DHCP on 10.20.30.200-254 and on the ISP modem have it DHCP as 10.20.30.2-199? – Binxalot Sep 19 '19 at 13:43
  • If your picture is correct, I don't see where double NAT is coming from (switches do not do NAT). I'm saying the ONLY thing you should plug into your ISP router is the internet connection on the WAN side and the WAN side of the TP-Link router to the LAN side of the ISP router. Everything else currently in the ISP router needs to be moved to the LAN of the TP-Link router or switch (on both sides). – davidgo Sep 19 '19 at 22:32
  • On the ISP modem you would not be running 10.20.30 at all. You really need someone to help you to understand network fundamentals - you really need to learn about subnets, DHCP etc., and this is not the appropriate place to have that discussion (and it's been discussed to death on superuser.com) – davidgo Sep 19 '19 at 22:34
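The three layouts discussed in the answer (the asker's current one, static routes on the ISP routers, and double NAT) can be checked with a small forwarding model rather than by guessing. The script below is an added example, not code from the question or the answer: it builds each layout from the addresses in the question (10.1.10.0/24 with the TP-Link at 10.1.10.215, 10.20.30.0/24 with the TP-Link at 10.20.30.233, ISP gateway 10.20.30.1), does longest-prefix-match forwarding hop by hop, and traces a ping request and its reply. Everything else is assumed: the site A ISP gateway 10.1.10.1, hosts at .50, documentation-range public addresses, 192.168.1.0/24 and 192.168.2.0/24 as the ISP LANs in the double-NAT layout, and the IPsec tunnel treated as an established point-to-point link (IKE, NAT-T and the UDP 500/4500 forwards are out of scope). It shows why the current layout drops the packet at the ISP router's default route, why the missing route belongs on the ISP router pointing at the TP-Link (the asker's route on the TP-Link pointed back at the ISP router instead), and why that fix is asymmetric: each ISP router, and any stateful firewall on it, sees only one direction of the flow, which is the breakage davidgo warns about.

```python
"""Forwarding model for the site-to-site layouts above (added example).
From the question: site A LAN 10.1.10.0/24, TP-Link A WAN1 10.1.10.215,
site B LAN 10.20.30.0/24, TP-Link B WAN1 10.20.30.233, ISP gateway 10.20.30.1.
Assumed: ISP gateway 10.1.10.1 at site A, hosts at .50, TEST-NET public
addresses, 192.168.1/2.0/24 as ISP LANs under double NAT, tunnel always up."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Route:
    prefix: Net
    next_hop: Optional[IPv4]   # None: destination subnet is directly connected
    via: str = ""              # "ipsec" marks the tunnel route


@dataclass
class Node:
    name: str
    addrs: set
    routes: list = field(default_factory=list)

    def lookup(self, dst: IPv4) -> Optional[Route]:
        """Longest-prefix match over this node's routing table."""
        hits = [r for r in self.routes if dst in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def rt(prefix, next_hop=None, via=""):
    return Route(Net(prefix), IPv4(next_hop) if next_hop else None, via)


PC_B, PRN_A = IPv4("10.20.30.50"), IPv4("10.1.10.50")   # assumed host addresses


def build(layout: str) -> dict:
    """'as_is': ISP router is the LAN gateway, TP-Link is just a host on WAN1.
    'isp_static': as_is plus a static route on each ISP router towards the TP-Link.
    'double_nat': ISP router LAN -> TP-Link WAN1, TP-Link is the LAN gateway."""
    inet = Node("Internet", {IPv4("203.0.113.1"), IPv4("198.51.100.1")})  # carries no 10/8 routes
    pc = Node("PC-B", {PC_B}, [rt("10.20.30.0/24"), rt("0.0.0.0/0", "10.20.30.1")])
    prn = Node("Printer-A", {PRN_A}, [rt("10.1.10.0/24"), rt("0.0.0.0/0", "10.1.10.1")])
    if layout == "double_nat":
        tpl_a = Node("TPLink-A", {IPv4("10.1.10.1"), IPv4("192.168.1.2")},
                     [rt("10.1.10.0/24"), rt("192.168.1.0/24"),
                      rt("10.20.30.0/24", "10.20.30.1", "ipsec"), rt("0.0.0.0/0", "192.168.1.1")])
        tpl_b = Node("TPLink-B", {IPv4("10.20.30.1"), IPv4("192.168.2.2")},
                     [rt("10.20.30.0/24"), rt("192.168.2.0/24"),
                      rt("10.1.10.0/24", "10.1.10.1", "ipsec"), rt("0.0.0.0/0", "192.168.2.1")])
        isp_a = Node("ISP-A", {IPv4("192.168.1.1"), IPv4("203.0.113.10")},
                     [rt("192.168.1.0/24"), rt("0.0.0.0/0", "203.0.113.1")])
        isp_b = Node("ISP-B", {IPv4("192.168.2.1"), IPv4("198.51.100.10")},
                     [rt("192.168.2.0/24"), rt("0.0.0.0/0", "198.51.100.1")])
    else:
        tpl_a = Node("TPLink-A", {IPv4("10.1.10.215")},
                     [rt("10.1.10.0/24"), rt("10.20.30.0/24", "10.20.30.233", "ipsec"),
                      rt("0.0.0.0/0", "10.1.10.1")])
        tpl_b = Node("TPLink-B", {IPv4("10.20.30.233")},
                     [rt("10.20.30.0/24"), rt("10.1.10.0/24", "10.1.10.215", "ipsec"),
                      rt("0.0.0.0/0", "10.20.30.1")])
        isp_a = Node("ISP-A", {IPv4("10.1.10.1"), IPv4("203.0.113.10")},
                     [rt("10.1.10.0/24"), rt("0.0.0.0/0", "203.0.113.1")])
        isp_b = Node("ISP-B", {IPv4("10.20.30.1"), IPv4("198.51.100.10")},
                     [rt("10.20.30.0/24"), rt("0.0.0.0/0", "198.51.100.1")])
        if layout == "isp_static":   # the route the answer describes, on the ISP side
            isp_a.routes.append(rt("10.20.30.0/24", "10.1.10.215"))
            isp_b.routes.append(rt("10.1.10.0/24", "10.20.30.233"))
    return {n.name: n for n in (inet, pc, prn, tpl_a, tpl_b, isp_a, isp_b)}


def trace(nodes: dict, src: str, dst: IPv4, max_hops: int = 8) -> list:
    """Forward one packet hop by hop; returns the node names crossed, ending at
    the node owning dst or at a note saying where the packet was dropped."""
    owner = {a: n for n in nodes.values() for a in n.addrs}
    node, path = nodes[src], [src]
    for _ in range(max_hops):
        if dst in node.addrs:
            return path
        route = node.lookup(dst)
        if route is None:
            return path + ["dropped: no route"]
        hop = owner.get(dst if route.next_hop is None else route.next_hop)
        if hop is None:
            return path + ["dropped: next hop unreachable"]
        path.append(hop.name)
        node = hop
    return path + ["dropped: hop limit"]


def analyze(layout: str) -> dict:
    """Trace the ping request (PC-B -> printer) and reply (printer -> PC-B);
    the path is symmetric only if the reply crosses the same routers in reverse."""
    nodes = build(layout)
    fwd, back = trace(nodes, "PC-B", PRN_A), trace(nodes, "Printer-A", PC_B)
    reachable = fwd[-1] == "Printer-A" and back[-1] == "PC-B"
    symmetric = reachable and fwd[1:-1] == back[1:-1][::-1]
    return {"layout": layout, "forward": fwd, "return": back,
            "reachable": reachable, "symmetric": symmetric}


if __name__ == "__main__":
    for layout in ("as_is", "isp_static", "double_nat"):
        r = analyze(layout)
        print(f"{r['layout']:>11}: reachable={r['reachable']} symmetric={r['symmetric']}")
        print("   request:", " -> ".join(r["forward"]))
        print("     reply:", " -> ".join(r["return"]))
```

Note that PC-B's default gateway is 10.20.30.1 in every layout; what changes in the double-NAT layout is which box owns that address. In the static-route layout the ISP router at each site forwards the outbound half of the flow and never sees the inbound half, so a stateful firewall or connection-tracking feature on it can legitimately drop what it treats as unsolicited traffic.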