Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[jeremiahfrench]

I hate to admit it but I can NOT figure this out...

My "home" network consists of 2 sites, my house and my parents house.  Both sites have the exact same setup:

A cable modem plugged in to the WAN port of Netgear FVS114 firewall.  Out from the FVS114's LAN port 1 and directly in to LAN port 1 of a D-Link DIR-655 wireless router.  The DIR-655 hosts both wireless and wired clients.

I have established an IPsec VPN between the 2 FVS114's.  Site 1 = 192.168.0.0 /24.  Site 2 = 192.168.10.0 /24.

Hosts in site 1 can ping ALL hosts in site 1 (including their local DIR-655) and ALL hosts in site 2 (EXCEPT the remote DIR-655).  The site 1 DIR-655 can ping ALL hosts in site 1 but cannot ping hosts in site 2.

Likewise, hosts in site 2 can ping ALL hosts in site 2 (including their local DIR-655) and ALL host in site 1 (EXCEPT the remote DIR-655).  The site 2 DIR-655 can ping ALL hosts in site 2 but cannot ping hosts in site 1.

Very frustrating.  I am 99% certain this has something to do with the fact that you cannot specify a gateway in the DIR-655 LAN configuration.  What I want to know is if I can configure static routes to solve this problem.  If so, can someone give me precise instructions on what entries I need to configure given the info above?

Thanks in advance,

Jeremiah

[EddieZ]

I hate to admit it but I can NOT figure this out...

My "home" network consists of 2 sites, my house and my parents house.  Both sites have the exact same setup:

A cable modem plugged in to the WAN port of Netgear FVS114 firewall.  Out from the FVS114's LAN port 1 and directly in to LAN port 1 of a D-Link DIR-655 wireless router.  The DIR-655 hosts both wireless and wired clients.

I have established an IPsec VPN between the 2 FVS114's.  Site 1 = 192.168.0.0 /24.  Site 2 = 192.168.10.0 /24.

Hosts in site 1 can ping ALL hosts in site 1 (including their local DIR-655) and ALL hosts in site 2 (EXCEPT the remote DIR-655).  The site 1 DIR-655 can ping ALL hosts in site 1 but cannot ping hosts in site 2.

Likewise, hosts in site 2 can ping ALL hosts in site 2 (including their local DIR-655) and ALL host in site 1 (EXCEPT the remote DIR-655).  The site 2 DIR-655 can ping ALL hosts in site 2 but cannot ping hosts in site 1.

Very frustrating.  I am 99% certain this has something to do with the fact that you cannot specify a gateway in the DIR-655 LAN configuration.  What I want to know is if I can configure static routes to solve this problem.  If so, can someone give me precise instructions on what entries I need to configure given the info above?

Thanks in advance,

Jeremiah

Please post a network topology map... makes it somewhat easier to see  what you mean.
thanks

[jeremiahfrench]

unfortunately I cannot upload an image attachment do here is a text version...

-----------------Site 1                                Site 2----------------------

DIR-655 <----> FVS114 <----VPN Tunnel----> FVS114 <----> DIR-655
192.168.0.2      192.168.0.10                        192.168.10.1    192.168.10.2

Thanks for looking!

[EddieZ]

When DHCP is enabled on the DIR, you can enter a gateway. Static routing in the LAN however is not supported. There's been some discussion about the removal of this feature, fact is that it is not there anymore. Only old firmware (don't know which version) still has it on board.

[jeremiahfrench]

Hmmm, good point.  I noticed that static routing is only available over the WAN port.  I am using the router in switch mode (ie no WAN configuration).

Darn, setting up 2 networks at each site is going to be a pain...

Thanks for your help.

[lotacus]

I can only think of two ways for doing it. Windows Server or a Linux box on each end or your going to have to do away with the dir-655 and purchase a VPN gateaway, or of course use the wan, disabling everything internally firewall, spi, etc.

It's frustrating I know, but sometimes we have to give in and use the products meant for that type of network typology.

You could download the 1.11 firmware, which includes the lan side routing i'm pretty sure.

[EddieZ]

By the looks of your config it should be a 30 minute, one time effort  
For a home network the hardware firewalls are a bit of an overkill, and Hamachi VPN might do a much better and easier job.

[jeremiahfrench]

Eddie-
I'm pretty satisfied with the firewalls (though I wish they had a bit more routing capabilities), especially  for the price point ($60 each).  They are necessary b/c I host AD, email, IIS and apache web servers, FTP, etc on 4-5 backend servers.  Let's just say it's a ...robust "home" network and I really didn't want to harden (and rely on) multiple software firewalls. 

Lotacus-
My VPN works fine and is definately not the problem.  I can contact every host other than the DIR-655's.  The 655 is a great router / WAP, but it makes a terrible switch!  Thanks for the tip about firware 1.11, I'm going to give that a try now...

[EddieZ]

Eddie-
I'm pretty satisfied with the firewalls (though I wish they had a bit more routing capabilities), especially  for the price point ($60 each).  They are necessary b/c I host AD, email, IIS and apache web servers, FTP, etc on 4-5 backend servers.  Let's just say it's a ...robust "home" network and I really didn't want to harden (and rely on) multiple software firewalls. 

Lotacus-
My VPN works fine and is definately not the problem.  I can contact every host other than the DIR-655's.  The 655 is a great router / WAP, but it makes a terrible switch!  Thanks for the tip about firware 1.11, I'm going to give that a try now...

That's why they call it a 'router' and Dlink sells switches which do the job you want the routers to do 

[jeremiahfrench]

Yes, thank you...  My point was that many home based 'routers' and access points can be dumbed down to simply provide WAP / and switch functionalities (if required, as in my case).  But, many of thos have other shortcomings too...

Given that the features of the 655 are richer than those on the FVS114, I may just create 2 networks. and use the LAN side of the FVS114 as a DMZ (not that I really need it but, hey, why not?).

[jeremiahfrench]

You could download the 1.11 firmware, which includes the lan side routing i'm pretty sure.

LAN side routing does not appear for me using v1.11.  I may try to back rev even further...  Hopefully this won't mean a loss of functionality elsewhere (email notifications?).  I'll let you know what I find.

[EddieZ]

You will lose Shareport, but I guess you don't use that. And speed might be less stable. But that's trial and error.

[jeremiahfrench]

Neither v1.10 or v1.11 had the LAN routing capabilities.  Do you suppose they modified the firmware available for ditribution?

[lotacus]

Sounds like they may have it may depend on your hardware revision. I don't remember my A2 having lan side routing when I purchased it. I think mine came with 1.10 1.02 just checked the box. Wish I could downgrade now to check out all the firmwares but with b05 firmware dont think it's possible to downgrade to that early of a release.

[RA25]

There is a way of enabling static routing :-)
See my new thread http://forums.dlink.com/index.php?topic=6422.0 (i've created that before I read this :-( )