Kitz Forum
Computers & Hardware => Networking => Topic started by: Ronski on December 18, 2019, 08:30:38 PM
-
My brother has recently purchased two Draytek Vigor 2926 routers on my advice. One for his home (site 1 - dynamic IP address*) and one for his partner's (site 2 - static IP address).
As he spends his time between both sites he needs easy access to each site's devices from the other.
Site 1 is on the subnet of 192.168.1.x
Site 2 is on the subnet of 192.168.3.x
Now he's set up the site to site VPN following this guide (you need to login) (https://www.draytek.co.uk/support/guides/kb-lantolan-ipsec), I believe. Now it is connecting, and he can access the other site's router, but cannot access the PC there, or even get a response when pinging it.
Any ideas please, or do you need more info?
*When his current contract is up for renewal in a few months he will move to an ISP with static IP.
-
Hi ronski
You only need 1 static ip at one end of the site to site (I take it you set it up as lan to lan vpn) and the dynamic end makes the call to create the vpn to the static
Once connected, all devices should be accessible at both ends
More details would be needed though but please remember, you access devices/shares as though you're on their network eg lan 1 192.168.1.x or 192.168.3.x
You can even create the printers to work at both ends
If you cannot ping devices, have a look at vpn connection status to make sure it’s fully connected.
I hope that makes sense
Many thanks
John
-
Thanks John.
He sent me this overnight.
OK, it's because the Lan2Lan VPN requires that each end be on a different subnet but then Windows firewall rules require them to be on the same subnet. Aghhh! Turn off Windows FW and it works.
But what's the correct solution?
He's using Windows 7 and 10. Any thoughts please?
-
John’s the expert on this!
I’ve never had any firewall issues. However it would be a simple rule to allow the connection in both directions on all ports restricted to the 2 sub nets.
If you use ipconfig /all you should see the sub nets on both ends. Are you using site to site or is one end accessing the other's router?
Tony
-
Hi
@ guise many thanks but I never consider myself an expert sorry. I think we all learn (or relearn) new things everyday. I also know your knowledge is extremely high
I think it might be a lack of understanding how vpn works sorry
The vpn joins the 2 networks and each is on its own subnet
If as an example on lan 1 they wanted to use RDP on a pc from lan 2. Then they would use the internal IP address for the pc on lan 1
So pc 192.168.1.100
Lan 2 pc 192.168.3.10
From lan 2 pc you open RDP and use server address as 192.168.1.100 and connect
Now if this fails, it would mean RDP has not been opened in the pc firewall (test by using an internal pc on the .1 lan)
The above is also same for shares from pc etc...
I am guessing the vpn is still in nat and route mode but either should work for their purpose
What is it they are trying to achieve
Many thanks
John
-
Hi John, thanks for the reply, I'll get my brother to look at your reply.
Whichever site he's at he's trying to access a PC at the other site via RDP. He was previously using VPNs from within Windows, which did work but was problematic due to dynamic IP addresses, one site has been transferred to static now though.
-
Hi
Many thanks
I think he needs to relax his RDP from NLA to allow using any version of RDP
This should then allow RDP
Many thanks
John
-
Hi John, not quite sure if the above is relevant; as mentioned earlier we've established it's Windows firewall blocking the traffic.
Some more info, he can reach the NAS without issue, if he turns the Windows firewall off he can access the shared drives on the PC, if he creates rules on each respective PC to allow all traffic from the other subnet then everything works.
But what's the best/safest way to stop the firewall from blocking traffic from other subnets?
-
Hi ronski
I am sorry, not knowing the full setup or number of pc etc it’s kind of hard to say
However, based on 2 pc in 2 different locations connected by vpn I would
Open port 3389 incoming/outgoing
Remove the current rule which I assume was created using server to server
I prefer to keep things simple as possible and as long as RDP has not been opened to the outside world, and both pc have passwords then above should do the job
If you go to windows firewall, allow a program or feature through firewall and make sure RDP is enabled home/work private and public on each of the 2 pc
Make sure from system remote settings allow connections from computers running any version of Remote Desktop
Make sure any rules have been disabled or removed
Test
All should work
Outside world should not be routed to RDP in routers
Or if your rule sets work, then you're good and do not have to make any more changes
Please remember any RDP attack then would come from internal network (but it is very easy to establish a remote connection to a different pc on same network then start RDP protocol to gain access to other pc)
Many thanks
John
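An added example, not from any poster in the thread: a PowerShell version of the narrow rule set John describes (RDP on 3389, plus the file shares and ping Ronski mentions), scoped so the PC at site 1 only accepts that traffic from the site 2 subnet rather than "all traffic from the other subnet". It assumes Windows 10 (the NetSecurity cmdlets are not on Windows 7, which would need netsh advfirewall instead), default port 3389 for RDP, SMB on 445, and the two /24 subnets named earlier in the thread; the rule display names are made up here.

```powershell
# Added example for the thread's setup; run in an elevated PowerShell on the
# site 1 PC (192.168.1.x). On the site 2 PC swap in 192.168.1.0/24 instead.
# Assumptions: RDP on the default port 3389, file shares over SMB 445, and the
# far end of the LAN-to-LAN VPN is exactly the site 2 /24 from the thread.
$RemoteSite = '192.168.3.0/24'

# Drop any earlier rules with this (made-up) name prefix so reruns don't stack
Get-NetFirewallRule -DisplayName 'VPN-Site*' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# RDP inbound, only from the remote site. -Profile Any means the rule still
# applies if Windows has classified the VPN'd network as Public.
New-NetFirewallRule -DisplayName 'VPN-Site RDP in' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $RemoteSite -Profile Any -Action Allow

# SMB file sharing inbound, again only from the remote site
New-NetFirewallRule -DisplayName 'VPN-Site SMB in' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $RemoteSite -Profile Any -Action Allow

# ICMPv4 echo request (type 8) so the ping test from the other site answers
New-NetFirewallRule -DisplayName 'VPN-Site ping in' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $RemoteSite -Profile Any -Action Allow

# Check 1: confirm the remote scope actually applied to each new rule
Get-NetFirewallRule -DisplayName 'VPN-Site*' |
    Get-NetFirewallAddressFilter |
    Select-Object -Property InstanceID, RemoteAddress

# Check 2: list every enabled inbound allow rule for 3389 with its profile,
# so you can see nothing accepts RDP from arbitrary addresses on Public
# (John's "outside world" point; the router must not forward 3389 either)
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    Select-Object -Property DisplayName, Profile, Enabled
```

Check 1 should show RemoteAddress as the site 2 subnet for all three rules; if RDP still fails after this, the remaining suspects are the Remote Desktop setting itself (System > Remote settings) or the VPN not routing the .1 and .3 subnets to each other.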
-
Hi ronski
Sorry just reread and I think I understand better what you’ve posted sorry
Sorry I should say I have a very bad cold and cannot stop coughing which causes my head to hurt sorry
I think it may be a case that the firewall is only open to private and public, so place ticks in public for the shared and RDP and it should start to work on all networks except outside world unless it has been setup on firewall to allow external connections to them
Many thanks
John