Author Topic: Draytek site to site VPN help  (Read 2561 times)

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4305
Draytek site to site VPN help
« on: December 18, 2019, 08:30:38 PM »

My brother has recently purchased two Draytek Vigor 2926 routers on my advice. One for his home (site 1 - dynamic IP address*) and one for his partner's (site 2 - static IP address).

As he spends his time between both sites he needs easy access to each site's devices from the other.

Site 1 is on the subnet of 192.168.1.x
Site 2 is on the subnet of 192.168.3.x

Now he's set up the site to site VPN following this guide (you need to login) I believe. Now it is connecting, and he can access the other site's routers, but cannot access the PC there, or even get a response when pinging it.

Any ideas please, or do you need more info?

*When his current contract is up for renewal in a few months he will move to an ISP with static IP.
Logged
Formerly restrained by ECI and ali,  now surfing along at 550/52  ;D

d2d4j

  • Kitizen
  • ****
  • Posts: 1103
Re: Draytek site to site VPN help
« Reply #1 on: December 18, 2019, 09:20:21 PM »

Hi ronski

You only need 1 static IP at one end of the site to site (I take it you set it up as LAN to LAN VPN) and the dynamic you get to make the call to create the VPN to the static.

Once connected, all devices should be accessible at both ends.

More details would be needed though, but please remember, you access devices/shares as though you're on their network, e.g. LAN 1 192.168.1.x or 192.168.3.x

You can even create the printers to work at both ends

If you cannot ping devices, have a look at vpn connection status to make sure it’s fully connected.

I hope that makes sense

Many thanks

John
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4305
Re: Draytek site to site VPN help
« Reply #2 on: December 19, 2019, 06:28:25 AM »

Thanks John.

He sent me this overnight.

Quote
OK, it's because the Lan2Lan VPN requires that each end be on a different subnet but then Windows firewall rules require them to be on the same subnet. Aghhh! Turn off Windows FW and it works.
But what's the correct solution?

He's using Windows 7 and 10. Any thoughts please?
Logged
Formerly restrained by ECI and ali,  now surfing along at 550/52  ;D

g3uiss

  • Kitizen
  • ****
  • Posts: 1151
  • You never too old to learn but soon I may be
    • Midas Solutions
Re: Draytek site to site VPN help
« Reply #3 on: December 19, 2019, 08:58:58 AM »

John’s the expert on this!

I’ve never had any firewall issues. However it would be a simple rule to allow the connection in both directions on all ports restricted to the 2 subnets.

If you use ipconfig /all you should see the subnets on both ends. Are you using site to site or is one end accessing the other's router?

Tony
Logged
Cerebus FTTP 500/70 Draytec 2927 VOXI 4G fallback.

d2d4j

  • Kitizen
  • ****
  • Posts: 1103
Re: Draytek site to site VPN help
« Reply #4 on: December 19, 2019, 09:37:27 AM »

Hi

@ guise many thanks but I never consider myself an expert sorry. I think we all learn (or relearn) new things everyday. I also know your knowledge is extremely high

I think it might be a lack of understanding how vpn works sorry

The VPN joins the 2 networks and each are on their own subnet.

If, as an example, on LAN 1 they wanted to use RDP on a PC from LAN 2, then they would use the internal IP address for the PC on LAN 1.

So pc 192.168.1.100

Lan 2 pc 192.168.3.10

From lan 2 pc you open RDP and use server address as 192.168.1.100 and connect

Now if this fails, it would mean RDP has not been opened in the pc firewall (test by using an internal pc on the .1 lan)

The above is also same for shares from pc etc...

I am guessing the VPN is still in NAT and route mode but either should work for their purpose.

What is it they are trying to achieve?

Many thanks

John
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4305
Re: Draytek site to site VPN help
« Reply #5 on: December 19, 2019, 10:12:47 AM »

Hi John, thanks for the reply, I'll get my brother to look at your reply.

Whichever site he's at he's trying to access a PC at the other site via RDP. He was previously using VPNs from within Windows, which did work but was problematic due to dynamic IP addresses, one site has been transferred to static now though.
Logged
Formerly restrained by ECI and ali,  now surfing along at 550/52  ;D

d2d4j

  • Kitizen
  • ****
  • Posts: 1103
Re: Draytek site to site VPN help
« Reply #6 on: December 19, 2019, 10:27:08 AM »

Hi

Many thanks

I think he needs to relax his RDP from NLA to allow using any version of RDP

This should then allow RDP

Many thanks

John
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4305
Re: Draytek site to site VPN help
« Reply #7 on: December 19, 2019, 07:23:09 PM »

Hi John, not quite sure if the above is relevant as mentioned earlier we've established it's Windows firewall blocking the traffic.

Some more info, he can reach the NAS without issue, if he turns the Windows firewall off he can access the shared drives on the PC, if he creates rules on each respective PC to allow all traffic from the other subnet then everything works.

But what's the best/safest way to stop the firewall from blocking traffic from other subnets?
Logged
Formerly restrained by ECI and ali,  now surfing along at 550/52  ;D
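
A narrower alternative to an allow-all rule for the other subnet, as an added example that is not part of any post in this thread: inbound allow rules limited to RDP, file sharing and ping, and only from the remote site's LAN. The rule-name prefix, the /24 masks and the Private profile are assumptions; `netsh advfirewall` is used so the same commands work on both Windows 7 and Windows 10.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell prompt.
# Settings below are for the PC at site 1 (192.168.1.x); on the site 2 PC
# set $RemoteSubnet to 192.168.1.0/24 instead.
# Assumptions: /24 masks (implied by 192.168.1.x / 192.168.3.x), and the
# PC's LAN connection uses the Private firewall profile.
$RemoteSubnet = '192.168.3.0/24'
$Profile      = 'private'
$Prefix       = 'VPN-peer-LAN'    # hypothetical rule-name prefix, no spaces

function Add-PeerRule($Name, $Protocol, $Port) {
    $full = "$Prefix-$Name"
    # Remove any earlier copy so re-running the script does not stack duplicates.
    & netsh advfirewall firewall delete rule "name=$full" | Out-Null
    $a = @('advfirewall', 'firewall', 'add', 'rule', "name=$full",
           'dir=in', 'action=allow', "protocol=$Protocol",
           "remoteip=$RemoteSubnet", "profile=$Profile")
    if ($Port) { $a += "localport=$Port" }
    & netsh $a
}

Add-PeerRule 'RDP'  'TCP' '3389'          # Remote Desktop
Add-PeerRule 'SMB'  'TCP' '445'           # shared drives
Add-PeerRule 'Ping' 'icmpv4:8,any' $null  # ICMPv4 echo request only

# Confirm the scope that was applied (RemoteIP should show the peer subnet).
& netsh advfirewall firewall show rule "name=$($Prefix)-RDP"
```

Because each rule carries `remoteip=` for the peer subnet, nothing is opened to other networks, and the rules can be removed later with `netsh advfirewall firewall delete rule` using the same names.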

d2d4j

  • Kitizen
  • ****
  • Posts: 1103
Re: Draytek site to site VPN help
« Reply #8 on: December 19, 2019, 08:44:31 PM »

Hi ronski

I am sorry, not knowing the full setup or number of pc etc it’s kind of hard to say

However, based on 2 pc in 2 different locations connected by vpn I would

Open port 3389 incoming/outgoing

Remove the current rule which I assume was created using server to server

I prefer to keep things simple as possible and as long as RDP has not been opened to the outside world, and both pc have passwords then above should do the job

If you go to Windows firewall, allow a program or feature through firewall and make sure RDP is enabled home/work private and public on each of the 2 PCs

Make sure from system remote settings allow connections from computers running any version of Remote Desktop

Make sure any rules have been disabled or removed

Test

All should work

Outside world should not be routed to RDP in routers

Or if your rule sets work, then you're good and do not have to make any more changes

Please remember any RDP attack then would come from internal network (but it is very easy to establish a remote connection to a different pc on same network then start RDP protocol to gain access to other pc)

Many thanks

John
Logged

d2d4j

  • Kitizen
  • ****
  • Posts: 1103
Re: Draytek site to site VPN help
« Reply #9 on: December 19, 2019, 09:18:23 PM »

Hi ronski

Sorry just reread and I think I understand better what you’ve posted sorry

Sorry I should say I have a very bad cold and cannot stop coughing which causes my head to hurt sorry

I think it may be a case that the firewall is only open to private and public, so place ticks in public for the shared and RDP and it should start to work on all networks except outside world unless it has been setup on firewall to allow external connections to them

Many thanks

John
Logged
 
