Can Site to Site VPN work with 2xER605 but only main branch has public ip?

Can Site to Site VPN work with 2xER605 but only main branch has public ip?

Can Site to Site VPN work with 2xER605 but only main branch has public ip?
Can Site to Site VPN work with 2xER605 but only main branch has public ip?
2022-09-15 03:24:37 - last edited 2022-09-16 15:23:05
Tags: #VPN
Model: ER605 (TL-R605)  
Hardware Version: V1
Firmware Version: 1.2.1 Build 20220512 Rel.76748

Can Site to Site VPN work with 2xER605 but only main branch has public ip?

  0      
  0      
#1
Options
1 Accepted Solution
Re:Can Site to Site VPN work with 2xER605 but only main branch has public ip?-Solution
2022-09-16 06:04:25 - last edited 2022-09-16 15:23:05

  @shifter 

 

Under normal circumstances, a public IP at both ends is best. This is because we need to ensure that the WAN IPs at both sides are accessible to each other.

However, there are special cases where the WAN IP at one end is a private IP, so the public IP at the other end has no access to the private IP, which means that it can not establish the VPN tunnel.

In this moment, we need to open a port for this private IP on the device in front of this private IP, and then use the public WAN IP of this device in front of this private IP to set up a VPN with the WAN IP at the other end.

 

Public WAN IP----------------VPN----------------Front device(Public WAN IP---SET port forwarding)---Private WAN IP

Recommended Solution
  0  
  0  
#4
Options
3 Reply
Re:Can Site to Site VPN work with 2xER605 but only main branch has public ip?
2022-09-15 09:17:52

  @shifter 

 

Yes, you can use 2 ER605 to set the site-to-site VPN, just need to note that set the port forwarding rule on the NAT device in front of ER605 which has private IP.

Open the port for R605's WAN IP on the front-end devices.

  0  
  0  
#2
Options
Re:Can Site to Site VPN work with 2xER605 but only main branch has public ip?
2022-09-15 20:31:59
Does this mean that public ip is required on both ends? The problem is that remote site only has fixed LTE internet source that uses CGNAT. I have no way forwarding port from its public ip directly to the ER605. Is there a work around? Can the Omada Cloud Controller solve this?
  0  
  0  
#3
Options
Re:Can Site to Site VPN work with 2xER605 but only main branch has public ip?-Solution
2022-09-16 06:04:25 - last edited 2022-09-16 15:23:05

  @shifter 

 

Under normal circumstances, a public IP at both ends is best. This is because we need to ensure that the WAN IPs at both sides are accessible to each other.

However, there are special cases where the WAN IP at one end is a private IP, so the public IP at the other end has no access to the private IP, which means that it can not establish the VPN tunnel.

In this moment, we need to open a port for this private IP on the device in front of this private IP, and then use the public WAN IP of this device in front of this private IP to set up a VPN with the WAN IP at the other end.

 

Public WAN IP----------------VPN----------------Front device(Public WAN IP---SET port forwarding)---Private WAN IP

Recommended Solution
  0  
  0  
#4
Options

Information

Helpful: 0

Views: 81

Replies: 3

Tags

Related Articles