ER8411 - troubles with L2TP VPN

2025-05-06 10:45:10 - last edited 2025-05-07 08:38:19
Model: ER8411  
Hardware Version: V1
Firmware Version: 1.1.0 Build 20230705 Rel.64091

I'm stuck!

 

This is my network configuration:

network configuration

 

On the LAN side everything works fine - I can reach every share I have to reach, I can access the internet.

Problem with my VPN is that I can get to VPN server, I get IP address for PC VPN client, I can reach resources on PC in VLAN1 (RTR), I can ping interfaces 172.25.1.253 and 172.25.1.254. And this is all I can reach.

I can reach neither VLAN2 (OFFICE2) nor VLAN3 (OFFICE3)!

And now I'm stuck.

What am I missing?

What's wrong with my configuration?

On the PC VPN Client (Windows 10) I have the box "Use default gateway in remote network" checked in the VPN network adapter settings.

VPN network adapter gets IP as shown above (and it should be this way), DNS's as configured in VPN Users for testuser, default gateway is 0.0.0.0.

I can access the internet from PC VPN Client (via remote network).

 

Can anyone help me?

Please, help me!

 

Pawel

#1
1 Accepted Solution
Re:ER8411 - troubles with L2TP VPN-Solution
2025-05-07 07:54:28 - last edited 2025-05-07 08:38:19

  @GRL 

@MR.S 

 

I think everything works fine! Thank you!

 

Here's what I did:

 

at L2TP server I've changed Local Network Type to Custom IP and I've added Local Networks I need to reach,

at VPN IP pool I've changed scope to 172.25.20.11 - 172.25.20.11

at VPN Users I've changed Local IP Address to 172.15.1.253 (LAN side IP of the router)

 

And it works, just like I said before :)

 

Now I have to upgrade the firmware.

 

Thanks again.

I think the topic may be considered closed.

 

Pawel

Recommended Solution
#9
8 Reply
Re:ER8411 - troubles with L2TP VPN
2025-05-06 11:11:18 - last edited 2025-05-06 11:18:48

  @ANAWA 

 

start by upgrading your router, it is so old and outdated and many problems have been fixed, the latest official version is 1.3.0

you can find it here

 

 

https://support.omadanetworks.com/en/product/er8411/v1/?resourceType=download

 

 

and I see you have overlapping networks, don't use a vpn ip pool that overlaps any of the other networks you have

 

You should also not create manual routers for VPN servers.

 

 

 

 

#2
Re:ER8411 - troubles with L2TP VPN
2025-05-06 11:51:11

  @ANAWA 

 

You also need to include all vlan ranges / networks in the "local networks" part of the VPN config.

 

And yes, update the firmware!

Main: ER8411 x1, SG3428X x1, SG3452 x1, SG2428LP x1, SG3210 x1, SG2218P x1, SG2008P x3, ES208G x1, EAP650 x6 Remote: ER7206 v2 x1, ER605 v2 x3, SG2008P x2, EAP650 x2, ES205G x1 Controller: OC300
#3
Re:ER8411 - troubles with L2TP VPN
2025-05-06 17:33:49

  @GRL 

GRL wrote

  @ANAWA 

 

You also need to include all vlan ranges / networks in the "local networks" part of the VPN config.

Well, I have just one VLAN on my ER8411 created by me: in my example this is VLAN1 (RTR) - the router ER8411 was meant to be "a router on the stick". 

Other VLANs are configured on DGS switches physical stack and they connect with the world via VLAN RTR (see Default route in DGS configuration).

I may be a m*r*n (this forum did not allow me to write a whole word, even about me), but I really don't understand your suggestion...

 

Anyway, thank you, hoping for more detailed explication.

Pawel

 

#4
Re:ER8411 - troubles with L2TP VPN
2025-05-06 17:50:37 - last edited 2025-05-06 17:58:26

  @ANAWA 

 

You have to include ALL vlan ip ranges you want accessible to a vpn in its "local networks" config, either as "networks" for vlans that are set as interfaces on the router itself, or as an IP range - which is more useful as you can include anything

If you don't add an IP range as locally accessible to a VPN, the router won't route traffic between the VPN and the vlan or IP address.

 

 

Here is one of mine. Top entry is a subnet remote to this router over another router<>router VPN,
second entry is a supernet of all my remote site LANs,
third entry is my modem's LAN side IP for GUI access remotely, upstream of this router's WAN port,

last entry is the LAN of this actual router.

As long as the router has routes of any kind (whether static return routes to switch only vlans, hosted interface vlans, or virtual addresses it doesn't host that exist on the other side of a VPN) you can include those ranges in the VPN. If you don't, the VPN clients will not ever be able to communicate with those ranges / IPs.

 

 

If you are needing to add switch-only vlans to the VPN, it usually helps to specifically include them in the switch default route as well, so, where you would normally have 0.0.0.0/0 > Router interface IP, you can also add 10.10.10.10/24 (example IP pool of a vpn) > router interface IP

#5
Re:ER8411 - troubles with L2TP VPN
2025-05-06 17:59:38

  @MR.S 

Upgrading the router seems to be a good first step, but I have to have a physical access to the router. In a few days, I think.

 

Now, by "overlapping networks" you meant that my VPN Address pool is in the same network that my RTR vlan is? 172.25.1.0?

Let's say I will change VPN Address pool to 172.25.10.11-172.25.10.11. What should be the Local IP Address (in the VPN Users section)? 172.25.1.252 or 172.25.1.253? The second one is the existing IP address of the LAN side of the router.

 

"You should also not create manual routers for VPN servers." - I think you meant "manual routes". Anyway, do you suggest that I should delete my static routes in Transmission -> Routing section? In my example configuration: section Routing, routes OFF2 and OFF3.

 

Thank you for responding so quickly.

 

Pawel

 

#6
Re:ER8411 - troubles with L2TP VPN
2025-05-06 18:06:57

  @GRL 

OMG!

You're so quick!

Your answer explains everything, I suppose ;)

 

I'll try this tomorrow and I'll get back to you.

 

Thanks

Pawel

#7
Re:ER8411 - troubles with L2TP VPN
2025-05-06 18:08:43 - last edited 2025-05-06 18:19:24

  @ANAWA 

 

Let me clarify Mr S's comment

 

Firstly, your VPN IP pools should be something completely separate to any actual vlans (whether hosted on the router or on a switch). It's perfectly fine to put them in something radically different. I see you are using 172.whatever, put the VPN pool in something else, like a 192.168.whatever

 

Also, you have a default route that points to .253? What is that? The router is .252, is it not? I can't make heads or tails of your IPs on the diagram.

 

EDIT:

If it were me, I would set your gateway routes like this

 

192.168.2.0 /23 > 172.25.1.254 (the IP of the switch), or you can just supernet it into 192.168.0.0/16 > switch to cover future expansion

#8
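The checks described in replies #5 and #8 (VPN pool kept out of every VLAN range, every VLAN listed in the VPN's local networks, and a switch route back towards the pool) can be run against an address plan before touching the router. This is an added example, not part of the thread or of any TP-Link tooling; the function names, the /24 masks, the OFFICE2/OFFICE3 subnets and the "before" pool range are assumptions constructed for illustration.

```python
import ipaddress as ip

def pool_blocks(first, last):
    """CIDR blocks covering an inclusive VPN pool range."""
    return list(ip.summarize_address_range(ip.ip_address(first), ip.ip_address(last)))

def audit(vlans, pool, local_networks, switch_routes):
    """Return findings for a VPN address plan; an empty list means it is consistent.

    vlans:          {name: CIDR} for every VLAN, router-hosted or switch-only
    pool:           (first_ip, last_ip) of the VPN IP pool
    local_networks: CIDRs entered as local networks on the VPN server
    switch_routes:  destination CIDRs the L3 switch forwards to the router
    """
    findings = []
    blocks = pool_blocks(*pool)
    allowed = [ip.ip_network(n) for n in local_networks]
    routes = [ip.ip_network(r) for r in switch_routes]

    for name, cidr in vlans.items():
        net = ip.ip_network(cidr)
        # A pool inside a real VLAN range makes replies ambiguous.
        if any(b.overlaps(net) for b in blocks):
            findings.append(f"pool overlaps {name} ({net})")
        # A VLAN not covered by the local networks list is not routed to VPN clients.
        if not any(net.subnet_of(a) for a in allowed):
            findings.append(f"{name} ({net}) missing from VPN local networks")

    # Switch-only VLANs need a route back to the pool (a default route counts).
    for b in blocks:
        if not any(b.subnet_of(r) for r in routes):
            findings.append(f"switch has no return route for pool block {b}")
    return findings

# Constructed sample plan: masks and OFFICE subnets are assumed, not from the thread.
VLANS = {"RTR": "172.25.1.0/24", "OFFICE2": "192.168.2.0/24", "OFFICE3": "192.168.3.0/24"}
BEFORE = audit(VLANS, ("172.25.1.11", "172.25.1.20"), ["172.25.1.0/24"], ["0.0.0.0/0"])
AFTER = audit(VLANS, ("172.25.20.11", "172.25.20.11"),
              ["172.25.1.0/24", "192.168.2.0/23"], ["0.0.0.0/0"])

if __name__ == "__main__":
    for label, result in (("before", BEFORE), ("after", AFTER)):
        print(label, result or "no findings")
```

The local networks list also defines what VPN users can reach, so listing only the ranges they need keeps the VPN scope narrow.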