ER8411 FW 1.3.3 & 1.3.6 - ER605v2 FW 2.3.1 - VPN Passthrough on Windows / macOS not working
ER8411 Firmware 1.3.3, 1.3.5 and 1.3.6 & ER605 v2 Firmware 2.3.1 – VPN Passthrough issues
Testing began on a completely factory reset ER8411 running 1.3.6 – no configs. Not even the initial login user/password set, standalone mode.
Identical testing on ER605 v2 running 2.3.1 with the exact same results. Documenting ER8411 here.
Topology:
Modem <WAN 4> ER8411 <LAN 11> PC
No other devices on network
From the factory reset state.
IPSec Client to Site VPN connected successfully – Connected to VPN server on ER7206 at independant location - not an omada site, Client-To-Site mode, Target IP range 192.168.1.X
--- Success – can ping and access remote devices and GUIs ---
Now, Gateway will have its default LAN changed to match my omada site management vlan and adopted to controller with its proper IP
VPN is now reconnected – Remote range still 192.168.1.X
Ping to the remote gateway 192.168.1.1 is successful
CANNOT load the GUI for it, or for anything else on that network
All ACLs are disabled, there are no NAT rules
Disabling IDS/IPS – no change
Disabling All ER8411 VPNs – no change
I have attached a wireshark capturing VPN connection and then attempting to load web GUIs of devices over the VPN
Results replicated on ER605v2 FW 2.3.1 as well in an identical scenario
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Things get more bizzare!
I hooked up my factory reset 605 running 2.3.1, running it totally in standalone mode
Default MTU of 1500 - all VPNs work to Omada and Draytek Gateways (pure IPsec only VPNs though)
WAN MTU of 1352 - optimal for my ISP and was broken on ER8411 - all vpns work properly
Remote ER605 running 2.3.1 pure IPsec dial in VPNs - working on all WAN MTU
Remote ER605 running 2.3.1 L2TP VPNs - not working with any WAN MTU, at either end
I think we have 2 issues
ER605 2.3.1 - broken L2TP VPN MTU size
ER8411 1.3.3/1.3.6 - WAN MTU settings effect VPNs on clients
- Copy Link
- Report Inappropriate Content
Well, I'm a little confused here now, I'm behind a UX7 from Unifi, so it, like the ER8411 and ER605, can't connect, but I set up an L2TP server on an ER706w which also has an MTU of 1380. but I can connect to it, I can't connect to the ER707-M2 with an MTU of 1380. so I don't really understand what's going on.
I have disabled SD-WAN and all other VPNs on the routers I'm testing with.
I think I'll wait until you're done with your test :-)
but I think an MTU of 1400 would have been a better choice for the Omada routers L2TP Server
L2TP to a ER706W
- Copy Link
- Report Inappropriate Content
High strangeness indeed!
I think its safe to say that ER605 2.3.1 has a broken L2TP implementation though, definitely something wrong with it...
ER8411 has a Broken WAN MTU implementation since i dont see the same issue on ER605....
- Copy Link
- Report Inappropriate Content
I'm sure there is something. But for me it's not a problem. I stopped using L2TP many years ago, but it might be good to report our findings to the Omada team.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 271
Replies: 24
Voters 0
No one has voted for it yet.