Extend local network across a secondary network using 2 x ER605

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-02-03 16:21:46
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.0.0 Build 20220106 Rel.56391

Hello there.

I got a little stuck trying to find an optimal setup for the following situation. I would like to ask if anyone has any good tips for me.

Our organisation has two locations that are relatively close to each other.

A different network than our own runs through the buildings of both locations, with high-speed switches on either side belonging to the same LAN.

That is a local network run by one of the other businesses, but I have permission to use the infrastructure to extend our own network across it.

Naturally we want to separate our own network from the other businesses' network, so I have purchased two ER605 routers to set up a VPN tunnel I can run across the external network, so we can securely extend our own headquarters network to the secondary location and provide it with internet access from our primary location.

Our primary location has a decent internet connection with a pfSense firewall. So the goal is not only to extend our own network across the VPN but also to allow the secondary location to use the VPN for internet access using our headquarters line. The following schematic shows my intended use for these units. I want hosts at both Location A and Location B to reach each other as if connected locally, and I want the hosts at Location B to be able to access the internet as well through the tunnel.

INTERNET
|
pfSense Firewall HQ Location A [10.10.10.1]
|
<LAN LOCATION A [10.10.10.0/24]>
|
(LAN [10.10.10.15])
[[ ER605 ]]
(WAN [172.30.30.30/30])
|
>>Untrusted LAN<<
|
(WAN [172.30.30.29/30])
[[ ER605 ]]
(LAN [10.20.20.1])
|
<LAN LOCATION B [10.20.20.0/24]>

Now I have set up a LAN-to-LAN IPsec VPN, and this does work partially. I can reach all the hosts on either LAN. But hosts at Location B are not able to reach the pfSense firewall IP, or indeed the internet, across this IPsec tunnel. I have played around with gateway and DNS settings for the tunnel and LAN on the ER605 in Location B, but I cannot seem to get any connectivity to the internet router or DNS server at Location A. I suspect there is something I am missing about LAN-to-LAN IPsec tunnels in general, or the specific implementation in these routers, that is preventing me from achieving my goal here. Should I attempt a different type of VPN, or is there anything else obvious I am missing?

Any help to point me in the right direction would be greatly appreciated. Thanks in advance.

#1
Re:Extend local network across a secondary network using 2 x ER605
2023-02-06 08:18:18 - last edited 2023-02-06 08:19:07

  @NetworkInPlux 

ER605 won't use IPsec VPN as the WAN. So clients in LOCATION B will try to get Internet through the "Untrusted LAN", that's not correct.

You can try L2TP LAN-to-LAN connection on these two TP-Link routers. Then set up a policy routing on Location B router (as VPN client). On Policy routing you can force the clients using VPN to obtain Internet (set up VPN tunnel as the clients' WAN).

But you know, I did not really test it. I just "think" why it did not work and how to solve it. Don't blame me if it's not the issue XD

#2
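The behaviour described in the original post (hosts on both LANs reach each other through the LAN-to-LAN IPsec tunnel, but Location B's internet-bound traffic never does) and the fix proposed in reply #1 (use the tunnel as the clients' WAN via a policy route) can be checked with a small path-selection model. The following Python is an added example written for this thread; it is not code from the thread, from TP-Link or from the ER605 firmware. It models the Location B ER605 with the addresses from the original post's schematic; everything else is this example's own assumption: that policy-based IPsec selectors are consulted before the routing table (the usual LAN-to-LAN IPsec semantics), the interface names lan/wan/l2tp, the documentation-range sample destinations, and the rule that an L2TP tunnel only counts as protected when it runs over IPsec.

```python
"""Added example: which path does a Location B packet take on the Location B ER605?

Three outcomes are distinguished: carried inside the VPN (protected across the
untrusted LAN), forwarded onto the untrusted LAN via the WAN port in cleartext,
or delivered on the local LAN.  Assumptions are marked in the comments.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class IpsecPolicy:
    """One LAN-to-LAN IPsec selector pair: local subnet <-> remote subnet."""
    local: IPv4Network
    remote: IPv4Network


@dataclass(frozen=True)
class Route:
    """Routing-table entry. 'via' is an egress name: lan, wan (untrusted LAN) or l2tp."""
    prefix: IPv4Network
    via: str


@dataclass
class RouterB:
    ipsec: List[IpsecPolicy]
    routes: List[Route]
    l2tp_encrypted: bool = False  # assumption: only L2TP-over-IPsec protects payload

    def egress(self, src: IPv4Address, dst: IPv4Address) -> Tuple[str, bool]:
        """Return (egress, protected) for a src->dst packet."""
        # Assumption: policy-based IPsec is matched before any route lookup, so
        # only traffic inside a selector pair is ever encrypted by the tunnel.
        for pol in self.ipsec:
            if src in pol.local and dst in pol.remote:
                return ("ipsec", True)
        # Everything else follows the routing table (longest-prefix match).
        candidates = [r for r in self.routes if dst in r.prefix]
        if not candidates:
            return ("drop", False)
        best = max(candidates, key=lambda r: r.prefix.prefixlen)
        if best.via == "l2tp":
            return ("l2tp", self.l2tp_encrypted)
        return (best.via, False)  # lan or wan: no protection applied by the router


# Addresses from the original post's schematic.
LAN_A = ip_network("10.10.10.0/24")
LAN_B = ip_network("10.20.20.0/24")
UNTRUSTED = ip_network("172.30.30.28/30")  # the /30 shared by the two WAN ports


def ipsec_lan_to_lan() -> RouterB:
    """Original post's setup: selector LAN_B <-> LAN_A, default route out of the WAN."""
    return RouterB(
        ipsec=[IpsecPolicy(LAN_B, LAN_A)],
        routes=[Route(LAN_B, "lan"), Route(ip_network("0.0.0.0/0"), "wan")],
    )


def l2tp_with_policy_route(encrypted: bool = True) -> RouterB:
    """Reply #1's suggestion: a policy route sends everything into the tunnel; the WAN
    only needs to reach the tunnel peer on the untrusted /30."""
    return RouterB(
        ipsec=[],
        routes=[Route(LAN_B, "lan"), Route(UNTRUSTED, "wan"),
                Route(ip_network("0.0.0.0/0"), "l2tp")],
        l2tp_encrypted=encrypted,
    )


def audit(router: RouterB, src: str, dsts: List[str]) -> Dict[str, Tuple[str, bool]]:
    """Classify each destination for a host at Location B."""
    s = ip_address(src)
    return {d: router.egress(s, ip_address(d)) for d in dsts}


def cleartext_leaks(router: RouterB, src: str, dsts: List[str]) -> List[str]:
    """Destinations that would leave Location B unprotected onto the untrusted LAN."""
    return [d for d, (egress, protected) in audit(router, src, dsts).items()
            if egress != "lan" and not protected]


# Constructed sample destinations: a Location B host, the pfSense firewall, a
# Location A host, and two internet addresses from the documentation ranges.
SAMPLE_DESTINATIONS = ["10.20.20.7", "10.10.10.1", "10.10.10.50",
                       "198.51.100.53", "203.0.113.10"]

if __name__ == "__main__":
    configs = [("IPsec LAN-to-LAN", ipsec_lan_to_lan()),
               ("L2TP/IPsec + policy route", l2tp_with_policy_route(True)),
               ("plain L2TP + policy route", l2tp_with_policy_route(False))]
    for label, router in configs:
        print(f"== {label} ==")
        for d, (egress, protected) in audit(router, "10.20.20.50", SAMPLE_DESTINATIONS).items():
            print(f"  {d:>14} -> {egress:5} {'protected' if protected else 'CLEARTEXT'}")
        print("  cleartext leaks:", cleartext_leaks(router, "10.20.20.50", SAMPLE_DESTINATIONS))
```

With the IPsec LAN-to-LAN configuration the model sends 10.10.10.1 through the tunnel but both internet destinations out of the WAN port onto the untrusted LAN, which is the situation reply #1 describes; with the default route pointed at the tunnel nothing leaves unprotected, provided the L2TP tunnel itself is protected by IPsec.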
Re:Extend local network across a secondary network using 2 x ER605
2023-02-16 14:18:57 - last edited 2023-02-16 14:21:06

Thanks for your suggestion, @Somnus, based on what you wrote I have been playing around with the two ER605 units a little more.

I have now also set them up as L2TP server on Location A and client on Location B, while both units have only an IP address and a subnet mask on their WAN port. This also works in part: the units will set up an L2TP VPN nicely, and I am able to ping the internet router through the VPN. DNS requests from hosts in Location B are resolved by the firewall in Location A through the VPN.

However, web browsing or reaching anything else on the internet past the internet firewall in Location A from a client in Location B, on the far side of the VPN behind one of the ER605s, seems to still not work.

I suppose it would be more logical if the WAN port on the unit in Location B directly worked as a dial-up for the L2TP connection. But if I have the L2TP setup described above working, and change Location B's ER605 from VPN client to the WAN port acting directly as a dial-up WAN port to the L2TP server on the ER605 in Location A, I cannot get it to connect at all.

It is strange to me, as it seems like a pretty common use for these VPN routers: to extend your private network over an untrusted network, and in my case to share the internet connection infrastructure and existing firewall security from Location A with Location B over it. But somehow I am not managing to get this to work properly with these units.

#3
Re:Extend local network across a secondary network using 2 x ER605
2023-03-10 13:55:55

  @NetworkInPlux 

I am completely lost here. I set up a firewall policy allowing all traffic in all directions on both units.

After this I have tried setting the two units up as L2TP client and server; the tunnel establishes correctly, but on the client side none of the clients on the LAN can reach anything on the other side.

I have also tried setting up an OpenVPN connection between the two units, with the server side set to full mode. Again the tunnel sets up correctly, but none of the hosts on the LAN side of the client unit can reach anything on the server side.

I just need to set up a VPN across a foreign network, to extend our HQ LAN and share our internet infrastructure with the second location. I did not think it would be this much of an issue to accomplish this. Can anyone point me in the right direction, so I can extend my headquarters LAN over a foreign LAN using these VPN routers? Or should I bin them?

#4