Home

Forums

Stories

Knowledge Base

Business Community > All Threads > ER605 - VPN passthrough vs one domain

< All Threads

ER605 - VPN passthrough vs one domain

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

ER605 - VPN passthrough vs one domain

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Xexus

2024-01-20 08:11:03 - last edited 2024-02-29 01:39:13

Posts: 7

Helpful: 1

Solutions: 1

Stories: 0

Registered: 2024-01-20

ER605 - VPN passthrough vs one domain

2024-01-20 08:11:03 - last edited 2024-02-29 01:39:13

Tags: #VPN #Routing

I have an unusual issue. My work requires I first connect to the company VPN, and then to a Cisco AnyConnect VPN to access other tools. With the ER605 having VPN passthough on my default, all used to work fine. Then sometime last year, I find that some sites and apps that once worked over AnyConnect no longer do. My solution was to add a second router (A NetGear in this case) that connects to the same ER605. It seems to only fail getting do a small (but important) number of svcs on the work network, and only when AnyConnect is engaged.

I don't do anything special with this ER605 other than assign static IPs on the LAN. I've tried putting the PC in the DMZ without success. Even tried putting the ER605 to factory defaults once, and still no luck. Our engineers didn't have a solution except to suggest adding a second router on the DMZ. The DMZ didn't seem to matter though, I've disabled it and the second router still functions fine.

As I have a working solution, I'm loathe to blame anything outside of my LAN. Typically I'd include all the specs and firmware info, but really I'm just interested in anyone's thoughts on why adding a second router between the PC and ER605 vs a direct connection to the ER605 would be actually be a solution.

13 Reply

Xexus

LV1

2024-01-31 12:30:29 - last edited 2024-01-31 12:39:13

Posts: 7

Helpful: 1

Solutions: 1

Stories: 0

Registered: 2024-01-20

Re:ER605 - VPN passthrough vs one domain

2024-01-31 12:30:29 - last edited 2024-01-31 12:39:13

@MR.S

sorry for the late reply.

The list of routes is quite large, including large swaths of 10.x.x.x subnets. I also use 10.x.x.x on my LAN.

Someone once suggested that could be an issue, but I figured that surely many people use the 10.x.x.x scheme. Perhaps I should give that another thought. I do see a range that's not in the unsecured list, and changing a static IP on the LAN side is certainly a small enough amount of effort to give it a try later today.

Edit: That said, the list of secured routes includes: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, so maybe I shouldn't raise my expectations too high on that

#12

MR.S

LV5

2024-01-31 13:38:58

Posts: 2133

Helpful: 770

Solutions: 271

Stories: 0

Registered: 2018-08-17

Re:ER605 - VPN passthrough vs one domain

2024-01-31 13:38:58

@Xexus

if you use the whole rfc1918 (all private ips) then you will have problems if you want to reach other private ip networks outside vpn tunnel, so if you can limit which ip is secure then it might work :-)

#13

Xexus

LV1

2024-02-27 12:20:36 - last edited 2024-02-27 12:23:52

Posts: 7

Helpful: 1

Solutions: 1

Stories: 0

Registered: 2024-01-20

Re:ER605 - VPN passthrough vs one domain-Solution

2024-02-27 12:20:36 - last edited 2024-02-27 12:23:52

@MR.S

Just wanted to follow up and note that I did find a solution.

First I upgraded to an ER7302: which by itself didn't fix the issue, but that alone increased my VPN speeds nearly twice fold.

Then I created a VLAN in the router to issue DHCP addresses in the 198.168.x.x range to the VLAN members. Although the AnyConnect routes listed all private IP ranges as secure, this was the change that worked.

Thanks for exploring this with me :)

ER605 - VPN passthrough vs one domain

ER605 - VPN passthrough vs one domain

Information

Voters 0

Tags