loveit

asked on

Advice needed on how to investigate a VPN/Firewall problem

The original setup:

2 Windows XP PCs connected via 100Mbit network switch.
Broadband internet connection provided by a router.
The PCs each have standard 100Mbit network cards, TCP/IP and default gateway/IP Address/DNS information loaded from the router via DHCP.

Can ping each PC and Router from each other without any problems (all on 192.168 network).

The change to one of the PCs:

Installed AT&T Global Network Client and Firewall configured for VPN access over my existing Internet connection.
Configured the AT&T Firewall software to be enabled only on the Wan Miniport (i.e., the VPN) connection and NOT the local network card.

The problem following the change:
Everything works fine when the VPN connection is not connected.
Upon connection, the PC that is connected can no longer ping the other PC and vice versa.
The VPN connection itself works fine and I can ping other remote systems on the connected network.
Once VPN is disconnected, I can ping to/from the PC as normal again.

ipconfig when connected via VPN:
The local network card shows its DHCP allocated 192.168.x.x IP address (from the router) and the router as the default gateway, i.e., no change to when not connected.
The Wan Miniport connection shows its DHCP allocated 192.168.x.x IP address (from AT&T) not conflicting with any local addresses and a blank default gateway.

Can anyone suggest how I can continue to use my local network whilst connected over VPN to a remote network?

If not, can anyone suggest what steps I can take to find out where/how the pings are getting blocked when connected, i.e., how far does the traffic get, what are the responses? Is there any network diagnostic software (preferably freeware) that is recommended for resolving this type of issue.

Any help would be much appreciated.
Pete Long

Is this VPN using a particular port number? If so, you will need the router to forward all incoming traffic on that port number to the client on YOUR network :)
loveit

ASKER

The router is acting correctly when connected to the VPN in that all access to the VPN connected network is fully working. It is accessing PCs on my local area network, to/from the PC that has the active VPN connection at the time, that is failing. Can I conclude therefore that the router allowing incoming traffic on the VPN port is not the problem?
Everything is working as it should be; for security purposes, most VPN clients disable LAN access when connected. This prevents tunnel hijacking from people inside the LAN. This is by design, though some clients and tunnels allow what is called split tunneling; you can check and see if the client has this option.

ASKER

The VPN client software does not appear to have any options to split or re-enable LAN access whilst connected.

Are there any other suggestions as to how I might achieve simultaneous access to my LAN and the VPN from a single PC? Would a second network card make any difference?
ASKER CERTIFIED SOLUTION
ewtaylor


ASKER

Thanks. I guess I will just have to live with this or have a separate PC for VPN access.
You might be able to switch your internal LAN network to a 10.xxx.xxx.xxx network and then, using a route statement, get local LAN access. How hard would it be to change the IP addressing scheme, i.e. how many clients?

ASKER

It's all DHCP so I can just change the pool to a 10.x.x.x network. From your suggestion, I assume that the VPN only closes down access to addresses on the same network and not to the LAN card itself, so trying a new network may work. I'll report back with the outcome when I get a chance to re-boot my net.
Yes, we may need to tweak the routing table.
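The renumbering suggestion and the "tweak the routing table" remark both come down to how Windows picks a route: the longest matching prefix wins, and among equal prefixes the lowest metric wins. The script below is an added example, not from the thread or from the AT&T client, that parses constructed `route print`-style tables and shows which adapter a LAN peer's packets would leave through before the VPN is up, while it is up with an assumed overlapping 192.168.1.0/24 route pushed by the tunnel, and after the LAN is renumbered to 10.0.0.0/24. All addresses, metrics and the overlap itself are constructed for illustration; a route table cannot show packets that the client's firewall drops after routing.

```python
"""Route-selection walk-through for the LAN-vs-VPN symptom in this thread.
Constructed tables modelled on Windows 'route print' output; nothing here was
captured from the asker's machines."""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    interface: str   # IP of the local adapter the route sends traffic out of
    metric: int


# Constructed: LAN adapter 192.168.1.10 behind a broadband router at 192.168.1.1.
LAN_ONLY = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.10      20
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.10   192.168.1.10      20
"""

# Constructed: VPN up. The tunnel adapter gets 192.168.200.7 and the client installs a
# route to a remote 192.168.1.0/24 (assumed overlap with the home LAN) at a lower metric.
VPN_UP_OVERLAP = LAN_ONLY + """
     192.168.200.0    255.255.255.0    192.168.200.7  192.168.200.7       1
       192.168.1.0    255.255.255.0    192.168.200.1  192.168.200.7       1
"""

# Constructed: same VPN routes after the home LAN was renumbered to 10.0.0.0/24.
VPN_UP_RENUMBERED = """
          0.0.0.0          0.0.0.0         10.0.0.1      10.0.0.10      20
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
         10.0.0.0    255.255.255.0        10.0.0.10      10.0.0.10      20
     192.168.200.0    255.255.255.0    192.168.200.7  192.168.200.7       1
       192.168.1.0    255.255.255.0    192.168.200.1  192.168.200.7       1
"""


def parse_route_print(text: str) -> List[Route]:
    """Parse the IPv4 table of 'route print'. Header, blank and 'Default Gateway'
    lines do not have exactly five fields (or are not addresses) and are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        dest, mask, gateway, interface, metric = fields
        try:
            network = ipaddress.IPv4Network((dest, mask), strict=False)
            routes.append(Route(network, gateway, interface, int(metric)))
        except ValueError:
            continue
    return routes


def select_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Windows-style selection: longest matching prefix wins; ties go to the lowest metric."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def egress_interface(table: str, destination: str) -> Optional[str]:
    """Adapter address that packets to `destination` would leave through."""
    route = select_route(parse_route_print(table), destination)
    return route.interface if route else None


def routes_added(before: str, after: str) -> List[Route]:
    """Entries present only in the 'after' table: what the VPN client installed."""
    old = set(parse_route_print(before))
    return [r for r in parse_route_print(after) if r not in old]


if __name__ == "__main__":
    peer = "192.168.1.20"
    print("LAN only, to", peer, "->", egress_interface(LAN_ONLY, peer))
    print("VPN up, to", peer, "->", egress_interface(VPN_UP_OVERLAP, peer))
    for r in routes_added(LAN_ONLY, VPN_UP_OVERLAP):
        print("  added by VPN:", r.network, "via", r.gateway, "metric", r.metric)
    print("VPN up, LAN renumbered, to 10.0.0.20 ->",
          egress_interface(VPN_UP_RENUMBERED, "10.0.0.20"))
```

On a real machine the check is the same: save `route print` before and after connecting, diff the two, and look for any added entry whose prefix covers your LAN and beats the LAN route on prefix length or metric. When the table says the LAN adapter still wins but pings fail, the drop is happening in a filter (the client's firewall) rather than in routing.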

ASKER

Progress Report:
I have changed my local network to a 10.x.x.x addressing scheme. This has improved matters in that I can now ping other PCs successfully from the PC that is connected to the VPN and use the VPN as normal. However, when connected there are a couple of other problems. I still can't ping the connected PC from another PC (both ping and tracert timeout) plus I can't ping outward from the VPN connected PC using the hostname of another PC, e.g., "ping otherpc", as I could before I was connected (I have to use the actual IP address). So, a few steps forward but still a name resolution problem and an inability to ping in to the connected PC.

Out of interest, excluding VPN for a moment, given that I have no DNS server or static hosts file, how does Windows resolve a ping to a PC by name on the Windows network, e.g., 2 PCs connected, no DNS server, one has a Windows Node Name of abc and the other of xyz, why does "ping xyz" from abc correctly work out the IP address of xyz?
I think the firewall of the AT&T client is preventing the ping; try disabling all firewall functions and see if the ping gets through. The VPN is probably using the remote DNS for name resolution. As for your other question, it uses the browsing service. I find this link to be extremely useful in explaining and troubleshooting browsing issues. http://labmice.techtarget.com/networking/browsersrvc.htm
Even though it says domain this works for small peer to peer networks as well.
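On a workgroup with no DNS server and no hosts file, a Windows host resolving `ping xyz` falls through to NetBIOS over TCP/IP: it broadcasts a NAME QUERY REQUEST on UDP port 137 and the machine that owns the name replies with its address (RFC 1001/1002). If those broadcasts never leave the LAN adapter, or the reply is filtered, pinging by name fails while pinging by IP address still works. The following is an added example, not from the thread or from any Windows component, that builds and parses those two frames entirely in memory; the transaction id, host name and address are constructed.

```python
"""NetBIOS name query encoding/decoding (RFC 1001/1002), as used when a Windows
workgroup host resolves 'ping xyz' without DNS. Frames here are constructed in
memory; nothing is sent on the network."""
import struct
from typing import Dict, List, Tuple

NB_NAME_QUERY = 0x0020   # question / resource-record type NB
CLASS_IN = 0x0001


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: pad to 15 chars, append the 1-byte suffix (0x00 =
    workstation service), then emit each byte as two nibbles offset from 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    halves = bytearray()
    for b in raw:
        halves.append(0x41 + (b >> 4))
        halves.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(halves) + b"\x00"   # label length, 32 chars, root label


def decode_netbios_name(field: bytes) -> Tuple[str, int]:
    """Inverse of encode_netbios_name; `field` is the 34-byte encoded name."""
    if len(field) < 34 or field[0] != 32 or field[33] != 0:
        raise ValueError("not a single-label NetBIOS name")
    body = field[1:33]
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(name: str, txid: int = 0x1234) -> bytes:
    """Broadcast NAME QUERY REQUEST: OPCODE=0, RD=1, B=1 (flags 0x0110), one question."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + encode_netbios_name(name) + struct.pack("!HH", NB_NAME_QUERY, CLASS_IN)


def build_positive_response(name: str, ip: str, txid: int = 0x1234, ttl: int = 300000) -> bytes:
    """Constructed POSITIVE NAME QUERY RESPONSE standing in for what host `name` would
    send back: response bit, AA, RD, RA set (0x8580); one answer RR with one address."""
    header = struct.pack("!HHHHHH", txid, 0x8580, 0, 1, 0, 0)
    # RDATA entry: NB_FLAGS (0x0000 = B-node, unique name) followed by the IPv4 address
    rdata = struct.pack("!H", 0x0000) + bytes(int(o) for o in ip.split("."))
    rr = encode_netbios_name(name) + struct.pack("!HHIH", NB_NAME_QUERY, CLASS_IN, ttl, len(rdata)) + rdata
    return header + rr


def parse_name_response(data: bytes) -> Dict[str, object]:
    """Return txid, the answered name and its IPv4 addresses; empty list on RCODE != 0."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    result: Dict[str, object] = {"txid": txid, "name": None, "addresses": []}
    if flags & 0x000F or ancount == 0:      # negative response or nothing answered
        return result
    off = 12
    name, _suffix = decode_netbios_name(data[off:off + 34])
    off += 34
    _type, _cls, _ttl, rdlength = struct.unpack("!HHIH", data[off:off + 10])
    off += 10
    addrs: List[str] = []
    for i in range(0, rdlength, 6):         # each entry: 2-byte NB_FLAGS + 4-byte address
        _nb_flags, a, b, c, d = struct.unpack("!HBBBB", data[off + i:off + i + 6])
        addrs.append(f"{a}.{b}.{c}.{d}")
    result.update(name=name, addresses=addrs)
    return result


if __name__ == "__main__":
    query = build_name_query("xyz")
    print("query bytes :", query.hex())
    reply = build_positive_response("xyz", "10.0.0.20")
    print("decoded reply:", parse_name_response(reply))
```

The encoded name is what you will see in a packet capture of UDP/137 traffic (the 32-character run of letters starting `FIFJFK...` for XYZ); seeing the request leave the LAN adapter but no reply arrive, or seeing no request at all, separates a filtered broadcast from a host that simply is not answering.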

ASKER

Ok, there is no simple answer to this one but I have now worked around it by running the services that I need all on the same PC so no need to network outside. Thank you for all the advice.