Solved

LAN and WAN gateway problem

Posted on 2004-10-31
Last Modified: 2013-11-30
Good Morning...

I think I'm in the middle of something that has me at my wits...And I am in need of help.

I have a network

Local 10.16.231.0
255.255.255.0
gateway for internet 10.16.231.200

VPN Router 10.16.231.101 that takes me to a remote 10.16.230.101 to see 10.16.230.0 network

If I plug in the VPN router, all traffic for internet wants to use 10.16.231.101 as gateway even though
I have the gateway set in the computer as 10.16.231.200. I'm using 255.255.255.0 for all subnet
settings.
I can't program the VPN router, but I can tell the company who put it in what I need if I need to.
I can program my internet router and have tried to point just the VPN traffic back to the VPN router
with no luck...The VPN router is still taking over my gateway on all my local PCs.

I'm wondering if I have my subnet all wrong?

Can you give me any ideas?
0
Question by:Mitsu_SpyDr
    27 Comments
     
    LVL 79

    Expert Comment

    by:lrmoore
    Have the company that put in the VPN router disable proxy arp on the LAN interface.
    Be sure to ENable proxy arp on the Internet router gateway.
    What kind of "VPN router" is it?
    What kind of internet router is it?
    0
     

    Author Comment

    by:Mitsu_SpyDr
    VPN Router -- Siemens SB5830

    Internet -- Netopia Cayman 3347W
    0
     

    Author Comment

    by:Mitsu_SpyDr
    Netopia -

    I see a setting for a static ARP, but nothing about proxy...
    0
     
    LVL 16

    Expert Comment

    by:samccarthy
    Where exactly is the VPN router physically in your network?  Does your traffic hit that before being passed to your existing router?  What type of VPN is this?  If you are using a Windows VPN to access the other connection, then to prevent the other end from being the remote gateway, you must go into the VPN connection Settings, TCP/IP Properties and under the advanced properties, Uncheck "use remote gateway".

    If you are using some other type of VPN client, it is very possible you have that same setting there too.  This will override your default settings and explain what you are experiencing.
    0
     

    Author Comment

    by:Mitsu_SpyDr
    The router is plugged into the switch that the PCs and the Internet router are connected to.

    When the internet router is by itself - internet traffic is fine. When I plug the VPN router into the switch, it seems the internet router loses its DNS and gateway. The VPN works fine, but when I do a tracert from a PC, it gives me the VPN router as the first hit. When I unplug the VPN router and run a tracert, the internet router is the first hit....

    I hope this all makes sense, as it does not to me...

    I'm not using any clients, just a router at the remote and at the local.

    0
     
    LVL 4

    Expert Comment

    by:JonSh
    The way I see it is this:


                                  ----------------------------
    Internet <--------------->|   10.16.230.200 Router   |
                                  ----------------------------
                                                |
                                                |
                                  ----------------------------
    LAN 10.16.230.n <-------->|          Switch          |<-------> [VPN Router 10.16.230.101] <----------> LAN 10.16.231.n
                                  ----------------------------


    So I would try doing the following on a PC:
    route delete 0.0.0.0
    route add 10.16.231.0 mask 255.255.255.0 10.16.230.101
    route add 0.0.0.0 mask 0.0.0.0 10.16.230.200

    This should point default traffic out the internet gateway and specific traffic for 10.16.231.n through the VPN.
    0
     
    LVL 4

    Expert Comment

    by:JonSh
    hmmm...and then I'd redesign the network so the user lan only sees a single router (afterthought).

    0
     
    LVL 2

    Expert Comment

    by:kidoman
    Hi Man,

    I am sorry that you had to recreate this question.... you can't program the VPN router?!?! Ok so that basically puts you at square one.

    One should always try and find router-based solutions before going to every PC and setting static routes. There isn't a way in the world that one router can take over another router. This is probably what is going wrong.

    Are you using DHCP to assign IP addresses? Because of the presence of two routers, there could be a conflict as to who assigns the addresses. But that is only in case you are using DHCP. Otherwise, if you can program your Internet router, then do these in whatever way is suitable for your router (refer to the manual):

    - define a static route for the network 10.16.231.0/24 via address 10.16.230.101
    - enable DHCP (if you are using it) on only the Internet router and disable it on your VPN router (is it possible or not?)
    - if you are using DHCP and disabling DHCP in the VPN router (the Siemens router is very legacy IMHO, I didn't find any online manual....) then revert to using static IP addresses. Again, this is a PC-to-PC configuration and should be your last option.
    - if you can reconfigure your network so that the VPN router is directly connected to the INET ROUTER and the rest of the LAN is connected to a different port on the Inet router. So any communication has to happen across the INET router, which will perform the routing operations properly.

    Hope I am of some actual help this time,

    Cheers,

    Karan
    0
     
    LVL 11

    Expert Comment

    by:NetoMeter Screencasts
    Can you post the result of route print on that PC?

    NetoMeter
    0
     
    LVL 4

    Expert Comment

    by:JonSh
    to Kidoman:  I absolutely agree with you except I don't want him ending up with a one-armed router solution.....Jon
    0
     

    Author Comment

    by:Mitsu_SpyDr
    This is how it is set up now...
                                  ----------------------------
    Internet <--------------->|   10.16.231.200 Router   |
                                  ----------------------------
                                                |
                                                |
                                  ----------------------------
    LAN 10.16.231.n <-------->|          Switch          |<-------> [VPN Router 10.16.231.101] <----------> LAN 10.16.230.n
                                  ----------------------------

    And this is the way it needs to be....

                                  ----------------------------
    Internet <--------------->|   10.16.231.200 Router   |<-------> [VPN Router 10.16.231.101] <----------> LAN 10.16.230.n
                                  ----------------------------
                                                |
                                                |
                                  ----------------------------
    LAN 10.16.231.n <-------->|          Switch          |
                                  ----------------------------

    I have tried this and get the same results

    Ok...
    When I looked earlier today...The route print does not show the 10.16.231.101 router anywhere...I'd print you one, but I'm not at the office right now...


    I'm not running DHCP on any router, and cannot due to the fact that our software server needs to hand an IP itself to a couple of port replicators on the network...so it has to be the DHCP server...
    The server is set as thus...
    10.16.231.150
    255.255.255.0
    GW - 10.16.231.101 (to communicate with the server on the 10.16.230.0 network!!!)
    ***Could this be my problem??? Could the DHCP on the server be causing the route change when I plug in the VPN Router?***


    So here are my thoughts - see if I'm warm... The guys that set up the VPN router set it up to broadcast its info or something like ARP on the LAN side, so my cheap internet router is catching this, and using the VPN router as a gateway to the internet.

    After I get them to fix this, I still need to add an IP route to the internet router to tell all traffic bound for the remote local to go to the vpn router...

    Let me know if I'm on the right track here...

    PS Karan - I've been reading a little...
    0
     
    LVL 2

    Expert Comment

    by:kidoman
    Hi,

    See this for a description of ARP: http://www.experts-exchange.com/Networking/Q_21182517.html

    I can't see how ARP config (proxy in your case) could be causing your little problem. All the nodes will directly send the data to their default gateway, i.e. the LAN side of your Internet router. Have you double checked that the default gateway on the nodes (PCs) is set to the Internet router at all times and does not point to the VPN server at any point? Please first check without connecting the VPN server and then recheck after connecting it. Yes, the second layout you have shown is the ideal solution (VPN router connected to the Internet router directly).

    I have to run to college....will get back when i return.

    Cheers,

    Karan
    0
     

    Expert Comment

    by:sanjoybasu
    I support JonSh's solution
    route delete 0.0.0.0
    route add 10.16.231.0 mask 255.255.255.0 10.16.230.101
    route add 0.0.0.0 mask 0.0.0.0 10.16.230.200
    0
     
    LVL 2

    Expert Comment

    by:hoonexpert
    What is the operating system on your PC? If it is Windows 9x, it has a similar problem called IRDP (ICMP Router Discovery Protocol), which is enabled by default. So if you try on another PC it will be solved ????

    Otherwise follow the solution above. Go to the command prompt.

    C:\>route print - would give you all the routes

    C:\>route delete 0.0.0.0 - will delete the default route

    C:\>route add 10.16.231.0 mask 255.255.255.0 10.16.230.101 - not needed, but you may still give it. You don't need to give a default gateway for your own subnet as it is broadcasted anyway.

    C:\>route add 0.0.0.0 mask 0.0.0.0 10.16.231.200 - new default gateway. Remember the default gateway should be on the same subnet and reachable.

    Change the ips as per your requirement.

    Manish.
    Baroda.
    India.


    0
     
    LVL 4

    Expert Comment

    by:JonSh
    sanjoybasu, my solution is incorrect because I have the LANs in the wrong places per the diagram that Mitsu_SpyDr provided.  Workstations in the 230 subnet need only a default route through the VPN.  The problem should be workstations in the 231 network hitting the VPN router as the default gateway.  And hoonexpert could be right, it might be an IRDP issue; I've been bitten by Windows like that before.

    In general, I'm backing away from this question because we have too many people working on it, and it's going to get confusing.  I'm especially curious about this VPN solution that doesn't use the existing ISP gateway but instead uses a different pipe to a remote location - implying the remote location can't get internet access but can get access to the 3rd party VPN?  Seems strange to me, the VPN should simply be a feature of the edge device for each LAN.
    0
     
    LVL 5

    Assisted Solution

    by:AutoSponge
    Make the VPN router's LAN interface passive.
    0
     

    Author Comment

    by:Mitsu_SpyDr
    Karan -

    I am 100% sure that the PCs on the network are using the internet router as their gateway.

    It's only when I plug in the vpn router that the internet goes down. I'm sure the vpn router is broadcasting something that
    the internet router is picking up and trying to use.

    I have put the route 10.16.230.101 255.255.255.0 10.16.231.101 in my internet router to push all vpn traffic thru the vpn router...

    I'm just waiting on the NOC to get into the vpn router and see what is going on with it...
     
    0
     
    LVL 79

    Accepted Solution

    by:
    > I'm sure the vpn router is broadcasting something that the internet router is picking up and trying to use.

    Exactly. This is called "proxy arp" and it is killing you.
    The exact same thing would happen if you dropped in a Cisco PIX Firewall as a VPN endpoint. Fortunately, on a PIX, you can simply disable proxy arp and be happy.

    Perhaps AutoSponge's suggestion is specific to the Siemens SB5830?
    0
     
    LVL 2

    Expert Comment

    by:kidoman
    Hello lrmoore,

    I have a little confusion about how "Proxy ARP" is causing problems here. The VPN router (of a very exotic make) is connected to the 10.16.230.0 and the Inet (am I right or wrong?) So when a node (say A) wants to send a packet to the Internet, it will:

    - see the dest IP address (say 203.193.144.98) is not in its local subnet (10.16.230.0) and would therefore forward the packet to a local gateway (our Internet router). The ARP message passing that occurs is the node trying to find the MAC address of the Inet router, and the Inet router will reply properly. Proxy ARP in the case of the VPN router would only happen if the Inet router's address (i.e. 10.16.230.200) is present on one of its other interfaces (which is not the case....)

    So I don't see how proxy ARP is affecting the procedure.

    Mitsu_SpyDr, if you could just fix up a Linux box (even temporarily) then all of us would be highly benefited because the 'tcpdump' command would tell us what was actually going on....?

    Cheers,

    Karan
    0
     
    LVL 2

    Assisted Solution

    by:kidoman
    Hi Mitsu_SpyDr,

    Check it out for some background info. Very similar to your situation.

    http://www.experts-exchange.com/Networking/Linux_Networking/Q_21182471.html

    Cheers,

    Karan
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    The above link includes an explanation of proxy arp.
    Since both the Internet router and the VPN device have a default route (presumably pointing to the same IP address), then both are trying to "proxy" 0.0.0.0 - everything unknown to the local subnet, and the client gets the wrong router's MAC address as the next hop, overriding their default gateway setting.

    0
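Added example (not part of any post in this thread): a check for the symptom described above, where a client ends up with the wrong router's MAC address for its gateway. It parses Windows `arp -a` output and flags a gateway MAC that differs from a recorded baseline, or one MAC answering for several IPs. The sample table, all MAC addresses and the baseline value are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed `arp -a` output from a PC on 10.16.231.0/24 while the VPN router
# is plugged in. All MAC addresses here are invented for the example.
SAMPLE_ARP_A = """\
Interface: 10.16.231.25 --- 0x2
  Internet Address      Physical Address      Type
  10.16.231.101         00-11-22-aa-bb-01     dynamic
  10.16.231.150         00-11-22-aa-bb-50     dynamic
  10.16.231.200         00-11-22-aa-bb-01     dynamic
  10.16.231.255         ff-ff-ff-ff-ff-ff     static
"""

# Assumption: the Internet router's MAC, recorded with the VPN router unplugged.
GATEWAY_IP = "10.16.231.200"
GATEWAY_MAC_BASELINE = "00-11-22-aa-bb-c8"

ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_arp_table(text):
    """Return {ip: mac} for dynamic (learned) entries only."""
    return {ip: mac.lower() for ip, mac, kind in ENTRY.findall(text)
            if kind.lower() == "dynamic"}


def find_issues(table, gateway_ip, baseline_mac):
    """List symptoms of another device answering ARP for the gateway."""
    issues = []
    seen = table.get(gateway_ip)
    if seen is None:
        issues.append(("gateway-not-resolved", gateway_ip))
    elif seen != baseline_mac.lower():
        issues.append(("gateway-mac-mismatch", gateway_ip, seen))
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:  # one NIC answering for several IPs
            issues.append(("shared-mac", mac, sorted(ips)))
    return issues


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_A)
    for issue in find_issues(table, GATEWAY_IP, GATEWAY_MAC_BASELINE):
        print(issue)
```

Comparing the listing taken with the VPN router unplugged against one taken with it plugged in shows whether the gateway entry is what changes.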
     
    LVL 2

    Expert Comment

    by:kidoman
    I read your explanation above.... was informative. However,

    if the node would try to resolve "0.0.0.0" then the possibility of the wrong MAC address being associated with the correct gateway setting (in the node) would be there. However, the node, noting that any address on the Inet is not on its configured subnet, would directly try and resolve the default gateway set in the node itself. Which would be 10.16.230.200. So when would the VPN router get a chance to interfere? However, I am having a gut feeling that .... access is okay when VPN router not plugged in, but problems arise when it is plugged in. Is there some hocus pocus going on in there....? Something like ICMP-redirect from the Inet router to the VPN router.

    Linux would divulge the secrets, I guess.
    0
     
    LVL 2

    Expert Comment

    by:kidoman
    Hi again folks,

    What a coincidence.... the first ever question I answered in EE (a couple of days back) was regarding ARP and RARP. A very "non-brief" explanation of how things are in the IP/MAC world.

    See: http://www.experts-exchange.com/Networking/Q_21182517.html

    Cheers,

    karan

    PS: This is not a grudge war....
    0
     
    LVL 4

    Expert Comment

    by:JonSh
    I always liked Cisco's explanation of proxy arp.  But you need to understand subnet masking to follow what's going on.  BTW, I *hate* proxy arp :)

    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094adb.shtml



    0
     
    LVL 2

    Expert Comment

    by:kidoman
    Thanks JonSh,

    You helped to make my point stronger. Because nodes use a 255.255.255.0 subnet mask they will broadcast ARP requests only for nodes in their subnet. For anything else they would specifically request the MAC address of the Inet gateway. And it would reply. Whether or not proxy ARP is enabled on the VPN router wouldn't matter because if the VPN router has any head (or proper people programmed it) then it is not a candidate for replying with its MAC address to ARP requests for 10.16.230.200 since they are not reachable via any of its other interfaces.

    Lrmoore please confirm.

    0
     

    Expert Comment

    by:gmchenry
    What protocol are the routers running?  OSPF, EIGRP??  That might also be causing an issue, along with the netmask.  Different routes are given a lower/higher cost based on connection.  Did you check into that?  Just some thoughts.
    0
