LAN and WAN gateway problem

Good Morning...

I think I'm in the middle of something that has me at my wit's end... and I am in need of help.

I have a network

Local 10.16.231.0
255.255.255.0
gateway for internet 10.16.231.200

VPN Router 10.16.231.101 that takes me to a remote 10.16.230.101 to see 10.16.230.0 network

If I plug in the VPN router, all traffic for the Internet wants to use 10.16.231.101 as the gateway even though
I have the gateway set in the computer as 10.16.231.200. I'm using 255.255.255.0 for all subnet
settings.
I can't program the VPN router, but I can tell the company who put it in what I need if I need to.
I can program my Internet router and have tried to point just the VPN traffic back to the VPN router
with no luck... The VPN router is still taking over my gateway on all my local PCs.

I'm wondering if I have my subnet all wrong?

Can you give me any ideas?
Asked by: Mitsu_SpyDr

3 Solutions

lrmooreCommented:
Have the company that put in the VPN router disable proxy ARP on the LAN interface.
Be sure to ENABLE proxy ARP on the Internet router gateway.
What kind of "VPN router" is it?
What kind of Internet router is it?
 
Mitsu_SpyDrAuthor Commented:
VPN Router -- Siemens SB5830

Internet -- Netopia Cayman 3347W
 
Mitsu_SpyDrAuthor Commented:
Netopia -

I see a setting for a static ARP, but nothing about proxy...
 
Steve McCarthy (MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer; IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator) Commented:
Where exactly is the VPN router physically in your network?  Does your traffic hit that before being passed to your existing router?  What type of VPN is this?  If you are using a Windows VPN to access the other connection, then to prevent the other end from being the remote gateway, you must go into the VPN connection Settings, TCP/IP Properties and under the advanced properties, Uncheck "use remote gateway".

If you are using some other type of VPN client, it is very possible you have that same setting there too.  This will override your default settings and explain what you are experiencing.
 
Mitsu_SpyDrAuthor Commented:
The router is plugged into the switch that the PCs and the Internet router are connected to.

When the Internet router is by itself, Internet traffic is fine. When I plug the VPN router into the switch, it seems the Internet router loses its DNS and gateway. The VPN works fine, but when I do a tracert from a PC, it gives me the VPN router as the first hit. When I unplug the VPN router and run a tracert, the Internet router is the first hit....

I hope this all makes sense, as it does not to me...

I'm not using any clients, just a router at the remote and at the local.

 
JonShCommented:
The way I see it is this:

                     ________________________
Internet <--------->|  10.16.230.200 Router  |
                     ------------------------
                                |
                                |
                     ------------------------
LAN 10.16.230.n <-->|  Switch                |<---> [VPN Router 10.16.230.101] <---> LAN 10.16.231.n
                     ------------------------

So I would try doing the following on a PC:
route delete 0.0.0.0
route add 10.16.231.0 10.16.230.101
route add 0.0.0.0 10.16.230.200

This should point default traffic out the Internet gateway and specific traffic for 10.16.231.n through the VPN.
 
JonShCommented:
hmmm...and then I'd redesign the network so the user lan only sees a single router (afterthought).

 
kidomanCommented:
Hi Man,

I am sorry that you had to recreate this question.... You can't program the VPN router?!?! OK, so that basically puts you at square one.

One should always try and find router-based solutions before going to every PC and setting static routes. There isn't a way in the world that one router can take over another router. This is probably what is going wrong.

Are you using DHCP to assign IP addresses? Because of the presence of two routers, there could be a conflict as to who assigns the addresses. But that is only in case you are using DHCP. Otherwise, if you can program your Internet router, then do these in whatever way is suitable for your router (refer to the manual):

- define a static route for the network 10.16.231.0/24 via address 10.16.230.101
- enable DHCP (if you are using it) on only the Internet router and disable it on your VPN router (is it possible or not?)
- if you are using DHCP and disabling DHCP in the VPN router (the Siemens router is very legacy IMHO, I didn't find any online manual....) then revert to using static IP addresses. Again, this is a PC-to-PC configuration and should be your last option.
- if you can, reconfigure your network so that the VPN router is directly connected to the INET ROUTER and the rest of the LAN is connected to another different port on the Inet router. Then any communication has to happen across the INET router, which will perform the routing operations properly.

Hope I am of some actual help this time,

Cheers,

Karen
 
NetoMeter ScreencastsCommented:
Can you post the result of route print on that PC?

NetoMeter
 
JonShCommented:
to Kidoman:  I absolutely agree with you except I don't want him ending up with a one-armed router solution.....Jon
 
Mitsu_SpyDrAuthor Commented:
This is how it is set up now...

                     ------------------------
Internet <--------->|  10.16.231.200 Router  |
                     ------------------------
                                |
                                |
                     ------------------------
LAN 10.16.231.n <-->|  Switch                |<---> [VPN Router 10.16.231.101] <---> LAN 10.16.230.n
                     ------------------------

And this is the way it needs to be....

                     ------------------------
Internet <--------->|  10.16.231.200 Router  |<---> [VPN Router 10.16.231.101] <---> LAN 10.16.230.n
                     ------------------------
                                |
                                |
                     ------------------------
LAN 10.16.231.n <-->|  Switch                |
                     ------------------------

I have tried this and get the same results.

Ok...
When I looked earlier today, the route print does not show the 10.16.231.101 router anywhere... I'd print you one, but I'm not at the office right now...

I'm not running DHCP on any router, and cannot, due to the fact that our software server needs to hand an IP itself to a couple of port replicators on the network... so it has to be the DHCP server...
The server is set up thus:
10.16.231.150
255.255.255.0
GW - 10.16.231.101 (to communicate with the server on the 10.16.230.0 network!!!)
***Could this be my problem??? Could the DHCP on the server be causing the route change when I plug in the VPN router?***

So here are my thoughts - see if I'm warm... The guys that set up the VPN router set it up to broadcast its info, or something like ARP, on the LAN side, so my cheap Internet router is catching this and using the VPN router as a gateway to the Internet.

After I get them to fix this, I still need to add an IP route to the Internet router to tell all traffic bound for the remote location to go to the VPN router...

Let me know if I'm on the right track here...

PS Karan - I've been reading a little...
 
kidomanCommented:
Hi,

See this for a description of ARP: http://www.experts-exchange.com/Networking/Q_21182517.html

I can't see how ARP config (proxy ARP in your case) could be causing your little problem. All the nodes will directly send the data to their default gateway, i.e. the LAN side of your Internet router. Have you double-checked that the default gateway on the nodes (PCs) is set to the Internet router at all times and does not point to the VPN server at any point? Please first check without connecting the VPN server and then recheck after connecting it. Yes, the second layout you have shown is the ideal solution (VPN router connected to the Internet router directly).

I have to run to college....will get back when i return.

Cheers,

Karan
 
sanjoybasuCommented:
I support JonSh's solution
route delete 0.0.0.0
route add 10.16.231.0 10.16.230.101
route add 0.0.0.0 10.16.230.200
 
hoonexpertCommented:
What is the operating system on your PC? If it is Windows 9x, it has a similar problem called IRDP (ICMP Router Discovery Protocol), which is enabled by default. So if you try on another PC it will be solved????

Otherwise follow the solution above. Go to the command prompt.

C:\>route print - would give you all the routes

C:\>route delete 0.0.0.0 - will delete the default route

C:\>route add 10.16.231.0 netmask 255.255.255.0 10.16.230.101 - not needed, but you may still give it. You don't need to give a default gateway for your own subnet as it is broadcast anyway.

C:\>route add 0.0.0.0 netmask 0.0.0.0 10.16.231.200 - new default gateway. Remember the default gateway should be on the same subnet and reachable.

Change the IPs as per your requirement.

Manish.
Baroda.
India.

 
JonShCommented:
sanjoybasu, my solution is incorrect because I have the LANs in the wrong places per the diagram that Mitsu Spy_Der provided.  Workstations in the 230 subnet need only a default route through the VPN.  The problem should be workstations in the 231 network hitting the VPN router as the default gateway.  And hoonexpert could be right, it might be an IRDP issue; I've been bitten by Windows like that before.

In general, I'm backing away from this question because we have too many people working on it, and it's going to get confusing.  I'm especially curious about this VPN solution that doesn't use the existing ISP gateway but instead uses a different pipe to a remote location - implying the remote location can't get Internet access but can get access to the 3rd party VPN?  Seems strange to me; the VPN should simply be a feature of the edge device for each LAN.
 
AutoSpongeCommented:
Make the VPN router's LAN interface passive.
 
Mitsu_SpyDrAuthor Commented:
Karan -

I am 100% sure that the PCs on the network are using the Internet router as their gateway.

It's only when I plug in the VPN router that the Internet goes down. I'm sure the VPN router is broadcasting something that
the Internet router is picking up and trying to use.

I have put the route 10.16.230.101 255.255.255.0 10.16.231.101 in my Internet router to push all VPN traffic through the VPN router...

I'm just waiting on the NOC to get into the VPN router and see what is going on with it...
 
lrmooreCommented:
> I'm sure the vpn router is broadcasting something that the internet router is picking up and trying to use.

Exactly. This is called "proxy arp" and it is killing you.
The exact same thing would happen if you dropped in a Cisco PIX Firewall as a VPN endpoint. Fortunately, on a PIX, you can simply disable proxy arp and be happy.

Perhaps AutoSponge's suggestion is specific to the Siemens SB5830?
 
kidomanCommented:
Hello lrmoore,

I am a little confused about how "Proxy ARP" is causing problems here. The VPN router (of a very exotic make) is connected to 10.16.230.0 and the Inet (am I right or wrong?). So when a node (say A) wants to send a packet to the Internet, it will:

- see the dest IP address (say 203.193.144.98) is not in its local subnet (10.16.230.0) and would therefore forward the packet to a local gateway (our Internet router.) The ARP message passing that occurs is the node trying to find the MAC address of the Inet router, and the Inet router will reply properly. Proxy ARP in the case of the VPN router would only happen if the Inet router's address (i.e. 10.16.230.200) were present on one of its other interfaces (which is not the case....)

So I don't see how proxy ARP is affecting the procedure.

Mitsu_SpyDr, if you could just fix up a Linux box (even temporarily) then all of us would benefit highly, because the 'tcpdump' command would tell us what was actually going on....?

Cheers,

Karan
 
kidomanCommented:
Hi Mitsu_SpyDr,

Check it out for some background info. Very similar to your situation.

http://www.experts-exchange.com/Networking/Linux_Networking/Q_21182471.html

Cheers,

Karan
 
lrmooreCommented:
The above link includes an explanation of proxy ARP.
Since both the Internet router and the VPN device have a default route (presumably pointing to the same IP address),
both are trying to "proxy" 0.0.0.0 - everything unknown to the local subnet - and the clients get the wrong router's MAC address as the next hop, overriding their default gateway setting.

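An added Python illustration (not code from anyone in this thread) of the two mechanisms being argued over: which address a host actually ARPs for given its netmask, and how to spot, in a list of observed ARP replies, a second device answering for the default gateway's IP. The IP addresses are the thread's; the MAC addresses and the ARP replies are constructed for the example.

```python
import ipaddress
from collections import defaultdict


def arp_target(host_ip, netmask, default_gw, dest_ip):
    """Return the IP a host will ARP for when sending to dest_ip.

    With a correct mask the host only ARPs for on-link destinations or
    its own default gateway, so a proxy-ARP router never sees a request
    it could answer for an Internet address. A too-wide mask changes
    that: the host ARPs for the remote address directly.
    """
    net = ipaddress.ip_network(f"{host_ip}/{netmask}", strict=False)
    return dest_ip if ipaddress.ip_address(dest_ip) in net else default_gw


def gateway_claimants(arp_replies, gateway_ip):
    """Return the sorted list of MACs that answered ARP for gateway_ip.

    arp_replies: iterable of (sender_ip, sender_mac) tuples, e.g. pulled
    from a capture taken while the VPN router is plugged in. More than
    one MAC for the gateway IP is the symptom described in the thread:
    a second device answering ARP for an address it does not own.
    """
    claims = defaultdict(set)
    for ip, mac in arp_replies:
        claims[ip].add(mac.lower())
    return sorted(claims.get(gateway_ip, set()))


# Constructed sample: thread addressing, MACs invented for illustration.
INET_ROUTER_MAC = "00:11:22:aa:bb:01"
VPN_ROUTER_MAC = "00:11:22:aa:bb:02"
SAMPLE_REPLIES = [
    ("10.16.231.200", INET_ROUTER_MAC),  # real Internet router
    ("10.16.231.101", VPN_ROUTER_MAC),   # VPN router answering for itself
    ("10.16.231.200", VPN_ROUTER_MAC),   # VPN router also answering for the gateway
]

if __name__ == "__main__":
    # /24 mask: Internet-bound traffic ARPs only for the configured gateway.
    print(arp_target("10.16.231.10", "255.255.255.0", "10.16.231.200", "203.0.113.5"))
    # A wrong /16 mask makes the host ARP for 10.16.230.x directly, which is
    # exactly the request a proxy-ARP router is built to answer.
    print(arp_target("10.16.231.10", "255.255.0.0", "10.16.231.200", "10.16.230.101"))
    print(gateway_claimants(SAMPLE_REPLIES, "10.16.231.200"))
```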
 
kidomanCommented:
I read your explanation above.... it was informative. However,

if the node would try to resolve "0.0.0.0" then the possibility of the wrong MAC address being associated with the correct gateway setting (in the node) would be there. However, the node, noting that any address on the Inet is not on its configured subnet, would directly try and resolve the default gateway set in the node itself, which would be 10.16.230.200. So when would the VPN router get a chance to interfere? However, I have a gut feeling that.... access is okay when the VPN router is not plugged in, but problems arise when it is plugged in. Is there some hocus pocus going on in there....? Something like an ICMP redirect from the Inet router to the VPN router.

Linux would divulge the secrets, I guess.
 
kidomanCommented:
Hi again folks,

What a coincidence.... the first ever question I answered on EE (a couple of days back) was regarding ARP and RARP. A very "non-brief" explanation of how things are in the IP/MAC world.

See: http://www.experts-exchange.com/Networking/Q_21182517.html

Cheers,

Karan

PS: This is not a grudge war....
 
JonShCommented:
I always liked Cisco's explanation of proxy ARP.  But you need to understand subnet masking to follow what's going on.  BTW, I *hate* proxy ARP :)

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094adb.shtml
 
kidomanCommented:
Thanks JonSh,

You helped to make my point stronger. Because nodes use a 255.255.255.0 subnet mask, they will broadcast ARP requests only for nodes in their subnet. For anything else they would specifically request the MAC address of the Inet gateway, and it would reply. Whether or not proxy ARP is enabled on the VPN router wouldn't matter, because if the VPN router has any head (or proper people programmed it) then it is not a candidate for replying with its MAC address to ARP requests for 10.16.230.200, since that is not reachable via any of its other interfaces.

Lrmoore, please confirm.
 
gmchenryCommented:
What protocol are the routers running?  OSPF, EIGRP??  That might also be causing an issue, along with the netmask.  Different routes are given a lower/higher cost based on connection.  Did you check into that?  Just some thoughts.