VPN tunnel issue

I have two locations, each one has a Netpoia 33xx dsl box attached to a Linksys WRV54G. One location has 4 PC's and a Win2003 server, the other just has 2 PC's. I need to create a VPN tunnel between locations using the Linksys devices. I believe I have them configured correctly. I tried setting the Netopia to bridging using info I found on the Netopia site, however if I uncheck the IP Gateway box, I can't get to the internet. The IP scheme on one end is 192.168.1610 and the remote end is The real IP address's for the Netopia is through PPOE to SBC. I picked the lowest usable address of the subnet for a static IP on the Linksys. I have both WAN and LAN/Wireless routing set up so I can get to the internet from each end. I have the tunnels set correct on each end with security. If I do a whatsmyip from each location, it returns the real IP address that I have a ssigned the Linksys device. I can ping the Netopia and the SBC DNS entries from the Linksys, but cannot ping or traceroute from the Netopia's back to the Linksys. I need this to work by Monday. I've talked with Linksys support ..... no help there. They blame it on the Netopia setup.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.


Look at the bottom of this page:


let me know if it helps...
JerryS39Author Commented:
Sorry that isn't exactly what i'm looking for.
Rob WilliamsCommented:
Which Netopia 33xx do you have? i.e. what does  xx=

-On the unit I looked at (on-line manual) you need to enable "Bridged 1483" on the "DSL Line Configuration Screen" page to enable bridging. This is very important.

-If your WAN connection is configured with a public IP and whatismyIP returns that IP, as you have stated, the basic configuration should be fine.

-By IP Gateway, I assume you mean default IP gateway ? If so, you cannot remove this. That needs to be the gateway provided by your ISP.

->>"The real IP address's for the Netopia is through PPOE to SBC. I picked the lowest usable address of the subnet for a static IP "
Do you have a true static IP? This is not common with a PPPoE connection. You have to be assigned a static IP you cannot simply choose one. SBC sometimes assigns a "sticky" IP. Is this the case? If so and you do not know the IP and/or gateway, re-enable the original NAT mode of the Netopia and go to whatismyIP to confirm the WAN IP. Then go to http://tstools.co.uk/ipcalc.php  and enter  <your IP>/29 and click calculate. The Gateway should be the "Host Min" .  IP's are usually assigned in blocks of 5. If so yours would be the 5 above the host min.

-As a next/first step, if you believe the above is configured properly, enable remote management of the Linksys unit/s in the administration section, and see if you can log on to the management console remotely using the WAN IP. If so you can continue to work on the VP part if not you need to get the basic set up corrected.

I know I have more questions than answers above, but knowing a little more we can continue.

Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

JerryS39Author Commented:
One is a Cayman3546 WAN: ADSL LAN: 4-port Switch  OS is 6.4.0R2
The other is Netopia Model 3346N DSL Ethernet Switch  OS 7.4.0r6

The IP Gateway setting is a check box on the Configure - WAN  screen.

Yes they both get the public IP addrresses using PPOE

 One block is 104 - 111     the other is 208 - 215

When I change it to Bridged 1483 will the current IP address be assigned to the Linksys device if I have it configured to obtain it using PPOE information?
Rob WilliamsCommented:
Jerry, looking at your other last question I guess the main issue here right now is what type of connection do you have. Is it static or Dynamic. we can deal with either way, but it needs to be handled differently. Also need to know Netopia model.
JerryS39Author Commented:
They are static IP's
The model numbers were at the top of my comment
Rob WilliamsCommented:
Whoops, you posted while I was posting last message.

>>"When I change it to Bridged 1483 will the current IP address be assigned to the Linksys device if I have it configured to obtain it using PPOE information?"
Yes put the Netopia in bridged mode and then configure the PPPoE section with your UserName and password. The Linksys should then obtain an IP automatically. I am assuming this is a dynamic IP, if it is a "sticky" simulated Static IP let me know.

>>"The IP Gateway setting is a check box on the Configure - WAN  screen."
On the router or Netopia? I don't see it on either.
Shouldn't have to configure anything on the Netopia once in bridge mode. There is "Gateway IP" in the network section of the set up page of the Linksys. This is the local/LAN IP you want to assign the router 192.168.16x.x
JerryS39Author Commented:
They each have a little different set of chices about ethernet bridge settings.
Neither seem to have the RFC-1483 Bridged Ethernet vcc1 choice, is that a selection on a different menu?

I have to sign off for a few hours, thanks for the help. And if you can get me to where I can select the 1483 instead of the PPP I can get these set up. If you would like to look at them live I will send you the IP address for each one to your email address.
Rob WilliamsCommented:
If they are true static IP's, which would be assigned by the ISP, they should have given you the IP (possibly a group of 5), gateway, subnet mask and DNS server IP's. On the set up page choose Static IP and insert those values.

The concern I have is SBC, which we do not have here, sometimes uses what they call 'Sticky IPs". A Sticky IP is a dynamic IP using PPPoE, however they use a DHCP reservation to make sure you are always assign the same IP. If so that is fine, just use the PPPoE configuration with UserName and password, but when configuring the VPN use that IP.

Try enabling and using remote management page of the router as described above. If that is not working no point in going further, as it confirms the bridge mode is working and you have the correct IP.
I just saw last message about the bridge mode. I'll look int that for you.
JerryS39Author Commented:
The one Netopia has the following choices under ethernet bridging:

        Enable Bridging Function   (i have it checked)

        Enable WAN to WAN Bridging    (not checked)

                       Ethernet 100BT (LAN)

       Enable Bridging on port  (i have it checked)

              PPP over Ethernet vcc1 (WAN)

      Enable Bridging on port   (i have it checked)

      Filter PPPoE Only   (not checked)

The other one has less info

                      Enable Bridging Function  (i have it checked)

                              PPP over Ethernet vcc1 (WAN)

                    Enable Bridging on Port   (not checked)

Rob WilliamsCommented:
I am afraid the online manuals do not seem to show these options. They are likely older firmware versions.
I would recommend:
     Enable Bridging Function   (i have it checked)
as you have done but not enabling any others. Some of these units allow bridging between local subnets which is not what you want to do so I would NOT enable any other bridging options  such as  "Enable Bridging on port "

Glad to help but you may have to figure this part out on your own as I don't have any of these units or apparently up-to-date manuals.

I am out of here for a while as well but will check back. (-4 hours GMT here)

If you can get the bridging and remote management working I am willing to log on and check your VPN configuration if you like. E-mail address is on my profile.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
JerryS39Author Commented:

I'll make the changes on the Netopia's and check with you in the morning.
Rob WilliamsCommented:
Let me know how you make out.
Rob WilliamsCommented:
The information you sent me I am afraid doesn't tell me much.
Have you confirmed on the Linksys end the WAN IP agrees with whatismyip ?
You also mentioned you cannot ping the Linksys. The Linksys will deny ICMP (ping) requests by default. For test purposes yo may want to disable "Block Anonymous Internet Requests" on the firewall configuration page to allow you to ping the devise.
hi, there

Just a small information on Microsoft Networks. Kerberos uses UDP per default and that can be changed to TCP.


Assuming the rest of your settings is ok I mean if you can ping the IP's and so on. try ythe Kerberos. Sorry gotta go the job is calling.


JerryS39Author Commented:
Well I managed to get the Netopia's into bridge mode and the Linksys have the PPOE assigned static address's. The VPN tunnel is defined, but It doesn't work. I try to ping an IP on the other end and get nothing, tried to ftp to the server on the other end and get nothing. From what I've read on this site, you shouldn't have any port forwarding going on either end ...... correct? The whole point of using these was the tunnel. Any pointers ...... I'd like to close this and award the points tonite.
Rob WilliamsCommented:
>>"you shouldn't have any port forwarding going on either end ...... correct? "

If you disable ""Block Anonymous Internet Requests"" on the Linksys, can you ping it now?
Also best test once you think you have the VPN established is to ping the LAN side of the Linksys. This eliminates any routing or software firewall issues on the remote end for your initial testing.
JerryS39Author Commented:
I disabled "Block Anonymous Internet Requests" and yes I can ping it, but still no vpn as far as I can tell. The strange thing is I can manage one location over the internet using the 8080 port, but the other one won't let me in for some reason. However, going to dnsstuff and checking some things .... it says on a traceroute that the last couple routers are blocking access .... they look like they belong to SBC. I'll get you (RobWill) the ip address to you in an email and you can look at it.
Rob WilliamsCommented:
Sounds like you may now have a basic connection if you can ping in both directions. Next is to get the VPN working. You say you can manage one router remotely but not the other. Do they both use 8080? Lots of routers use different WAN ports for that. As for tracert not working, that is often common with some routers, I wouldn't be concerned about that.

For the record, when the VPN is established, the Linksys VPN page opposite were it says status, will change from connect to disconnect. You can try clicking the connect 'button' to force a connection.
Must say though you can expect difficulties connecting these two different brands to create the tunnel. Once working there will be no problem but not surprised there are difficulties setting it up.
JerryS39Author Commented:
Yes both Linksys devices are set to 8080. Both ends say "waiting for connection". Trying disconnect then connect does not form a connection. Friday, I will probably reset / reconfigure the problem end. In the meantime, I have a third Linksys located at my house. I will try to set up a VPN betwen one or the other sites that are up. I will then try to connect using the Linksys QuickVPN software to see if eiter of them will let in a connection.
Rob WilliamsCommented:
Jerry, when I posted above I was thinking you were using 2 different makes of routers. I turn 50 this month, I guess my mind is starting to go. <G>
Actually connecting should be quite easy with similar units once basic connection is made to WAN side. Very odd you can connect to one WAN interface but not the other. Sounds like something is still blocking the traffic at one end.
JerryS39Author Commented:
Tommorrow I will be back on site, so I will reset the Netopia and reconfigure it . then I will make sure the Linksys configuration is set to the recommendations you gave. If there is still the connectivity issues, i will call SBC to see if they are blocking any ports.
JerryS39Author Commented:
The Netopia has been reset. Both ends say "waiting for connection". I can connect using the QuickVPN client, but before I can do anything, it drops from the connection.
JerryS39Author Commented:
Thanks to RobWill, I have deduced what you really need in the WRV54G configuration to make the VPN work. Both ends now have a "Disconnect" button. If only there was true documentation from the manufacturers.

                                                            Thanks again,
Rob WilliamsCommented:
Glad to hear you have finally been able to resolve. Sorry I haven't been available much the last 2 days. I agree, documentation is pretty scarce, and Linksys support is non-existent.
Thanks for the points,
JerryS39Author Commented:
            After testing the current config, the VPN is still not functioning. Sent you an email last nite. Let me know if you get it.
Rob WilliamsCommented:
I see a few things when I log on. #1 is very important and is likely the problem
1)  !!!!  On  x.x.x.214 under VPN configuration You have used a subnet mask of with subnet option. Needs to be changed to The other router is fine.

Everything else looks OK, but you may want to look at changing:
2) Highly recommend upgrading firmware to newest version, I believe 2.37
3) You do not need IPSec, PPTP, L2TP forwarding enabled. Disable that. It is for use with a VPN server behind the router such as a Windows VPN server
4) Your pre-shared key contains alpha-numeric characters. I don't know for sure but most require ASCII. If working great, but if not try using 1-0 and A-F
5) You have Access Restrictions enabled, but allow everyone at all times. Since there are no filters, you may want to simply disable access restrictions
6)  In the VPN configuration under advanced options, you might want to try aggressive mode (on both) rather than main mode. Aggressive is slightly less secure, but it will usually negotiate a connection more easily
7)  Some very odd quirks, of some services not working, have been reported when you enable NetBIOS broadcast in the advanced VPN configuration. You might want to try disabling
8)  Noticed you have only 5 DHCP addresses allowed. Nothing to do with connection, but is that enough?

Rob WilliamsCommented:
ps- If the above resolves the problem and there is no need for me to login again. Please change the access password.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.