VPN on Netgear FVS336G

_007
Hello- I have a Netgear ProSafe FVS336G firewall router that I VPN to using the built-in web client (accessed via a DynDNS-updated IP). When using the web client, I can only access the IPs attached to the router exclusively (and not any other websites, connections, etc.). This is not the experience I have with other VPNs. I regularly need both Internet and connections to devices on this network simultaneously.

Can anyone guide me through setting up this connection so that it routes traffic only for the devices on that network to the VPN connection and others to my regular internet connection?  Or, alternatively, can the router be set to share its WAN traffic?

Thank you!
Distinguished Expert 2017

Commented:
I am familiar with neither the web client you mentioned nor the Netgear itself.

The question is whether you are trying to use the web client to access both the resources on the remote LAN as well as the internet versus using the web client to access the resources of the remote LAN while using your local web browser to access the internet?

What you need to look for in the configuration of the built-in VPN is that it secures only the netgear LAN IPs rather than all.
When the SSL VPN is established, look at the output from netstat -rn (system's routing table).
What you are looking to see is whether the VPN IP is reflected as the default gateway.  This will indicate whether the VPN policy is to secure all networks (forcing everything through the VPN) or whether the VPN secures just the remote LAN traffic.

My guess is that if you want all traffic flowing through the VPN, you would need to configure the netgear to pass traffic received via the VPN to get out to the net or use a proxy on the remote LAN as the passthrough of your requests.

Check which VPN configuration you are using, i.e. whether you are using full tunnel or split tunnel.

http://www.netgear.com/Products/VPNandSSL/WiredVPNFirewallRouters/FVS336G.aspx
http://tools.netgear.com/landing/gui/security/fvs336g/simulators/v_2.2.0_59.9/sslvpn_client.htm
You should change your SSL VPN to split tunnel by explicitly adding the LAN network segment while unchecking the Full tunnel support.






Author

Commented:
Hi- thanks for the reply.  I am looking to use the resources of the remote LAN while using my local web browser & connection to access the internet.

I set the full tunnel support off, which prevented any connection to a device on the remote network.  If I add the device IPs to the routing table, I can connect, but the local internet does not resolve.

Any ideas?

Thank you!

Author

Commented:
Also, the default gateway with netstat -rn is the VPN client, not the router. That is with full tunnel support off and a route added to the router IP.

Distinguished Expert 2017

Commented:
Did you disconnect and reconnect after making this change?
Whenever the VPN IP is reflected as the default gateway, it means that all but the local traffic is sent through the VPN.
I.e., your local LAN is 192.168.0.0/24 and the Netgear remote LAN is 192.168.1.0/24.

Only traffic within the 192.168.0.0/24 will not go through the VPN when the default gateway is the VPN IP 192.168.1.x.

Please reference the example GUI I posted in the second link.
Using the prior example, the static route you need to have is:
192.168.1.0 255.255.255.0
The effect will be that on your local system you will have a route:
192.168.1.0 255.255.255.0 192.168.251.x
while the default gateway will remain 192.168.0.1.
This way only traffic bound for the remote resource will travel via the VPN while everything else will flow unsecured through your local router.

Post the netstat -rn from the client that establishes the VPN connection following the change.

Author

Commented:
Attached is a screen shot of the settings- I set a route at the VPN gateway.  The normal remote LAN range is 10.0.0.1-20, with 1 being the router.

Also attached is the netstat -rn -- default gateway is still the connection IP.

Thanks again for the help- I'm probably just missing something from above- my apologies if that is the case
vpn.gif
netstat.jpg
Distinguished Expert 2017
Commented:
What is the local network behind the netgear?
You have the VPN client IPs as 10.0.1.1-5 (you should not use the same VPN IP as you use on the LAN).
The network you should define as 10.0.1.0 255.255.255.0. Change the VPN IP to be something else, 192.168.251.x, and see if it makes a difference.
I think because your static route is invalid, the full tunnel applies.

Author

Commented:
Changing the network from 10.0.0.1 to 10.0.0.0 did the trick.

Many Thanks!
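
The two checks discussed in this thread, as an added example (not code from any participant or from Netgear): classify a client's netstat -rn output as full or split tunnel by which interface carries the preferred default route, and verify that a static route's destination is a true network address for its mask. The routing tables are constructed samples in the Windows column layout using the thread's example addresses; the VPN address pool 192.168.251.0/24 and all function names are assumptions.

```python
import ipaddress

# Constructed samples of the IPv4 section of Windows `netstat -rn` output.
# Addresses follow the thread's example; they are not the poster's real table.
SPLIT_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.50      25
      192.168.0.0    255.255.255.0          On-link    192.168.0.50     281
      192.168.1.0    255.255.255.0    192.168.251.1   192.168.251.2       1
"""
FULL_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.50      25
          0.0.0.0          0.0.0.0    192.168.251.1   192.168.251.2       1
      192.168.0.0    255.255.255.0          On-link    192.168.0.50     281
"""

def parse_routes(text):
    """Return (dest, mask, gateway, interface, metric) tuples from netstat -rn text."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or not f[4].isdigit():
            continue  # header, blank or non-route line
        try:
            ipaddress.IPv4Address(f[0]), ipaddress.IPv4Address(f[1])
        except ValueError:
            continue  # not an IPv4 route row
        routes.append((f[0], f[1], f[2], f[3], int(f[4])))
    return routes

def tunnel_mode(text, vpn_pool):
    """'full' if the lowest-metric default route leaves via a VPN address, else 'split'."""
    pool = ipaddress.ip_network(vpn_pool)
    defaults = [r for r in parse_routes(text) if r[0] == r[1] == "0.0.0.0"]
    if not defaults:
        return "no-default-route"
    best = min(defaults, key=lambda r: r[4])  # lowest metric wins
    return "full" if ipaddress.ip_address(best[3]) in pool else "split"

def check_static_route(dest, mask):
    """Return None if dest is a valid network address for mask, else the corrected one."""
    try:
        ipaddress.ip_network(f"{dest}/{mask}")  # strict mode rejects set host bits
        return None
    except ValueError:
        fixed = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        return str(fixed.network_address)
```

check_static_route("10.0.0.1", "255.255.255.0") returns "10.0.0.0", the same correction that resolved the thread.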
