_007

VPN on Netgear FVS336G

Hello- I have a netgear prosafe FVS336G firewall router that I VPN to using the built in web client (accessed via a dyndns updated IP).  When using the web client, I can only access the IPs attached to the router exclusively (and not any other websites, connections, etc).  This is not the experience I have with other VPNs.  I regularly need both Internet and connections to devices on this network simultaneously.

Can anyone guide me through setting up this connection so that it routes traffic only for the devices on that network to the VPN connection and others to my regular internet connection?  Or, alternatively, can the router be set to share its WAN traffic?

Thank you!
arnold

I am unfamiliar with the web client you mentioned and with the Netgear itself.

The question is whether you are trying to use the web client to access both the resources on the remote LAN as well as the internet versus using the web client to access the resources of the remote LAN while using your local web browser to access the internet?

What you need to look for in the configuration of the built-in VPN is that it secures only the netgear LAN IPs rather than all.
When the SSL VPN is established, look at the output from netstat -rn (system's routing table).
What you are looking to see is whether the VPN IP is reflected as the default gateway.  This will indicate whether the VPN policy is to secure all networks (forcing everything through the VPN) or whether the VPN secures just the remote LAN traffic.

My guess is that if you want all traffic flowing through the VPN, you would need to configure the netgear to pass traffic received via the VPN to get out to the net or use a proxy on the remote LAN as the passthrough of your requests.

Check which VPN configuration you are using, i.e. whether you are using full tunnel or split tunnel.

http://www.netgear.com/Products/VPNandSSL/WiredVPNFirewallRouters/FVS336G.aspx
http://tools.netgear.com/landing/gui/security/fvs336g/simulators/v_2.2.0_59.9/sslvpn_client.htm
You should change your SSL VPN to split tunnel by explicitly adding the LAN network segment while unchecking the Full tunnel support.






_007

ASKER

Hi- thanks for the reply.  I am looking to use the resources of the remote LAN while using my local web browser & connection to access the internet.

I set the full tunnel support off, which prevented any connection to a device on the remote network.  If I add the device IPs to the routing table, I can connect, but the local internet does not resolve.

Any ideas?

Thank you!
_007

ASKER

Also, the default gateway with netstat -rn is the VPN client, not the router. That is with full tunnel support off and a route added to the router IP.
Did you disconnect and reconnect after making this change?
Whenever the VPN IP is reflected as the default gateway, it means that all but the local traffic is sent through the VPN.
I.e. your Local LAN is 192.168.0.0/24 and the Netgear remote LAN is 192.168.1.0/24

Only traffic within the 192.168.0.0/24 will not go through the VPN when the default gateway is the VPN IP 192.168.1.x.

Please reference the example GUI I posted in the second link.
Using the prior example, the static route you need to have is:
192.168.1.0 255.255.255.0
The effect will be on your local system you will have a route
192.168.1.0 255.255.255.0 192.168.251.x
while the default gateway will remain 192.168.0.1.
This way only traffic bound for the remote resource will travel via the VPN while everything else will flow unsecured through your local router.

Post the netstat -rn from the client that establishes the VPN connection following the change.
_007

ASKER

Attached is a screen shot of the settings- I set a route at the VPN gateway.  The normal remote LAN range is 10.0.0.1-20, with 1 being the router.

Also attached is the netstat -rn -- default gateway is still the connection IP.

Thanks again for the help- I'm probably just missing something from above- my apologies if that is the case
vpn.gif
netstat.jpg
ASKER CERTIFIED SOLUTION
arnold
This solution is only available to members.
_007

ASKER

Changing the network from 10.0.0.1 to 10.0.0.0 did the trick.

Many Thanks!
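
Added example, not part of the thread: a Python sketch of the two checks discussed above, reading a `netstat -rn` table to see which traffic leaves through the VPN, and confirming that a static route's destination is a network address (the 10.0.0.1 versus 10.0.0.0 fix). The routing tables are constructed from the example addresses in the thread; the Windows-style column layout, the 192.168.251.0/24 client pool and the 255.255.255.0 mask for the 10.0.0.x LAN are assumptions.

```python
import ipaddress

# Constructed tables using the thread's example addresses (assumed columns:
# destination, netmask, gateway, interface, metric).
FULL = """0.0.0.0      0.0.0.0        192.168.251.1  192.168.251.10   1
0.0.0.0      0.0.0.0        192.168.0.1    192.168.0.50    25
192.168.0.0  255.255.255.0  On-link        192.168.0.50   281"""
SPLIT = """0.0.0.0      0.0.0.0        192.168.0.1    192.168.0.50    25
192.168.0.0  255.255.255.0  On-link        192.168.0.50   281
192.168.1.0  255.255.255.0  192.168.251.1  192.168.251.10   1"""
VPN_NET = ipaddress.ip_network("192.168.251.0/24")  # assumed VPN client pool

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each IPv4 route row."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or not f[4].isdigit():
            continue  # headers, separators, IPv6 rows
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[1]}")
        except ValueError:
            continue  # destination has host bits set or is not an address
        routes.append((net, f[2], f[3], int(f[4])))
    return routes

def via_vpn(routes, dest, vpn_net=VPN_NET):
    """Longest-prefix match, ties broken by lowest metric. True when the
    winning route uses the VPN adapter, None when nothing matches."""
    dest = ipaddress.ip_address(dest)
    hits = [r for r in routes if dest in r[0]]
    if not hits:
        return None
    best = max(hits, key=lambda r: (r[0].prefixlen, -r[3]))
    return ipaddress.ip_address(best[2]) in vpn_net

def normalize_route(dest, mask):
    """Return (network address, already_valid) for a static route entry."""
    iface = ipaddress.ip_interface(f"{dest}/{mask}")
    net_addr = iface.network.network_address
    return str(net_addr), iface.ip == net_addr

if __name__ == "__main__":
    for name, table in (("full", FULL), ("split", SPLIT)):
        r = parse_routes(table)
        print(name, "internet via VPN:", via_vpn(r, "203.0.113.5"),
              "| remote LAN via VPN:", via_vpn(r, "192.168.1.20"))
    print(normalize_route("10.0.0.1", "255.255.255.0"))
```

In the full-tunnel table the Internet-bound address resolves to the VPN adapter; in the split-tunnel table only the remote LAN does, which is the state the asker was after.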