Connect to internet without VPN connection

I put in a new router in a branch location. They have a modem for internet there. They have our router. Our router has been set up with site-to-site VPN. It seems that with this router they can't access the internet without being connected here. It used to be that no matter what, if the modem had internet then they had internet on their machines even if they couldn't connect here. This was actually pretty beneficial. Now if they are not connected to the site here then they don't have internet either. I have to have them plug a computer straight into the modem to get an internet connection to let me in. The previous router was very old, so there is nothing I could go and review setting by setting against the new router.
What am I missing? Has to be a setting in there that I have overlooked.
Jennifer (IT Director) asked:

Paul MacDonald (Director, Information Systems) commented:
There may be a setting in the router that forces all traffic through the VPN by causing the clients to use the default gateway on the remote network. Look for a setting that reads something like that and turn it off.
Jennifer (IT Director, author) commented:
I am not sure which setting this would relate to on a particular router. It is a TPLink R600 VPN. Any suggestions?
Jennifer (IT Director, author) commented:
I am still having this problem, does anyone else have any suggestions?

Akinsd (Network Administrator) commented:
You'll need to exclude internet traffic (port 80 or port 443) from traversing the VPN tunnel
This traffic should not be excluded from NAT.
Currently, it looks like all your traffic is excluded from NAT and routed through the tunnel
The router you placed is after the modem; what is the configuration on the router that you placed there? You may have left a static route from your testing such that it directs traffic to an IP that does not exist unless the VPN is up, which was pointed out.

A router can be configured in many ways, a site to site usually does not "secureAllNetworks" so it seems the issue is a misconfiguration on the router itself.
Brian B (EE Topic Advisor, Independent Technology Professional) commented:
Before you try and allow the branch office to browse the internet directly without going through the VPN, make sure that head office is okay with that. Head office may have other web controls like security, filtering or tracking that they want the branch office to use. So they may want all traffic to go over the VPN.
Jennifer (IT Director, author) commented:
Thank you Akinsd I will take a look but I don't think that is the case.
Arnold, it may be a configuration on the router that needs to be changed; however, I am not finding the place to change it. This router is set up the same as the other branch office I have and I don't have the problem with the other router. They are different routers. That is why I asked if anyone was familiar with the TPLink R600 VPN router.
Brian B, I am the head office.

They should not lose internet to their office if the VPN tunnel is down. If the VPN tunnel goes down then they should not be connected here, agreed. This doesn't mean that they shouldn't have internet there. I need them to have internet whether they are connected here or not.
The issue on the remote site is that they might have a static route directing all traffic through the VPN.

Look at the routing table to see where the default route points.
Jennifer (IT Director, author) commented:
I will take a look. I have to set up another of the exact same router so I will pay attention to it as well.
On the router, when the VPN is off, look at the routing table.
You may have a static route that directs all traffic to the other side of the VPN by IP.

What type of VPN do you establish between this location and the remote? PPTP?
Jennifer (IT Director, author) commented:
I will have to take a look. I can't turn the VPN off during normal hours or the users will not have access to our system.

I am using Site-to-Site VPN, Cisco ASA5510 on this side, and as I said previously TP-Link R600 VPN router on the other side.
Double check the VPN configuration. Are you setting the VPN to be the sole means of communication to the net?
Based on your info, it sounds more like you have a remote VPN configuration rather than a site-to-site VPN.

Please check the VPN configuration on each side and masquerade the public IPs as needed.
Jennifer (IT Director, author) commented:
I have yet to figure out how to pull the running config for the TPLink. I can screen shot each page but that is it right now. I have put in a ticket with TPLink to see how to telnet to the equipment.

What part of the ASA running config would you want to see? I have attached the IPsec sa and the running tunnel group.

If I show static routes the only one is the main static for connection.

Side note, I did disable VPN on one of the routers. I could no longer connect to any of their equipment and they could no longer connect here nor could they connect to the internet.
Do you have access to the router when it is not connected to you? One thing to check is whether there is a default route defined that is not tied to the VPN.

The only other possibility is that the clients on the network all have your HQ office DNS servers defined, without which they cannot resolve any domain name.

Have them try to access a site (e.g., the Experts Exchange site) while the VPN is off.

Prior to the configuration of the VPN, were they able to access the internet?

What is the source of IPs/DNS servers on the LAN?
Check those settings just to be sure. I do not believe it is an issue with your VPN.
Jennifer (IT Director, author) commented:
There are no static routes on either. Your DNS comment brought up a good point. One location used to have its own DNS server. It does not now, so the only active DNS connection on each machine is here. I will adjust the DNS on each of the machines and test to see if this fixes the problem.
Jennifer (IT Director, author) commented:
So each of the machines points to both HQ DNS servers. I have two controllers. These locations do not have their own DNS server. So is it best to say, sorry, you have no internet if you can't connect to the HQ, or is there some way I can set up a connection for them without the cost of putting a DC in each location?
Double check whether they can use their internet provider's DNS, though they will run into issues on the other end when dealing with resources when the VPN is established.

What resources are available at the remote location? An older system with Linux can be set up with a DNS server that includes a forwarder for the AD domain... It can be set up in a virtual environment as well.
Jennifer (IT Director, author) commented:
The routers are using the ISP static IP and DNS, so I would assume I could use that in place of my second DNS...
I don't really have any extra resources at either location, nor do I have any I can send. I think it happens so infrequently that if there isn't an easy solution then I will leave it as is. Having an internet connection when the VPN is not connected would help me to troubleshoot issues, but like I said it doesn't happen that often, so I think they can go without if needed.
Akinsd (Network Administrator) commented:
As it stands, all the traffic is traversing the VPN. You need to exclude web traffic from traversing the VPN. Research and implement split tunneling in your VPN policy.
Jennifer (IT Director, author) commented:
I assume you are referring to doing this in the router at the branch...I am not sure how doing this in the firewall would help. I understand what you are saying and I can research but that is one of the reasons I was asking here...

They have a modem, they have a router, they have computers and those computers have that router as their gateway, their router has a static route to the modem, and their router has a VPN tunnel set up that connects to the firewall here. If I completely take out the VPN tunnel within the router, should they not be able to connect to the internet?

Maybe it just isn't possible with this router. I can't even pull a config file from it.
Akinsd (Network Administrator) commented:
"If I completely take out the VPN tunnel within the router should they not be able to connect to the internet?"

Yes, they should be able to connect to the internet if you remove the VPN connection. It's possible for the tunnel to go down but still have policies set. It means the bridge they're supposed to cross is down and they will have a connection neither to your firewall nor to the internet. A reset of the router should get them connected to the internet. If the router does not have split tunnel configuration, then you will need to get one that does.
The images of the policies you posted all appear to be standard LAN-to-LAN policies and do not appear to reflect a SecureAll tunnel scheme.
One thing to check on the TPlink setup is what DNS server the DHCP server is pushing to the clients.
I think in a prior comment you answered that the workstations at the branch all point to the HQ DNS, which can be queried only when the VPN is established. I thought you were changing that. Realize that depending on how those settings are set, it will be more or less difficult to fix. I.e., if this is a LAN DHCP setting where the HQ DNS servers are entered to be set on the client, making the change will be in effect after the next reboot or network disconnect of the client.
If, however, those entries were set statically, you could use netsh to remotely switch them...
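A small diagnostic, added here as an illustration and not from any poster in this thread, that encodes the three checks raised above: a default route that points at a gateway behind the tunnel (Paul MacDonald's point), a VPN policy that carries 0.0.0.0/0 instead of a split-tunnel LAN-to-LAN pair (Akinsd's point), and resolvers that are only reachable once the tunnel is up (the DNS point). All addresses and the sample branch configuration are constructed, not taken from the poster's network.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


def behind_tunnel(addr, policies):
    """True if addr lies in a remote network the VPN policy sends through the tunnel."""
    return any(ip_address(addr) in ip_network(remote) for _local, remote in policies)


def tunnel_dependencies(routes, dns_servers, policies):
    """Return the ways a branch's internet access depends on the site-to-site tunnel.

    routes:      (destination, gateway) pairs from the branch router's routing table
    dns_servers: resolver addresses the branch clients are configured with
    policies:    (local_net, remote_net) pairs describing the tunnel's "interesting traffic"
    """
    findings = []
    # Check 1: the default route is handed to a gateway that only exists across the tunnel.
    for dest, gateway in routes:
        if ip_network(dest) == ANY and behind_tunnel(gateway, policies):
            findings.append("default route points at a gateway behind the tunnel")
    # Check 2: the policy carries all traffic, i.e. there is no split tunnel.
    if any(ip_network(remote) == ANY for _local, remote in policies):
        findings.append("VPN policy sends 0.0.0.0/0 through the tunnel (no split tunnel)")
    # Check 3: every resolver the clients know about sits on the far side of the tunnel.
    if dns_servers and all(behind_tunnel(d, policies) for d in dns_servers):
        findings.append("all DNS servers are reachable only through the tunnel")
    return findings


# Constructed sample resembling the thread: a LAN-to-LAN policy and an ISP default
# route, but both resolvers are the HQ domain controllers (hypothetical addresses).
HQ_LAN, BRANCH_LAN = "10.10.0.0/24", "10.20.0.0/24"
ROUTES = [("0.0.0.0/0", "203.0.113.1"), (BRANCH_LAN, "0.0.0.0")]
LAN_TO_LAN = [(BRANCH_LAN, HQ_LAN)]
HQ_DNS = ["10.10.0.5", "10.10.0.6"]

if __name__ == "__main__":
    cases = (("as described", HQ_DNS), ("with ISP resolver added", HQ_DNS + ["203.0.113.53"]))
    for label, dns in cases:
        print(label, tunnel_dependencies(ROUTES, dns, LAN_TO_LAN) or ["independent of tunnel"])
```

With the sample as described only the DNS finding fires, which matches the thread's conclusion; adding a resolver outside the tunnel clears it.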

Jennifer (IT Director, author) commented:
Everything is static, no DHCP. I didn't change the DNS because I can't afford for them to have issues with the VPN. The VPN tunnel is more important than them having access to the internet when not connected to the VPN. This is/was all just trying to figure out why, after switching to a new router, they could no longer connect to the internet without having a connection here too.

The work around is...if they lose connection here but still need internet...
disable IPsec, change the router to DHCP, change each machine to auto IP configuration including DNS, reboot the modem, reboot the router... I believe this is what did it last time. This just sucks because I then have to reconfigure everything back once they reconnect.

As I can't have them not connected here, it is hard to test, and them not having internet if they can't connect here is not of greater importance.

Thanks for the info but I am going to leave as is for now.