Mark Recob (United States of America) asked:
Linux backup system and VPN connectivity issues

My work network is 10.1.x.x. My home network is 192.168.10.x. I have a TP-Link TL-ER604W router that maintains an always-on IPSec VPN connection to my work SonicWall firewall using IKE. I can ping any IP address at work from home and any IP address at home from work. It has been working fine for a year. I recently put together a backup system consisting of a Dell Optiplex running CentOS (IP with a WD DL4100 NAS (IP that connects to the Dell with iSCSI. The Dell is running a software version of the WD Arkeia backup. I have an Arkeia appliance at work as well. Once I fill up the Dell/NAS with backups from the Arkeia appliance, I intend to take those two devices home to fill the role of cloud backup away from work and replicate to them. I would like to just take the Dell/NAS home and connect them to my home network with no IP changes, since it would be convenient to be able to take the Dell/NAS back and forth, but this will not work. I tested it by taking a laptop home and assigning it IP I was hoping, since I could ping both ways, that I could ping to or from but since this is not on my home network, the packets don't know where to go. Is there any way to configure my home router to allow the Dell/NAS systems to communicate without changing them to my home IP network scheme? I know if I changed the Dell/NAS boxes to 192.168.10.x it would work fine from home. I do not know Linux very well, so making these IP address changes is difficult for me, especially if I end up taking it back to work now and then.
Duncan Roe (Australia)

Networks 10/8 and 192.168/16 are reserved for private use - see for instance Wikipedia.
Either is fine for home use - could you change over to using network 10 at home? You might want to use the same netmask as your work - people often use the "default" but is valid for network 10.
You could run net 10 on a 2nd NIC if you have one - but I'm guessing you don't.
It's really not feasible to mix 192.168 traffic with 10 traffic on the same cable.
Mark Recob
The VPN allows me to mix the traffic. From my home PC, I can ping my backup unit at work with no problem. I can also do the reverse from work to home. What I cannot do is put a device at home on and ping any IP at work, 10.1.x.x. I worry that changing my home network to the same as work might confuse my hardware VPN at home.
If you can do that, you must have a route configured to 10.1.x.x from home to work via the VPN. The VPN is one internet interface: your regular home LAN is another.
You can have your home LAN use the same network number as work (I did that at one time) but you have to be careful with routing (and with host numbers - avoid clashes).
What you have to do is have host routes for all devices at home. Everything else to 10.1.x.x goes down the VPN.
You have to add / remove the host route for your backup unit as you move it from one location to the other.
The backup unit itself can be left alone (no reconfiguration needed).
The problem I see is that there is no physical 10.1.x.x interface on my home router for the VPN to connect devices. I have a laptop at home as a substitute for my backup devices for troubleshooting purposes. If I give the laptop a static IP of those packets have nowhere to go. Can I assume by "host routes" you mean static routes in my home router? I do not see how a static route would work if I have no 10.1.x.x interface for my laptop/backup unit to connect to. There are all sorts of warnings on the net about having the same network on both sides of a VPN. Most say this will not work, and it would be considerable trouble to reconfigure all devices at home.
"There are all sorts of warnings on the net about having the same network on both sides of a VPN" - could you post a few URLs please?
I don't see anything special about a VPN compared to any other kind of network interface.
If your home network has the same network ID as the network available through the VPN, then you need to configure the endpoint of the VPN  not to forward packets destined for devices on your home network.
Can you configure your "hardware VPN" to do that?
Assuming you can, you would need to reconfigure treatment of the backup unit as it moves between home and work.
A totally alternative approach is to have a second system on your network acting as a router and have a separate LAN just for the backup device. Using NAT, the backup device could be given, say, a 192.168.11 address for all other systems on your home network. The new system could be a router or a PC with 2 NICs. Since the backup unit is the only device on the new network apart from the router, you could connect it with a crossover cable.
I tried something like this yesterday. I bought a second router and gave it a WAN ip from my first router's LAN ( and a LAN IP of My laptop on that second LAN has I added a static route to the first router but packets still will not go through from the second router to through the VPN to any IP at work. The second router can access the Internet no problem. After doing this the first router can still ping work except for 10.1.4.x. The thing I cannot figure out is how to get the second router to use the first router's vpn interface.
Leave your laptop on
NAT the backup unit to look like another host on
The whole point of this exercise is to keep from having to change the IP addresses of the 10.1.4.x backup unit and storage. For sure if I change the backup units to 192.168.10.x that will work fine but making this change in two linux boxes with iSCSI connection is not trivial and I prefer not to do it if possible every time the box moves from work to home and vice versa. The laptop is acting as a stand in for the backup units which are at work now being filled up so the laptop must have an IP in 10.1.4.x and be able to contact work on 10.1.1.x.
I did not suggest you change the IP addresses of the 10.1.4.x backup unit (and storage, which I hadn't realised you have as well).
In your new router, use NAT (Network Address Translation) to make these systems appear to be hosts on your home network.
That sounds interesting, but if my second router has a WAN IP of and LAN IPs of 10.1.4.x, I am not sure how to configure my router to maintain those addresses yet make (backup PC and storage unit) appear as This should work for my test laptop as well if I can figure out how to do it. I should mention that the storage unit is an iSCSI target for the backup PC. I think what you might be talking about is One-to-One NAT. This article talks about public-to-private one-to-one, but since I am using a second router, I think this should work for private to a different private network. What do you think?
The devices behind the new router will not be visible as separate devices. You always connect to (the address of the router). DNAT (destination NAT) will translate this destination address depending on the port you specified in the call.
You also need SNAT (source NAT) to modify the source addresses of packets leaving interface
The above terminology is from Linux iptables, which is the router I'm familiar with. I expect TP-Link can do much the same thing.
Alternatively you can make one interface host multiple IP addresses. That might be what 1:1 NATting does. I could set it up on a Linux system but don't know TP-Link routers.
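The second-router design from earlier in the thread and the DNAT/SNAT rules described just above, written out for a Linux box with two NICs standing in for "router2". This is an added example, not Duncan's or the TP-Link/Netgear configuration; the interface names (eth0, eth1), the backup PC and NAS addresses (10.1.4.20, 10.1.4.21), and the home-side alias addresses (192.168.10.20, 192.168.10.21) are constructed placeholders. The script prints the commands by default (DRY_RUN=1) so the rule set can be reviewed without root; DRY_RUN=0 applies them.

```shell
#!/bin/sh
# Added example (not from the thread): a two-NIC Linux box as the second router,
# so the backup PC and its iSCSI NAS keep their 10.1.4.x work addresses.
# Every interface name and address below is a constructed placeholder.

HOME_IF="${HOME_IF:-eth0}"      # toward the 192.168.10.x home LAN and router1 (the VPN endpoint)
BACKUP_IF="${BACKUP_IF:-eth1}"  # isolated LAN holding only the backup PC and NAS (10.1.4.x)
HOME_PREFIX="${HOME_PREFIX:-24}"

# DRY_RUN=1 (default) prints each command instead of executing it, so the rule
# set can be checked without root or a real router; DRY_RUN=0 applies it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# one_to_one_nat REAL SEEN_AS
# Makes the device with address REAL on the backup LAN appear on the home LAN as
# SEEN_AS: a secondary address on HOME_IF (so the router answers ARP for it),
# DNAT for packets arriving for SEEN_AS, and SNAT so packets from REAL leave
# wearing SEEN_AS. Forwarding is opened only for that one host pair.
one_to_one_nat() {
    real=$1
    seen_as=$2
    if [ -z "$real" ] || [ -z "$seen_as" ]; then
        echo "usage: one_to_one_nat REAL_IP SEEN_AS_IP" >&2
        return 1
    fi
    run ip addr add "$seen_as/$HOME_PREFIX" dev "$HOME_IF"
    run iptables -t nat -A PREROUTING -i "$HOME_IF" -d "$seen_as" -j DNAT --to-destination "$real"
    run iptables -t nat -A POSTROUTING -o "$HOME_IF" -s "$real" -j SNAT --to-source "$seen_as"
    run iptables -A FORWARD -i "$HOME_IF" -o "$BACKUP_IF" -d "$real" -j ACCEPT
    run iptables -A FORWARD -i "$BACKUP_IF" -o "$HOME_IF" -s "$real" -j ACCEPT
}

setup_router2() {
    run sysctl -w net.ipv4.ip_forward=1
    # Default deny between the two LANs; allow replies to anything already mapped.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The NAS is a separate host from the backup PC, so it needs its own mapping.
    # iSCSI traffic between the two stays on the backup LAN and is never translated.
    one_to_one_nat 10.1.4.20 192.168.10.20   # constructed: backup PC (Dell)
    one_to_one_nat 10.1.4.21 192.168.10.21   # constructed: NAS (iSCSI target)
}

setup_router2
```

With these rules a home PC, or a work host coming through the VPN, reaches the backup PC by addressing 192.168.10.20, which already falls inside the home subnet that router1's tunnel carries; router2 rewrites it to 10.1.4.20 on the way in and back to 192.168.10.20 on the way out, so nothing on the Dell or NAS changes. Moving the pair back to work means only tearing these rules down on router2.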
Sadly I have little knowledge of Linux. I picked up a Netgear FVS318G VPN Firewall that the manual says will do one-to-one NAT. I will see how that works next.
Work System on SonicWall =
SonicWall to router1 VPN set up so pings go both ways

router1 LAN = GW = WAN = Comcast IP
Home System on router1 =

router2 LAN = WAN =
router2 1to1 Incoming firewall rule says send to
Home Laptop on router 2 LAN =

I can ping from Home System through router2 to Home Laptop (the 1to1 mapping is working),
and I can ping from Work System (and other router1 IPs, so the VPN is working fine),
but I cannot ping from Work System (this makes no sense, but even if it did work it would not solve my goal of pinging from work, though I might be able to set up a 1to1 mapping for this in the SonicWall).

It would be a lot of trouble, since I do not know Linux well, to set up a Linux box with IPchains doing what router2 is doing, but the above tells me it would not work either. There seems to be a disconnect between the VPN tunnel in router1 and the router2 1to1 mapping. Also, I tried several static routes in router1 that did not work.

I am coming to the conclusion that it would be less trouble to produce a document with all the necessary steps to change IPs in my backup computer and its NAS. What do you think?
Duncan Roe (Australia)

Create an account to see this answer
Even if I spent more time investigating where the pings go wrong, I would still be left with routers that need to be configured differently to allow connectivity, which at this point I am not sure is possible. I think I have spent enough time on this. I thank you, Duncan, for your assistance. I will accept your last message as the "solution".