Linux backup system and VPN connectivity issues

My work network is 10.1.x.x. My home network is 192.168.10.x. I have a TP-Link TL-ER604W router that maintains an always-on IPSec VPN connection to my work Sonicwall firewall using IKE. I can ping any IP address at work from home and any IP address at home from work. It has been working fine for a year. I recently put together a backup system consisting of a Dell Optiplex running CentOS (IP 10.1.4.60) with a WD DL4100 NAS (IP 10.1.4.61) that connects to the Dell with iSCSI. The Dell is running a software version of the WD Arkeia backup. I have an Arkeia appliance at work as well. Once I fill up the Dell/NAS with backups from the Arkeia appliance I intend to take those two devices home to fill the role of cloud backup away from work and replicate to them. I would like to just take the Dell/NAS home and connect them to my home network with no IP changes, since it would be convenient to be able to take the Dell/NAS back and forth, but this will not work. I tested it by taking a laptop home and assigning it IP 10.1.4.100. I was hoping, since I could ping both ways, that I could ping to or from 10.1.4.100, but since this is not on my home network, the packets don't know where to go. Is there any way to configure my home router to allow the Dell/NAS systems to communicate without changing them to my home IP network scheme? I know if I changed the Dell/NAS boxes to 192.168.10.x it would work fine from home. I do not know Linux very well, so making these IP address changes is difficult for me, especially if I end up taking it back to work now and then.
Mark Recob, IT Manager, asked:
Duncan Roe, Software Developer, commented:
Networks 10/8 and 192.168/16 are reserved for private use - see for instance Wikipedia.
Either is fine for home use - could you change over to using network 10 at home? You might want to use the same netmask as your work - people often use the 255.255.255.0 "default" but 255.0.0.0 is valid for network 10.
You could run net 10 on a 2nd NIC if you have one - but I'm guessing you don't.
It's really not feasible to mix 192.168 traffic with 10 traffic on the same cable.
Mark Recob, IT Manager, Author, commented:
The VPN allows me to mix the traffic. From my home PC, 192.168.10.2, I can ping my backup unit at work, 10.1.4.60, with no problem. I can also do the reverse from work to home. What I cannot do is put a device at home on 10.1.4.70 and ping any IP at work, 10.1.x.x. I worry that changing my home network to the same as work might confuse my hardware VPN at home.
Duncan Roe, Software Developer, commented:
If you can do that, you must have a route configured to 10.1.x.x from home to work via the VPN. The VPN is one internet interface: your regular home LAN is another.
You can have your home LAN use the same network number as work (I did that at one time) but you have to be careful with routing (and with host numbers - avoid clashes).
What you have to do is have host routes for all devices at home. Everything else to 10.1.x.x goes down the VPN.
You have to add / remove the host route for your backup unit as you move it from one location to the other.
The backup unit itself can be left alone (no reconfiguration needed).
Mark Recob, IT Manager, Author, commented:
The problem I see is that there is no physical 10.1.x.x interface on my home router for the VPN to connect devices. I have a laptop at home as a substitute for my backup devices for troubleshooting purposes. If I give the laptop a static IP of 10.1.4.101 those packets have nowhere to go. Can I assume by "host routes" you mean static routes in my home router? I do not see how a static route would work if I have no 10.1.x.x interface for my laptop/backup unit to connect to. There are all sorts of warnings on the net about having the same network on both sides of a VPN. Most say this will not work and would be considerable trouble to reconfigure all devices at home.
Duncan Roe, Software Developer, commented:
"There are all sorts of warnings on the net about having the same network on both sides of a VPN" - could you post a few URLs please?
I don't see anything special about a VPN compared to any other kind of network interface.
If your home network has the same network ID as the network available through the VPN, then you need to configure the endpoint of the VPN not to forward packets destined for devices on your home network.
Can you configure your "hardware VPN" to do that?
Assuming you can, you would need to reconfigure treatment of the backup unit as it moves between home and work.
Duncan Roe, Software Developer, commented:
A totally alternative approach is to have a second system on your network acting as a router and have a separate LAN just for the backup device. Using NAT, the backup device could be given, say, a 192.168.11 address for all other systems on your home network. The new system could be a router or a PC with 2 NICs. Since the backup unit is the only device on the new network apart from the router, you could connect it with a crossover cable.
Mark Recob, IT Manager, Author, commented:
I tried something like this yesterday. I bought a second router and gave it a WAN IP from my first router's LAN (192.168.10.2) and a LAN IP of 10.1.4.100. My laptop on that second LAN has 10.1.4.101. I added a static route to the first router but packets still will not go from the second router through the VPN to any IP at work. The second router can access the Internet no problem. After doing this the first router can still ping work except for 10.1.4.x. The thing I cannot figure out is how to get the second router to use the first router's VPN interface.
Duncan Roe, Software Developer, commented:
Leave your laptop on 192.168.10.0/24
NAT the backup unit to look like another host on 192.168.10.0/24
Mark Recob, IT Manager, Author, commented:
The whole point of this exercise is to keep from having to change the IP addresses of the 10.1.4.x backup unit and storage. For sure if I change the backup units to 192.168.10.x that will work fine, but making this change in two Linux boxes with an iSCSI connection is not trivial and I prefer not to do it if possible every time the box moves from work to home and vice versa. The laptop is acting as a stand-in for the backup units, which are at work now being filled up, so the laptop must have an IP in 10.1.4.x and be able to contact work on 10.1.1.x.
Duncan Roe, Software Developer, commented:
I did not suggest you change the IP addresses of the 10.1.4.x backup unit (and storage, which I hadn't realised you had as well).
In your new router, use NAT (Network Address Translation) to make these systems appear to be hosts on your home network 192.168.10.0/24.
Mark Recob, IT Manager, Author, commented:
That sounds interesting but if my second router has a WAN ip of 192.168.10.2 and LAN ips of 10.1.4.x, I am not sure how to configure my router to maintain those addresses yet make 10.1.4.60/61 (backup pc and storage unit) appear as 192.168.10.60/61. This should work for my test laptop as well if I can figure out how to do it. I should mention that the storage unit is an iSCSI target for the backup PC. I think what you might be talking about is One to One NAT. This article talks about public to private one to one but since I am using a second router, I think this should work for private to different private. What do you think?
http://www.tp-link.com/lk/article-381.html
Duncan Roe, Software Developer, commented:
The devices behind the new router will not be visible as separate devices. You always connect to 192.168.10.2 (the address of the router). DNAT (destination NAT) will translate this destination address depending on the port you specified in the call.
You also need SNAT (source NAT) to modify the source addresses of packets leaving interface 192.168.10.2.
The above terminology is from Linux iptables, which is the router I'm familiar with. I expect TP-Link can do much the same thing.
Duncan Roe, Software Developer, commented:
Alternatively you can make one interface host multiple IP addresses. That might be what 1:1 NATting does. I could set it up on a Linux system but don't know TP-Link routers.
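The two ideas above (DNAT/SNAT in iptables, and one interface holding several addresses) combined into one script, as an added example that is not from the thread: a Linux box with two NICs standing in for "router2". Assumed names: `UP` is the NIC toward router1 on 192.168.10.0/24, `DOWN` is the NIC on the 10.1.4.0/24 backup LAN; the mappings reuse the thread's test addresses. The script only prints the commands so they can be reviewed before being applied.

```shell
#!/bin/bash
# Added example, not from the thread: 1:1 NAT on a Linux "router2" with two NICs.
# Each mapping is OUTSIDE=INSIDE: traffic sent to the outside alias is rewritten to the
# real 10.1.4.x host, and the host's own traffic leaves as the alias, so router1 and the
# work side only ever see 192.168.10.x addresses (the prefix the VPN already carries).
UP=${UP:-eth0}        # assumed: NIC toward router1 / the VPN
DOWN=${DOWN:-eth1}    # assumed: NIC on the backup-device LAN
MAPPINGS="192.168.10.60=10.1.4.60 192.168.10.61=10.1.4.61 192.168.10.110=10.1.4.110"

# Emit the commands for one mapping instead of running them (dry run for review).
nat_rules_for() {
    local outside=$1 inside=$2
    # the alias must exist on UP so router1 can ARP for it and deliver VPN traffic here
    echo "ip addr add ${outside}/24 dev ${UP}"
    # inbound: anything addressed to the alias goes to the real 10.1.4.x host (all ports)
    echo "iptables -t nat -A PREROUTING -i ${UP} -d ${outside} -j DNAT --to-destination ${inside}"
    # outbound: the real host's own traffic leaves as the alias
    echo "iptables -t nat -A POSTROUTING -o ${UP} -s ${inside} -j SNAT --to-source ${outside}"
    # forwarding is default-deny below; open only the mapped host, in each direction
    echo "iptables -A FORWARD -i ${UP} -o ${DOWN} -d ${inside} -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -A FORWARD -i ${DOWN} -o ${UP} -s ${inside} -j ACCEPT"
}

nat_rules() {
    local m
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for m in $MAPPINGS; do
        nat_rules_for "${m%%=*}" "${m##*=}"
    done
}

# 3 global lines plus 5 per mapping: a quick check that every mapping was expanded
nat_rule_count() { nat_rules | wc -l | tr -d ' '; }
```

Review with `nat_rules`, then apply as root with `nat_rules | sh`. The inside host must still send its 10.1.x.x traffic to this box as its gateway: with the work netmask 255.255.0.0 it would treat 10.1.1.50 as on-link and never hand the reply to router2, so at home it needs a /24 mask or a specific route.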
Mark Recob, IT Manager, Author, commented:
Sadly I have little knowledge of Linux. I picked up a Netgear FVS318G VPN Firewall that the manual says will do one to one NAT. I will see how that works next.
Mark Recob, IT Manager, Author, commented:
Work System on Sonicwall = 10.1.1.50 255.255.0.0
Sonicwall to router1 VPN set up so pings go both ways

router1 LAN = 192.168.10.0 GW=192.168.10.1 WAN = Comcast IP
Home System on router1 = 192.168.10.101

router2 LAN = 10.1.4.0 WAN = 192.168.10.2
router2 1to1 Incoming firewall rule says send 192.168.10.110 to 10.1.4.110
Home Laptop on router 2 LAN = 10.1.4.110

I can ping 192.168.10.110 from Home System through router2 to Home Laptop (the 1to1 mapping is working)
and I can ping 192.168.10.60 from Work System (and other router1 IPs so VPN is working fine)
but I cannot ping 192.168.10.110 from Work System (this makes no sense, but even if it did work it would not solve my goal of pinging 10.1.4.101 from work, though I might be able to set up a 1to1 mapping for this in the Sonicwall).

It would be a lot of trouble, since I do not know Linux well, to set up a Linux box with IPchains doing what router2 is doing, but the above tells me it would not work either. There seems to be a disconnect between the VPN tunnel in router1 and the router2 1to1 mapping. Also, I tried several static routes in router1 that did not work.

I am coming to the conclusion that it would be less trouble to produce a document with all the necessary steps to change IPs in my backup computer and its NAS. What do you think?
Duncan Roe, Software Developer, commented:
How you set IP addresses on a Linux system varies with distribution (Red Hat, Suse, Slackware, Ubuntu, Debian, ...) but they pretty much all have a script file or files to set it up. You would want to make an alternative script file for home use and have a command to copy in the right script for the system's location.

As for the end-to-end ping, if you wanted to pursue it further I'd suggest investigating whether it is the ping itself or the reply that gets lost. Perhaps you could observe on your laptop whether the ping arrives (maybe with Wireshark, which I don't myself use because I prefer tcpdump, but you won't have that on a Windows system).
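The "alternative script file per location" approach above, as an added example that is not from the thread: a small shell helper that installs a CentOS-style `ifcfg-eth0.<site>` profile as the live `ifcfg-eth0`, but only after checking that the profile's gateway actually lies inside its own subnet, the usual reason a re-addressed box comes up with no route off its LAN. Assumptions: profiles live beside the live file in the sysconfig directory (normally `/etc/sysconfig/network-scripts`), each sets `IPADDR`, `NETMASK` and `GATEWAY`, and the site names are `home` and `work`.

```shell
#!/bin/bash
# Added example, not from the thread: switch a CentOS-style network profile by site.
# The directory and the profile naming (ifcfg-eth0.home, ifcfg-eth0.work) are assumptions.

ip2int() {                 # dotted quad -> 32-bit integer, for subnet arithmetic
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

profile_value() {          # profile_value FILE KEY -> value of KEY=... (quotes stripped)
    sed -n "s/^${2}=//p" "$1" | tr -d '"' | head -n 1
}

# check_profile FILE: refuse a profile that lacks the three keys, or whose gateway is
# not inside IPADDR/NETMASK (the box would have no usable default route).
check_profile() {
    local addr mask gw
    addr=$(profile_value "$1" IPADDR)
    mask=$(profile_value "$1" NETMASK)
    gw=$(profile_value "$1" GATEWAY)
    [ -n "$addr" ] && [ -n "$mask" ] && [ -n "$gw" ] \
        || { echo "$1: missing IPADDR/NETMASK/GATEWAY" >&2; return 1; }
    [ $(( $(ip2int "$addr") & $(ip2int "$mask") )) -eq $(( $(ip2int "$gw") & $(ip2int "$mask") )) ] \
        || { echo "$1: gateway $gw is not on $addr/$mask" >&2; return 1; }
}

# set_site DIR SITE: validate DIR/ifcfg-eth0.SITE, then install it as DIR/ifcfg-eth0.
# The live file is replaced only after the checks pass, so a typo in a profile cannot
# leave the box unreachable. Restarting networking, and re-logging the backup PC's iSCSI
# initiator in to the NAS if its address changed too, is left to the operator.
set_site() {
    local dir=$1 site=$2 src="$1/ifcfg-eth0.$2"
    [ -f "$src" ] || { echo "no profile for site '$site' in $dir" >&2; return 1; }
    check_profile "$src" || return 1
    cp "$src" "$dir/ifcfg-eth0"
    echo "installed $site profile: $(profile_value "$src" IPADDR)/$(profile_value "$src" NETMASK)"
}
```

Typical use on the backup PC is `set_site /etc/sysconfig/network-scripts home` followed by a network restart; the same pair of profiles, with the NAS addresses, serves the storage unit.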

Mark Recob, IT Manager, Author, commented:
Even if I spent more time investigating where the pings go wrong I would still be left with routers that need to be configured differently to allow connectivity which at this point I am not sure is possible. I think I have spent enough time on this. I thank you, Duncan, for your assistance. I will accept your last message as the "solution".