RV082 VPN Firewall

Grenage

We currently have two sites, well more than two but for the sake of simplicity I'll limit this to two. Both sites have an ADSL line, a 2wire Hg1800 gateway/router and a Linksys RV082 VPN router. Each connection has a range of IP addresses, of which two are used (one for the HG1800 and one for the RV082).

The HG1800 is connected to the ADSL line, which in turn is connected to the RV082 (WAN port 1). This is the same for both sites.

The VPN works perfectly and we have no connectivity issues, my problem is regarding firewall rules (or my understanding of them on a VPN device). By default the RV082 allows all traffic out but no traffic in, obviously this does not apply to VPN requests because I can establish a connection from either end... Does anyone know whether the firewall sits in front or behind the VPN layer/section/module (sorry, my terminology is poor here)?

I ask because when applying what I would normally deem perfectly normal rules, connectivity continues as before but then fails shortly afterwards. The VPN connection is still established but network traffic does not get through, this would lead me to believe the firewall affects traffic after/behind the VPN (which is great).

My second question is: When defining firewall rules, is the HG1800 effectively transparent? I have been working on the assumption that it is and wonder if this might be the cause of my rule problems.

Apologies for such a long-winded post, any suggestions will be gratefully received.

Russell.


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
Hi Russell,
Did you get anywhere with this setup?
I am trying to set up exactly the same scenario with a 2Wire HG1800 and an RV082. I have been having problems just getting the RV082 internet access.
I would be interested in any help you can offer in regards to what you did to get this setup working.

I hope you're still monitoring this thread.
 
Hi there,

You will want to configure the HG1800 to not use NAT and to specify the IP range it is to give out via DHCP. I feel your pain because the 2Wire is an absolute bastard to set up the first time, the manual helps a fair bit but it's hardly insightful. If you are really stuck I might be able to grab a tablet and check out the HG1800's settings but it won't be this morning, for what it's worth here are my RV082 settings:

Setup/Network:
Hostname: RV082
Domain: SME (not actually our domain, I recall this is default?)
Device IP address: 192.168.100.1/255.255.255.0 (will obviously vary)
Dual WAN/DMZ: Dual WAN
WAN1: Obtain IP automatically, DNS not specified.
WAN2: Obtain IP automatically, DNS not specified.

Setup/Time:
Using NTP from uk.pool.ntp.org

Setup/DMZ Host:
Private DMZ IP address: 192.168.100.0

Setup/Forwarding:
None specified

Setup/UPnP:
UPnP function: No

Setup/One-to-One NAT:
One-to-One NAT: Not enabled

Setup/MAC Clone:
User defined both, I did not specify these so they must be the adapter default addresses.

Setup/DDNS:
DDNS Service: Disable
DDNS Service: Disable

Setup/Advanced Routing:
Working Mode: Gateway
RIP: Disabled
Static Routing: None specified

DHCP/Setup:
Disabled

System Management/Dual-WAN:
Smart Link Backup, primary connection being WAN1
Network Detection Service: Disabled

Port Management/Port Setup:
All default, auto negotiation

Firewall/General:
Firewall: Enable
SPI: Enable
DoS: Enable
Block WAN request: Enable
Remote Management: Disable
HTTPS: Disable
Multicast Pass Through: Disable
MTU: Auto
Block: None

Firewall/Rules:
I won't list mine but I know that the default rules do work, and that they deny internet traffic while allowing VPNs to establish.

Firewall/Content Filter:
All disabled.

VPN/Everything:
Since your problem is internet access I'll leave these out for now.


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
Russell you are a star for responding so promptly.

I've got internet access lan side and wan side. I.E. I can now bring up the RV082 remotely by putting the wan ip into a browser.
To get that far I disabled DHCP on the HG1800 and found that an IP was still assigned to the RV082. This IP was from the default range that would be given out if the DHCP was enabled (172.16.1.33). huh
I then went to the firewall settings for the HG1800 and in the drop down was an option to choose either a blank box or the IP for the pc I was working from. I chose the blank and then set that to DMZ. Now the RV082 is assigned the WAN IP (I only have a single static WAN IP available).

HG1800 network is set to its default range of 172.16.0.0/255.255.0.0

My RV082 settings are as follows:
Setup/Network:
Hostname: blank
Domain: blank
Device IP address: Default: 192.168.1.1/255.255.255.0
Dual WAN/DMZ: Dual WAN
WAN1: Obtain IP automatically, DNS set to ISP assigned address.
WAN2: not setup yet, eventually this will be on Satellite.

Setup/Time:
not setup yet

Setup/DMZ Host:
Private DMZ IP address: 192.168.1.0

Setup/Forwarding:
None specified

Setup/UPnP:
UPnP function: No

Setup/One-to-One NAT:
One-to-One NAT: Not enabled

Setup/MAC Clone:
User defined both, default addresses.

Setup/DDNS:
DDNS Service: Disable
DDNS Service: Disable

Setup/Advanced Routing:
Working Mode: Gateway
RIP: Disabled
Static Routing: None specified

DHCP/Setup:
Disabled
1 computer setup in Static Entry using mac address.

System Management/Dual-WAN:
Smart Link Backup, primary connection being WAN1
Network Detection Service: Default

Port Management/Port Setup:
All default, auto negotiation

Firewall/General:
Firewall: Enable
SPI: Enable
DoS: Enable
Block WAN request: Enable
Remote Management: Enabled for test purposes.
HTTPS: Disable
Multicast Pass Through: Disable
MTU: Auto
Block: None

Firewall/Rules:
default

Firewall/Content Filter:
default


As to the VPN.
I have enabled "PPTP Server" with a simple user/password and this works fine with the Windows network VPN, through which I can also VNC (remote desktop). Although when I set up a remote Draytek 2600 using PPTP I get a VPN but cannot VNC. What gives man, what gives.

I also set up a user under "VPN Client Access" and have tried using the "Linksys VPN Client" application but after numerous attempts I have only connected once, and this dropped after a few seconds.

Anyway I feel some progress has been made but a couple of things I want are to be sure that I have the internet side of things set up OK and to be able to use the more secure IPsec VPN. Although to be honest I haven't played with IPsec much.

Again many thanks for responding and posting your setup, thought I was going mad until I saw your setup.

Jake


 
Hi Jake, good to hear that you're having some success!

Those HG1800 are horrible, aren't they? If it helps in the future, upon installation of a BT DSL line, we now request the Siemens routers instead. They are much better and serve only to give out static WAN addresses. No 'features' to get in the way.

We had problems with the Linksys VPN client not connecting, it wouldn't pass through the XP SP2 firewall properly. I 'think' they resolved that in a later version. At the time we simply installed Netgear DSL routers at the client's home and established a VPN gateway to gateway.

If the VPN tunnel is establishing but you can't get any VNC connection, can you ping the VPN host at all? Most of the problems we've had with connectivity have been due to DNS lookups not being possible.

Anyhow, glad to hear that it's going well.

Russell.


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
Horrible! I think your first description was closer "absolute bastard" :) Mind you the RV082 isn't the easiest thing I've worked with either so having the two together has made for some real 'fun'. Both boxes seem quite fussy and unpredictable.
But yes it does feel good to be getting a bit further.

I have downloaded the latest Linksys VPN client and even though it's connecting I cannot ping anything on the remote network including the VPN host. The same goes for the PPTP connection via Draytek to RV082. But to be honest I'm not too fussed about the Linksys client, just a test tool really.
But, as mentioned before, the Windows XP VPN client works a treat.

Question for you: How important is it to have remote networks on different subnets?

Oh and a 2nd question: do you have a model number for those Siemens Routers?

Ta Jake
 
Hi again, Jake.

I believe that it's absolutely necessary to have different subnets, without them the devices/machines will not be able to distinguish between a computer on the remote VPN and a local computer.

With regards to the router, I don't at the moment but I will have a look when I am in the server room this afternoon. I think BT 'might' ship them under the name of Voyager, although that might just be the residential flavour.

Glad the new QuickVPN software worked :) I shall post back later with the router specs for your future use.

Russell.


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
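
Added example (not from any poster in the thread): a small Python check for the two addressing problems discussed here, LAN ranges that overlap between VPN sites and a private address landing on the RV082's WAN port. The site names, the third site and the 203.0.113.x WAN addresses are constructed; the other addresses are the ones quoted in the posts.

```python
import ipaddress
from itertools import combinations

# Constructed inventory. Values marked "thread" are quoted in the posts above;
# the rest are placeholders (203.0.113.0/24 is a documentation range).
SITES = {
    "site_a": {"lan": "192.168.100.1/255.255.255.0",  # thread: first RV082
               "wan": "203.0.113.10"},                # placeholder
    "site_b": {"lan": "192.168.1.1/255.255.255.0",    # thread: RV082 default
               "wan": "172.16.1.33"},                 # thread: lease from HG1800
    "site_c": {"lan": "192.168.1.1/255.255.0.0",      # constructed: other mask
               "wan": "203.0.113.20"},                # placeholder
}

# RFC 1918 ranges, listed explicitly: ipaddress's is_private flag also covers
# documentation and other special ranges, which is broader than needed here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lan_network(site):
    """Network that a 'device IP/mask' pair from the router UI belongs to."""
    return ipaddress.ip_interface(site["lan"]).network


def audit(sites):
    """Return (kind, detail) findings for a set of VPN gateway sites."""
    findings = []
    # Two LANs joined by a tunnel must not share addresses: a host decides
    # "local or via the gateway" from its own range, so a different mask
    # on the same range still collides.
    for (name_a, a), (name_b, b) in combinations(sorted(sites.items()), 2):
        net_a, net_b = lan_network(a), lan_network(b)
        if net_a.overlaps(net_b):
            findings.append(
                ("lan-overlap", f"{name_a} {net_a} overlaps {name_b} {net_b}"))
    # A private address on the WAN port means the upstream modem is still
    # doing NAT in front of the VPN router.
    for name, site in sorted(sites.items()):
        wan = ipaddress.ip_address(site["wan"])
        if any(wan in net for net in RFC1918):
            findings.append(("upstream-nat", f"{name} WAN {site['wan']}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SITES):
        print(f"{kind}: {detail}")
```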
 
Hi Russell,
first off, many thanks for all your help.

In regards to an earlier question I don't think I was technically precise in my description. When I asked how important it is for networks to be on different subnets I should have said Subnet Masks. My mistake, I didn't realise that the first network ID address (I.E 192.168.1.0) is referred to as a subnet. So much to learn.

Q: How important is it to have remote networks on different subnet MASKS?
Q: The model of that Siemens Modem, it's not a Siemens/Fujitsu/Efficient 5861 is it?

Just when I thought I was getting somewhere the other day... unfortunately I'm still having some problems here. The link between the 1800 and the RV082 keeps dropping and will not re-establish.
I wanted to have the IP for the 1800 on a subnet of my choice and set it to 192.168.150.1 but then found, with the DHCP disabled, an IP was not getting assigned to the RV082 (even though it was when on the default 172 range) which, of course, should be the expected outcome. So I set up a single DHCP range of 192.168.150.5 to 192.168.150.5 and the RV082 picked this up. I seem to have to set up this address in the DMZ in order to get internet access but the 1800 keeps dropping it back to firewall covered. It's enough to make a grown man cry I tells ya.

What I'm going to do is post my setup for the 1800 later today, as I'm not onsite and my memory is rubbish, and if you wouldn't mind letting me know the differences I would be very grateful to you.

Jake
 
Sorry for the late reply, Jake! I will have a look at the HG1800 settings today and post them back for you to refer to.

Russell.


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
Here are the settings for the 1800HG
--------------------------------------
Internet Settings
IP set to be obtained automatically, although static.
DNS set to be obtained automatically.
--------------------------------------
Private Network
Configure manually : enabled
Router Address: 192.168.150.1
Subnet Mask: 255.255.255.0
Enable DHCP : enabled
First DHCP Address: 192.168.150.5 (RV082 address)
Last DHCP Address: 192.168.150.5
Set DHCP Lease: (1–24 hours): 24hours

Public Network: disabled
Bridge Network: disabled
---------------------------------------
Firewall Settings:- are, at the moment, set to maximum protection for all IP addresses. But I have been putting the RV082 unit onto DMZ because in the past I've been unable to gain internet access on the RV082 side unless I do so. One of the problems I've been having is that the 1800HG drops the RV082's IP from the DMZ and I cannot get internet access.
I've come to do some more work with this setup today and the bloody internet IS working even though the RV082 is not on the DMZ through the 1800HG. I never knew hardware could be temperamental.

Firewall Configuration:- No Changes.
----------------------------------------
Advanced
Configure Services, all default
Enable Routing: enabled

Static Routes: no routes added here.
----------------------------------------
That's it for now I think but if there is anything you think I've missed please let me know.

Jake
 
Hi Jake!

Here are some screenshots of my configuration. I have blanked the third IP notation for security purposes, but you should be able to see the whole configuration from that.

I hope that helps (and is easier than reading my written configuration), if not then let me know!


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
Russell
Judging by your screen shots and setups on both boxes my problem is due to having only a single static WAN IP. You appear to have multiple WAN IPs.
Tell me if I'm wrong but I don't think I can use a single WAN IP routed through to the RV082?

 
Ouch, what if you use the firewall option of forwarding all traffic to the RV082, rather than using the DMZ?


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
Russell,
I was wondering how you like the Linksys RV082 as far as a VPN solution goes. I'm interested in setting up a VPN solution for a small business with about 5 workstations and a server all on a DSL line. I was reading some reviews and noticed some people were complaining about the VPN part of this router. How easy is it for a client to connect to the VPN? Do you have to use a specific VPN client or can you use the built-in Windows XP VPN client?

Thanks for taking your time.

Eric
 
Hi Eric,

I have not tried with the windows VPN client, unfortunately. I can confirm that there were definitely problems with the Linksys client but apparently those have been fixed now. It was down to the Windows XP SP2 firewall not allowing certain IPSEC information through. In the end we established the client side of the connection using a Netgear router, so this would lead me to believe that the Windows VPN client should work too.

Russell.


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
I use the Linksys supplied VPN client regularly without any problems. If you search this forum for RV082 you will find several discussions about the problems with the earlier client software.
 
Russell and Smah,

Thanks for the replies.

Smah- If I were to go out and purchase a VPN router and didn't want to spend the money on Cisco equip would you still recommend this Linksys model or would you recommend any other VPN routing solutions?

Thanks again.
Eric
 