B3dr0ck
Aspirant
Oct 04, 2015
Solved

FVS338 routing over VPN

Is there a way to route LAN traffic over a Gateway to Gateway VPN?

 

I want to have some IP addresses route through the VPN out the GW of the remote VPN location.  (easily done on more advanced firewalls)

And ... at some point I'd like to establish a common broadcast domain (Layer 2 network).  It says it will forward NetBIOS but always wanting Bonjour etc...

 

both end points are FVS338 firewalls

Gateway VPN works fine

  • Hi B3dr0ck,

     

    What you want to achieve is possible but it is not something supported solely on the device. You would need to set up a proxy server at the remote side, and change the local machines' gateway (or use a route) to route traffic to that server, over the VPN, and then out the WAN of the remote device and then back again. The FVS338 only provides remote subnet access. This is why a Proxy Server is needed, as the FVS338 does not have that functionality.

    As far as the layer 2, though it says NetBIOS, it is only layer 3 traffic that will cross the VPN on the FVS338 (NetBIOS over TCP/IP). Layer 2 traffic has never worked and is not implemented. Regarding this, you may submit a feature request via NETGEAR Support or you may post it on the Idea Exchange for Business here.
    But even then, the FVS338 is already EOL or End-Of-Life and it would not get that feature if the engineering team adds it.  The feature request might possibly be implemented on NETGEAR ProSAFE VPN firewall devices that are not yet EOL.

     


    Regards,

     

    DaneA
    NETGEAR Community Team

10 Replies

    • B3dr0ck
      Aspirant

      This would allow traffic from one VPN to another sub VPN.  This does not do anything for what I am trying to do.

       

      I am trying to route specific traffic across the VPN to the other VPN as a default gateway.  So that some identified traffic on one network uses the internet connection on the opposite side VPN.

       

      I want the VPN Firewall 1 to be a proxy for some (or all if necessary) internet bound traffic from LAN2 over the VPN.

       

      It would seem all you would need to do is put one routing statement in with a source of LAN2 IP with a Gateway of the opposite side VPN, but the only routing that can be added is a destination IP address, and I can't figure a way to do a default/catch all/wildcard address.

       

      This basically works with the VPN client, but not with the site-to-site VPN.

  • One way to do this that's a bit dirty is to have the clients on the lan1 that you want going out the wan of lan2 connect to lan2's router l2tp or ssl server over the vpn tunnel.  This way, you don't have to expose lan2's vpn services to the outside world and you don't have to worry about compression or encryption to keep speeds up.

     

    I have made a configuration like this using the cisco rv-series, but by doing exactly the same thing I described.  

     

    I'm sure there's a way to get this working by also altering the vpn tunnel configuration and some static routes, but I'm not familiar enough with those methods to know how.

    • fordem
      Mentor

      Research "split" & "full" tunneling.

       

      Split tunneling routes only the network traffic intended for the LAN at the far side of the VPN connection through the tunnel, and allows all other traffic out to the internet - full tunneling routes ALL the traffic through the tunnel so that any internet traffic will use the gateway at the far end - NO PROXY SERVER REQUIRED.

       

      Full tunneling is quite common in situations where it is intended to enforce corporate internet usage policies at the branch office level, using a firewall located at the corporate head office.

       

      Can it be done via a "gateway to gateway" VPN - YES - I have done it with an FVS318N at one end and an FVS336G at the other.  Unfortunately, that was quite some time ago, and the configurations have long since been changed, however it is possible.
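
An added illustration of the split versus full tunneling distinction described above (not part of the original thread, and not FVS338 configuration): a generic model of tunnel policy selectors that reports which hosts' internet traffic would bypass the far-end gateway. The subnets, the host 192.168.1.50 and the function names are constructed for the example.

```python
import ipaddress

def policy(local, remote):
    """One tunnel policy: traffic from `local` to `remote` goes through the VPN."""
    return (ipaddress.ip_network(local), ipaddress.ip_network(remote))

def egress(policies, src, dst):
    """Return 'tunnel' if any policy's selectors match the packet, else 'local-wan'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in policies:
        if s in local and d in remote:
            return "tunnel"
    return "local-wan"

def bypassing_hosts(policies, hosts, internet_dst="198.51.100.10"):
    """Hosts whose internet-bound traffic leaves via the local WAN, i.e. is
    never seen by the firewall at the far end of the tunnel."""
    return [h for h in hosts if egress(policies, h, internet_dst) == "local-wan"]

# Constructed addressing: LAN1 = 192.168.1.0/24, LAN2 = 192.168.2.0/24.
# Split tunnel: only traffic for the far-side LAN matches the policy.
SPLIT = [policy("192.168.1.0/24", "192.168.2.0/24")]
# Full tunnel: the remote selector is "any", so internet traffic matches too.
FULL = [policy("192.168.1.0/24", "0.0.0.0/0")]
# Selective: one host is full-tunnelled, the rest of LAN1 stays split.
SELECTIVE = [
    policy("192.168.1.50/32", "0.0.0.0/0"),
    policy("192.168.1.0/24", "192.168.2.0/24"),
]

if __name__ == "__main__":
    hosts = ["192.168.1.10", "192.168.1.50"]
    for name, pols in (("split", SPLIT), ("full", FULL), ("selective", SELECTIVE)):
        print(name, "-> hosts bypassing far-end gateway:", bypassing_hosts(pols, hosts))
```
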

      • SamirD
        Prodigy

        Bingo!  

         

        Do you happen to recall how you got it working--routes, vpn profiles?  I remember reading for hours on this topic once just out of curiosity, but never tried anything (and hence forgot most of what I learned).
