FVS338 routing over VPN

B3dr0ck
Aspirant

Is there a way to route LAN traffic over a Gateway to Gateway VPN?

 

I want to have some IP addresses route through the VPN out the GW of the remote VPN location.  (easily done on more advanced firewalls)

And ... at some point I'd like to establish a common broadcast domain (Layer 2 network).  It says it will forward NetBIOS but always wanting Bonjour etc...

Both endpoints are FVS338 firewalls

Gateway VPN works fine

Message 1 of 11

All Replies
DaneA
NETGEAR Moderator

Re: FVS338 routing over VPN

Hi B3dr0ck,

 

I think this link below might help you as reference guide to achieve what you want to accomplish:

 

http://kb.netgear.com/ci/fattach/get/81/1261408182/redirect/1/filename/Routing%20multiple%20subnets%...

 

 

Hope it helps.  Welcome to the community!

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 2 of 11
B3dr0ck
Aspirant

Re: FVS338 routing over VPN

This would allow traffic from one VPN to another sub VPN.  This does not do anything for what I am trying to do.

 

I am trying to route specific traffic across the VPN to the other VPN as a default gateway.  So that some identified traffic on one network uses the internet connection on the opposite side VPN.

 

I want the VPN Firewall 1 to be a proxy for some (or all if necessary) internet bound traffic from LAN2 over the VPN.

 

It would seem all you would need to do is put one routing statement in with a source of LAN2 IP with a Gateway of the opposite side VPN, but the only routing that can be added is a destination IP address, and I can't figure a way to do a default/catch all/wildcard address.

 

This basically works with the VPN client, but not with the site-to-site VPN.

Message 3 of 11
DaneA
NETGEAR Moderator

Re: FVS338 routing over VPN

Hi B3dr0ck,

 

What you want to achieve is possible but it is not something supported solely on the device. You would need to set up a proxy server at the remote side, and change the local machines' gateway (or use a route) to route traffic to that server, over the VPN, and then out the WAN of the remote device and then back again. The FVS338 only provides remote subnet access. This is why a Proxy Server is needed, as the FVS338 does not have that functionality.

As far as the layer 2, though it says NetBIOS, it is only layer 3 traffic that will cross the VPN on the FVS338 (NetBIOS over TCP/IP). Layer 2 traffic has never worked and is not implemented. Regarding this, you may submit a feature request via NETGEAR Support or you may post it on the Idea Exchange for Business here.
But even then, the FVS338 is already EOL or End-Of-Life and it would not get that feature if the engineering team adds it.  The feature request might possibly be implemented on NETGEAR ProSAFE VPN firewall devices that are not yet EOL.

 


Regards,

 

DaneA
NETGEAR Community Team

Message 4 of 11
B3dr0ck
Aspirant

Re: FVS338 routing over VPN

Thanks for the reply.

 

That is what I thought.  Some outside clarity helps.

Message 5 of 11
SamirD
Prodigy

Re: FVS338 routing over VPN

One way to do this that's a bit dirty is to have the clients on the lan1 that you want going out the wan of lan2 connect to lan2's router l2tp or ssl server over the vpn tunnel.  This way, you don't have to expose lan2's vpn services to the outside world and you don't have to worry about compression or encryption to keep speeds up.

 

I have made a configuration like this using the cisco rv-series, but by doing exactly the same thing I described.  

 

I'm sure there's a way to get this working by also altering the vpn tunnel configuration and some static routes, but I'm not familiar enough with those methods to know how.

Message 6 of 11
fordem
Mentor

Re: FVS338 routing over VPN

Research "split" & "full" tunneling.

 

Split tunneling routes only the network traffic intended for the LAN at the far side of the VPN connection through the tunnel, and allows all other traffic out to the internet - full tunneling routes ALL the traffic through the tunnel so that any internet traffic will use the gateway at the far end - NO PROXY SERVER REQUIRED.

 

Full tunneling is quite common in situations where it is intended to enforce corporate internet usage policies at the branch office level, using a firewall located at the corporate head office.

 

Can it be done via a "gateway to gateway" VPN - YES - I have done it with an FVS318N at one end and an FVS336G at the other.  Unfortunately, that was quite some time ago, and the configurations have long since been changed, however it is possible.


Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 7 of 11
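The split versus full tunneling distinction described in the post above, as an added example that is not part of any poster's reply: it models generic IPsec-style traffic selectors (local subnet, remote subnet) and reports which hosts' Internet traffic would bypass the far-end firewall. All addresses and the `PINNED` range are constructed assumptions, and the code does not represent the FVS338's configuration screens.

```python
import ipaddress

# Constructed addressing for illustration; none of it comes from the thread.
LAN1 = ipaddress.ip_network("192.168.1.0/24")     # branch office LAN
LAN2 = ipaddress.ip_network("192.168.2.0/24")     # LAN behind the far-end gateway
ANY = ipaddress.ip_network("0.0.0.0/0")           # "everything" remote selector
PINNED = ipaddress.ip_network("192.168.1.32/28")  # hypothetical hosts forced to far-end egress

# Each policy is a (local selector, remote selector) pair, as in an IPsec policy.
SPLIT = [(LAN1, LAN2)]                     # only LAN-to-LAN traffic is tunneled
FULL = [(LAN1, ANY)]                       # every off-LAN destination is tunneled
SELECTIVE = [(LAN1, LAN2), (PINNED, ANY)]  # full tunnel for a few hosts only


def egress(src, dst, policies, local_lan=LAN1):
    """Return where a packet from src to dst leaves the branch gateway."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d in local_lan:
        return "lan"            # stays on the local segment
    for local, remote in policies:
        if s in local and d in remote:
            return "tunnel"     # encrypted to the far end, exits via its WAN
    return "local-wan"          # unmatched traffic uses the branch ISP directly


def bypassing_hosts(hosts, policies, probe="203.0.113.7"):
    """Hosts whose Internet traffic skips the far-end firewall.

    probe is a documentation-range (TEST-NET-3) address standing in for
    any Internet destination.
    """
    return [h for h in hosts if egress(h, probe, policies) == "local-wan"]


if __name__ == "__main__":
    hosts = ["192.168.1.10", "192.168.1.40"]
    for name, pol in (("split", SPLIT), ("full", FULL), ("selective", SELECTIVE)):
        print(name, "bypassing far-end firewall:", bypassing_hosts(hosts, pol))
```
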
SamirD
Prodigy

Re: FVS338 routing over VPN

Bingo!  

 

Do you happen to recall how you got it working--routes, vpn profiles?  I remember reading for hours on this topic once just out of curiosity, but never tried anything (and hence forgot most of what I learned).

Message 8 of 11
fordem
Mentor

Re: FVS338 routing over VPN

Like I said - it was a long time ago.

 

Experiment with the VPN Policy, traffic selection settings  - I think that's where it was done.

 


Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
Message 9 of 11
SamirD
Prodigy

Re: FVS338 routing over VPN

I think on the old forum there was a thread that said how it could be done--and it might have been as simple as messing with the subnet mask on the vpn configs, but that's just a guess.  I can't remember either.

Message 10 of 11
B3dr0ck
Aspirant

Re: FVS338 routing over VPN

I don't think it is possible without putting a proxy on an edge, or using the VPN client.

 

I imagine you could create a PC on LAN2 with the VPN client.  It would have an IP address on LAN1.  Then you could have it as the gateway and do DHCP for a LAN.  That might be a way to have a layer2 VPN, but at least route out LAN1.

 

What if you messed with the subnet mask and supernetted LAN 2 with a proxy of some sort?  That way it would include LAN1 and you could set LAN1's gateway on the proxied LAN2 devices.

Message 11 of 11