Re: Site to Site tunnel working (only ping)

thxbox1138
Aspirant

Site to Site tunnel working (only ping)

I have 2 BR200 routers and 2 locations.
I set up a site-to-site IPsec VPN.
The tunnel is green.
I can ping IPs from either site back and forth.

I cannot, however, map drives to my server from the remote site to HQ.
I cannot, however, map drives to a desktop at the remote site from HQ.

I can ping, but that's about it. I called Comcast, which both sites have, and had them disable the modem firewalls because I thought that might cause issues. They disabled the firewalls at both locations, so Comcast is not in the way at all.

I rebuilt the tunnel; same thing, I can ping but that's it. No mapping works, by DNS name or IP address.

What am I missing? Are there any other additional steps that need to be performed on these routers besides building the tunnel? Because that's the only thing I can think of now.

[Attachment: Screenshot 2021-03-13 165225.jpg]

Message 1 of 30
MrJoshW
NETGEAR Expert

Re: Site to Site tunnel working (only ping)

Hello,
Are you able to ping the clients/servers in question? What firmware version is the BR200 on?

Message 2 of 30
thxbox1138
Aspirant

Re: Site to Site tunnel working (only ping)

I am able to ping a machine from HQ to remote.

I am able to ping a machine from remote to HQ.

I am able to tracert from both locations and it's 3 hops:

HQ router

Remote router

machine

I just can't do anything else. My question is: do I need to create any additional traffic rules to allow the remote subnet machine to access the HQ network machine on the BR200 router, or is that all taken care of once you create the IPsec tunnel in the BR200s?

Meaning: create the tunnel and done, no post rules or configuration?

I have no firewalls or anything in the way at this moment.

Message 3 of 30
MrJoshW
NETGEAR Expert

Re: Site to Site tunnel working (only ping)

Hello,
The issue is, on the BR200/500 we have disabled NATloopback due to performance. We do have a firmware that does address the NATloopback and will allow you to connect to the remote resources but please note that there will be a performance hit due to this. Please let me know if you wish to install the firmware for testing and I can send it to you through a private message.

Message 4 of 30
thxbox1138
Aspirant

Re: Site to Site tunnel working (only ping)

I guess I have a couple of questions.

Why would you limit a site-to-site tunnel, since the very reason people set up a site-to-site tunnel is to connect to the remote resources? And then why would the only way to connect to the remote resources be that I would have to settle for crappy performance? Why can't I have the option to connect to the remote resources and have great performance?

What is the difference between setting up a site-to-site VPN tunnel like I have and doing it through the Insight manager with a VPN group? Are they the same? I was going to keep Insight premiere pro if this is the case.

Honestly, if you say the only way to access remote resources from one site to the other is with crappy performance, I might rethink your solution altogether. Who buys site-to-site tunnel solutions to be able to use just ping? This makes absolutely no sense.

Message 5 of 30
MrJoshW
NETGEAR Expert

Re: Site to Site tunnel working (only ping)

Hello,

Other possible workarounds if you are unable to use the firmware; these should not interfere with performance, compared to using a lower firmware version with the NATloopback fix:

  • Configure the clients' hosts file to map the domain name to a static local IP of the server.
  • Use a separate DNS server that can handle accessing public resources from an internal network.

Message 6 of 30
thxbox1138
Aspirant

Re: Site to Site tunnel working (only ping)

Take DNS out of the mix; I am not able to map drives by IP at all. I think I included that in my first post.

If I were to apply the firmware you are suggesting, I would want to roll back if it did not work. Would that be possible?

And when you say performance would not be as good, can you please explain what you mean by that?

Also, as I asked prior, should I be creating a VPN group within Insight manager so these routers can talk to each other instead of the site-to-site tunnel I have built locally? What is the difference between the two?

Message 7 of 30
MrJoshW
NETGEAR Expert

Re: Site to Site tunnel working (only ping)

"If I were to apply the firmware you are suggesting, I would want to roll back if it did not work. Would that be possible?"

Yes, it can be upgraded to the latest at any time.

"And when you say performance would not be as good, can you please explain what you mean by that?"

The WAN to LAN speed would drop from 970Mbps to 400Mbps.

"Also, as I asked prior, should I be creating a VPN group within Insight manager so these routers can talk to each other instead of the site-to-site tunnel I have built locally? What is the difference between the two?"

Insight VPN uses a proxy server to establish the connection and handle the routing between the two sites. IPsec does not have a proxy to handle the routing and must be set up and established between both sites.

Message 8 of 30
thxbox1138
Aspirant

Re: Site to Site tunnel working (only ping)

I would like to go the proxy Insight way. How can I get this all set up? It sounds like this would be the better way to go and would help with the mapped drive issues. I also would be adding another router as well. We currently have Insight premiere support, and if we can do it this way we would plan on paying for this service going forward, so I assume I can call support and get this all set up? I saw an option to give support access to the routers also.

Message 9 of 30
MrJoshW
NETGEAR Expert

Re: Site to Site tunnel working (only ping)

As long as you have entitlements on the product for support, yes, you can reach out to support to open a case. You can view the product's entitlements under the My Products section in MyNETGEAR.

Message 10 of 30
thxbox1138
Aspirant

Re: Site to Site tunnel working (only ping)

Please send me the link for the 5.9 code for my BR200. I don't see it under downloads on the main site.

Message 11 of 30
thxbox1138
Aspirant

Re: Site to Site tunnel working (only ping)

Please send me the link to the 5.9 firmware, thanks. I opened up a ticket but don't want to sit on the phone for hours to simply get a link. Not sure why support does not just handle requests by email and phone (not phone only).

Message 12 of 30
schumaku
Guru

Re: Site to Site tunnel working (only ping)

Head to https://my.netgear.com/ -> My Support (https://www.netgear.com/mynetgear/portal/mySupport.aspx) ... there you have "chat support" (not live) with Netgear's support organisation.

Not sure where the 5.9 reference comes from; however, @MrJoshW, I would join the trial.

Message 13 of 30
MrJoshW
NETGEAR Expert

Re: Site to Site tunnel working (only ping)

Hello,
Please send me a private message with your email so that I can forward you the firmware file.

Message 14 of 30
jj2021
Aspirant

Re: Site to Site tunnel working (only ping)

I would also like the firmware

Message 15 of 30
nasgulch
Aspirant

Re: Site to Site tunnel working (only ping)

I am in the same boat.

2 BR200 trying to set up VPN tunnel 

How can I get that FW?

Erik

Model: BR500|Insight Instant VPN Router
Message 16 of 30
MrJoshW
NETGEAR Expert

Re: Site to Site tunnel working (only ping)

Hello,
I am working with engineering to have the BR200 FW added to the support page. Once it is available I will post the link in the community.

Message 17 of 30
nasgulch
Aspirant

Re: Site to Site tunnel working (only ping)

Great. Will keep looking.

Message 18 of 30
MrJoshW
NETGEAR Expert

Re: Site to Site tunnel working (only ping)

Hello,

FW version 5.7.10.5 with NATloopback fix is now available for download:

Please note that WAN to LAN and LAN to WAN throughput is limited to 400Mbps when using this firmware.

https://kb.netgear.com/000063683/BR200-Firmware-Version-5-7-10-5-Supports-NAT-Loopback-Feature

Message 19 of 30
nasgulch
Aspirant

Re: Site to Site tunnel working (only ping)

Well, I still cannot get that tunnel green.

I may be confused with the local and remote subnet.

Since both BR200 are attached to an existing router which provides the internet connection, the WAN addresses of the BR200 are respectively on a LAN subnet of the router: 192.168.1.0 (Office) and 192.168.20.0 (remote).

Both BR create their own LAN subnet: 192.168.11.0 (Office) and 192.168.21.0 (remote).

Which LAN subnet is to be used in the IPsec config?

[Attachment: Screenshot 2021-05-28 115304.jpg]

Which ports shall be forwarded from the Internet router? 500 and 4500 are the ones I used.

Message 20 of 30
MrJoshW
NETGEAR Expert

Re: Site to Site tunnel working (only ping)

Hello,

Are both BR devices behind a router? If so, the issue would be double NAT and the route is not able to complete directly. Can you verify whether the tunnel does complete when both routers are not behind another router? You can follow the guide below to make sure your tunnel is correctly configured:

https://kb.netgear.com/000060839/How-do-I-set-up-a-site-to-site-IPSec-VPN-on-my-NETGEAR-BR500-Busine...

If the tunnel does come up after removing the other router we can troubleshoot the double NAT issue if needed.

Message 21 of 30
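The subnet and port questions in the post above (which LAN subnet goes into the IPsec policy, and which UDP ports the upstream internet routers must forward) together with the double-NAT point in the reply are worth checking mechanically before rebuilding a tunnel. The script below is an added example, not code from the thread or from NETGEAR; it applies the standard site-to-site rule (the traffic selectors are the subnets behind each VPN router, never the upstream routers' LANs) to the four subnets quoted above, using constructed placeholder WAN and peer addresses.

```python
from ipaddress import ip_address, ip_network

# UDP ports the upstream router must forward to the VPN router's WAN address so
# IKE (500) and NAT-T encapsulated ESP (4500) reach it through the extra NAT.
IKE_PORTS = (500, 4500)
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample built on the thread's four subnets; the .2 WAN addresses
# and both peer addresses are made-up placeholders, not values from the thread.
OFFICE = {"wan": "192.168.1.2", "upstream_lan": "192.168.1.0/24",
          "lan": "192.168.11.0/24", "peer": "192.168.20.2"}
REMOTE = {"wan": "192.168.20.2", "upstream_lan": "192.168.20.0/24",
          "lan": "192.168.21.0/24", "peer": "203.0.113.10"}

def is_rfc1918(addr):
    return any(ip_address(addr) in net for net in RFC1918)


def selectors(site, other):
    """Traffic selectors for one side: local is the subnet this VPN router
    creates, remote is the subnet the other VPN router creates. The upstream
    routers' LANs are transit only and do not belong in the tunnel policy."""
    return ip_network(site["lan"]), ip_network(other["lan"])


def check_site(name, site, other):
    """Return a list of findings for one side; an empty list means nothing found."""
    findings = []
    wan = ip_address(site["wan"])
    if is_rfc1918(site["wan"]):
        findings.append(f"{name}: WAN {wan} is RFC 1918, so this router sits behind another "
                        f"NAT; forward UDP {IKE_PORTS} on the upstream router to {wan}")
    if wan not in ip_network(site["upstream_lan"]):
        findings.append(f"{name}: WAN {wan} is outside the upstream LAN {site['upstream_lan']}")
    if is_rfc1918(site["peer"]):
        findings.append(f"{name}: peer {site['peer']} is RFC 1918; behind double NAT the "
                        f"peer must be the other site's public address")
    local, remote = selectors(site, other)
    if local.overlaps(remote):
        findings.append(f"{name}: local {local} and remote {remote} overlap; nothing routes")
    for label, net in (("own upstream", site["upstream_lan"]),
                       ("other upstream", other["upstream_lan"])):
        if local.overlaps(ip_network(net)):
            findings.append(f"{name}: LAN {local} overlaps the {label} LAN {net}")
    return findings


def check_plan(office, remote):
    return check_site("office", office, remote) + check_site("remote", remote, office)
```

Run `check_plan(OFFICE, REMOTE)` to list the findings; with the sample above it reports the two private WAN addresses (so UDP 500/4500 forwarding is needed at both sites) and the office side's private peer address.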
nasgulch
Aspirant

Re: Site to Site tunnel working (only ping)

Thanks for your input.

Yes, both are behind routers. Unfortunately I do not have the possibility of removing those, since they are the ones providing internet access.

The guide talks about that case on page 23:

"Your router connects to another router in your network. Enter the IP address and IP subnet mask for the LAN subnet of the other router. The gateway is the same gateway that the other router is using for its LAN subnet."

I followed the guide for the setup.... I think. 🙂

Message 22 of 30
MrJoshW
NETGEAR Expert

Re: Site to Site tunnel working (only ping)

Hello,
Can you send me screenshots of the configuration on each side in a private message? I can take a look at it then.

Message 23 of 30
jj2021
Aspirant

Re: Site to Site tunnel working (only ping)

Thanks for the offer, but it's already "resolved" by Netgear.  It's a known issue that any recent firmware on this router won't do an IPsec tunnel to a Fortigate (and who knows how many other vendors).  The "solution" is to make me sign a waiver of liability so they can send me a "beta" firmware (which, looking at the version numbering, is actually a fairly old firmware).  They also made me sign an agreement that I won't send anyone else a copy of the firmware - so if you're having the same issue you need to call them [EDIT: I guess they got tired of handing it out and posted it, now you can get it from Downloads].  Their "fix" seems okay in theory, but there are two major drawbacks:

1. There were performance improvements in the newer firmwares that were needed in order to get anything close to the advertised speed, but the ancient version that they sent me to "solve" our problem won't go faster than about 45Mbps over IPsec.

2. The last two firmwares on the website mention security fixes, so I can logically see that previous versions must be vulnerable to something.  But when I ask about this, they assure me that the "beta firmware" (old version) I was provided with has no known vulnerabilities.  Yeah, I'll believe that when my poo turns purple and smells like rainbow sherbert.

So, the actual solution in our case is going to be purchasing a FortiGate or other reputable-brand device for that site and removing what was our first and will be our last Netgear.

Message 24 of 30
jj2021
Aspirant

Re: Site to Site tunnel working (only ping)

What else is different about these firmware versions other than NATLoopback?  When we were testing with the latest version before we rolled back, it was NOT a DNS issue at all.  In fact, DNS and Ping were the only things that DID work!  Trying to open a remote desktop session would fail, regardless of whether a name or an IP address was used, despite Ping working fine.  The old firmware for NATLoopback works for us, but DNS wasn't our issue.  So there is some other bug in the newer firmware that you haven't mentioned.

Message 25 of 30