
RV042 Site 2 Site VPN as Router

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by pcardelli, Jan 7, 2008.

  1. pcardelli

    pcardelli LI Guru Member

    I'm trying to setup three RV042 routers, not as the internet gateway, but as routers on the local networks. All three RV042 will be connected together, and traffic will be passed through.

    The three schools all have their own unique subnet.

    10.24.103.0 internet gateway is 10.24.103.2
    10.24.110.0 internet gateway is 10.24.110.1
    10.24.111.0 internet gateway is 10.24.111.1

    I would like all three schools to be able to connect through the VPN, while still passing internet traffic through their current default gateway which does the content filtering and logging.

    All three routers have a public IP which I will label here as:

    a.a.a.a with local ip of 10.24.103.5
    b.b.b.b with local ip of 10.24.110.3
    c.c.c.c with local ip of 10.24.111.3

    I remember reading that there is a way to route all traffic to the RV042 and then redirect traffic to the default gateway from there. This might be easier as I have very little power over the content filter/firewall that is currently the default gateway.

    I currently have the router setup as the gateway on one test server, and I can ping it through my test tunnel, but I can't really ping anything else. I understand this is a routing issue but I can't seem to figure out how to fix it as most of the documentation assumes we would use this in a gateway mode.

    Any help in this matter would be greatly appreciated.
     
  2. Sfor

    Sfor Network Guru Member

    I do not understand why you want to set the routers not to work in the gateway mode.

    With a properly set gateway to gateway tunnel RV042 will pass all the usual traffic to remote LAN without setting it to the router mode. If the remote gateway security group is set to the subnet value, the router will pass all the traffic to the remote network without any additional routing rules.

    So, by setting 3 RV042 as gateways in 3 locations and linking them by two tunnels from each location, all three LANs could be merged into one VLAN.

    I did something like that with just one RV042 and two WRV200 devices, each working as a LAN gateway, forming a triangle shaped VLAN.
     
  3. pcardelli

    pcardelli LI Guru Member

    The reason for not using them in Gateway mode is that I don't want the VPN traffic to have to go through the filtering appliance. Also, I want the appliance to be able to talk to the Domain Controllers, as this is how it distinguishes between users and keeps track of their internet usage. The appliance also does NAT. So to place the router on the other side would mean I would have to NAT and then NAT again, making troubleshooting a little bit more complicated than I would want, although I may be wrong about this.

    Attached is a diagram. One route I am thinking about is making the RV042 the Default Gateway, as the proxy settings do point to the Appliance, and I believe that should be enough to maintain CIPA compliance. The only problem I see is that if a student or teacher brings their laptop from home and gets on the network somehow, they would be able to get on unfiltered and this could cause some compliance issues.
     


  4. Sfor

    Sfor Network Guru Member

    I think the easiest thing would be to set the RV042 as the gateway in the DHCP server settings. Then, to set a routing rule in the RV042 to direct all the traffic (except the VPN) to the filtering appliance.
     
  5. pcardelli

    pcardelli LI Guru Member

    I could use some help in figuring out how to set up such a rule to route all traffic except the VPN in the RV042. Would I just set that up in Advanced routing?

    I'm not sure exactly how to set this route up, and at least need some documentation so I can figure this out. Thank you.
     
  6. Sfor

    Sfor Network Guru Member

    The "Advanced Routing" is the right place indeed. In the routing table you will be able to see how the router is handling the VPN traffic.

    One problem remains. Will your DSL modem be able to direct just VPN traffic to the RV042?

    As far as I understand your network both RV042 and Appliance have a separate public IP, visible from the Internet. If this is the case, there will be no problem with directing just the VPN traffic to the router.

    As for the routing rules: it would be necessary to set many rules to cover all IP address range except for the local LAN and remote LAN address range. If you are able to add a few routing rules to the appliances, it could be a bit simpler to do it by directing just the traffic to the remote LAN with the RV042 as the gateway.
     
  7. pcardelli

    pcardelli LI Guru Member

    Solution found, works great

    I figured out how to place a static route in the appliance, so it can remain as the gateway.

    So in each appliance I point traffic for each subnet that needs to go through the VPN to the respective router. I also found that I had an IP conflict on one of the routers, so a simple change in the address allowed me to fix everything. All the RV042s have a public IP, which I did not post here for security reasons. I was able to connect all three schools, so it is almost as if they are on the same LAN but with different subnets.

    I figured out what my problem was after doing some research with OpenVPN. I will be using OpenVPN to connect our monitoring server to many of our clients, as it is pretty flexible. The RV042 is great if you want to make the connections invisible.

    So I have two tunnels at each school to connect all three schools. If anyone needs help I can at least direct you in the right direction now. Thank you for everyone's insight.
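The routing decisions the thread ends up with can be checked on paper with a longest-prefix-match model. The following Python is an added example, not anything posted in the thread or shipped by Cisco: it builds the appliance's table from the final solution (post 7: appliance stays the default gateway, one static route per remote school pointing at the local RV042), the RV042's table for Sfor's alternative in post 4 (RV042 as default gateway, everything but the VPN subnets handed back to the appliance), and the prefix list that Sfor's "many rules" remark in post 6 would require. The addresses are the ones posted for school A; the /24 masks and the interface names `lan`, `wan`, `vpn` are assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed from the addresses posted in the thread (school A). The /24 masks
# are an assumption; the thread only names the subnets as 10.24.103.0 etc.
LAN_A = ipaddress.ip_network("10.24.103.0/24")
APPLIANCE_A = ipaddress.ip_address("10.24.103.2")   # filtering appliance, default gateway
RV042_A = ipaddress.ip_address("10.24.103.5")       # RV042 LAN address
REMOTE_LANS = [ipaddress.ip_network("10.24.110.0/24"),
               ipaddress.ip_network("10.24.111.0/24")]
ANY = ipaddress.ip_network("0.0.0.0/0")

Route = Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address], str]


class RoutingTable:
    """Minimal longest-prefix-match table of (destination, next hop, interface)."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, dest: str, next_hop: Optional[str], iface: str) -> None:
        hop = None if next_hop is None else ipaddress.ip_address(next_hop)
        self.routes.append((ipaddress.ip_network(dest), hop, iface))

    def lookup(self, dst: str) -> Optional[Tuple[Optional[str], str]]:
        """Return (next hop or None for directly connected, interface) for dst."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for net, hop, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop, iface)
        if best is None:
            return None
        return (None if best[1] is None else str(best[1]), best[2])


def appliance_table() -> RoutingTable:
    """Post 7: the appliance keeps the default route and learns the remote
    schools via static routes whose next hop is the local RV042."""
    t = RoutingTable()
    t.add(str(LAN_A), None, "lan")                 # directly connected
    for remote in REMOTE_LANS:
        t.add(str(remote), str(RV042_A), "lan")    # hand VPN traffic to the RV042
    t.add(str(ANY), None, "wan")                   # everything else: filter + NAT
    return t


def rv042_as_gateway_table() -> RoutingTable:
    """Post 4: hosts use the RV042 as default gateway; it puts the remote
    subnets into the tunnels and sends all other traffic to the appliance."""
    t = RoutingTable()
    t.add(str(LAN_A), None, "lan")
    for remote in REMOTE_LANS:
        t.add(str(remote), None, "vpn")
    t.add(str(ANY), str(APPLIANCE_A), "lan")
    return t


def explicit_non_vpn_routes(excluded: List[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Post 6: the prefixes needed to cover all of IPv4 except the given LANs,
    i.e. the 'many rules' you would have to type if a default route could not
    be overridden and each non-VPN block had to be listed explicitly."""
    blocks = [ANY]
    for ex in excluded:
        new_blocks = []
        for b in blocks:
            if ex.subnet_of(b):
                new_blocks.extend(b.address_exclude(ex))  # yields nothing if ex == b
            else:
                new_blocks.append(b)
        blocks = new_blocks
    return sorted(blocks)


def covered_by(blocks: List[ipaddress.IPv4Network], addr: str) -> bool:
    """True if any prefix in blocks contains addr."""
    a = ipaddress.ip_address(addr)
    return any(a in b for b in blocks)


if __name__ == "__main__":
    print("appliance, 10.24.110.50 ->", appliance_table().lookup("10.24.110.50"))
    print("appliance, 8.8.8.8      ->", appliance_table().lookup("8.8.8.8"))
    print("rv042,     10.24.111.7  ->", rv042_as_gateway_table().lookup("10.24.111.7"))
    rules = explicit_non_vpn_routes([LAN_A] + REMOTE_LANS)
    print(len(rules), "explicit prefixes needed without a default-route override")
```

The three /24s excluded from 0.0.0.0/0 leave 25 covering prefixes, which is the concrete reason Sfor suggested two static routes on the appliance instead of enumerating the non-VPN address space on the RV042.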
     
