
RV082 to RV082 connection via ADSL

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by Heuveltje, Apr 20, 2006.

  1. Heuveltje

    Heuveltje Network Guru Member

    Hello all,

    I've bought 2 RV082 VPN routers to make a LAN-to-LAN VPN. At location A the situation is as follows:

    Internet > ADSL modem (dhcp_spoofing via PPPoA) > RV082 > LAN with PCs

    At location B: same situation, so both routers get the public IP.

    I use a static route of 0.0.0.0 / 0.0.0.0 > 10.0.0.38 WAN1 to give the devices (and so the LAN) internet connectivity. Otherwise there is no connection somehow.

    I set up a VPN gateway to gateway, using some default settings: this tunnel connects OK. However the resources on the other network are not available or pingable.
    As I am at location A on the LAN 192.168.14.250 I cannot ping or see a PC on the remote location B at 192.168.15.251.

    How can I solve this problem? I think I have 2 options:
    1. the connection to the internet has to be established in another way...
    2. I have to add some more static routing to pass traffic from the 192.168.14.xx to the 192.168.15.xx network, but how?

    I hope anyone can shed some light on this..
     
  2. TazUk

    TazUk Network Guru Member

    You shouldn't need to add any static routes :shock:

    Sounds like your config isn't correct, most likely you've specified IP Address rather than Subnet in the local/remote secure groups.
     
  3. Heuveltje

    Heuveltje Network Guru Member

    Like I said, somehow it seems that I need the static route to get some internet traffic: no route = no internet + no VPN (because of no internet).

    Is there another way to spoof the ADSL modem/router to let the RV082 router think it is directly connected? When I plugged in directly on a workstation I had a net connection, so no static route was needed. Can anyone help me?
     
  4. TazUk

    TazUk Network Guru Member

    What ADSL modem is it?

    How do you have the VPN tunnel configured?
     
  5. DocLarge

    DocLarge Super Moderator Staff Member Member

    In conjunction with what Taz has asked, are your ADSL modems "actual" modems or are they modem/router combos that have not been put into "bridged mode?" Reason being, the RV0XX series routers are "ethernet" routers and "can not" run properly in a PPPoA environment. Still, stranger things have happened...

    Doc
     
  6. Heuveltje

    Heuveltje Network Guru Member

    Thanks for your input all, but the problem has shifted to another ground :cry:

    On both modems I uploaded a PPTP profile so the routers make the actual PPP connection via their built-in PPTP capability. Since then the router and tunnel are stable and I can even ping and tracert between networks. So PPTP is the trick!!!

    However, I have two locations:
    Location A with an IP range of 192.168.14.xx and within that an SBS 2003 server and some workstations,
    and a location B with only some workstations in the range of 192.168.15.xx.

    They are all pingable from A to B and from B to A, but I cannot manage to log on to the SBS server at location A (range .14) from location B (range .15).

    Rather logical given the fact that it is not possible to log on to the domain even if you move a workstation from the B location to the A network. The ranges differ and the server does not accept that.

    Are there any ideas how to solve this problem?
     
  7. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    It is possible to log into domains across the VPN tunnel....

    I do a lot of SBS installs. But first...let's make sure your VPN tunnels are set up correctly. What make/model DSL modems do you have? Can you be assured that the WAN interface of your RV0 routers are indeed obtaining a public IP address? That your ISP provided modems are indeed running as pure bridges, not running gateway/router mode? This is absolutely important to be 100% sure about.

    Next...your remote location..the satellite offices..need to use the IP address of your SBS box as their one and only DNS server. DNS is key to name resolution and proper Active Directory functionality.

    Refer to this article I wrote..using my SBS2K3 server at home as an example...just to make sure DNS is setup correctly.

    http://www.speedguide.net/read_articles.php?id=1660

    What you should do, if you're using the DHCP of the router to control your satellite offices...is edit the DHCP properties..and have it hand out the IP of the SBS box as the primary DNS server. You can add the LAN IP address of that router as the secondary DNS server if you wish...so that those workstations can surf the internet during times when your primary office is offline..since the SBS box technically won't be available for DNS requests. But the key is..the IP of your SBS..must be used for DNS by all clients.

    Don't worry about how to mix 192.168.14.xxx with 192.168.15.xxx...let the routers do their job and handle that, and setup DNS so it can do its job properly and handle the name resolution.

    I'm assuming your SBS box is not multi-homed and ISA2K4 is not in the mix.
     
  8. Heuveltje

    Heuveltje Network Guru Member

    Thank you very much YOS!

    Will look into it a.s.a.p.

    The modems provided by the ADSL provider are a Thomson SpeedTouch 510 and a SpeedTouch 716v5. Both run in PPTP mode so they should be a pure bridge if I am not mistaken.
    The routers do the talking to the ISP and get their IPs and DNSes from the ISP. For your information: ISP = xs4all in the Netherlands, normally connecting through PPPoA mode.

    The VPN tunnel says it is connected and I can ping addresses and stuff. If I do a tracert I can resolve the IP of the server in three steps:
    1. IP of router
    2. line of time outs
    3. IP of server on other side

    Maybe this DNS will help, thank you for your reply. I'll keep you posted.

    Michiel
     
  9. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    If you can sit at the satellite office, ping the IP of the SBS server, and get replies..then yes..your issue is DNS related..that's why you cannot properly join the domain with the workstations at the satellite offices. I'll bet a few pints of Guinness on it! :D

    Hit the article...confirm proper DNS setup and functionality of your SBS box and its local LAN at the central office, edit the DHCP of your satellite office...so it's handing out the IP of your SBS box for DNS...let me know how you do.

    What are you running across the VPN tunnel?
     
  10. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    I forgot to mention...if this is the first time joining the domain, like you're setting up brand new workstations..unbuckling the OS at the remote site, you'll find you'll want to manually punch in the DNS suffix in advanced properties under TCP/IP...because it'll want to search for the domain name first.

    But if you joined them back at mothership before bringing them onsite..you're all set.
     
  11. Heuveltje

    Heuveltje Network Guru Member

    Hello Y.O.S.,

    I followed your (great) guide and edited the IP settings on the PCs at the remote office. Thank you for that.

    But I am still not able to connect to the server at the main office location:

    ----
    Clients (192.168.14.xx) + Server (192.168.14.200)
    >>>> connect to >>>>
    RV082 (LAN=192.168.14.250, WAN=PUBLIC IP MAIN OFFICE)

    IP Settings:
    IP: 192.168.14.xxx
    Subnet: 255.255.255.0
    Gateway: 192.168.14.250
    DNS: 192.168.14.200
    ----

    >>> VPN Gateway to Gateway tunnel over the Internet <<<

    ----
    RV082 (LAN=192.168.15.251, WAN=PUBLIC IP REMOTE OFFICE)
    <<<< connect to <<<<
    Clients (192.168.15.xx) + NO SERVER

    IP Settings:
    IP: 192.168.15.xxx
    Subnet: 255.255.255.0
    Gateway: 192.168.15.251
    DNS1: 192.168.14.200
    DNS2: 192.168.15.251
    ----



    I don't know if this setup is correct to be able to make a decent connection to the server at the main office, or do I need to set up a server at the remote office?
    At least these settings make the server at the main office pingable, but the domain-connection icon in the right hand corner says I am still offline; no new connection can be made.

    (The PCs at the remote office have been part of the original main office, but since a part of the business moved to the remote office I need to get them connected again.)

    The pints of Guinness are yours if you can give me some more tips on getting this thingie to work :D
     
  12. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    You shouldn't "need" another DC at this remote office. It's a good idea..in case the tunnel goes down, if you have lots of PCs and some local sharing going on in this remote office...

    however..to get these PCs hitting the Server at mothership...

    What's this icon you're talking about? Saying offline? Can you post a screenie?

    Just to triple check..you're saying these PCs were setup on the LAN at the main office, correct? And you can confirm they were indeed logging into the domain, not local logins. So that when you hit Ctrl+alt+del to login..that 3rd line has your domain, not the local computer name, correct?

    How long has it been since they've logged into the domain?

    Were hosts and lmhosts files used in the prior setup? Can you verify that they are default?
     
  13. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    OK, let's try something else....

    nbtstat -a 192.168.14.200

    That should give you the server's NetBIOS name, and the domain name.

    The domain name..say it's "Guinness"...when creating the DC and running DCPROMO, you gave it a full name...with the suffix...something like "guinness.local" or "guinness.com" (I prefer the .local)

    Can you, from the satellite office, ping the server by NetBIOS name, say it's "server1"..and get replies?

    Now...can you ping the server via domain name, such as guinness.local...and get replies?
     
  14. Heuveltje

    Heuveltje Network Guru Member

    Yes, the pinging works, in both directions, and tracert also gives some results. I can even go to the switch on the remote network and telnet in to adjust settings. So ping, tracert, nbtstat and telnet seem to work. But the computers are not found in Explorer or any other kind of program.


    The icon i am talking about is the icon of a computer.
    The balloon says something like: SERVER offline, the connection to the server was lost but you can continue to work blah blah blah....

    The triple check is correct, they log into the domain. At least the satellites try to....


    Since I had to adjust the IPs at the remote office to a different IP range (which must be used to make the VPN tunnel work), over there there is no connection.
    (192.168.15.xxx = remote, 192.168.14.xxx = main)

    I tried using a local (main office) computer (IP 192.168.14.100), and gave it an IP like in the remote office (i.e. 192.168.15.100). From that moment on there is no connection to the server either, however there is only a switch between them. So it must be some kind of routing problem.

    What am I doing wrong, I'm so confused.... ??? Should I rebuild the DNS in some way? The records for the satellites point towards their correct IPs, not their old ones.
     
  15. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    Seems to still be something screwy with DNS....
    If it fails to resolve via DNS...it will move to NetBIOS in an attempt to resolve...and since you're routing to a different IP range..that will naturally fail...

    Since you can ping via server name..and get replies...it seems correct..but lets test DNS a bit further.....go to a command prompt..and type in

    nslookup <servername> where you type in the server's NetBIOS name..without the brackets of course.

    Key to look for is having an IP in the reply

    Also try...

    nslookup servername.dnssuffix.local or .com...whatever you have for your top level domain.

    Also try....at the command prompt...

    net view \\servername where you type in your server's NetBIOS name instead of "servername"

    Try removing the secondary DNS you have entered...just enter your server's IP.

    If this fails...I think we have to step back and examine your server and local network in greater detail. With a local area network...things can continue to function "OK" even if DNS is not setup properly...it's when you start pushing DNS and leaning on it more..as we're doing here..that if it's not working 100%...things will start to break.
     
  16. Heuveltje

    Heuveltje Network Guru Member

    finally some results.... in a negative way.

    nslookup does not give any results:

    C:\>nslookup CHEESE (lets say thats the servername)
    DNS request timed out.
    timeout was 2 seconds.
    *** Can't find servername for 192.168.14.200: Timed out
    *** Default servers are not available
    Server: Unknown
    Address: 192.168.14.200

    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    *** Request to Unknown timed-out


    Hmmm, ping CHEESE times out also, tracert also.
    #%$%$^!!! Why does it do something else now!
    A ping from the server to the workstation also times out. nbtstat gives no result either.
    I'm lost....... :cry:
    The only thing that works on the server side is:
    nslookup name_workstation

    Any bright ideas? Throw the server out of the window? :(
     
  17. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    OK, I'm starting to run out of ideas here......I think we've covered everything....so something must still be not correct...time to back up and go over all the steps again...

    First...let's make sure your server's TCP is set up correctly..it's using itself as its only DNS server, and your event viewer is clear of DNS related errors. Same for WINS..make sure in its TCP properties it's looking at itself for WINS.

    Next...your connections. I see you started fiddling with static routes...shouldn't need any. I want to make sure that your DSL modems are indeed running in pure bridged mode. Your RV0 routers must be the only device doing any NAT on each end....and their WAN interface must be obtaining a public IP address. Your routers should be running in gateway mode, not router mode. You want your MTU to be set correctly on the router. 1492 for PPPoE DSL, 1500 for bridged DSL, Cable, or frame/frac-T.

    Your comment on your ADSL modems doing "dhcp_spoofing"...makes me wonder.

    As for each location, you appear to have them setup correctly..different IP ranges on each...192.168.14.xxx on one, 192.168.15.xxx on the other. Now to confirm the routers are setup correctly to do their tunnels...

    http://linksys.custhelp.com/cgi-bin...2NmX2xhbmc9MSZwX3BhZ2U9MQ**&p_li=&p_topview=1

    Might as well have a check in the box for enable netbios broadcast.

    On the workstations...make sure their primary DNS server is the IP of your SBS box, same with their WINS server...although you shouldn't be falling on WINS if they are 2K or higher clients. But just to make things correct.....

    Make sure your hosts and lmhosts files are clean.

    Now on the satellite office...from a command prompt, let's make sure the tunnel is active.

    Below, I'll use "cheese" as an example for your server's NetBIOS name, and "guinness.local" as an example for your domain suffix. Substitute with your actual ones of course.

    From the satellite office..can you ping the gateway IP of the main network, and get replies?
    Can you ping your SBS server's IP, and get replies?
    Can you ping your SBS server's NetBIOS name (cheese), and get replies with the correct IP?
    Can you ping your SBS server's domain suffix (guinness.local) and get replies with the correct IP?

    Now move to nslookup
    nslookup coffee
    nslookup guinness.local
     
  18. DocLarge

    DocLarge Super Moderator Staff Member Member

    Cheese may be timing out because it's not properly entered in the Reverse lookup zone of your DNS... That's one possibility because I ran into that recently.

    Doc
     
  19. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    Good point to mention Doc.....which brings up a suggestion to run some nslookup tests on the local main office..from a workstation. Test the DNS functionality of the SBS box from the local LAN first. As I mentioned...local networks can "appear" to function correctly because of netbios broadcasts...one may not notice DNS isn't setup correctly.
     
  20. Heuveltje

    Heuveltje Network Guru Member

    Thanks all, for helping me think this through.

    Yet I am still not able to join the remote PCs to the domain.
    I am back to being able to ping, tracert etc. etc. (this was because of a power failure on the remote PC side, and it was late at night :-s )

    In reply to Y.O.S.C.:
    DNS seems to be correctly set up. There are also no errors in the event viewer.

    The fiddling with static routes was because of the dhcp-spoof. But since the routers use PPTP mode to make the PPPoA connection with the ISP that is not needed anymore.
    You say MTU 1492 = PPPoE, others = 1500. Is PPPoA also 1500? Got it on automatic right now, works for me but I don't know the exact value right now.

    I don't use use DHCP_SPOOFING anymore. I use PPTP to make the modem transparent. Logging in is done by the router, see above.

    VPN tunnels state: connected

    Netbios = checked

    DNS = IP Cheese, 192.168.14.200, no other, SBS points to itself. The same goes for WINS.

    HOSTS and LMHOSTS are clean

    Pinging gives good results
    NSLOOKUP main office side:
    C:\>nslookup cheese
    Server: cheese.guinness.local
    Adress: 192.168.14.200

    Name: cheese.guinness.local
    Adress: 192.168.14.200

    However NSLOOKUP remote office:
    C:\>nslookup cheese
    Server: cheese.guinness.local
    Adress: 192.168.14.200

    *** cheese.guinness.local can't find cheese: Server failed.
    But if I type NSLOOKUP cheese.guinness.local the results are like on the main office side....

    I read somewhere to delete the computer from the domain administration on CHEESE. So I did. The remote computer was set to Workgroup: WORKGROUP and rebooted. Logged in as admin and went to computer properties where I try to change workgroup into domain: guinness (without the .local as advised).
    The computer then asks for credentials to add the computer to the domain (so the domain is found I guess?) and I type admin credentials (no domain\user, just user). Then the computer thinks for a long while until it says:
    (translated from Dutch to my best English)

    The following error occurred while joining the domain GUINNESS:
    The service did not reply in the right way to the start or driver command.

    So this seems to be some sort of time out..?
    The incoming log on the router at the main office side states at about the same time:
    Connection refused - Policy violation: UDP 0.0.0.0:68->255.255.255.255:67 on ixp1. I don't know if that has to do something with it.
    Also in the interface table IXP1 is named PPP200, probably because of the way it connects to the internet?

    Is there SOMEBODY that has a working VPN gateway to gateway on RV082 running? Please let me know. I am starting to think it is almost impossible....
     
  21. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    With PPPoA DSL..you want your MTU at 1500..you don't want 1492 MTU..that's for PPPoE DSL...a bit different than PPPoA.

    I always manually set the MTU...regardless of what brand router, or version of firmware. I flat out do not trust "auto-MTU" on any router...there are far too many variables IMO for this option to work.

    What I have noticed in prior versions of RV082 firmware...is that auto-MTU did not work...it negotiated an MTU value way too low. I'm on cable at home, my MTU should be 1500...when I first set up my RV082, as I was setting it up and tweaking things....I still had MTU on auto..and it negotiated my MTU at something way too low..like dial up settings..something like 576 or something.

    Yes we've setup site to site VPN tunnels with the RV082, working fine.

    Now that I think of it..your domain connection error that I questioned a few posts up is probably your "offline folders" synching...I'm guessing you redirected the My Docs directory. I always turn off offline folders..it's enabled in XP by default as soon as you remap the My Docs folder.

    Your "policy violation" error...hmmm...
     
  22. DocLarge

    DocLarge Super Moderator Staff Member Member

    I'm stuck on a PPPoA connection since leaving the states :( and at a norm, the default for PPPoA is 1458.

    1500 is a general MTU default for all Windows systems. However, based on your broadband connection (Ethernet max MTU = 1500; PPPoA max MTU = 1458) you can't use 1500 (I used to use 1500 all the time till I came over here, but I had Cox high speed internet). I sooooooo miss cable internet, y'all just don't know :cry:

    *Sniff* (Doc pours out a little liquor for the homies...)

    Anyway, you can check your current connection to tell if your MTU is too large, thus causing "Giants" (packets too large to be transmitted).
    Here's the formula:

    ping -f -l [mtu size ] [gateway]

    Example given:

    ping -f -l 1500 69.xxx.xxx.xxx

    If you were to ping this theoretical gateway of your isp (if this were your service) and you get "Packet needs to be fragmented but DF set," this means your MTU is too high for your broadband connection.

    At that point, I (personally) would drop my MTU by "50" points (i.e., 1500, 1450, 1400, etc...) until I got a ping reply.

    Chances are if your MTU is higher than 1475 on PPPoA (and the default is 1458), your packets are fragmenting...

    You can do one of two things: set the router to "manual" and make your MTU 1458 right from jump thus taking care of the MTU size for your network, or use the above formula, find the exact MTU size for your network, and then download "Dr TCP" and use it to adjust your computer's registry to the best MTU you find using the formula.

    Doc
     
  23. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    Is that something you found to be for the UK? Or your particular ISP over there? Very odd number, not the usual standard.

    Even tossing in the 20 bytes for IP and 8 bytes for ICMP...still an odd number.

    I'd love to see him run our TCP analyzer and post the results here...

    http://www.speedguide.net/sg_tools.php
     
  24. Heuveltje

    Heuveltje Network Guru Member

    Result SG TCP analyser:

    TCP options string = 020405b40103030201010101

    MTU = 1500
    MTU is fully optimized for broadband.

    MSS = 1460
    Maximum useful data in each packet = 1460, which equals MSS.

    Default TCP Receive Window (RWIN) = 256960
    RWIN Scaling (RFC1323) = 2 bits (scale factor of 4)
    Unscaled TCP Receive Window = 64240

    RWIN is a multiple of MSS
    Other RWIN values that might work well with your current MTU/MSS:
    513920 (MSS x 44 * scale factor of 8 )
    256960 (MSS x 44 * scale factor of 4 ) <-- current value
    128480 (MSS x 44 * scale factor of 2 )
    64240 (MSS x 44)

    bandwidth * delay product (Note this is not a speed test):

    Your TCP Window limits you to: 10278.4 kbps (1284.8 KBytes/s) @ 200ms
    Your TCP Window limits you to: 4111.36 kbps (513.92 KBytes/s) @ 500ms

    MTU Discovery (RFC1191) = ON

    Time to live left = 54 hops
    TTL value is ok.

    Timestamps (RFC1323) = OFF
    Selective Acknowledgements (RFC2018) = OFF
    IP type of service field (RFC1349) = 00000000 (0)

    That is when the MTU in the router is manually set to 1500.
    If I start pinging with DocLarge's formula the DF sets in at 1473, and 1472 is all right.

    What should the MTU on the router be set to? When it was set to 1428, like Linksys tells you to do in an information post at their help site, all mail services came to a halt... (big drama when you can't grasp it.... sleepless nights...) So that is NOT good; after that I set it to automatic, which worked OK (however still no domain logon between locations).

    When I installed Y.O.S.C.'s advised MTU of 1500 still everything is OK. But is 1500 too big? What should I do?
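    As an added example (not from the thread, and not tool output from the SG analyzer), the following Python script decodes the TCP options string printed above and cross-checks it against DocLarge's DF-ping probe: the largest payload that still gets a reply with DF set, plus 20 bytes of IP and 8 bytes of ICMP header, should equal the MTU implied by MSS + 40. The sample values are the ones posted in this thread (options string 020405b40103030201010101, unscaled RWIN 64240, largest working payload 1472).

```python
"""Decode a TCP options hex string and check it against a DF-ping MTU probe.
Added example for this thread; values below are taken from the posted
analyzer output, not from any live connection."""
import struct

IP_HEADER = 20    # IPv4 header without options
ICMP_HEADER = 8   # ICMP echo request header
TCP_HEADER = 20   # TCP header without options


def parse_tcp_options(hex_string):
    """Walk the options field: kind, length, body. NOP (1) is a single byte,
    EOL (0) terminates; MSS (2), window scale (3), SACK-permitted (4) and
    timestamps (8) are decoded, anything else is recorded by kind number."""
    data = bytes.fromhex(hex_string)
    opts = {}
    i = 0
    while i < len(data):
        kind = data[i]
        if kind == 0:               # End of option list
            break
        if kind == 1:               # NOP padding, no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("option kind %d at offset %d has no length" % (kind, i))
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed option at offset %d" % i)
        body = data[i + 2:i + length]
        if kind == 2:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3:
            opts["wscale_shift"] = body[0]
            opts["wscale_factor"] = 1 << body[0]
        elif kind == 4:
            opts["sack_permitted"] = True
        elif kind == 8:
            opts["timestamps"] = True
        else:
            opts.setdefault("unknown", []).append(kind)
        i += length
    return opts


def mtu_from_mss(mss):
    """MSS excludes the IP and TCP headers, so MTU = MSS + 40."""
    return mss + IP_HEADER + TCP_HEADER


def mtu_from_df_probe(largest_ok_payload):
    """DocLarge's method: ping -f -l <payload>; the largest payload that is not
    refused with 'needs to be fragmented' plus IP+ICMP headers is the MTU."""
    return largest_ok_payload + IP_HEADER + ICMP_HEADER


def probe_payload_for_mtu(mtu):
    """Inverse of the probe: the -l value to test a candidate MTU (e.g. 1458)."""
    return mtu - IP_HEADER - ICMP_HEADER


def check_analyzer_report(options_hex, largest_ok_payload, unscaled_rwin):
    """Combine both views and report whether they agree on the MTU."""
    opts = parse_tcp_options(options_hex)
    mtu_tcp = mtu_from_mss(opts["mss"])
    mtu_probe = mtu_from_df_probe(largest_ok_payload)
    return {
        "mss": opts["mss"],
        "mtu_from_mss": mtu_tcp,
        "mtu_from_probe": mtu_probe,
        "consistent": mtu_tcp == mtu_probe,
        "wscale_factor": opts["wscale_factor"],
        "rwin": unscaled_rwin * opts["wscale_factor"],
    }


if __name__ == "__main__":
    # Constructed from the thread: analyzer options string and unscaled RWIN,
    # and 1472 as the largest DF payload that still got a reply.
    print(check_analyzer_report("020405b40103030201010101", 1472, 64240))
```

The report shows both methods landing on 1500 (1460 + 40 and 1472 + 28), which is the arithmetic behind the "add 28 to it" remark in the next reply.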
     
  25. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    Honestly things are looking okie dokie. If you used the manual MTU discovery, and reached 1472/1473...that appears correct...as what number do you get if you add 28 to it? 1500.

    Man...I wish I could see more of your setup. There has to be something that's right there....but I can't see if from here.

    I'm still wondering about that routing entry you made.

    Are you familiar with hosts and lmhosts files?

    And adding DNS suffix in your DNS properties on the workstations? I'd like to see if you can edit those 3x things with the appropriate info..and settle things.
     
  26. Heuveltje

    Heuveltje Network Guru Member

    Fixed...

    I was unable to fix my problems using the Linksys hardware so I decided to buy 2 Draytek Vigor 2800 VPN routers. Connected, and everything works. So I think my problem must be in the PPTP mode for the modems. $400 later I am stuck with 2 useless RV082's....

    Thanks everybody for the extensive help and bearing with me!
     
  27. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    Thanks for reporting back. Interesting....curious what's unique in your setup there. You ended up finding some compatibility issue.
     
