Problem: Trying to get VPN LAN side distributed across VLAN fails

MaxBurn

Storage Is My Life
Joined
Jan 20, 2004
Messages
3,243
Location
SC
#1
OK guys, I have a weird one and I'm not sure where to go from here. Help?

I have a VPN device from Contemporary Controls (known in the BMS world but likely never heard of here) and I want to distribute this thing's LAN side network across several buildings so we don't have to buy one VPN device per building. We created a VLAN in these buildings in the hope of accomplishing this but it isn't working and I don't have the knowledge to figure out why. These are the facts as I know them:

-The VPN device by itself works great, anything plugged into the LAN ports directly can be contacted by the remote server over the VPN just fine and they can reach the remote server fine too. This is the intended use for this VPN device.
-The VLAN we created is using the same IP scheme as the LAN side of the VPN. Same subnet and subnet mask and gateway is another address on the network.
-Devices are using the VPN IP as their gateway, same as they would when plugged in to the back of the VPN.
-Over the VPN I can reach the LAN side VPN configuration page and all logs indicate the VPN connection stays up when attached to the VLAN.
-Over the VPN I can't reach anything attached to the VLAN.
-Devices on the VLAN can reach each other no matter what building they are in.
-Devices on the VLAN can NOT be reached by the remote server, they can't reach the VPN LAN configuration page, sometimes ping works but mostly it doesn't.

Anyone know what to do next?
 

CougTek

Serial computer killer
Joined
Jan 21, 2002
Messages
8,692
Location
Québec, Québec
#2
Looks like something's missing in your routing table. The router portion of your VPN device doesn't seem to know where to send the packets from the WAN side. It seems to send the packets on another VLAN than the one you wish to use. It probably sends the VPN connections to the default VLAN (should be VLAN 1 unless you've changed it) instead of the VLAN you chose for this purpose.

Not knowing the VPN device you use, I cannot tell you precisely where to look in order to fix this, but you should get the general principle.
 

MaxBurn

#3
This is what I am using:
https://www.ccontrols.com/ctrlink/eipr.php

It's pretty much OpenVPN inside but we are using their cloud solution so the amount of customization we can do in their configuration console is limited but I will look into it.

My networking knowledge is fairly limited but I will start researching VLAN tagging as that sounds like the direction things are getting mixed up in, right?
 

MaxBurn

#4
Read a little more and we are using port based VLAN, that port on the switch that our VPN LAN side is plugged into is assigned to the VLAN we want to use. Shouldn't need to tag the traffic too??
 

CougTek

#5
I've searched the Application Guide and there is no mention of VLAN anywhere in the document. Thinking about it, it is normal since a router is an L3 device while VLANs are L2.

-The VLAN we created is using the same IP scheme as the LAN side of the VPN. Same subnet and subnet mask and gateway is another address on the network.
The gateway in that LAN should be the VPN router, otherwise, another device will try to redirect the traffic going to the WAN.
 

MaxBurn

#7
The gateway in that LAN should be the VPN router, otherwise, another device will try to redirect the traffic going to the WAN.
We will look at this possibility. My thinking at the time was that manually entering the VPN device's IP address on the network in other computers and devices as the gateway address should make that a non-issue, at the same time avoiding an IP collision.

If not solved by Monday I can help then. Good luck.
Thanks.
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN
#8
OK guys, I have a weird one and I'm not sure where to go from here. Help?

I have a VPN device from Contemporary Controls (known in the BMS world but likely never heard of here) and I want to distribute this thing's LAN side network across several buildings so we don't have to buy one VPN device per building. We created a VLAN in these buildings in the hope of accomplishing this but it isn't working and I don't have the knowledge to figure out why. These are the facts as I know them:

  1. -The VPN device by itself works great, anything plugged into the LAN ports directly can be contacted by the remote server over the VPN just fine and they can reach the remote server fine too. This is the intended use for this VPN device.
  2. -The VLAN we created is using the same IP scheme as the LAN side of the VPN. Same subnet and subnet mask and gateway is another address on the network.
  3. -Devices are using the VPN IP as their gateway, same as they would when plugged in to the back of the VPN.
  4. -Over the VPN I can reach the LAN side VPN configuration page and all logs indicate the VPN connection stays up when attached to the VLAN.
  5. -Over the VPN I can't reach anything attached to the VLAN.
  6. -Devices on the VLAN can reach each other no matter what building they are in.
  7. -Devices on the VLAN can NOT be reached by the remote server, they can't reach the VPN LAN configuration page, sometimes ping works but mostly it doesn't.

Anyone know what to do next?
OK, notes for myself and to make sure we are on the same page. A device plugged into the LAN side of the VPN appliance works fine. You want to extend the LAN side of the VPN appliance into a VLAN.

Item 1 is a great start. Item 3 indicated that the devices are set with the VPN appliance as gateway but item 2 refers to another gateway. You don't need a gateway in a VLAN so you are either talking about the gateway of the management IP or there is more routing going on complicating matters.

Based on item 6, and assuming you are including the VPN appliance as one of the devices you can reach from anywhere, I believe you have the VLAN setup correctly.

Item 7: I'm going to need more information about how you get to the VPN LAN configuration page from the LAN side. Whether you use IP or DNS name, what is the IP? Can you access it consistently if the VPN tunnel is down?


Testing: you should be able to ping all of the VLAN addresses from any of the buildings. You should also be able to ping an address on the network on the other side of the VPN tunnel. You should be able to traceroute to the other side of the VPN tunnel through the expected devices.
 

MaxBurn

#9
Good questions, some clarification:

6. -Devices on the VLAN can reach each other no matter what building they are in but they can NOT reach the LAN side configuration page of the VPN. Sometimes they can ping the LAN side of the VPN but mostly it fails. The VPN seems to be singled out here for reasons unknown.

7. -Devices on the VLAN can NOT be reached by the remote server coming in over the VPN. Coming in from the remote server over the VPN I can reach the VPN LAN side configuration page.


Stuff I need to do but didn't get time for today:
-Figure out what my coworker meant by gateway address, maybe it was just the router configuration address. I don't know.
-Try the VPN on another port for that VLAN, maybe it's just that port that's hosed.
 

Howell

#10
If you can ping the LAN side at least a few times, I can't imagine VLANning is not right. Sounds much more like a routing issue.

Inconsistency: the routing configuration could be sending you to the VPN appliance sometimes but not always. Also, the VPN appliance may be sending the traffic back the correct way sometimes but not always. Test with traceroute.
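The checks Howell lays out in #8 and #10 (ping every VLAN address from each building, ping the VPN appliance's LAN IP, ping something on the far side of the tunnel, traceroute) can be scripted so the intermittent failures get measured rather than eyeballed. The script below is an added example written for this thread, not code from the original posts or from Contemporary Controls; the addresses, the 20% loss threshold and the "which failure domain" interpretation are assumptions. The interpretation follows the thread's own reasoning: if VLAN peers reach each other but the appliance's LAN IP is lossy or its ARP entry never resolves, the fault is on the Layer 2 path between the switch and the appliance's LAN port (which is where this thread ended up), not in the tunnel.

```python
#!/usr/bin/env python3
"""Reachability checks for a VPN appliance whose LAN side is extended over a VLAN.

Run from a host on the VLAN. All addresses below are constructed examples
(assumptions for this illustration); replace them with your own.
"""
import re
import subprocess

VPN_LAN_IP = "192.168.92.1"                 # appliance LAN-side IP, the hosts' gateway
VLAN_PEERS = ["192.168.92.20", "192.168.92.21"]  # hosts on the VLAN, ideally in other buildings
REMOTE_HOST = "10.0.0.5"                    # an address on the far side of the tunnel
LOSS_LIMIT = 20.0                           # assumed tolerable loss (%) on a quiet LAN

# Matches both Linux ("3 received") and macOS ("3 packets received") summaries.
PING_SUMMARY = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")


def parse_ping(output):
    """Return (sent, received, loss_pct) from ping's summary line, or None if absent."""
    m = PING_SUMMARY.search(output)
    if not m:
        return None
    sent, recv = int(m.group(1)), int(m.group(2))
    loss = 100.0 * (sent - recv) / sent if sent else 100.0
    return sent, recv, loss


def parse_neigh(output, ip):
    """Return the ARP/neighbour state for ip from `ip neigh` output (REACHABLE, STALE,
    FAILED, INCOMPLETE, ...), or None if the kernel has no entry at all."""
    for line in output.splitlines():
        parts = line.split()
        if parts and parts[0] == ip:
            return parts[-1]
    return None


def ping_loss(host, count=20):
    """Ping host `count` times and return the loss percentage (None if no summary)."""
    out = subprocess.run(["ping", "-c", str(count), "-W", "1", host],
                         capture_output=True, text=True).stdout
    parsed = parse_ping(out)
    return None if parsed is None else parsed[2]


def neigh_state(ip):
    out = subprocess.run(["ip", "neigh", "show", ip], capture_output=True, text=True).stdout
    return parse_neigh(out, ip)


def classify(vpn_loss, peer_losses, remote_loss, vpn_neigh):
    """Map the measured losses to the most likely failure domain (assumed heuristic)."""
    bad = lambda loss: loss is None or loss > LOSS_LIMIT
    if any(bad(l) for l in peer_losses):
        return "vlan"       # peers on the VLAN cannot reach each other: the VLAN itself is broken
    if bad(vpn_loss):
        if vpn_neigh in (None, "FAILED", "INCOMPLETE"):
            return "l2-arp"  # gateway MAC never learned: switch port / VLAN assignment of the appliance port
        return "l2-drop"     # ARP resolves but frames are dropped: suspect that port or the switch
    if bad(remote_loss):
        return "tunnel"      # appliance fine, far side unreachable: routing/tunnel beyond the appliance
    return "ok"


def main():
    vpn = ping_loss(VPN_LAN_IP)
    peers = [ping_loss(p) for p in VLAN_PEERS]
    remote = ping_loss(REMOTE_HOST)
    state = neigh_state(VPN_LAN_IP)
    print(f"loss to VPN LAN IP {VPN_LAN_IP}: {vpn}% (neighbour state {state})")
    for p, l in zip(VLAN_PEERS, peers):
        print(f"loss to VLAN peer {p}: {l}%")
    print(f"loss to remote {REMOTE_HOST}: {remote}%")
    print("verdict:", classify(vpn, peers, remote, state))
    # traceroute shows whether the path to the far side really goes via the appliance
    subprocess.run(["traceroute", "-n", REMOTE_HOST])


if __name__ == "__main__":
    main()
```

Run it from a host in each building; a verdict of `l2-arp` or `l2-drop` in one building only, with the VLAN peers clean, points at that building's switch or the port the appliance is plugged into.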
 

MaxBurn

#14
Turned out to be something with the switch programming, the one creating the VLAN that is. Moved it over to a different switch and it works fine now.