RVS4000 Behind DIR-655 Wireless-N Router

brian.hugh
Level 1

I have a D-Link DIR-655 Wireless-N Router connected to my Cable Modem.  I would like to have the RVS4000 behind it, as the DIR-655 has some better features for managing my internal network.  I want to forward my external VPN to the RVS4000.  I'm confused on what needs to be set up for the LAN IP and WAN IP.  My DIR-655 does not let me forward to an IP outside of the subnet.  I'm assuming my LAN IP is my internal LAN subnet.   If my DIR-655 already has an external IP, what should the WAN IP be set to?  If I set the WAN IP on the RVS4000 to that of one of my internal subnet it says it cannot be.

Appreciate any help on this.

10 Replies

brian.hugh
Level 1

Wondering if anybody can help me on this one.

In a perfect world, I wanted to just forward port 443 to the RVS4000 device to allow VPN to my home/office network.  Best practices must be to have separate subnets.  But with the RVS4000 and DIR-644 you can't have that combination of internal and external subnets.

The below thread had a similar map, but not exactly.

https://www.myciscocommunity.com/message/25615#25615

Wondering if anyone has any diagrams of other best practices if you have a WAP/Router in addition to the RVS4000.

I was thinking another option would be to have the RVS4000 connected to my modem, then my DIR-655 to that.

So as follows

Internet>Modem>RVS4000>DIR-655>Internal Network

So I would have the External IP and ...A subnet from the RVS4000 to the left.  Then ...B subnet from RVS4000 subnet to the right.


That would allow me to keep the current settings I have for my DIR-655 and the control that I have there.


Does this make sense to anyone?

>So I would have the External IP and ...A subnet from the RVS4000 to the left.  Then ...B subnet from RVS4000 subnet to the right.

>That would allow me to keep the current settings I have for my DIR-655 and the control that I have there.

I think this makes a perfect sense.

Just one caution: If you have some servers that need to be accessed from the internet, it might help if they are connected to the LAN ports of RVS4000 directly.

Wondering why you say this?  That the servers need to be hooked up to the RVS4000.  I have seen some postings where people are not the happiest with performance.  I do have some servers that need to be accessed.  I was thinking of forwarding these ports from the RVS4000 to them, but was initially planning leaving them on the DIR-655.

Also, I've seen some things about dual NAT translation, but I don't think the DIR-655 has the option to turn this off.  Do I need to be concerned with anything around this with this setup?

One last thing.  In this configuration should the Mode be Gateway or Router?

Thanks for your quick response.

RVS4000 should run in Gateway mode, i.e. NAT enabled.

If your DIR-655 is running in Gateway mode, you would have to forward the service twice in order for the internet users to access the servers in the subnet of the DIR-655.

The easiest way to set it up is to connect a LAN port of the DIR-655 to a LAN port of the RVS4000, which makes the DIR-655 an Access Point. That way you only need to deal with a single subnet under the RVS4000.

Thanks for your recommendations.  Can you comment further about suggesting the servers needing external access be on the RVS4000?  Why do you suggest this?

Given the requirements, I made the recommendation based on its simplicity.

I'm trying to set this up but still having issues.


Internet>RVS4000>DIR-655>LAN

The RVS4000 needs the following

- WAN IP = assigned by ISP via dhcp

- LAN IP = internal-ip.10.x range

The DIR-655 needs the following

- Internet Connection either DHCP or Static (what should this be set to?)  It cannot be the same as my LAN or Router subnet

- Router IP address, which is an internal IP address range that needs to be the same as the DHCP, but cannot be the same as the Internet Connection IP.  This was typically the internal-ip.10.x range

The router IP address typically served as the gateway for the other computers on my LAN.  With this scenario, is the LAN IP on the RVS4000 now the gateway?

So I'm confused on what you set the WAN or Internet IP for both devices.

Brian:

You might find the answer for the IP address questions and additional info on the subject of Multi-NAT at Gibson Research.

http://www.grc.com/nat/nat.htm

and

http://www.grc.com/nat/nats.htm

My experience with the RVS4000 is that it is so quick that it is hard to detect the difference between addresses being translated just once or twice (twice in the instance where two Gateways are in a multi-NAT network).

It seems to me as if you don't want two routers but actually one router and a wireless access point for your network. If you use both as routers you create two separated ethernet LANs. It may not be possible to have full communication between all computers connected to different LANs. If you want all your computers be part of a single LAN then you may want to set up the D-Link as simple access point. This allows you full communication between all your LAN computers regardless where they are connected.

To do this, set it up like this: Let's say the RVS4000 is set up for internet (i.e. DHCP in your case) and LAN IP address 10.10.10.1, subnet mask 255.255.255.0.

Now you have to configure the D-Link. Connect to the web interface of the D-Link and first make sure the internet connection on the D-Link is still set to DHCP (not static IP). If that's the case, change the LAN IP settings: disable the DHCP server on the D-Link and change the LAN/router IP address to 10.10.10.2, subnet mask 255.255.255.0 (the IP address of the D-Link router is inside the LAN IP subnet of the RVS4000). Commit those changes. Now wire one of the LAN ports of the D-Link to one of the LAN ports of the RVS4000. You cannot use the WAN port on the D-Link. Now you can use the D-Link router like a simple access point for your LAN network. The RVS4000 is your internet gateway.
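The two address plans discussed in this thread (both boxes in Gateway mode with the D-Link's WAN port on the RVS4000's LAN, versus the D-Link wired LAN-to-LAN as a plain access point) can be sanity-checked before touching either web interface. The script below is an added example and is not code from the thread or from either vendor: it uses the addresses from the reply above (RVS4000 LAN 10.10.10.1/24, D-Link LAN 10.10.10.2/24), while the RVS4000 DHCP pool range, the D-Link's 192.168.0.0/24 LAN in the double-NAT case and the static WAN address 10.10.10.50 are assumed values for illustration.

```python
"""Check the two address plans from the thread with the stdlib ipaddress module.

Added example, not posted in the thread. RVS4000 LAN 10.10.10.1/24 and D-Link
LAN 10.10.10.2/24 come from the reply above; the DHCP pool, the 192.168.0.0/24
double-NAT LAN and the 10.10.10.50 WAN address are assumed.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass
class Router:
    name: str
    lan: str                           # LAN address with prefix, e.g. "10.10.10.1/24"
    dhcp_server: bool                  # does this box hand out leases on its LAN?
    dhcp_pool: Optional[tuple] = None  # (first, last) lease address, if dhcp_server
    wan_ip: Optional[str] = None       # None = WAN address obtained by DHCP upstream


def check_ap_plan(gateway: Router, ap: Router) -> list:
    """'ap' is a router wired LAN-to-LAN behind 'gateway' and used only as a
    switch/access point (the single-subnet plan). Returns problems; [] means OK."""
    problems = []
    gw = ipaddress.ip_interface(gateway.lan)
    ap_if = ipaddress.ip_interface(ap.lan)

    # The AP's management address must be inside the gateway's LAN subnet,
    # with the same mask, and must not be the gateway's own address.
    if ap_if.ip not in gw.network:
        problems.append(f"{ap.name} LAN {ap_if.ip} is outside {gw.network}")
    elif ap_if.network != gw.network:
        problems.append(f"{ap.name} mask /{ap_if.network.prefixlen} != /{gw.network.prefixlen}")
    if ap_if.ip == gw.ip:
        problems.append(f"{ap.name} and {gateway.name} both use {gw.ip}")

    # Exactly one DHCP server on a flat LAN, or clients get different gateways.
    if ap.dhcp_server:
        problems.append(f"{ap.name} DHCP server must be disabled")
    if not gateway.dhcp_server:
        problems.append(f"{gateway.name} must be the DHCP server")

    # The AP's static address must not sit inside the gateway's lease pool.
    if gateway.dhcp_pool:
        first, last = (ipaddress.ip_address(a) for a in gateway.dhcp_pool)
        if first <= ap_if.ip <= last:
            problems.append(f"{ap.name} address {ap_if.ip} collides with pool {first}-{last}")

    # A static WAN address can never be inside the box's own LAN subnet
    # (the 'cannot be' error the original poster saw on the RVS4000).
    if gateway.wan_ip and ipaddress.ip_address(gateway.wan_ip) in gw.network:
        problems.append(f"{gateway.name} WAN {gateway.wan_ip} is inside its LAN {gw.network}")
    return problems


def check_double_nat_plan(upstream: Router, downstream: Router) -> list:
    """Both boxes in Gateway (NAT) mode, downstream's WAN port wired to an
    upstream LAN port. Returns problems; [] means OK."""
    problems = []
    up = ipaddress.ip_interface(upstream.lan)
    down = ipaddress.ip_interface(downstream.lan)

    # A static downstream WAN address must be a free host on the upstream LAN.
    if downstream.wan_ip is not None:
        wan = ipaddress.ip_address(downstream.wan_ip)
        if wan not in up.network:
            problems.append(f"{downstream.name} WAN {wan} is not in {up.network}")
        if wan == up.ip:
            problems.append(f"{downstream.name} WAN clashes with {upstream.name} LAN address")
        if upstream.dhcp_pool:
            first, last = (ipaddress.ip_address(a) for a in upstream.dhcp_pool)
            if first <= wan <= last:
                problems.append(f"{downstream.name} WAN {wan} is inside the upstream DHCP pool")

    # The two LAN subnets must not overlap, or routing between WAN and LAN breaks.
    if up.network.overlaps(down.network):
        problems.append(f"LAN subnets {up.network} and {down.network} overlap")
    return problems


if __name__ == "__main__":
    rvs = Router("RVS4000", "10.10.10.1/24", dhcp_server=True,
                 dhcp_pool=("10.10.10.100", "10.10.10.149"))   # assumed pool
    dlink_as_ap = Router("DIR-655", "10.10.10.2/24", dhcp_server=False)
    print("AP plan:", check_ap_plan(rvs, dlink_as_ap))
    dlink_as_gw = Router("DIR-655", "192.168.0.1/24", dhcp_server=True, wan_ip="10.10.10.50")
    print("Double-NAT plan:", check_double_nat_plan(rvs, dlink_as_gw))
```

Both calls in the usage section return an empty list for the values in the thread; flip the D-Link's DHCP server on, or move its LAN address into the RVS4000 pool, and the corresponding problem string is returned.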

macgate782
Level 1

I posted a request on how to do this also a few days ago at the VPN forum, but with a DLINK DGL-4300 wireless game router, but no one had replied yet!

Well after SO MUCH soul searching, research from the smallnetbuilder site, the Greenbow website as well as the IP Securitas website, I got it working perfectly with an IPSec VPN tunnel set up between the Cisco RVS4000 behind the DLINK DGL-4300 and Mac OS X running IP Securitas (equivalent to Cisco's QuickVPN).  Just like yourself, my older DLINK has features that the RVS4000 doesn't have and I like the idea of a VPN gateway securing my servers (web, sftp, VNC, smb, smtp etc..) separate from my public LAN.  However, the plus point of the RVS4000 is its ability to host multiple IPSec VPN secure connections using the Screen Sharing function of Mac OS X Leopard and Snow Leopard to a VNC server anywhere with security and reliability at a good price!

Make sure that your DLINK DIR-655 has the latest firmware installed.

Here's my setup..

Cable Modem (172.x. on the public side)
  |
  v
WAN port of DGL-4300 -- LAN IP 192.168.0.1, 192.168.0.x range (our home network, no VPN setup)
  |
  |-- LAN port 1 --> my general network LAN (PC, NAS, wireless access point, web server, Pogo Plug)
  |
  |-- LAN port 2 --> WAN port of Cisco RVS4000 (VPN)
                       WAN address: DHCP-issued by the DGL-4300 (192.168.0.x to 192.168.1.1 routing set up automatically)
                       LAN ports 1-4: 192.168.1.x range with dual IPv4 and IPv6 address support
                       (Atom RAID 5 VNC server, SMB, FTP, N access point)

RVS4000 will obtain its WAN address automatically from the DHCP server of your DLINK router and this is needed to get the IPSec VPN tunnel going, as the local group setup will obtain its IP address from the WAN address issued by your DLINK.  Make sure that you "reserve" the DHCP address for the WAN side of the Cisco RVS4000 on your DLINK DIR-655 so it doesn't float on the next reboot or lease expiry; again, this is essential to getting the VPN part of your Cisco RVS4000 going.

This is the basic setup.  Mine is more complicated with VLAN L2 smart switches to separate LANs and improve bandwidth.

Basically, the cable modem WAN address is your outside VPN server address.  When you forward UDP port 500 and 4500, forward them to the actual internal IP address issued by the DLINK.  Say, if DLINK's DHCP server issued an IP address of 192.168.0.133, then port forward those 2 UDP ports to 192.168.0.133!  This forwarding should be done on the DLINK router and not on the Cisco RVS4000!  You will see this address appear also on the IPSec VPN tunnel setup page under Local Group Settings on the IP address box.  It will show 192.168.0.133.

Set up your IPSec VPN tunnel with the appropriate Phase 1 and 2 handshake and encryption methods on the RVS4000 and then on your IPSec client (I use IP Securitas for Mac OS X Leopard) and away you go.  With this setup, you get the following..

1. All internet devices behind the Cisco RVS4000 have full access to the net.

2. All internet devices behind the Dlink router have full access to the net.

3. All internet devices behind the Cisco RVS4000 can access the home network freely.

4. No internet devices behind the Dlink router can access the devices behind the RVS4000.

5. All devices behind the DLINK router can access the devices behind the RVS4000 only through an established IPSec tunnel.  (but this is slow as molasses; 25Mbps roughly I think)

6. Some net devices with SSL-VPN ability can tunnel through different subnets and are smart enough to configure themselves, so they are accessible from both networks.

However, you might want to limit this practice, as the weakest security link is that device.

I have a wireless-N router attached to the RVS4000 to bypass the VPN tunnel for local but quick file transfers (faster than IPSec's slower connection), but I have WPA2 and a secured strong password for the access point. 

The setup works beautifully.  Again, the strong point is OSX screen sharing via IPSec on the RVS4000 to my business VNC server is strong and reliable!

Hope this helps!
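The post above puts the RVS4000's WAN port on the D-Link's LAN and forwards UDP 500 and 4500 on the D-Link to the RVS4000's DHCP-reserved address, so IKE (and NAT-T encapsulated ESP on 4500) is handled by the RVS4000 itself after a single forward; an earlier reply in this thread pointed out that a server living on the inner subnet needs the service forwarded twice. The following script is an added example and not code from the post or from either vendor: it traces an inbound packet through the two NAT hops. 192.168.0.133 is the address from the post; the public address 203.0.113.10, the inner HTTPS server at 192.168.1.10 and the forwarding tables are assumed for illustration.

```python
"""Trace an inbound packet through stacked NAT gateways.

Added example, not from the thread. Models the RVS4000-behind-D-Link layout
described above (IPsec terminating on the RVS4000) and the "forward twice"
case for a server behind both boxes. 203.0.113.10, 192.168.1.10 and the
forwarding tables are assumed; 192.168.0.133 is the address from the post.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class NatGateway:
    name: str
    wan_ip: str                 # address on the outer network
    lan_net: str                # subnet behind it, e.g. "192.168.1.0/24"
    # (proto, port) -> (inner_ip, inner_port): the port-forward table
    forwards: dict = field(default_factory=dict)
    # (proto, port) the box itself answers on its WAN address (e.g. its IKE daemon)
    local_services: set = field(default_factory=set)


def forward_is_valid(gw: NatGateway, inner_ip: str) -> bool:
    """Consumer routers only accept forwards to hosts on their own LAN subnet,
    the restriction the original poster ran into on the DIR-655."""
    return ipaddress.ip_address(inner_ip) in ipaddress.ip_network(gw.lan_net)


def trace_inbound(gateways, proto, port):
    """Follow a packet that hits the outermost gateway's WAN on (proto, port).

    gateways are ordered from the internet inward. Returns (receiver, port, hops)
    where receiver is a gateway name (service handled by the box itself) or a
    host address; returns None if some gateway has no forward and drops it.
    """
    by_wan = {g.wan_ip: g for g in gateways}
    current = gateways[0]
    hops = []
    while True:
        hops.append(current.name)
        if (proto, port) in current.local_services:
            return current.name, port, hops          # e.g. IKE terminated on the RVS4000
        fwd = current.forwards.get((proto, port))
        if fwd is None:
            return None                               # default inbound policy: drop
        inner_ip, port = fwd
        if not forward_is_valid(current, inner_ip):
            raise ValueError(f"{current.name} cannot forward to {inner_ip}: not in {current.lan_net}")
        nxt = by_wan.get(inner_ip)
        if nxt is None:
            return inner_ip, port, hops               # a plain host, done
        current = nxt                                 # the forward landed on another NAT box


def thread_topology():
    """Internet -> D-Link (NAT) -> RVS4000 (NAT + IPsec endpoint) -> 192.168.1.x."""
    dlink = NatGateway("DGL-4300", "203.0.113.10", "192.168.0.0/24",
                       forwards={("udp", 500): ("192.168.0.133", 500),    # IKE
                                 ("udp", 4500): ("192.168.0.133", 4500),  # IKE/ESP NAT-T
                                 ("tcp", 443): ("192.168.0.133", 443)})   # inner HTTPS server (assumed)
    rvs = NatGateway("RVS4000", "192.168.0.133", "192.168.1.0/24",
                     local_services={("udp", 500), ("udp", 4500)})
    return [dlink, rvs]


if __name__ == "__main__":
    gws = thread_topology()
    print("udp/500 :", trace_inbound(gws, "udp", 500))     # ends on RVS4000 after one forward
    print("tcp/443 :", trace_inbound(gws, "tcp", 443))     # None: RVS4000 has no second forward
    gws[1].forwards[("tcp", 443)] = ("192.168.1.10", 443)  # add the second forward
    print("tcp/443 :", trace_inbound(gws, "tcp", 443))     # now reaches the inner host
```

The IKE trace stops at the RVS4000 because the forward on the D-Link targets the RVS4000's own WAN address and the RVS4000 answers on those ports itself; the HTTPS trace is dropped at the RVS4000 until a second forward to the inner host is added, which is exactly the double-forward situation the earlier reply warned about. Asking the D-Link to forward straight to 192.168.1.10 raises the "not in subnet" error instead.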
