Forwarding VPN (PPTP) traffic through RV042 with dual WAN ports.
A long post, so brace yourselves...
We have recently purchased a Cisco RV042 (latest firmware), and there seems to be a problem with forwarding VPN PPTP traffic through the router.
We have two ISPs – one ADSL and one fiber connection. We have customers connecting through both Internet connections (HTTP, HTTPS etc.); hence the router is set to “Load Balance” mode. (Otherwise the port forwarding doesn’t work through both Internet connections at the same time.)
Everything is working fine, port forwarding and all.
There is only one problem:
We have one VPN PPTP server (Mac OS X 10.5.8) located on the LAN.
I have set port forwarding to forward all PPTP traffic (1723) to the VPN server.
And here comes the weird part:
Depending on where you connect from the outside (e.g. from your home ISP) there is always only one of the WAN ports that works for VPN. Never both. E.g. from my home ISP, I can always connect (with VPN) through WAN1, and others can only connect through WAN2. Always.
All other forwarded traffic (such as HTTP, HTTPS etc.) is reachable from both WAN ports. Always. It is just the VPN that only randomly works through one of the WAN ports.
I’ve checked the VPN logs on the VPN server, and I can see exactly where things go wrong. When a client “phones home”, the incoming call reaches the server:
Incoming call... Address given to client = 192.168.x.xxx
Directory Services Authentication plugin initialized
Directory Services Authorization plugin initialized
PPTP incoming call in progress from 'XXX.XXX.XXX.XXX'...
[...]
And the server responds, sending an LCP negotiation request, but the client never confirms the request. More accurately, it seems as if the LCP request never reaches the client:
I’ve tried everything. From protocol binding to bandwidth management, MTU-size, switching WAN ports on the router, resetting the router, allowing ICMP messages (Block WAN requests), and many other things I could think of.
But I just can’t force the router to always send the LCP session out the same WAN port as the incoming VPN call, unless I unplug one of the WAN cables or switch to “Smart Link Backup”. (But that will void the usage of both WAN ports at the same time, which we absolutely need.)
Any suggestions? Please help!
TIA / Cathrine
PS: Before this, we had a Netgear FVX 538 (which unfortunately died), and this worked flawlessly on that router, using both WAN ports simultaneously.
Re: Forwarding VPN (PPTP) traffic through RV042 with dual WAN ports.
Thanks for your reply!
Yes, there seems to be a problem with traffic re-direction and the RV042, RV082 etc. :-P
The reason why the router is set to load balance mode is that we are in a transition period where our clients are starting to use the new(er) fiber connection, whereas most of them still use the ADSL. The only reason why I’ve set the router to Load Balance is that it is the only setting that will allow usage of both WAN ports at the same time.
I’ve already tested the Protocol Binding, forcing PPTP traffic (or all traffic) out one specific WAN port, but that does not change the behavior. The problem persists.
My conclusion is also that the outgoing VPN traffic is seemingly load balanced between the two WAN ports. In my case, it seems as if the (LCP) negotiation is sent out the wrong WAN port.
Though the thing that differs from the thread you posted is that in my case, the connection is never even established (the LCP negotiation fails according to the VPN server log), or it works all the time. But only through one WAN port from a certain location. (Depending on from where on the outside you connect, it only works through one specific WAN port.)
On many posts there are suggestions that the GRE protocol must be allowed. Problem is, that the protocol binding only binds ports and protocols TCP/IP or UDP. There is no setting to allow GRE or re-direct GRE out one WAN port. (The GRE protocol is only present in the bandwidth management section, which seemingly does nothing in terms of forcing a certain type of traffic out one WAN port.)
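The reply above describes PPTP as two separate flows: a TCP/1723 control connection and a GRE (IP protocol 47) stream that carries the PPP frames, including the LCP negotiation. The failure mode is that the router keeps the control connection on one WAN link but load-balances the GRE replies out the other. The following is an added example, not code from the thread or from Cisco: it takes per-flow records for both WAN interfaces (the one-line-per-flow text format, the interface names and the addresses are constructed for illustration) and flags any client whose outbound GRE leaves a WAN interface other than the one that carried its control connection.

```python
"""Audit whether a dual-WAN router sends PPTP's GRE data path out the same
WAN interface that carried the TCP/1723 control connection.

Added example, not part of the original forum thread or any Cisco tool.
The flow record format (iface, direction, proto, src[:port], dst[:port])
and the sample records below are constructed assumptions.
"""
from collections import defaultdict

PPTP_CTRL_PORT = 1723   # PPTP control connection runs over TCP
GRE = "gre"             # IP protocol 47 carries the PPP frames (LCP, data)


def _split_endpoint(ep):
    """'203.0.113.10:51234' -> ('203.0.113.10', 51234); bare IP -> (ip, None)."""
    if ":" in ep:
        host, port = ep.rsplit(":", 1)
        return host, int(port)
    return ep, None


def parse_flow(line):
    """Parse one constructed flow record into a dict; None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    iface, direction, proto, src, dst = line.split()
    src_ip, sport = _split_endpoint(src)
    dst_ip, dport = _split_endpoint(dst)
    return {"iface": iface, "dir": direction, "proto": proto.lower(),
            "src": src_ip, "sport": sport, "dst": dst_ip, "dport": dport}


def remote_peer(flow):
    """Outside client address: the source of inbound, the destination of outbound."""
    return flow["src"] if flow["dir"] == "in" else flow["dst"]


def is_pptp_control(flow):
    return flow["proto"] == "tcp" and PPTP_CTRL_PORT in (flow["sport"], flow["dport"])


def audit_pptp(lines):
    """Group flows per remote client and mark a session asymmetric when any
    outbound GRE left a WAN interface the control connection never used."""
    sessions = defaultdict(lambda: {"ctrl_ifaces": set(), "gre_out_ifaces": set()})
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        peer = remote_peer(flow)
        if is_pptp_control(flow):
            sessions[peer]["ctrl_ifaces"].add(flow["iface"])
        elif flow["proto"] == GRE and flow["dir"] == "out":
            sessions[peer]["gre_out_ifaces"].add(flow["iface"])
    report = {}
    for peer, s in sessions.items():
        asymmetric = bool(s["gre_out_ifaces"] - s["ctrl_ifaces"])
        report[peer] = {**s, "asymmetric": asymmetric}
    return report


# Constructed sample: 203.0.113.10 connects via WAN1 (router address
# 198.51.100.5) but its GRE reply is sent out WAN2 (198.51.100.9), which is
# the failure described in the thread; 203.0.113.77 is a healthy session on WAN2.
SAMPLE_FLOWS = """
wan1 in  tcp 203.0.113.10:51234 198.51.100.5:1723
wan1 out tcp 198.51.100.5:1723  203.0.113.10:51234
wan1 in  gre 203.0.113.10       198.51.100.5
wan2 out gre 198.51.100.9       203.0.113.10    # LCP reply load-balanced to WAN2
wan2 in  tcp 203.0.113.77:40000 198.51.100.9:1723
wan2 out tcp 198.51.100.9:1723  203.0.113.77:40000
wan2 in  gre 203.0.113.77       198.51.100.9
wan2 out gre 198.51.100.9       203.0.113.77
""".strip().splitlines()


if __name__ == "__main__":
    for peer, s in audit_pptp(SAMPLE_FLOWS).items():
        status = "ASYMMETRIC" if s["asymmetric"] else "ok"
        print(f"{peer}: ctrl={sorted(s['ctrl_ifaces'])} "
              f"gre_out={sorted(s['gre_out_ifaces'])} {status}")
```

Records like these can be produced from a packet capture taken on each WAN link; the check keys on the remote client address because, with two public addresses on the router, a GRE packet that leaves the wrong WAN also carries the wrong source address, which is why the client never sees the LCP reply.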