The catch with the MX is that the subnet referred to by a static route must be unique across the entire organization. There is another option, for locations that have an extra subnet between their internal router and their edge device we can connect to the outer router (with a static route to the inner subnet) and the flows between the workstation and our VPN device will be symmetrical. I guess we can consider ourselves fortunate that we only have to do that for this one location (so far). We were just hoping to not have to configure each PC individually. ![]() So other than getting them to try another brand of modem, we'll have to go with that. The windows firewall is vanilla, with the exception of the allowances I tried to add on one of the PCs. ![]() They all point to the VPN concentrator at the DC for their next hop so it's basically a connected route. We do basically a standard deployment as far as the VPN part. Is the WinX firewall set to allow communication to other LANs off its directly connected subnet? Is it a directly connected interface on the destination subnet or is it to an intermediate router (possibly in the same subnet as the target IP)? Next, look at the routing "inside" the appliance to see how the traffic is being routed out. Traffic in the other direction follows a similar process.įirst, I'd verify that VPN traffic (destination = IP on the far end of the tunnel) is being sent to the firewall. The "appliance" inside the firewall recognizes the destination IP as being selected for the VPN and encapsulates it to route over the VPN to the other "appliance" that de-encapsulates it and pushes it out onto its attached LAN. "Normally," traffic meant for the intake end of a VPN is just sent to the firewall as if it was WAN traffic. If I had one location that behaved differently, I'd look at how the VPN traffic enters that location. My question is, what could the Trendnet be doing differently than the other (Cisco / Juniper / Comtrend) modems and routers? RDP and http work fine, it's just that the Windows 10 firewall, when on blocks the connection. It's worked fine so far except for one location with a Trendnet DSL modem. The appliance creates a VPN back to our DC and the agents enter static routes in their router or modem to match. We are putting in VPN appliances in agent offices. I am also dealing with asymmetric routing. ![]() I noticed you gave a good answer to a similar question. That will tell the workstation to send traffic directly to the firewall, bypassing the router. On the workstation verify that RDP fails. In my experience, this sort of thing breaks RDP, SSH, or any sort of secure protocol that's sensitive to spoofing. ![]() If it tries, the router will most likely tell it to substitute the PC's MAC for the router's MAC on subsequent frames. The firewall will go directly to the PC because it has no reason to go through the router. Having the PC's gateway and the router's next hop in the same subnet will cause asymmetrical routing on the return. It's common in small business, but it causes no end of problems. The root of your problem is using a FW as a router. What's the square box with the arrows? Is that a switch? I'll assume so because it has no IP. That may explain the on again/off again with the PC firewall. Rebooting (or ending the session) would clear the entry from the table. I'd guess that if you start a session with the Win FW off, and then enable it, it will note that there is already a session open and create an entry in the established session table.
0 Comments
Leave a Reply. |