access internet via offsite proxy or VPN server
I have an Omada-controlled site and need specific devices to access internet web services via an offsite proxy or offsite VPN server.
These specific devices can be identified either by a VLAN, subnet, IP or MAC and are labeled "A" and "B" in the network diagram below.
I can configure each device to access internet web services via the proxy or the VPN server and it works. But how it should work is that the traffic of these devices is redirected automatically to the proxy or VPN, without any configuration being needed on these devices.
I could not figure out how to set this up in the Omada suite. Help is greatly appreciated! Thanks a lot in advance!
I'm not sure if I understand you correctly. Have you built a VPN tunnel between the ER7206 and the Proxy server?
For example, if you have an L2TP client-to-LAN connection with the ER7206 as the client, then on the ER7206 you can set up Policy Routing and choose for all packets to go through the VPN tunnel.
First of all thanks a lot for the help!
I could not set up a VPN tunnel between the ER7206 and the proxy server. What I could do is set up a VPN tunnel between a local client in the Omada site (Windows 10 desktop PC) and the proxy server. This works.
Where I am struggling is to set up the ER7206 as a client. Do I need to set it up via the following form?
Is "Remote Server" the external IP of the proxy?
And what do I need to select for "working mode"? NAT or Routing? As far as I understand you, Routing would be the right option.
Probably I don't understand how to set up Policy Routing. But the form for Policy Routing allows only IP Group (or Port Group) as an option. I was assuming that an IP Group is only local. Or can I just enter the external IP address of the proxy server and create its IP group?
Policy Routing is the last step, and the option to apply a Policy Route via a VPN only appears when the VPN is created and enabled.
However, first you must establish the client VPN connection to your proxy server. To answer your questions: YES, you want to use Routing mode, and YES, the remote server is the IP or DNS name of the proxy server. You can add remote subnets if you wish them to be routable, or if you are just using the VPN as your default route, you can leave those blank (I think; in my case I have the remote private subnet configured).
Again thanks a lot for having a look at this and helping out!
I tried to set it up as described, tweaked all the settings here and there, even went through a full factory reset, but I can't get it working.
Could you please have a look at it and tell me what I am missing? I made screenshot documentation of the relevant settings.
First of all, I have a screenshot of a Win10 PC with the VPN set up with exactly the same parameters as for Omada, and it works. When I check whatsmyip, I get the IP of the VPN server (not the modem attached to the router).
And here is my Omada setup. Without the policy routing, the PC can access the internet but is not using the VPN (the whatismyip check returns the IP of the local modem, not the VPN IP). With policy routing enabled there is no internet access at all.
What am I doing wrong or what am I missing? Thanks a lot again in advance!
Everything you've shown above is configured the same as my setup, with 1 exception (which is controller related, nothing you can do) and 2 unknowns. My switch routes are as follows, and I'm curious if the default route through my router matters in this case:
I didn't create either of these routes manually (so the controller did), but you could test your setup by adding static routes.
Also, you didn't indicate the status of your VPN tunnel. Please verify that both the SA and the tunnel are up. I had issues with Starlink and an encrypted tunnel, so I was running just L2TP initially, as Elon filters ESP packets. Verify that your tunnel is actually up and passing traffic:
At this point my local initiator is assigned an IP of 10.1.2.3 by the VPN server, and the local tunnel endpoint is 172.31.126.1, as shown above. The local routing table has an entry for 172.31.126.1 via the VPN client interface. At the remote end, the routing table has an entry for 10.1.2.3 via ppp0 (which is the remote endpoint of the PPP tunnel established over the L2TP connection).
No other config was needed at the server end (no static routes, nada); in my case the VPN server is another TP-Link ER605. Is your VPN server also TP-Link?
The only other thing I can think of is have you power cycled your router since you made all these changes?
A quick test might be to configure an unused LAN port on the 7206 to belong to your VPN VLAN (40). Jack a test laptop into this port and verify it gets the proper 192.168.40.x IP as well as valid DNS and a default route. Try pinging the 7206 (192.168.1.1?); this shouldn't work. Try a traceroute to google.de and see if it makes sense.
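The two replies above describe the same verification by hand: confirm the tunnel is up and that the laptop in VLAN 40 gets a 192.168.40.x address, a default route, no path to the router's LAN address, and an egress IP that belongs to the VPN server rather than the modem. The following POSIX shell script is an added example for this thread, not TP-Link or Omada code, and automates the laptop-side part of that check. The VLAN 40 subnet (192.168.40.0/24) and the router LAN address (192.168.1.1) are taken from the thread; the IP-echo URL (api.ipify.org, overridable via IP_ECHO_URL) and the presence of `ip`, `ping` and `curl` on a Linux laptop are assumptions. The VPN server's public IP and the modem's public IP are passed on the command line because only the operator knows them.

```shell
#!/bin/sh
# Egress-path check for a client in the policy-routed VLAN.
# Added example for the Omada/ER7206 thread; not TP-Link code.
# Assumed from the thread: VLAN 40 = 192.168.40.0/24, router LAN = 192.168.1.1.
# Assumed tooling: ip(8), ping, curl, and an IP-echo service.

VPN_VLAN_NET="192.168.40"                              # VLAN 40 client subnet (/24)
ROUTER_LAN_IP="192.168.1.1"                            # ER7206 LAN address (should be unreachable)
IP_ECHO_URL="${IP_ECHO_URL:-https://api.ipify.org}"    # assumed IP-echo endpoint

# is_ipv4 ADDR: exit 0 if ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# in_vpn_vlan ADDR: exit 0 if ADDR lies in the VLAN 40 subnet
in_vpn_vlan() {
    is_ipv4 "$1" || return 1
    case "$1" in
        "$VPN_VLAN_NET".*) return 0 ;;
        *) return 1 ;;
    esac
}

# default_gw ROUTE_TABLE: print the gateway of the default route found in
# `ip -4 route` output; prints nothing when there is no default route
default_gw() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# classify_egress OBSERVED VPN_PUBLIC WAN_PUBLIC:
#   "vpn"     (exit 0): traffic leaves through the VPN server
#   "leak"    (exit 1): traffic leaves through the local modem, policy route not applied
#   "unknown" (exit 2): anything else, including an empty OBSERVED when there is
#                       no internet at all (fail-closed, as the thread describes)
classify_egress() {
    if [ "$1" = "$2" ]; then
        echo vpn; return 0
    elif [ "$1" = "$3" ]; then
        echo leak; return 1
    else
        echo unknown; return 2
    fi
}

# run_live_check VPN_PUBLIC WAN_PUBLIC: gather state from this host and report
run_live_check() {
    vpn_pub="$1"; wan_pub="$2"
    my_ip=$(ip -4 -o addr show scope global | awk '{ split($4, a, "/"); print a[1]; exit }')
    if in_vpn_vlan "$my_ip"; then
        echo "OK   address $my_ip is in $VPN_VLAN_NET.0/24"
    else
        echo "FAIL address ${my_ip:-none} is not in $VPN_VLAN_NET.0/24 (wrong port or VLAN?)"
    fi
    gw=$(default_gw "$(ip -4 route)")
    if [ -n "$gw" ]; then echo "OK   default route via $gw"; else echo "FAIL no default route"; fi
    # The router's LAN address should not answer from the isolated VLAN.
    if ping -c 1 -W 1 "$ROUTER_LAN_IP" >/dev/null 2>&1; then
        echo "WARN $ROUTER_LAN_IP answers ping; inter-VLAN isolation may be missing"
    else
        echo "OK   $ROUTER_LAN_IP does not answer"
    fi
    observed=$(curl -fsS --max-time 10 "$IP_ECHO_URL" 2>/dev/null)
    verdict=$(classify_egress "$observed" "$vpn_pub" "$wan_pub")
    echo "egress: observed ${observed:-none} -> $verdict"
}

# Usage: sh egress-check.sh --run <vpn-server-public-ip> <modem-public-ip>
if [ "${1:-}" = "--run" ]; then
    run_live_check "$2" "$3"
fi
```

The interesting distinction is between "leak" and "unknown": an egress IP equal to the modem's means the policy route is not catching the traffic, which is the state the original poster saw without policy routing, whereas no answer at all with the policy route enabled means the router is sending the VLAN's traffic into a tunnel that is not up, which fails closed rather than leaking.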
Thanks a lot for sharing your config and for the advice. I added the routing, but it did not help.
I haven't indicated the status of my VPN tunnel because it just does not come up. I never saw anything under "VPN Status". I was assuming it only comes up when a consumer/client uses the VPN. But as I understand now, that was a wrong assumption.
"The only other thing I can think of is have you power cycled your router since you made all these changes?"
--> Very good hint. Yes I did. I noticed too that the router is not taking all config without it.
"Is your VPN server also TP-Link?"
--> No, it is a standalone hosted virtual Windows server. This might be a major factor. And something I cannot change.
The other thing I noticed is that you kept the default subnet of TP-Link (192.168.0.x) for your (backbone/network) LAN. Not intentionally, but by bad design, this could have an impact. I am considering factory resetting everything and setting up the whole network again in the default TP-Link subnet. But this is going to take a while, as I have to plan for a full day of outage. And a day to roll back, just in case.
Thanks a lot again! Your information helped a lot!