Site to Site VPN devices behind ISP modem

Tags: site-to-site-vpn, tp-link

[Image: site to site VPN setup when behind ISP wifi router]

I've read through many site-to-site VPN posts on this site, but I still haven't found a solution to my issue. Here is the situation. I was asked to connect two sites together so the remote site B's users can print to printers and access the file shares at site A. Both sites are using Comcast business modems, and have been for quite some time, so turning the ISP modems to bridge mode is an absolute last-resort option.

I'm not entirely clear on how to go about setting up the VPN router to allow traffic from the Xfinity business modems to see each other over the site-to-site VPN connection. Both sites connect, but I can't ping either one.

Here's what I've done so far:

1. At both the remote site and the main site I've gone into the ISP cable modem and changed the local IP ranges so they are different: site A's local IP range is 10.1.10.X and site B's range is 10.20.30.X.

2. I've gone into the TP-Link interfaces and set up WAN 1 to a static IP on the local subnet for each site. The TP-Link at site A has WAN1 set to 10.1.10.215 and site B is 10.20.30.233.

3. On both Comcast modems I've set up port forwarding for the respective static IPs of the TP-Link devices so that ports 4500 and 500 UDP are open.

4. I've gone into the admin panel of the TP-Link R600VPN routers and set up the site-to-site IPsec and connected both sites together. Both sites have static internet/public IP addresses, which are placed into the proper fields. I'm using WAN1 as the adapter in the settings.

This is where things fall apart for me. I can see that the VPN connection is working from the control panel on the TP-Link routers, but I cannot ping the local IP addresses on either site from computers connected to the cable modems. Pings to the 10.1.10.X network from site B time out, and vice versa.

I've read about static routing, but I don't understand if I need to set this up on just the TP-Link routers, on the Comcast modem router, or on both. I tried messing with this already, but it didn't work either. I tried making the static routing destination for the TP-Link at site B 10.1.10.0 with hop 1 at 10.20.30.1 on WAN1 as the interface, but that didn't work. Is there a firewall rule I need to look for that might prevent this from working?

I'm also having a hard time understanding which physical network ports need to be connected. Right now I have the TP-Link R600VPN routers connected via the WAN1 port only. Do I need to instead have this device connected on one of the 4 LAN ports?

I'll keep googling for answers, but I've yet to find one that explains this type of setup, and I figured I would ask.

Best Answer

The issue is that data is not flowing from the clients to the TP-Link routers.

A more conventional approach would (depending on your ISP and requirements) be to ditch the ISP router and replace it with the TP-Link router, or, as you say, convert the ISP router into a bridge. Another (less than ideal, but sometimes most practical) option would be to use "double NAT", i.e. connect the Internet to the ISP router, and a LAN port of the ISP router to the WAN port of the TP-Link router on both sides. You would need to disable WiFi on the ISP router and enable it on the TP-Link (or get an AP). You would want to change the ISP router LAN to be in the 19.168.X range in each case.

An alternative which may work, depending on your particular routers, would be to add routes from the ISP router to the TP-Link router. This is not ideal because you are going to induce asymmetric routing, and some firewalls and other stuff can break: i.e. packets going out will go PC -> ISP router -> TP-Link router -> VPN, while packets returning will go VPN -> TP-Link router -> PC (not seen as going through the ISP router, because the VPN abstracts that hop).
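To make the symptom in the question and the asymmetric-routing caveat in the answer concrete, here is a small Python model of the two sites' routing tables (example code written for this page, not from the original post or from TP-Link). The hop names, the client addresses 10.1.10.50 and 10.20.30.40, and the route entries are constructed assumptions; the subnets and the TP-Link-as-VPN-hop layout are the ones described above.

```python
import copy
import ipaddress

# Constructed model of the question's topology (not from the original post).
# Each hop has directly connected subnets and a routing table of (prefix, next hop).
# "INTERNET" is the ISP's upstream; private destinations sent there are dropped.
HOPS = {
    "PC-B":     {"connected": ["10.20.30.0/24"], "routes": [("0.0.0.0/0", "ISP-B")]},
    "ISP-B":    {"connected": ["10.20.30.0/24"], "routes": [("0.0.0.0/0", "INTERNET")]},
    "TPLINK-B": {"connected": ["10.20.30.0/24"],
                 "routes": [("10.1.10.0/24", "TPLINK-A"), ("0.0.0.0/0", "ISP-B")]},
    "TPLINK-A": {"connected": ["10.1.10.0/24"],
                 "routes": [("10.20.30.0/24", "TPLINK-B"), ("0.0.0.0/0", "ISP-A")]},
    "ISP-A":    {"connected": ["10.1.10.0/24"], "routes": [("0.0.0.0/0", "INTERNET")]},
    "PC-A":     {"connected": ["10.1.10.0/24"], "routes": [("0.0.0.0/0", "ISP-A")]},
}

def next_hop(hop, dst):
    """Longest-prefix match over one hop's routing table."""
    best = max((r for r in hop["routes"] if dst in ipaddress.ip_network(r[0])),
               key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return best[1]

def trace(hops, src, dst_ip, dst_name):
    """Return the list of hops a packet traverses from src towards dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    path, cur = [src], src
    while True:
        if any(dst in ipaddress.ip_network(n) for n in hops[cur]["connected"]):
            return path + [dst_name]      # delivered on a directly connected subnet
        cur = next_hop(hops[cur], dst)
        path.append(cur)
        if cur == "INTERNET":
            return path                    # RFC 1918 destination: dropped upstream

def with_isp_routes(hops):
    """The answer's alternative: each ISP router gets a route to the far subnet via its TP-Link."""
    h = copy.deepcopy(hops)
    h["ISP-B"]["routes"].insert(0, ("10.1.10.0/24", "TPLINK-B"))
    h["ISP-A"]["routes"].insert(0, ("10.20.30.0/24", "TPLINK-A"))
    return h

def is_symmetric(forward, back):
    """True when the return path is exactly the forward path reversed."""
    return forward[::-1] == back

if __name__ == "__main__":
    print(trace(HOPS, "PC-B", "10.1.10.50", "PC-A"))                   # as configured: dropped
    print(trace(with_isp_routes(HOPS), "PC-B", "10.1.10.50", "PC-A"))  # with ISP routes
```

With the question's configuration the trace ends at INTERNET, which is why the pings time out; with the added ISP routes the forward path passes through ISP-B but the return path does not, which is the asymmetry a stateful firewall on the ISP router may object to.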