By Colonel Panic
#1745933
Thanks; I can confirm that the only DHCP server is the USG; so far everything on the network today has been allocated a static IP (by me, via the USG and not using any device's dashboard) within the range ...2.2(?) - ...2.90.

The only things given an IP via DHCP have been visitors with laptops & phones etc.
By Sjoram
#1746249
Infrequent visitor here these days, so just caught up on the recent posts.
Are you familiar with running a traceroute on the Mac via Terminal?
What happens if you traceroute from the VPN connected client to an address in 192.168.2.x assigned to a device on your network?
My gut instinct is that IF the traffic is being routed down the VPN from the remote client, it's either not being routed back in the other direction or the firewall rules aren't allowing the traffic to pass.
Nothing on 192.168.2.x will know anything about 192.168.3.x and vice-versa, but the USG should be able to link them together. The reason for needing to send all traffic down the VPN is that otherwise anything destined for an address not 192.168.3.x would try to use the 'default route' of the local internet connection and not the VPN tunnel. Sending all traffic down the VPN makes the USG the default route for all network traffic on the machine other than the VPN tunnel itself.
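As an added illustration of the default-route point above (this is not code from the thread or from Ubiquiti): the function below does the longest-prefix match a client's kernel performs, over two constructed route tables, one with only the VPN subnet routed down the tunnel and one with the tunnel as the default route. The interface names, the hotspot network 10.255.25.0/24 and its gateway, and the VPN endpoint address 203.0.113.10 are all assumptions.

```python
"""Longest-prefix route selection on a VPN client.

Added example, not code from the thread or from Ubiquiti. The route tables
are constructed to approximate a Mac on a public hotspot (assumed to be
10.255.25.0/24) with an L2TP tunnel up; interface names, the hotspot gateway
and the VPN endpoint address 203.0.113.10 are all assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str   # next hop, or "link" for a directly connected network
    iface: str


def make_route(prefix: str, gateway: str, iface: str) -> Route:
    return Route(ipaddress.ip_network(prefix, strict=False), gateway, iface)


# "Send all data over VPN" unticked: only the VPN's own subnet goes via the
# tunnel; everything else follows the hotspot's default route.
SPLIT_TUNNEL = [
    make_route("0.0.0.0/0", "10.255.25.1", "en0"),
    make_route("10.255.25.0/24", "link", "en0"),
    make_route("192.168.3.0/24", "192.168.3.1", "ppp0"),
]

# "Send all data over VPN" ticked: the default route now points at the
# tunnel, and only the VPN endpoint itself stays pinned to the hotspot so
# the encapsulated tunnel packets can still leave.
FULL_TUNNEL = [
    make_route("0.0.0.0/0", "192.168.3.1", "ppp0"),
    make_route("10.255.25.0/24", "link", "en0"),
    make_route("203.0.113.10/32", "10.255.25.1", "en0"),
    make_route("192.168.3.0/24", "192.168.3.1", "ppp0"),
]


def select_route(table: list, dest: str) -> Route:
    """Return the most specific route whose prefix contains dest."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dest}")
    # Longest prefix wins; the /0 default only applies when nothing else matches.
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def egress_interface(table: list, dest: str) -> str:
    """Which interface a packet to dest leaves on under the given table."""
    return select_route(table, dest).iface


if __name__ == "__main__":
    for name, table in (("split tunnel", SPLIT_TUNNEL), ("full tunnel", FULL_TUNNEL)):
        for dest in ("192.168.2.50", "192.168.3.1", "203.0.113.10"):
            r = select_route(table, dest)
            print(f"{name:12s} {dest:15s} -> {r.prefix} via {r.gateway} on {r.iface}")
```

With the split-tunnel table a packet for 192.168.2.50 matches only the /0 default and leaves on the hotspot interface, where it goes nowhere useful; with the full-tunnel table the same packet is handed to the tunnel and it is then up to the USG to route it onto 192.168.2.x and to let the reply back. On a real Mac the equivalent check is `netstat -rn` or `route -n get 192.168.2.50` in Terminal.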
By Colonel Panic
#1746334
Sjoram wrote: Are you familiar with running a traceroute on the Mac via Terminal?
What happens if you traceroute from the VPN connected client to an address in 192.168.2.x assigned to a device on your network?

Thanks; happy to run traceroute, but not sure what the replies mean. Here, I traceroute'd three different "things" to see if the nature of the query mattered.

2.50 = a Raspberry Pi
2.29 = a Synology NAS
2.30 = an iMac

What can one deduce (if anything) from the results? In each case, if I type the same IP addresses into the browser address bar the progress strip just stalls at <10% across and nothing happens.

NB: The VPN does connect OK, and assigns me an IP of 192.168.3.1, which is what I would expect. I have ticked "Send all data over VPN".

EDITED TO ADD: I am not sure where the 10.255.25.0 comes from? Possibly via Waitrose's O2 wifi access point?

[Image: screenshot of the three traceroute results]
By Sjoram
#1746556
Your PM gave me the nudge to check the thread.
:D

Based on your screenshot, it would appear that traffic can route from the VPN client to devices on the 192.168.2.x so I think it's likely what you now need is firewall rules on the USG to allow traffic with a source address of 192.168.3.x to reach the relevant devices/services on 192.168.2.x

You could either be very open and allow any 192.168.3.x to any 192.168.2.x or you could be more granular and only explicitly allow the services you need.

It's possible that the USG will allow ping & traceroute by default (or via a tick box), but not other protocols.
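The open-versus-granular choice above, as an added example (this is not the USG's own rule syntax and not code from the thread): a first-match rule evaluator with default deny, three rule sets for 192.168.3.0/24 to 192.168.2.0/24 traffic, and a minimal connection table so that replies to an accepted flow get back without a rule of their own, which is the stateful behaviour a gateway normally provides. The baseline set assumes ping and traceroute pass by default; the service ports (5000 for the NAS web UI, 22 for SSH on the Pi, 5900 for screen sharing on the iMac) are assumptions.

```python
"""First-match firewall evaluation for VPN-subnet to LAN traffic.

Added example, not the USG's own rule syntax or code from the thread. The
baseline set encodes the assumption that ICMP (ping/traceroute) is allowed
by default; the service ports used in the granular set are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "accept" or "drop"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def rule(action, src, dst, proto="any", dport=None) -> Rule:
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, dport)


VPN_NET = "192.168.3.0/24"   # addresses handed to L2TP clients
LAN_NET = "192.168.2.0/24"   # the devices behind the USG

BASELINE = [rule("accept", VPN_NET, LAN_NET, "icmp")]          # ping works, nothing else
OPEN = [rule("accept", VPN_NET, LAN_NET)]                      # any VPN host to any LAN host
GRANULAR = [
    rule("accept", VPN_NET, LAN_NET, "icmp"),
    rule("accept", VPN_NET, "192.168.2.29/32", "tcp", 5000),   # NAS web UI (assumed port)
    rule("accept", VPN_NET, "192.168.2.50/32", "tcp", 22),     # Pi SSH (assumed port)
    rule("accept", VPN_NET, "192.168.2.30/32", "tcp", 5900),   # iMac screen sharing (assumed port)
]


class Firewall:
    """Rules are tried in order, first match wins, unmatched traffic hits the
    default policy. The connection table lets replies to an accepted flow back
    through without their own rule, so only the VPN -> LAN direction needs
    explicit entries."""

    def __init__(self, rules, default="drop"):
        self.rules = list(rules)
        self.default = default
        self.flows = set()   # 5-tuples of accepted forward packets

    def evaluate(self, p: Packet) -> str:
        # A reply has src/dst and sport/dport swapped relative to the stored flow.
        if (p.dst, p.src, p.proto, p.dport, p.sport) in self.flows:
            return "accept"
        for r in self.rules:
            if r.matches(p):
                if r.action == "accept":
                    self.flows.add((p.src, p.dst, p.proto, p.sport, p.dport))
                return r.action
        return self.default


def probe(rules, dst: str, proto: str, dport: Optional[int] = None) -> str:
    """Verdict for a fresh packet from the VPN client 192.168.3.1 to dst."""
    sport = None if proto == "icmp" else 51000   # constructed ephemeral port
    return Firewall(rules).evaluate(Packet("192.168.3.1", dst, proto, sport, dport))


if __name__ == "__main__":
    for name, rules in (("baseline", BASELINE), ("open", OPEN), ("granular", GRANULAR)):
        print(name, "ping 2.50:", probe(rules, "192.168.2.50", "icmp"),
              "http 2.50:", probe(rules, "192.168.2.50", "tcp", 80),
              "ssh 2.50:", probe(rules, "192.168.2.50", "tcp", 22))
```

The baseline set reproduces the symptom in the thread exactly: ping and traceroute succeed while a browser connection to the same address stalls, because nothing other than ICMP is permitted. The granular set is the one to aim for once things work, since it limits what a compromised or borrowed VPN client can reach to the handful of services that are actually needed.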
By Colonel Panic
#1794329
Re-awakening an old thread - but I never did get this to work :oops:

Following the macOS instructions on this page https://help.ui.com/hc/en-us/articles/1 ... DIUS-Serve , in the section "Setting up the L2TP Client", in part "2", should I put my static IP address in the Server Address field? Do I need to mention any port or LAN IP details?

I set my VPN up to use 192.168.3.1/24; my USG is on 192.168.2.1. Have I done the right thing?

TIA
By Sjoram
#1794354
Colonel Panic wrote: should I put my static IP address in the Server Address field?

Yes
Colonel Panic wrote: Do I need to mention any port or LAN IP details?

No
Colonel Panic wrote: I set my VPN up to use 192.168.3.1/24; my USG is on 192.168.2.1. Have I done the right thing?

This should not be a problem, in fact it is fairly routine for VPN clients to be on a different subnet, so long as routing and firewall rules exist on the USG to allow the two subnets to talk to each other. It's possible that some or all of this is configured automatically when you configure the VPN.

I haven't personally used the USG and in my experience each vendor has its own quirks when it comes to the precise configuration, even though the protocols themselves are a common standard. I've relatively easily got the site-to-site VPN going on my own firewall/router, but the remote access VPN as you're trying to configure was such a pain on my equipment I resorted to running a separate VPN from my Windows server for that.