Ping VPN to LAN
Options
All Replies
-
I hope that something i'm gonna write will be understandable.I'm assuming this scenario...Local SiteFirewallLAN1 192.168.1.1/24L2TP Pool VPN 192.168.2.x/24NAS LocalLAN 192.168.1.10Remote SiteNAS RemoteLAN 192.168.1.99L2TP virtual adapter (refer to your LTP2 Ip Address Pool, i'm assuming 192.168.2.7)First issue: NAS remote won't ever find NAS local on 192.168.1.10 thought L2TP Tunnel. Without a destination NAT configured into L2TP VPN Connection (under IPSec -> VPN Connection), routing to 192.168.1.0/24 will remain into the same subnet, won't go over VPN.Second issue: NAS Local will find NAS Remote only on 192.168.2.7, but only because the routing is demanded to the Firewall. Due to first issue, the return path may not work.Unless there's another arrangement... Make theorical exercises without the whole layout with "according subnetting" (the true one is unnecessary) will lead only to theories... and not solutions.0
-
So, the best case is both NAS under VPN, right?mMontana said:I hope that something i'm gonna write will be understandable.I'm assuming this scenario...Local SiteFirewallLAN1 192.168.1.1/24L2TP Pool VPN 192.168.2.x/24NAS LocalLAN 192.168.1.10Remote SiteNAS RemoteLAN 192.168.1.99L2TP virtual adapter (refer to your LTP2 Ip Address Pool, i'm assuming 192.168.2.7)First issue: NAS remote won't ever find NAS local on 192.168.1.10 thought L2TP Tunnel. Without a destination NAT configured into L2TP VPN Connection (under IPSec -> VPN Connection), routing to 192.168.1.0/24 will remain into the same subnet, won't go over VPN.Second issue: NAS Local will find NAS Remote only on 192.168.2.7, but only because the routing is demanded to the Firewall. Due to first issue, the return path may not work.Unless there's another arrangement... Make theorical exercises without the whole layout with "according subnetting" (the true one is unnecessary) will lead only to theories... and not solutions.0 -
Best is quite a big word for that.Every "working" solution has pros and cons, and maybe some of these might be "too good for not have" or "too bad"/"too many things to do" that people might answer "I cannot accept that".A customer allowed me to build this working scenario:
a QNAP NAS is using RTRR for offsite backup to another QNAP NAS. VPN is managed via two firewalls, that are providing an IPSec tunnel. The remote site, due to internet with dynamic IP, is the initiator of the tunnel, which is nailed up. But backup is initiated at the local site, for allowing a unified schedule list of backup process from "onsite" NAS to other destinations.Pros:- no CPU of the NASes is used for encryption
- any Firewall can be substituted without issues, until subnet is kept as is now
- VPN cyphers can be boosted if newer devices are more CPU driven
- I use native NASes instruments for exchanging data. I might also ad another layer of cypher if i feel necessary
- VPN override the dynamic public ip address problem: the remote site contacts every time possible the local site, making the remote NAS available as backup target (static private remote IP address)
Cons:- 1 more device (remote firewall). This means more money, more power, more boxes, more cables, more things to configure
- subnetting had to be built with reasoning and be consistent among devices
- remote Subnet had to be changed (and also the one of the remote ISP router, with proper port forwarding and access rules) => more things to do
- remote NAS, if moved to another location, must be paired to the firewall (and kept consistent subnetting)
- If network connectivity change, I might have some issues to manage (NAT-T, VPN filtering, more possible issues)
- In case of problems for the backup/sync procedures, I need to check source, destination and firewall logs.
75% of problems can be solved via proper design and before implementation.0 -
Have you tried configuring the VPN directly on QNAP NAS or am I the only one who couldn’t?mMontana said:Best is quite a big word for that.Every "working" solution has pros and cons, and maybe some of these might be "too good for not have" or "too bad"/"too many things to do" that people might answer "I cannot accept that".A customer allowed me to build this working scenario:
a QNAP NAS is using RTRR for offsite backup to another QNAP NAS. VPN is managed via two firewalls, that are providing an IPSec tunnel. The remote site, due to internet with dynamic IP, is the initiator of the tunnel, which is nailed up. But backup is initiated at the local site, for allowing a unified schedule list of backup process from "onsite" NAS to other destinations.Pros:- no CPU of the NASes is used for encryption
- any Firewall can be substituted without issues, until subnet is kept as is now
- VPN cyphers can be boosted if newer devices are more CPU driven
- I use native NASes instruments for exchanging data. I might also ad another layer of cypher if i feel necessary
- VPN override the dynamic public ip address problem: the remote site contacts every time possible the local site, making the remote NAS available as backup target (static private remote IP address)
Cons:- 1 more device (remote firewall). This means more money, more power, more boxes, more cables, more things to configure
- subnetting had to be built with reasoning and be consistent among devices
- remote Subnet had to be changed (and also the one of the remote ISP router, with proper port forwarding and access rules) => more things to do
- remote NAS, if moved to another location, must be paired to the firewall (and kept consistent subnetting)
- If network connectivity change, I might have some issues to manage (NAT-T, VPN filtering, more possible issues)
- In case of problems for the backup/sync procedures, I need to check source, destination and firewall logs.
75% of problems can be solved via proper design and before implementation.
I get what you’re saying, but my question is: if I have 2 Synology NAS and I setup my L2TP/IPSec on both NAS, Can I do the backup? Because, with VPN, both NAS are in the same LAN.
0 -
Hi @Pas7o
If IP segment are the same one(192.168.1.0/24) in your company and home, then both of NAS IP traffic is unable route to peer side.
I will advice to create a new VLAN interface only for your NAS in your company. Then others traffic could easier control by Security Policy.0
Guru Member
Zyxel Employee
Categories
- All Categories
- 390 Beta Program
- 2.1K Nebula
- 116 Nebula Ideas
- 78 Nebula Status and Incidents
- 5.1K Security
- 51 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 907 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 210 Service & License
- 331 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.9K FAQ
- 879 Nebula FAQ
- 415 Security FAQ
- 220 Switch FAQ
- 194 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 137 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 72 About Community
- 61 Security Highlight
