RV340 Site2site VPN – how can a user from the remote site access the local hardware DMZ

jl05
Level 1

Hello,

 

2 RV340 with VPN between 2 subnets:

Site 1 local: 192.168.25.0/24, with hardware DMZ range 192.168.0.128 to 132

Site 2 remote: 192.168.20.0/24

Communication between PCs in these two subnets works fine.

 

With the right firewall access rules on local RV340, the access from local 192.168.25.0/24 to the DMZ is possible.

How do I enable access from the site 2 remote subnet 192.168.20.0/24 to the site 1 local DMZ?

 

Thanks for your help

Best regards,


nagrajk1969
Spotlight

Hi

 

The HW-DMZ is not a lan-network/subnet...it's used for defining/configuring a separate network of hosts with "public-ipaddresses" connected separately on the LAN4 port.

 

- You can define a "subnet" of public-ipaddresses (usually provided to you by the ISP as Static-IPs)

- OR the HW-DMZ could be configured as a "range" of public-ipaddresses provided by the ISP, and one of the ipaddresses in this range will be configured on the wanX-interface of the RV34x

 

So the first thing that needs to be addressed is the statement you mentioned below:

 

>>>with hardware DMZ range 192.168.0.128 to 132

- So is the wanX (wan1 or wan2) interface also configured with an ipaddress in this range?....I don't think so

 

Secondly, since the subnet/range defined in the HW-DMZ is expected to be "public-ipaddresses" routable on the Internet...this network as such is not easily (or maybe cannot be) configured as part of the "protected-network" of site1 in the s2s-ipsec tunnel to site2...

 

Instead of "hw-dmz" it would make sense to define the ip-subnet 192.168.0.0/24 (or range) in a separate vlan (lan-network) of site1...and next create an ip-group of the subnets in site1 and select the ip-group as local-group in the s2s tunnel config

- similarly configure an ip-group on the site2 router as remote-group and select it as remote-traffic-selector in the s2s tunnel config in the site2 router...

 

But then again, this is interesting...will surely try this out in my network too...although I think it will not work....but no harm in checking it though

 

regards

 


Hi,

 

Thanks for your indications.

 

I tested with the ip-groups. It works when:

- I include an IP range which is exactly the same as the DMZ IP range

- I include a list of single IP-addresses.

 

Regards
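The two outcomes reported above (an ip-group with the exact DMZ range works, a list of single hosts works) come down to whether the tunnel's traffic selector covers every DMZ address. The following is an added checker, not code from the thread or from Cisco; it assumes ip-group entries are written as CIDR prefixes, "first-last" ranges, or single hosts, and uses the addresses from this thread as constructed sample data.

```python
import ipaddress
from typing import Iterable, List


def range_to_prefixes(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Split an inclusive address range into the minimal set of CIDR prefixes.
    A selector expressed as prefixes must contain every one of these blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


def group_to_networks(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Normalise an ip-group (CIDR, 'a-b' range, or single host) to prefixes.
    The entry format is an assumption of this example, not the RV34x syntax."""
    nets: List[ipaddress.IPv4Network] = []
    for entry in entries:
        if "-" in entry:
            lo, hi = (s.strip() for s in entry.split("-", 1))
            nets.extend(range_to_prefixes(lo, hi))
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def uncovered_hosts(group: Iterable[str], hosts: Iterable[str]) -> List[str]:
    """Return the hosts no prefix in the group matches: traffic to them would
    not be selected into the s2s tunnel and so never reach the remote site."""
    nets = group_to_networks(group)
    return [h for h in hosts
            if not any(ipaddress.IPv4Address(h) in n for n in nets)]


# Constructed sample data taken from the thread: site-1 LAN plus the DMZ hosts.
SITE1_LAN = "192.168.25.0/24"
DMZ_HOSTS = [f"192.168.0.{i}" for i in range(128, 133)]           # .128 to .132

GROUP_EXACT_RANGE = [SITE1_LAN, "192.168.0.128-192.168.0.132"]    # reported working
GROUP_SINGLE_IPS = [SITE1_LAN] + DMZ_HOSTS                        # reported working
GROUP_TOO_NARROW = [SITE1_LAN, "192.168.0.128/30"]                # a /30 stops at .131

if __name__ == "__main__":
    # .128-.132 is not one prefix: it needs 192.168.0.128/30 plus 192.168.0.132/32
    print([str(n) for n in range_to_prefixes("192.168.0.128", "192.168.0.132")])
    for name, grp in [("exact range", GROUP_EXACT_RANGE),
                      ("single IPs", GROUP_SINGLE_IPS),
                      ("too narrow", GROUP_TOO_NARROW)]:
        print(f"{name}: uncovered DMZ hosts = {uncovered_hosts(grp, DMZ_HOSTS)}")
```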