RV340 VPN Management vlan access

jeremy0023
Level 1

I first recognized a problem when I set up a VPN back to my office to access the management network from offsite. The VPN functions correctly. I was unable to access my core switch (10.10.0.20) in the management network (VLAN 10, 10.10.0.0/16) from the VPN, although I could access everything else. The landing subnet for the VPN at the office is VLAN 10. Then I tried some internal troubleshooting at the office and things became even stranger. This is an odd thing, so let me try to get the setup as clear as I can.

 

SETUP:

 

I have the RV340 as my edge router. I also have an SG500X that serves as my core switch and VLAN router. An SG500-52P is connected as my access switch for this particular building, with all VLANs including the management VLAN trunked to it through a LAG using twinaxial cables on SFP ports. All that is functioning normally, so I will leave out the details. From here on, I will refer to the SG500X as the "SG."

 

The VLANs pertinent to the discussion are VLAN 250 (edge traffic), VLAN 10 (management), and VLAN 40 (users). There are no ACLs set up on the SG or the RV, and inter-VLAN routing is working properly. I will restrict access to management and inter-VLAN traffic later. I wanted to be able to access the GUI for the RV340 only on the management VLAN, which is why it has two access ports to the SG. I restricted management access on the RV to VLAN 10 under its VLAN settings, although during troubleshooting I opened up management to VLAN 250 in order to access the RV. By the way, the RV (10.250.0.10/24) is the default route for the SG, and the RV contains return routes for all VLANs except the ones that have direct interfaces (VLAN 10, 10.10.0.10/16 and VLAN 250, 10.250.0.10/24). Here are its VLAN settings and static routing:

 

Screen Shot 2018-08-09 at 10.24.21 AM.png

Screen Shot 2018-08-09 at 10.28.21 AM.png

 

These ports are connected to the SG on XG1 and XG2:

 

Screen Shot 2018-08-09 at 10.33.48 AM.png

 

Here is my routing table for the SG:

 

Screen Shot 2018-08-09 at 10.36.01 AM.png

 

I have attached a diagram of the network including things that seem pertinent to this discussion. VLAN 250 has a /24 mask and is incorrect on the diagram. Everything else is right.

unnamed.jpg

 

The way it should operate, then, is that the management interface for the RV is 10.10.0.10/16. The GUI should be accessible there and there only if "Device Management" on the RV's VLAN 250 is disabled (only enabled for now until I figure this out). The edge traffic should all be routed to the VLAN 250 interface on the RV. Everything seemed to be working great. I could ping and access the GUI on all network infrastructure devices from the above management terminal (10.10.0.200/16), and all VLANs were getting edge traffic (internet) and various TCP/UDP forwards from the RV. Then the problem.

 

PROBLEM:

 

I tried to access the SG from the VPN and could not: no GUI and no response when pinging. I could access everything else on the management VLAN except the SG. That was weird, so I moved to internal troubleshooting at the office. From the management terminal, I could access all devices. So I moved to a VLAN 40 terminal (again, no ACLs are set up at this point). I could access the GUI of all devices on the management network (VLAN 10) except the RV at 10.10.0.10/16. Pinging failed as well. However, I can access the GUI and ping the RV at 10.250.0.10/24.

 

So when on the VPN through the RV, I can't access the SG. When on the SG through a VLAN other than 10, I cannot access the RV even though I can access all other devices on VLAN 10.

 

So now I moved directly to the SG and the RV interfaces themselves. I pinged the RV at 10.10.0.10/16 from the SG with a source of the SG's VLAN 10 interface (10.10.0.20/16). 1/4 packets failed the first time, but after a few more tests I could not get another failure. Ping tests sourced from the other VLAN interfaces on the SG returned no packets. That should not be the case, since inter-VLAN routing is working between all VLANs for now.

Screen Shot 2018-08-09 at 10.58.25 AM.png

Screen Shot 2018-08-09 at 10.59.49 AM.png

Screen Shot 2018-08-09 at 11.00.34 AM.png

So I moved to the RV diagnostic. When trying to ping 10.10.0.20/16 (the management VLAN 10 interface on the SG), the RV returns unpredictable results:

 

Screen Shot 2018-08-09 at 11.04.45 AM.png

Screen Shot 2018-08-09 at 11.04.59 AM.png

 

So it remains that I can't access the RV from other VLANs, which I should be able to do now even though I will control access later. But the bigger deal, and the reason for the title of the post, is this: I can't access the SG over the VPN and therefore can't manage the network fully from offsite. The best I can guess is that I have created some sort of routing loop through the RV because of the dual interfaces.

 

How can I fix this and still accomplish what I am trying to accomplish? By the way, all of this is in production. Thank you for your help, and sorry for the long post, but there is a lot to explain!
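Before assuming a loop, it is worth checking the one thing the post's own routing description already implies: with the SG's default route pointing at the RV's VLAN 250 address while the RV also sits directly on VLAN 10, a request and its reply can cross the RV on different interfaces. The following is an added model of that topology written for this page; it is not code from the original post or from either Cisco product. Addresses that appear in the post (RV 10.10.0.10/16 and 10.250.0.10/24, SG 10.10.0.20/16, SG default route to 10.250.0.10) are used as given. The SG's VLAN 250 address (10.250.0.20), the VLAN 40 subnet (10.40.0.0/16), the RV's return route next hop (10.250.0.20), and the VPN client pool (172.29.1.0/24, terminated on the RV) are assumptions made so the model can run; substitute the real values from the screenshots.

```python
import ipaddress

# Added model of the topology in the post. Addresses that appear in the post:
#   RV340 ("RV"):  10.10.0.10/16 on VLAN 10, 10.250.0.10/24 on VLAN 250
#   SG500X ("SG"): 10.10.0.20/16 on VLAN 10, default route -> 10.250.0.10
# ASSUMED for the model (not stated in the post): the SG's VLAN 250 address
# (10.250.0.20), the VLAN 40 subnet (10.40.0.0/16, gateway 10.40.0.1), that the
# RV's return routes for the other VLANs point at 10.250.0.20, and a VPN client
# pool of 172.29.1.0/24 terminated on the RV (the subnet suggested in the reply).


class Router:
    def __init__(self, name, interfaces, static_routes=()):
        self.name = name
        # interfaces: {vlan_label: "a.b.c.d/prefix"} (connected routes)
        self.interfaces = {v: ipaddress.ip_interface(a) for v, a in interfaces.items()}
        # static_routes: [("network/prefix", "next_hop")]
        self.static = [(ipaddress.ip_network(n), ipaddress.ip_address(h)) for n, h in static_routes]

    def egress(self, dst):
        """Longest-prefix match: returns (vlan, next_hop) or None if unroutable."""
        dst = ipaddress.ip_address(dst)
        candidates = []
        for vlan, iface in self.interfaces.items():
            if dst in iface.network:             # connected route, deliver directly
                candidates.append((iface.network.prefixlen, vlan, dst))
        for net, hop in self.static:
            if dst in net:                        # resolve the next hop to a connected VLAN
                for vlan, iface in self.interfaces.items():
                    if hop in iface.network:
                        candidates.append((net.prefixlen, vlan, hop))
        if not candidates:
            return None
        _, vlan, hop = max(candidates, key=lambda c: c[0])
        return vlan, hop


def trace(start, dst, routers_by_ip, max_hops=8):
    """Follow next hops from `start` towards `dst`; returns [(router, egress_vlan), ...]."""
    dst = ipaddress.ip_address(dst)
    path, cur = [], start
    for _ in range(max_hops):
        choice = cur.egress(dst)
        if choice is None:
            return path + [(cur.name, None)]      # unroutable at this router
        vlan, hop = choice
        path.append((cur.name, vlan))
        if hop == dst:                            # delivered on a connected VLAN
            return path
        cur = routers_by_ip[hop]
    raise RuntimeError("hop limit exceeded: routing loop?")


def build_topology():
    rv = Router("RV", {10: "10.10.0.10/16", 250: "10.250.0.10/24", "vpn": "172.29.1.1/24"},
                [("10.40.0.0/16", "10.250.0.20")])          # assumed return route
    sg = Router("SG", {10: "10.10.0.20/16", 250: "10.250.0.20/24", 40: "10.40.0.1/16"},
                [("0.0.0.0/0", "10.250.0.10")])             # default route from the post
    by_ip = {iface.ip: r for r in (rv, sg) for iface in r.interfaces.values()}
    return rv, sg, by_ip


def arrive_and_reply_vlans(src_router, dst_router, src_ip, dst_ip, by_ip):
    """VLAN on which dst_router receives the request vs. VLAN on which its reply leaves."""
    fwd = trace(src_router, dst_ip, by_ip)
    rev = trace(dst_router, src_ip, by_ip)
    return fwd[-1][1], rev[0][1]


if __name__ == "__main__":
    rv, sg, by_ip = build_topology()
    cases = {
        "VPN client 172.29.1.5 -> SG 10.10.0.20":   (rv, sg, "172.29.1.5", "10.10.0.20"),
        "VLAN40 host 10.40.0.50 -> RV 10.10.0.10":  (sg, rv, "10.40.0.50", "10.10.0.10"),
        "VLAN40 host 10.40.0.50 -> RV 10.250.0.10": (sg, rv, "10.40.0.50", "10.250.0.10"),
    }
    for label, (a, b, s, d) in cases.items():
        inbound, outbound = arrive_and_reply_vlans(a, b, s, d, by_ip)
        tag = "symmetric" if inbound == outbound else "ASYMMETRIC"
        print(f"{label}: request arrives on VLAN {inbound}, reply leaves on VLAN {outbound} ({tag})")
```

Under these assumptions the two failing cases from the post (VPN client to the SG, VLAN 40 host to the RV's VLAN 10 address) are the two where the request reaches the target on VLAN 10 but the reply leaves on VLAN 250, while the working case (VLAN 40 host to 10.250.0.10) is symmetric. The model only shows the path the static routes select; it does not show what either device does with a reply that leaves on a different interface from the one the request arrived on, which is the next thing to verify on the real boxes (for example with the ping tests the post already describes, sourced from each interface in turn).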

1 Reply

nagrajk1969
Spotlight

Hi

 

1. Why don't you enable "Inter-VLAN Routing" (enable/check) for the VLAN 10 and VLAN 250 interfaces on the RV340?

- "Inter-VLAN routing" has nothing to do with enabling/disabling device management access or any other ACLs/restrictions you are planning. You may restrict access, but not routing in general, at least for the VLAN 10/VLAN 250 subnets.

 

2. Which VPN service are you using on the RV340 (AnyConnect SSL VPN, L2TP with IPsec, client-to-site IPsec, or PPTP)?

 

3. What is the subnet/IP pool that you have assigned for VPN users?

- Try using a different subnet for the VPN users that does NOT exist/is not configured in your internal network, for example "172.29.1.0/24".

- And enable "Inter-VLAN Routing" for the VLAN 10 and VLAN 250 interfaces on the RV340.

 

>>>> The best I can guess at is that I have created some sort of routing loop through the RV because of the dual interfaces.

- Maybe. Because the 4-port LAN switch on the RV340 does not support any STP/RSTP, that could be leading to some misbehavior.

- The RV340 does support LAG, though. So create a tagged (VLAN 10/VLAN 250) LAG port on the RV340 (with the LAN1/LAN2 ports) and connect it to a corresponding 2-port LAG on the SG. If one of the links in the LAG goes down, the other link will handle the traffic, and so on.