#1 (permalink)
Newbie
I have the following setup on my network:

[Cable Modem]
      |
[UT Server] (Int IP-192.168.1.1)
      |
[24 port switch] -----------------[2 VMware ESXi servers with multiple VMs]
      |
[Netgear WNR2000 (used as AP)] (192.168.1.2)

UT is set up with OpenVPN and I am able to connect and ping devices internally, including VMs. I am unable to ping the Netgear that I have acting as an AP. There is no AP mode; I simply plugged a patch cable directly from one of the LAN ports to the switch, after configuring it with a static IP on my network, and disabled the DHCP service on the device.

Internally I have no problems; I can ping and access all devices. Over the VPN I can access everything except the Netgear (I tried the web interface and tried to ping, both fail). I read on several forums that pinging isn't the way to go because UT blocks ICMP by default, but it works for all other devices on my network, so why should this be any different?

This is my first UT setup, and other than this hiccup everything has been smooth as a dream.

#2 (permalink)
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 7
Posts: 9,951
Welcome to Netgear, you are now hosed...
All residential class routers have built-in firewalls that cannot be adjusted. These firewalls require you to be on the same network segment as the device to get into the management console. Your only choice is remote desktop to a machine on the LAN, and connect from there. It is possible that the RAP's proxy feature may work too, but that assumes you have the pro pack or super bundle.
__________________
Intouch Technology Rob Sandling, BS:SWE, MCP Office: 480-272-9889 rob@intouchtechllc.com

#3 (permalink)
Newbie
Thank you for such a rapid response.
I have a couple of DD-WRTs laying around, I may just use one of them as a wireless AP instead, I just liked the idea of the wireless N distance. I realize it's a bit of an overshot, but what if I told all traffic from the VPN destined for the IP of the device to be NAT'd by the UT box? The device would see the IP of what's hitting it as an IP on the same segment. Is it possible, and is it overkill?

#4 (permalink)
You can't...
The VPN interface isn't configurable as an interface. As such, you can't apply a NAT policy to it. Besides it wouldn't matter... the original source is still in the packet and it will still be dropped.

#6 (permalink)
Well, you could configure the WAN interface on the thing to use external management... but you'd have to put it on a separate LAN segment... and it can cause routing loops if your clients aren't configured properly.

#7 (permalink)
Newbie
I could manually assign the external address to a static IP on a different network, and add a route on the UT box to that network. The clients connecting will still use the UT box as DHCP/DNS/GW etc., but it would allow me to manage the device over the VPN without having to RDP or remote control a desktop on the same network; effectively the WAN port on the device would become a management port.

#8 (permalink)
Yes, but nix the route, just port forward it. Easier.

#9 (permalink)
Newbie
I will try this tonight, but I am a little fuzzy on how I would set up the port forwarding to accomplish this. Using a static route seems simple, but perhaps I am not thinking of it correctly.
Let's say I set the external IP to 10.0.0.1. I would create a port forward rule to say "(Source interface - VPN) and (Destination Address 192.168.1.2), new destination 10.0.0.1"? How will the UT box know about that network without a route?

#10 (permalink)
Because I assume that the 10.0.0.1 network is on the UT box.
What I would do: configure the AP with 10.0.0.2 as an external address and connect it to the main network switch. Then configure UT's internal interface with an alias of 10.0.0.1, and forward away. Granted, that assumes that UT is your router...