  1. #11
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,810

    Default

    Looks like the same steps on the mikrotik.

    https://www.marthur.com/networking/m...pn-part-2/871/
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  2. #12
    Untangler
    Join Date
    Sep 2008
    Posts
    73

    Default

    Quote Originally Posted by jcoffin View Post
    Looks like the same steps on the mikrotik.

    https://www.marthur.com/networking/m...pn-part-2/871/
    The critical difference, is that Mikrotik (and others) allow me to use the same or adjacent DHCP pools serving the LAN side, for my VPN clients.

    So in that case, I can just uncheck the "Use default gateway on remote network" and I'm done, no need to start adding routes.
    Last edited by cgallery; 07-21-2018 at 09:35 PM.

  3. #13
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,404

    Default

    Actually, it doesn't. The L2TP protocol lacks the ability to push routes to the client. So if you don't use it for full tunnel, you're using a script to manually put routes into the client's routing table. This is just a reality surrounding the Windows VPN client and the L2TP protocol, it's something that's industry wide. Heck, I just had to do exactly this on a Meraki setup this week! Why? Because that's just the nature of the way L2TP works with the stock Windows VPN client.

    SSTP is an entirely different beast, which is also built into Windows and there's no need to have any router perform that action if you have a properly configured server to handle the role. Untangle doesn't do SSTP.

    Both of Untangle's client VPN solutions require dedicated IP address scopes, they cannot exist on any other network you already have, they are always routed. OpenVPN due to a dedicated 3rd party VPN client has far better options here because you can define how the client behaves on the server before you push it.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #14
    Untangler
    Join Date
    Sep 2008
    Posts
    73

    Default

    Quote Originally Posted by sky-knight View Post
    Actually, it doesn't. The L2TP protocol lacks the ability to push routes to the client. So if you don't use it for full tunnel, you're using a script to manually put routes into the client's routing table. This is just a reality surrounding the Windows VPN client and the L2TP protocol, it's something that's industry wide. Heck, I just had to do exactly this on a Meraki setup this week! Why? Because that's just the nature of the way L2TP works with the stock Windows VPN client.

    SSTP is an entirely different beast, which is also built into Windows and there's no need to have any router perform that action if you have a properly configured server to handle the role. Untangle doesn't do SSTP.

    Both of Untangle's client VPN solutions require dedicated IP address scopes, they cannot exist on any other network you already have, they are always routed. OpenVPN due to a dedicated 3rd party VPN client has far better options here because you can define how the client behaves on the server before you push it.
    "Actually, it doesn't" what?

    There are two options in the Windows Advanced/IP Settings block: (1) Use default gateway on remote network. (2) Disable class-based route addition.

    When you uncheck #1, #2 is unchecked by default.

    So when you connect to a VPN server under that scenario, you still have a route added for you automatically. And this route will get your traffic thru provided the IP assigned by the VPN server is on the same network as your LAN-side clients.

    The "both of Untangle's client VPN solutions require dedicated IP address scopes, they cannot exist on any other network you already have, they are always routed" is my issue, other appliances I use are just a little more flexible.

  5. #15
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,404

    Default

    Perhaps they are, but I just learned the hard way that Meraki certainly isn't. And no, there is no additional route added, it's just the routing table updating to reflect a new local network. As in, the station has an IP on said network. So yeah, with SSTP based technology you're "bridged" into a local IP segment so you can seemingly split tunnel into a given IP network without much further effort.

    Sadly, just about every network I manage these days has more than one IP range, so this is basically pointless. It also complicates management of ACLs. This is frustrating because there are applications that despise full tunnel. Which means users get these annoying scripts to add the routes they require.

    Untangle's design is such that all VPN clients are on dedicated IP ranges, and routed from there. Which means if you wish to use L2TP, you're going to have to be full tunnel or you're going to pull your hair out. This same methodology is used by Cisco in their far more expensive Meraki product, and the reasons why are all virtually identical.

    Untangle never professed to be a perfect solution for all networks. Furthermore the flexibility you want can be found in the OpenVPN module. You can split tunnel while pushing a full customized routing table there, as defined in the VPN exports. So I'm left confused as to what you're after. L2TP cannot give you what you want, not with the Windows VPN client. OpenVPN provides its own far more powerful client, so it can push routes.

    L2TP also cannot push DNS suffix... something I also find utterly bonkers in this day and age.
    Last edited by sky-knight; 07-22-2018 at 10:42 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
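    The two Windows settings cgallery describes in #14 (split tunnel by unchecking "Use default gateway on remote network") and the "annoying scripts to add the routes" sky-knight mentions in #15 can both be handled with the built-in VpnClient PowerShell cmdlets instead of the GUI. The following is an added example, not code from this thread, from Untangle or from any vendor named here; the connection name, server address, LAN prefixes and DNS suffix are placeholders made up for illustration.

```powershell
# Added example (not from the thread): create a Windows L2TP/IPsec connection as a
# split tunnel and bind the internal routes to it, since the L2TP server cannot push them.
# Uses the built-in VpnClient module (Windows 8.1 / Server 2012 R2 and later).
# All values below are constructed placeholders.

$ConnectionName = 'Office-L2TP'                              # assumed connection name
$ServerAddress  = 'vpn.example.com'                          # assumed VPN server
$LanPrefixes    = @('192.168.10.0/24', '192.168.20.0/24')    # assumed internal networks
$DnsSuffix      = 'corp.example'                             # assumed; L2TP does not push this, so set it locally

# 1. Create the connection with split tunneling on. -SplitTunneling is the cmdlet
#    equivalent of unchecking "Use default gateway on remote network".
#    The PSK is read at the prompt so it is not stored in the script file.
$Psk = Read-Host -Prompt 'L2TP pre-shared key'
if (-not (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnectionName `
        -ServerAddress $ServerAddress `
        -TunnelType L2tp `
        -L2tpPsk $Psk `
        -AuthenticationMethod MSChapv2 `
        -EncryptionLevel Required `
        -SplitTunneling `
        -RememberCredential `
        -Force
}

# 2. Enforce split tunneling even if the connection already existed, and set the
#    DNS suffix on the client side.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true -DnsSuffix $DnsSuffix -Force

# 3. Bind each internal prefix to the connection. Windows installs these routes on the
#    VPN interface whenever the connection comes up, so no logon script is needed and
#    only the listed networks traverse the tunnel.
foreach ($prefix in $LanPrefixes) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix -PassThru
}

# 4. Review the result; the Routes property lists the prefixes attached to the connection.
Get-VpnConnection -Name $ConnectionName | Select-Object Name, SplitTunneling, DnsSuffix, Routes
```

Run this as the user who will own the connection (add -AllUserConnection to the VpnConnection cmdlets for a machine-wide profile). After connecting, `Get-NetRoute -InterfaceAlias $ConnectionName` shows the prefixes actually installed, which is the check to make when the VPN pool is a dedicated scope rather than part of the LAN: with only the class-based route from #14, traffic to the real LAN subnets would not enter the tunnel, whereas the explicit routes above cover exactly those subnets and nothing else.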

  6. #16
    Untangler
    Join Date
    Sep 2008
    Posts
    73

    Default

    Quote Originally Posted by sky-knight View Post
    Perhaps they are, but I just learned the hard way that Meraki certainly isn't. And no, there is no additional route added, it's just the routing table updating to reflect a new local network. As in, the station has an IP on said network. So yeah, with SSTP based technology you're "bridged" into a local IP segment so you can seemingly split tunnel into a given IP network without much further effort.
    Microsoft's own language: "Disable class based route addition," so I'm going to call it a route.

    Quote Originally Posted by sky-knight View Post
    Sadly, just about every network I manage these days has more than one IP range, so this is basically pointless. It also complicates management of ACLs. This is frustrating because there are applications that despise full tunnel. Which means users get these annoying scripts to add the routes they require.

    Untangle's design is such that all VPN clients are on dedicated IP ranges, and routed from there. Which means if you wish to use L2TP, you're going to have to be full tunnel or you're going to pull your hair out. This same methodology is used by Cisco in their far more expensive Meraki product, and the reasons why are all virtually identical.

    Untangle never professed to be a perfect solution for all networks. Furthermore the flexibility you want can be found in the OpenVPN module. You can split tunnel while pushing a full customized routing table there, as defined in the VPN exports. So I'm left confused as to what you're after. L2TP cannot give you what you want, not with the Windows VPN client. OpenVPN provides its own far more powerful client, so it can push routes.

    L2TP also cannot push DNS suffix... something I also find utterly bonkers in this day and age.
    The purpose of the thread was to see if I could achieve with Untangle, what I've done with appliances from Mikrotik, SonicWall, and others via L2TP and the Windows client.

    I cannot, due to implementation differences in Untangle.
