Static Routing

[andrewhancock91]

This may be something that is common knowledge but I have never tried it and am needing to set a site up like this. We have a remote site that already has a Server2012R2 as well as some kind of Cisco Meraki that functions as the gateway I believe. I am needing to get this site set up with an OpenVPN connection to our primary location. What I have been imagining is setting up an untangle box with the OpenVPN connection active, there is a spare public IP I can set the WAN on, and set the internal NIC somewhere on their network with the sole purpose of being the vpn gateway. And from whatever they are using as the gateway, adding a static route to the primary network with untangle as the next hop. Has anyone on here tried a setup like this? I've already go two other locations using untangle as the main router/gateway with a VPN to the primary site, however this third remote site is one that I have never been involved in before and don't want to walk in and start changing everything around when it works the way it is! Any input is appreciated, thanks!

[andrewhancock91]

Sorry to be so long winded....another thought that I just had is, what about setting up untangle in bridge mode between the gateway and the rest of the clients? Will it intercept all the VPN traffic on its own and re-route it?

[dmorris]

Yeah, either will work if you do it right.

However I would not recommend it.
You are using Untangle in a way that it is not designed for.
http://wiki.untangle.com/index.php/N...Cardinal_Rules

[andrewhancock91]

I understand why doing a static route from the current gateway would possibly not work, however setting it up in bridge mode "in-line" with the network traffic follows the rules. I'm just not sure about how the VPN would work, sadly i'm not in a position to install untangle as the main gateway at this time, but really need the VPN function to work until a time to set things up 100% correct. Appreciate the information!

[sky-knight]

Consider it this way, bridge mode and router mode don't exist.

What you're really talking about is a relationship between interfaces. If you have Internal bridged to External, traffic passing those two interfaces will be over the bridge. However, the VPN interface has an IP address, so it's now routed.

So, your edge router, will need to have appropriate routes to push traffic to Untangle that need routed by Untangle to get on and off the VPN. So you have a bridging Untangle that's also routing for the VPN. The two concepts live on top of the same reality, but logically you have to separate it based on the relationship between the nics.

[andrewhancock91]

Thanks for the response! That makes sense, the internal network I'm trying to push to is a 206.92.78.x\24 network. So if I understood what you just explained which is kind of how I was thinking before but just needed confirmation, on the edge router I should be able to add a static route telling it to send all traffic in the 206.92.78.x network to the address untangle is sitting at. Does that sound correct?

[sky-knight]

There are actually two routes required, one is for the segment on the far side of the tunnel, the other is for the network created in the tunnel itself. Untangle will refer to this as the address pool. You'll need to push both to Untangle for full functionality.

[jcoehoorn]

I wonder if the Meraki device has IPSec support? If so, you might be able to do this with just the existing Untangle on your core site, without needing to add an additional device on the remote end.