Hello all, I'm new here and have some questions about the EdgeRouter Pro.
We are trying to configure load balancing over two PPPoE WAN interfaces plus an IPsec site-to-site VPN.
Almost everything is configured, but we are having trouble with the VPN.
The situation is as follows: we have two WAN interfaces connected via Ethernet with PPPoE,
eth4 and eth5;
one LAN on eth0 with 192.168.100.0/24;
and an IPsec site-to-site VPN to a Cisco RV042.
The remote network is 192.168.1.0/24.
On the last attempt we could establish the site-to-site VPN and ping from 192.168.1.252 (the Cisco RV042's private IP) to 192.168.100.1 (the EdgeRouter's private IP), but we could not reach a host on the LAN, 192.168.100.200 (a PC's IP address).
Looking at the logs we could see that the reply traffic comes back from the LAN, but the EdgeRouter sends it out to the Internet instead of into the tunnel.
The question is: how can we make the reply traffic for connections that arrived over the VPN go back through the VPN?
Here is my latest configuration; I hope it helps.
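/* EdgeRouter Pro: dual PPPoE WAN with load balancing (pppoe4/pppoe5),
   LAN 192.168.100.0/24 on eth0, IPsec site-to-site tunnel to a Cisco RV042
   whose LAN is 192.168.1.0/24.

   Fix for "LAN -> remote VPN LAN traffic is sent to the Internet":
   the policy-route rule for LAN_VPN destinations (modify balance rule 9)
   was written as 'action accept' with 'ipsec match-ipsec'.  match-ipsec only
   matches packets that already carry an IPsec policy (i.e. traffic that was
   decrypted on the way in), so outbound LAN -> 192.168.1.0/24 packets did not
   match it, fell through to rule 100 and were load-balanced out a WAN like any
   other Internet traffic.  Rule 9 now does what its description says and what
   the sibling rules 8 and 10 already do: force those packets into the main
   routing table so the kernel's IPsec policy (bound to pppoe4) can tunnel them. */
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        /* public address(es) of the remote IPsec peer(s) */
        address-group PEERS_VPN {
            address xxx.xxx.xxx.xxx
            description "PEERs from VPNs"
        }
        /* private subnets reachable through the tunnels */
        network-group LAN_VPN {
            description "Remote LAN Networks from VPNs"
            network 192.168.1.0/24
        }
        /* local private subnets */
        network-group PRIVATE_NETS {
            network 192.168.100.0/24
        }
        /* NOTE(review): everything in this group is reachable from any WAN
           source (TO_ROUTER_IPV4 rule 40).  Prefer restricting rule 40 to a
           trusted source address-group, or manage the router via the VPN/LAN only. */
        port-group MGMT_PORTS {
            description "Ports to manage Router"
            port 22
            port XXXXXX
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    /* Policy routing for LAN-originated traffic (applied 'in' on eth0).
       Rules 8-70 pin traffic that must NOT be load-balanced to the main table;
       rule 100 load-balances everything else. */
    modify balance {
        rule 8 {
            action modify
            description "Do NOT load balance remote PEER VPNs"
            destination {
                group {
                    address-group PEERS_VPN
                }
            }
            modify {
                table main
            }
        }
        /* Was: action accept + ipsec match-ipsec (never matched pre-encryption
           traffic, see header).  Now forces LAN -> remote-LAN into the main table. */
        rule 9 {
            action modify
            description "Do NOT load balance remote LAN VPNs"
            destination {
                group {
                    network-group LAN_VPN
                }
            }
            log enable
            modify {
                table main
            }
            protocol all
            source {
                group {
                    network-group PRIVATE_NETS
                }
            }
        }
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        /* ADDRv4_pppoeN are the system-maintained groups holding each WAN's
           current public address; traffic to our own WAN IPs stays in main. */
        rule 60 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_pppoe4
                }
            }
            modify {
                table main
            }
        }
        rule 70 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_pppoe5
                }
            }
            modify {
                table main
            }
        }
        rule 100 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    /* Forwarded traffic arriving on the WANs (applied 'in' on pppoe4/pppoe5). */
    name TO_LAN_IPV4 {
        default-action drop
        description "Traffic thru Router from WAN to LAN"
        /* NOTE(review): 'protocol all' from the peer's public IP.  The peer only
           needs IKE/ESP (which are router-local, not forwarded); consider whether
           this forward-path allow is needed at all. */
        rule 10 {
            action accept
            description "Allow IPSEC Traffic"
            log enable
            protocol all
            source {
                group {
                    address-group PEERS_VPN
                }
            }
        }
        /* decrypted tunnel traffic: remote LAN -> local LAN */
        rule 20 {
            action accept
            description "To LAN VPNs from LAN"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            log enable
            protocol all
            source {
                group {
                    network-group LAN_VPN
                }
            }
        }
        rule 30 {
            action accept
            description "Allow established and related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        /* explicit logged drop so blocked WAN->LAN attempts show up in syslog */
        rule 40 {
            action drop
            description "Default Rule"
            log enable
            protocol all
        }
    }
    /* Traffic addressed to the router itself, arriving on the WANs
       (applied 'local' on pppoe4/pppoe5).  See the eth0 note below about its
       second, unusual use as an 'out' ruleset. */
    name TO_ROUTER_IPV4 {
        default-action drop
        description "Traffic to router from WAN"
        /* NOTE(review): IKE (UDP/500) is open to any source.  Rule 20 already
           admits everything from PEERS_VPN, so this rule could be restricted to
           'source { group { address-group PEERS_VPN } }' or dropped unless a
           peer with a dynamic address is expected. */
        rule 10 {
            action accept
            description "Allow ISAKMP Traffic"
            destination {
                port 500
            }
            log enable
            protocol tcp_udp
        }
        rule 20 {
            action accept
            description "Allow IPSEC Traffic"
            log enable
            protocol all
            source {
                group {
                    address-group PEERS_VPN
                }
            }
        }
        rule 30 {
            action accept
            description "Allow LAN VPNs to local LAN"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            log disable
            protocol all
            source {
                group {
                    network-group LAN_VPN
                }
            }
        }
        /* NOTE(review): SSH (22) and the second management port are accepted
           from ANY Internet source.  Add a trusted source address-group here
           or remove this rule and manage the router over the LAN/VPN. */
        rule 40 {
            action accept
            description "Ports to manage Router"
            destination {
                group {
                    port-group MGMT_PORTS
                }
            }
            log disable
            protocol tcp
        }
        /* NOTE(review): ESP from any source; redundant with rule 20 for the
           configured peer and could be limited to PEERS_VPN as well. */
        rule 50 {
            action accept
            description "Allow all esp traffic"
            log disable
            protocol esp
        }
        rule 60 {
            action accept
            description "Allow established and related"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 70 {
            action accept
            description "Allow ICMP from anywhere"
            log disable
            protocol icmp
        }
        rule 80 {
            action drop
            description "Drop Rule"
            log enable
            protocol all
        }
    }
    options {
        /* PPPoE MTU 1492 minus IP/TCP headers */
        mss-clamp {
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.100.1/24
        description Local
        duplex auto
        firewall {
            /* policy routing for LAN-originated traffic */
            in {
                modify balance
            }
            /* NOTE(review): TO_ROUTER_IPV4 is described as the WAN->router
               ruleset but is also applied here to forwarded traffic leaving
               eth0 toward the LAN.  Remote-LAN -> local-LAN only passes because
               of its rule 30.  If a LAN-egress filter is really wanted, give it
               its own ruleset so the two policies can evolve independently. */
            out {
                name TO_ROUTER_IPV4
            }
        }
        speed auto
    }
    ethernet eth1 {
        duplex auto
        speed auto
    }
    ethernet eth2 {
        duplex auto
        speed auto
    }
    ethernet eth3 {
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description WAN
        duplex auto
        pppoe 4 {
            default-route auto
            firewall {
                in {
                    name TO_LAN_IPV4
                }
                local {
                    name TO_ROUTER_IPV4
                }
            }
            mtu 1492
            name-server auto
            password xxxxxxxxxxxxx
            user-id xxxxxxxxxxxxxx
        }
        speed auto
    }
    ethernet eth5 {
        description "WAN 2"
        duplex auto
        pppoe 5 {
            default-route auto
            firewall {
                in {
                    name TO_LAN_IPV4
                }
                local {
                    name TO_ROUTER_IPV4
                }
            }
            mtu 1492
            name-server auto
            password xxxxxxxxxx
            user-id xxxxxxxxxxx
        }
        speed auto
    }
    ethernet eth6 {
        duplex auto
        speed auto
    }
    ethernet eth7 {
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
load-balance {
    group G {
        interface pppoe4 {
        }
        interface pppoe5 {
        }
        lb-local enable
    }
}
protocols {
    static {
        table 1 {
            description Test
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.100.0/24 {
                default-router 192.168.100.1
                dns-server 192.168.100.1
                lease 86400
                start 192.168.100.100 {
                    stop 192.168.100.199
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            /* LAN only; the resolver is not exposed on the WANs */
            listen-on eth0
        }
    }
    /* NOTE(review): 'older-ciphers enable' re-enables weak TLS cipher suites
       for the web UI; disable it unless a legacy browser truly needs it.  The
       UI is only reachable from the LAN because TO_ROUTER_IPV4 does not open
       80/65534 (unless the redacted MGMT port is one of them). */
    gui {
        http-port 80
        https-port 65534
        older-ciphers enable
    }
    /* Outbound NAT.  auto-firewall-nat-exclude is disabled under vpn ipsec,
       so the VPN exclusions are maintained by hand here: rules 5000-5003 must
       stay ordered before the masquerade rules 5004/5005. */
    nat {
        rule 5000 {
            description "Exclude VPN peers from NAT to WAN"
            destination {
                group {
                    address-group PEERS_VPN
                }
            }
            exclude
            log enable
            outbound-interface pppoe4
            protocol all
            type masquerade
        }
        rule 5001 {
            description "Exclude VPN LANs from NAT to WAN"
            destination {
                group {
                    network-group LAN_VPN
                }
            }
            exclude
            log enable
            outbound-interface pppoe4
            protocol all
            type masquerade
        }
        rule 5002 {
            description "Exclude VPN peers from NAT to WAN2"
            destination {
                group {
                    address-group PEERS_VPN
                }
            }
            exclude
            log enable
            outbound-interface pppoe5
            protocol all
            type masquerade
        }
        rule 5003 {
            description "Exclude VPN LANs from NAT to WAN2"
            destination {
                group {
                    network-group LAN_VPN
                }
            }
            exclude
            log enable
            outbound-interface pppoe5
            protocol all
            type masquerade
        }
        rule 5004 {
            description "masquerade for WAN"
            outbound-interface pppoe4
            type masquerade
        }
        rule 5005 {
            description "masquerade for WAN 2"
            outbound-interface pppoe5
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    /* 'service telnet { port 6589 }' removed: Telnet sends credentials and
       sessions in clear text and SSH is already enabled.  Re-add only if a
       device on the LAN cannot speak SSH. */
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name ubnt
    login {
        user xxxxxxx {
            authentication {
                encrypted-password xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
            }
            level admin
        }
    }
    ntp {
        server 0.north-america.pool.ntp.org {
        }
        server 1.north-america.pool.ntp.org {
        }
        server 2.north-america.pool.ntp.org {
        }
        server 3.north-america.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            pppoe enable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Mexico/General
    traffic-analysis {
        dpi enable
        export enable
    }
}
vpn {
    ipsec {
        /* NAT exclusions are handled manually in service nat (rules 5000-5003) */
        auto-firewall-nat-exclude disable
        /* NOTE(review): 3DES, SHA-1 and DH group 1 (768-bit MODP) are all
           deprecated; group 1 in particular is considered breakable.  Keep this
           group only if the RV042 cannot negotiate the AES-256/DH5 group below,
           and prefer that one in the peer definition. */
        esp-group XXXXXXX {
            compression disable
            lifetime 3600
            mode tunnel
            pfs dh-group1
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        esp-group XXXXXX {
            compression disable
            lifetime 86400
            mode tunnel
            pfs dh-group5
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        /* legacy IKE proposal, same caveat as the 3DES ESP group above */
        ike-group XXXXXX {
            dead-peer-detection {
                action hold
                interval 30
                timeout 30
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption 3des
                hash sha1
            }
        }
        ike-group XXXX {
            dead-peer-detection {
                action hold
                interval 30
                timeout 30
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 86400
            proposal 1 {
                dh-group 5
                encryption aes256
                hash sha1
            }
        }
        /* The tunnel terminates on pppoe4 only; this is why LAN -> remote-LAN
           traffic must be kept out of the load-balancer (modify balance rule 9). */
        ipsec-interfaces {
            interface pppoe4
        }
        site-to-site {
            peer xxx.xxx.xxx.xxx {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret xxxxxxxxxxx
                }
                connection-type initiate
                description TEST_VPN
                force-encapsulation disable
                /* NOTE(review): the group names here are redacted and do not
                   match either ike-group/esp-group name above as pasted;
                   confirm the peer references the AES-256/DH5 groups. */
                ike-group XXXXXXXXXX
                ikev2-reauth inherit
                local-address XXX.XXX.XXX.XXX
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group XXXXXXXXXX
                    local {
                        prefix 192.168.100.0/24
                    }
                    remote {
                        prefix 192.168.1.0/24
                    }
                }
            }
        }
    }
}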
Thanks for your comments.
regards