L2TP/IPsec VPN, proxy-arp and address conflicts

Hello,
I just found an interesting situation and am looking for a solution. Let’s say we have LAN 10.0.0.0/24 with the router at 10.0.0.1. The range 10.0.0.10-50 is reserved for static IPs, 10.0.0.51-100 for LAN DHCP and 10.0.0.101-150 for VPN clients. So, following the official guides, setting the PPP local-address to 10.0.0.1, the remote address to vpn-pool (10.0.0.101-150) and enabling proxy-arp on the local interface, everything works, except one thing: when I manually assign a static IP address to a Windows/Linux/Mac client I get an “address already in use” issue. Why? Because proxy ARP always responds with the router’s MAC to any ARP request for an unknown IP on the local subnet. Okay, there is another way: assign addresses for VPN clients from a different IP subnet, let’s say 10.0.1.1-100. No need for proxy-arp anymore. But here I get another problem: when the client connects, it gets only one route, 10.0.1.0/24, so it can access the router at 10.0.1.1 and anything in this subnet, but there is no way to access 10.0.0.0/24 UNLESS I check the special box “Send all traffic to this vpn” on the client side. This fixes everything (adds a default route via the VPN), but brings another issue: now the client downloads torrents and listens to music using my internet connection. I know I can filter this traffic, but then the client will lose all internet connectivity when connected by VPN.
So, it looks like there is no solution? In my understanding, adding a small option to the VPN configuration (similar to the DHCP server option “add arp for leases”) that would create and maintain an ARP entry for every connected VPN client would eliminate the need for the proxy-arp feature, and all the problems described above would just go away.
Any thoughts?


ps: RB2011iL, 6.33.3

Sba -
I think you still need to keep proxy-arp on. Secondly, when accessing different networks you can always masquerade out of the interface you need to use on your main router, with the source address(es) being your VPN client and/or group…

Well, the problem is how to tell the remote client to send traffic to the VPN for a subnet different from its own. There is no way to send routes to clients in L2TP (as OpenVPN can do). The only way is to tell the client to use the VPN as its default gateway and send all traffic through it - that’s not acceptable. I’m limited to using L2TP/IPsec because it’s widely supported out of the box by smartphones, Windows, Linux and Mac clients. I’ll try to create static ARP entries for the static IPs and then see if ‘address already in use’ goes away.


ps: anyway, proxy-arp breaks many things. I think the best way is to turn it off and create dynamic ARP records for each VPN connection (of course, deleting them on disconnect). Would be great to see this feature implemented in the future.
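As an added illustration of the per-client ARP idea proposed in the first and last posts (this is not code from the thread, nor a MikroTik/RouterOS feature; the thread's RB2011iL runs RouterOS, and this script targets a Linux pppd-based L2TP server instead), the hook below publishes a proxy-ARP entry for exactly one address when a client connects and withdraws it on disconnect, so the kernel's blanket `proxy_arp` on the LAN interface can stay at 0 and the router stops answering ARP probes for the static range 10.0.0.10-50. The LAN interface name `eth0`, the `/etc/ppp/ip-up.d` install path and the `DRY_RUN` switch are assumptions made for the example; the `ip neigh add proxy` syntax and the pppd hook argument order are standard iproute2 and pppd behaviour.

```shell
#!/bin/sh
# Added example (not from the thread, not RouterOS): per-client proxy-ARP
# entries for a Linux pppd/L2TP server, replacing blanket proxy_arp.
#
# Install as /etc/ppp/ip-up.d/vpn-arp and /etc/ppp/ip-down.d/vpn-arp (assumed
# paths). pppd calls ip-up/ip-down hooks with:
#   $1=interface $2=tty $3=speed $4=local-IP $5=remote-IP $6=ipparam
#
# Assumptions (constructed for the example): LAN is 10.0.0.0/24 on eth0, the
# VPN pool lives inside that LAN as in the thread, and
# /proc/sys/net/ipv4/conf/eth0/proxy_arp is left at 0.

LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-10.0.0.0}"
LAN_PREFIX="${LAN_PREFIX:-24}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the ip(8) command instead of running it

# run_cmd: execute a command, or echo it when DRY_RUN=1 so the logic can be
# checked offline without touching the neighbour table.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ip2int: dotted-quad IPv4 address -> unsigned 32-bit integer (POSIX sh only)
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NETWORK PREFIXLEN: success (0) when IP lies inside NETWORK/PREFIXLEN
in_subnet() {
    mask=$(( (0xffffffff << (32 - $3)) & 0xffffffff ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# vpn_arp add|del REMOTE_IP: publish (or withdraw) a proxy-ARP entry for one
# VPN client address on the LAN interface. Only pool addresses that sit inside
# the LAN subnet need an entry; a client from another subnet (the thread's
# 10.0.1.x variant) is plain routing and gets nothing.
vpn_arp() {
    action=$1
    remote=$2
    if ! in_subnet "$remote" "$LAN_NET" "$LAN_PREFIX"; then
        return 0
    fi
    case "$action" in
        add) run_cmd ip neigh add proxy "$remote" dev "$LAN_IF" ;;
        del) run_cmd ip neigh del proxy "$remote" dev "$LAN_IF" ;;
        *)   echo "usage: vpn_arp add|del IP" >&2; return 2 ;;
    esac
}

# When invoked by pppd (at least five positional arguments), pick add/del from
# the hook directory the script was started from.
if [ $# -ge 5 ]; then
    case "$0" in
        */ip-down*) vpn_arp del "$5" ;;
        *)          vpn_arp add "$5" ;;
    esac
fi
```

With this in place, `ip neigh show proxy` lists exactly the addresses currently handed to VPN clients, and an ARP probe for a host in the static range 10.0.0.10-50 goes unanswered by the router, which is what removes the “address already in use” conflict while keeping clients inside the LAN subnet.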