VPN to Manage Canopy Gear

I have an MT router set up at a remote wireless POP site. Right now the router is doing routing, NAT, DHCP, and a few other things.

I’m running DHCP on the LAN interface for customers connecting to our network. The DHCP server hands out 192.168.0.0/24 addresses. On that interface I have ARP set to reply-only. I have the DHCP server set up for static-only so people with unknown MACs can’t get on the network. Everything in this setup is working fine.

Now I’m looking to remotely manage the canopy gear on the network. All of that equipment is currently set up with an address in the 169.254.1.0/24 network. I’d like to be able to connect to the MT router and then be able to browse the web interfaces on those devices.

I tried setting up PPTP and I could connect but I couldn’t ping any of the 169.254.1.0 devices. How do I need to set this up to be able to access those devices from here?

Any ideas?

You need to configure appropriate routing rules so that the desired traffic is routed over the PPTP tunnel.

I assume that the canopys are in your LAN network, and you connect via PPTP to the WAN port:

  1. Enable PPTP server

  2. Put the PPP user (ip: 169.254.1.254) in the same subnet as the canopys:

/ppp secret
add name="YourName" service=pptp caller-id="" password="YourPass" \
    profile=default-encryption local-address=169.254.1.1 \
    remote-address=169.254.1.254 routes="" limit-bytes-in=0 limit-bytes-out=0 \
    comment="" disabled=no

  3. Enable "Proxy-Arp" on the LAN port interface.

  4. Add a route for the canopy subnet

/ip route
add dst-address=169.254.1.0/24 gateway=192.168.0.1 scope=255 \
    target-scope=10 comment="" disabled=no

(Change gateway addresses as appropriate)

  5. Use the PPTP connection as "Default Route" in your Windows host or
    set an appropriate route after establishing the PPTP link for the time you want
    to manage your devices.

seandsl
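
Why the proxy-ARP step matters with this addressing, as an added example that is not part of the original posts: the tunnel's remote-address sits inside the canopy subnet, so a device replying to it treats it as on-link and ARPs for it on the LAN. The device address 169.254.1.10, the off-subnet client 10.99.0.2 and the device gateway setting are constructed values for illustration.

```python
import ipaddress

def first_hop(device_if, dst, gateway=None):
    """Return the IP a device must resolve with ARP to send a packet to dst.

    device_if: device address with prefix, e.g. "169.254.1.10/24"
    gateway:   the device's default gateway, or None if none is configured
    Returns None when the device has no route to dst at all.
    """
    iface = ipaddress.ip_interface(device_if)
    target = ipaddress.ip_address(dst)
    if target in iface.network:
        return str(target)   # on-link: the device ARPs for dst itself
    if gateway is not None:
        return str(ipaddress.ip_address(gateway))  # off-link: ARPs for its gateway
    return None              # off-link and no gateway: reply is never sent

def reply_path(device_if, vpn_client, gateway=None):
    """Classify how a device's reply to the VPN client leaves the device."""
    hop = first_hop(device_if, vpn_client, gateway)
    if hop is None:
        return "no-route"
    if hop == str(ipaddress.ip_address(vpn_client)):
        # The client is not physically on the LAN, so only a router doing
        # proxy-ARP on that interface can answer this ARP request.
        return "proxy-arp"
    return "via-gateway"

CANOPY = "169.254.1.10/24"       # constructed device address in the page's subnet
PAGE_CLIENT = "169.254.1.254"    # remote-address from the /ppp secret above
OTHER_CLIENT = "10.99.0.2"       # constructed off-subnet tunnel address
ASSUMED_GW = "169.254.1.1"       # assumption: a gateway configured on the device

if __name__ == "__main__":
    cases = [
        ("page layout", PAGE_CLIENT, None),
        ("off-subnet client, device has no gateway", OTHER_CLIENT, None),
        ("off-subnet client, device has a gateway", OTHER_CLIENT, ASSUMED_GW),
    ]
    for label, client, gw in cases:
        print(f"{label}: {reply_path(CANOPY, client, gw)}")
```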

Alright, I think I was missing the “add route” step before, it’s working now.

Here’s the problem though. Is there any way to make this work without enabling proxy-arp on the LAN interface? I have it set up right now for reply-only and I have a static ARP table for security.