I'm facing the following problem and after 2 days of my own research and a huge amount of trial & error I could use some help.

Situation:

1 Company, 2 Offices. Both are connected by a BVPN (Branch Office VPN) Tunnel between two Watchguard Fireboxes M200.

Office A uses the 192.168.10.0/24 subnet while the other one (Office B) uses 192.168.11.0/24.

Gateways are 192.168.10.1 and 192.168.11.251.

Now an employee told me that he has some sort of machinery located at Office A which uses a totally different subnet (address is 192.168.39.1) and that another employee, working at Office B, needs to connect to it.

So my first attempt was to also give the VM the employee in Office B uses to connect to the mentioned machine an IP from this subnet (192.168.39.20) and try to route everything to the 192.168.39.0 subnet through the VPN tunnel - without success so far. I've tried routes in nearly all possible directions.

My thought always goes like: Route from 11.251 to .39.0 with .10.1 as gateway.

I also added a second IP to the Office A Watchguard (same physical network interface, so the interface has both IP addresses 192.168.10.1 and 192.168.39.21) and added another route on this Watchguard, routing to the .39.0 subnet with .39.21 as gateway.

Can anyone help me out here?

Jesper
  • The gateway must be on the same network as the host with the configured gateway. A gateway is a host on the network that knows how to reach other networks. Having a gateway on a different network means that you would need a gateway to reach the gateway, and it does not work that way. A host with the `192.168.11.251` address cannot use a gateway of `192.168.10.1` because it is on a different network. The host would need the layer-2 (MAC address) of a local gateway to encapsulate the packets. Instead, the local gateway needs a route to the remote network. – Ron Maupin Nov 27 '19 at 18:30
  • Thank you for your reply! The 192.168.11.251 and the 192.168.10.1 can talk to each other via VPN. All of our servers are running within the .10 subnet and are usable by all .11 clients. Or did I miss something within your explanation? – Jesper Nov 27 '19 at 21:20
  • Comment#2: I tried to visualize the network infrastructure. I hope that it helps understanding the situation. https://ibb.co/d0mBmpj It is in German but I hope that doesn't matter that much. It just states that the servers are the same for all employees, regardless of their actual office position (A or B). – Jesper Nov 27 '19 at 21:51
  • I understand they can talk to each other, but a gateway is a host _on the same network_ that knows how to reach other networks. That is because of how layer-3 to layer-2 works. A host will mask the destination with its network mask to see if it is on a different network. If it is on the same network, it uses ARP to get the layer-2 address of the destination and uses that to encapsulate the packet. If it is a different network, it uses the layer-2 address of the gateway. That means the gateway must be on the same network because the layer-2 address cannot cross a router to another network. – Ron Maupin Nov 27 '19 at 23:54
  • Okay, I understand what you're saying and must admit that there was some misinformation on this topic on my side. So if I get you right, if I add a .39 address to both Watchguards and then route from one to another? – Jesper Nov 28 '19 at 10:06
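
The forwarding rule Ron Maupin describes in the comments (mask the destination against the local network, ARP for it if on-link, otherwise hand it to a gateway that must itself be on-link), worked through with the addresses from the question as an added example; this is a model written for this page, not a Firebox configuration, and the route table entries and the tunnel name `bovpn-A` are constructed assumptions:

```python
import ipaddress

def next_hop(connected, routes, dst):
    """Decide how a host forwards a packet to dst.

    connected: "ip/prefix" strings for the host's own interfaces
    routes:    (prefix, next_hop) pairs; next_hop is a gateway IP or a
               tunnel/interface name (constructed names, not Firebox syntax)
    Returns ("on-link", dst), ("via", gateway) or ("tunnel", name);
    raises ValueError when the gateway is not on a connected network.
    """
    dst = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(c, strict=False) for c in connected]
    # Same network as one of our interfaces: resolve dst's MAC directly via ARP.
    for net in nets:
        if dst in net:
            return ("on-link", str(dst))
    # Otherwise longest-prefix match over the routing table.
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    hop = best[1]
    try:
        gw = ipaddress.ip_address(hop)
    except ValueError:
        return ("tunnel", hop)  # route bound to an interface/tunnel, no ARP needed
    # A gateway IP must be on-link: we need its MAC address to encapsulate.
    if not any(gw in net for net in nets):
        raise ValueError(f"gateway {gw} is not on a connected network")
    return ("via", str(gw))


# Constructed scenarios using the addresses given in the question.
OFFICE_B_FW = ["192.168.11.251/24"]
OFFICE_A_FW = ["192.168.10.1/24", "192.168.39.21/24"]  # second IP, same interface

if __name__ == "__main__":
    # The attempted route: 192.168.39.0/24 via 192.168.10.1 from the .11 side.
    try:
        next_hop(OFFICE_B_FW, [("192.168.39.0/24", "192.168.10.1")], "192.168.39.1")
    except ValueError as e:
        print("rejected:", e)
    # Office A's firewall holds a .39 address, so the machine is on-link for it.
    print(next_hop(OFFICE_A_FW, [], "192.168.39.1"))
    # A route bound to the tunnel itself needs no on-link gateway IP.
    print(next_hop(OFFICE_B_FW, [("192.168.39.0/24", "bovpn-A")], "192.168.39.1"))
```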

0 Answers