DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Draytek 2927 - ability to see device on WAN2 via LAN to LAN VPN

17 Dec 2023 23:31 #1 by neil201
I've got a pair of 2927 routers, the remote one using a 4G M2M router as a failover WAN backup into WAN2 (WAN1 is the main ISP connection). Both have a LAN to LAN VPN for remote management of hardware on the remote unit. I'd like to be able to see the GW of the 4G router for management of it through the VPN from the non-remote unit, i.e. the one remote from the dual-WAN-fed unit. Obviously, sat locally behind the remote unit I can happily browse to the 4G router, but what rules or IP alias do I need to set up so I can also NAT-translate this down the VPN tunnel?


18 Dec 2023 20:33 #2 by HodgesanDY
Hi Neil201,

I have tried to do this myself several times over the years, and always failed, but I decided to give it another go after reading your post, and it worked!

Because you’re wanting to route via the VPN LAN-to-LAN, you’ll need to add the route into your LAN-to-LAN profile; at the non-4G end.

At the very bottom of the profile settings page, you’ll see the TCP/IP settings, the ones for Remote/Local Network. Look for the “more subnets” option and add the remote GW IP of the 4G M2M unit in as an additional remote subnet, and give it a /31 size subnet.

You should now observe a new static route in your ‘Route table’ (see Diagnostics/Route Table). Now attempt a connection to your remote GW.

Be aware though, this could potentially upset other elaborate routing you may have in place between the two sites, but I’m sure you will notice fairly quickly if that is the case and can easily just remove the newly added additional subnet to revert back.


18 Dec 2023 21:42 #3 by neil201
Cheers mate, just given that a whirl and it works :)

Here's another quick one: I've got LAN to LAN VPNs at the non-4G router end. If I wanted to see a remote tunnelled device at the 4G-end router from a device on the other end of the remote router, how is this possible? In effect I've numerous LAN to LAN VPNs into the subnet of one router and want to be able to tunnel to these from behind another router, connected to the main router hosting the LAN to LAN VPNs via its own LAN to LAN VPN connection... if that all makes sense!!


18 Dec 2023 23:29 #4 by HodgesanDY
Awesome! I’m glad that worked! :D


Yes, it’s possible.

In the same way you added the static route for your 4G GW subnet, you can also add other subnets.

Understand that the route table must have the appropriate subnet listed for your LANs to be able to see the path through.

So if,
RouterLAN:A <-> RouterLAN:B <-> RouterLAN:C…

…for ‘A’ devices to communicate with ‘C’ devices, you need to add the additional subnet at each end. ‘A’ needs to know where ‘C’ is and ‘C’ needs to know where ‘A’ is.
The B router already knows where A & C are, because that’s the default connection, so you don’t need to add anything to B’s LAN-to-LAN profile, you only need to add C’s to A’s and A’s to C’s in their LAN-to-LAN profiles.

It gets more complicated when you have multiple LANs at each site, but again, these can all be routed as well!

So add C’s subnet/24 to A’s profile and vice-versa.

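As an added illustration (not part of either poster's words, and not DrayTek configuration), the following Python models what posts #2 and #4 describe: each router's route table is its directly connected subnets plus the remote subnets its LAN-to-LAN profiles import (the "more subnets" entries), and a packet is followed hop by hop across the tunnels. It shows why a spoke needs the other spoke's subnet in its own profile while the hub needs nothing extra, how a gateway IP becomes an aligned /31 entry, and the overlap check behind the "could upset other routing" caveat. All addresses, router names and helper names are assumptions constructed for the example; the return path inside the 4G router itself (and any NAT) is outside what the thread settles and is not modelled.

```python
"""Added example: model of the LAN-to-LAN route tables described in the thread.

Three routers are modelled as plain route tables: the subnets each one is
directly connected to, plus the remote subnets its LAN-to-LAN profiles import.
All addresses are constructed for the example, not taken from the thread.
"""
from ipaddress import ip_address, ip_network


def gateway_route(gw_ip, prefixlen=31):
    """Return the aligned /31 (by default) that contains a gateway IP.

    A 'more subnets' entry is a network, not a host, so 192.168.100.1/31
    becomes 192.168.100.0/31 (covers .0 and .1); strict=False does the alignment.
    """
    return ip_network(f"{gw_ip}/{prefixlen}", strict=False)


class Router:
    def __init__(self, name, connected):
        self.name = name
        # directly connected interfaces: network -> interface label
        self.connected = {ip_network(n): label for n, label in connected.items()}
        # routes imported from LAN-to-LAN profiles: network -> peer router name
        self.vpn_routes = {}

    def add_remote_subnet(self, net, peer):
        """Add a 'more subnets' entry to the profile for `peer`.

        Returns the existing routes the new one overlaps: the thread's
        'could upset other routing' caveat. With an overlap, longest-prefix
        match decides the winner, not the order the entries were added in.
        """
        net = ip_network(str(net))
        overlaps = [r for r in list(self.connected) + list(self.vpn_routes)
                    if r != net and r.overlaps(net)]
        self.vpn_routes[net] = peer
        return overlaps

    def lookup(self, dst):
        """Longest-prefix match: ('connected', label), ('vpn', peer) or None."""
        dst = ip_address(dst)
        best = None
        for net, label in self.connected.items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ("connected", label))
        for net, peer in self.vpn_routes.items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ("vpn", peer))
        return best[1] if best else None


def trace(routers, start, dst, max_hops=8):
    """Follow lookups hop by hop. Returns (routers visited, reached-a-connected-net)."""
    path, here = [start], start
    for _ in range(max_hops):
        hit = routers[here].lookup(dst)
        if hit is None:
            return path, False          # no route: the packet dies here
        kind, nxt = hit
        if kind == "connected":
            return path, True
        here = nxt
        path.append(here)
    return path, False                  # loop or too many hops


def reachable_both_ways(routers, a, a_ip, c, c_ip):
    """A's device must reach C's device AND C's device must reach A's."""
    return trace(routers, a, c_ip)[1] and trace(routers, c, a_ip)[1]


def build_sites():
    """Hub B terminates tunnels to spokes A and C and has the 4G router on WAN2."""
    routers = {
        "A": Router("A", {"192.168.1.0/24": "LAN1"}),
        "B": Router("B", {"192.168.2.0/24": "LAN1", "192.168.100.0/24": "WAN2"}),
        "C": Router("C", {"192.168.3.0/24": "LAN1"}),
    }
    # Default profile entries: each spoke knows the hub, the hub knows each spoke.
    routers["A"].add_remote_subnet("192.168.2.0/24", "B")
    routers["C"].add_remote_subnet("192.168.2.0/24", "B")
    routers["B"].add_remote_subnet("192.168.1.0/24", "A")
    routers["B"].add_remote_subnet("192.168.3.0/24", "C")
    return routers


def apply_thread_fixes(routers, gw_4g="192.168.100.1"):
    """Post #2: A imports the 4G gateway /31 via B. Post #4: A and C import each other."""
    routers["A"].add_remote_subnet(gateway_route(gw_4g), "B")
    routers["A"].add_remote_subnet("192.168.3.0/24", "B")   # C's LAN, via the hub
    routers["C"].add_remote_subnet("192.168.1.0/24", "B")   # A's LAN, via the hub
    return routers


if __name__ == "__main__":
    sites = build_sites()
    print("before:", trace(sites, "A", "192.168.3.10"))     # stops at A, no route
    apply_thread_fixes(sites)
    print("after: ", trace(sites, "A", "192.168.3.10"))     # A -> B -> C
    print("4G gw: ", trace(sites, "A", "192.168.100.1"))    # A -> B, delivered on WAN2
```

Before the fixes the first lookup already fails on A, and the reverse lookup fails on C, which is the "A needs to know where C is and C needs to know where A is" point; B is untouched. Note that the aligned /31 for 192.168.100.1 is 192.168.100.0/31, so it also covers .0, and an even-numbered gateway pairs with the address above it instead. A /32 would be the tighter entry, but the thread only reports the /31 working, so that is what the model uses. The model is routing only: whether the 4G router knows how to reply to the far LAN, or whether the hub NATs that traffic, is a separate question the thread does not answer.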

19 Dec 2023 22:56 #5 by neil201
Cheers, managed to sort that. I presume that someone with a device on the LAN end of, say in your example, Router A would be able to see behind the LAN of Router C and all devices, presuming they knew Router C's LAN subnet?


19 Dec 2023 23:32 #6 by HodgesanDY
Yes, correct. But now, you can lockdown the traffic between all the LANs with Firewall rules.

So create a FW rule to block all, then create separate ‘Allow’ rules to cherry-pick what you do want to pass traffic for.

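The "block all, then allow" advice in post #6 hinges on rule order, so here is an added example (mine, not the poster's, and not a model of any particular DrayTek filter-set option) of a generic top-down first-match filter, with an audit that flags allow rules placed after a block rule that already covers them. Hosts, subnets, ports and rule names are constructed assumptions.

```python
"""Added example: top-down first-match filter for a 'block all, then allow'
policy between VPN-connected LANs. Generic semantics, not DrayTek's filter-set
options; every address, port and rule name here is constructed for the example."""
from ipaddress import ip_address, ip_network


class Rule:
    def __init__(self, name, action, src, dst, proto="any", dport=None):
        self.name, self.action = name, action          # action: "pass" or "block"
        self.src, self.dst = ip_network(src), ip_network(dst)
        self.proto, self.dport = proto, dport          # dport None = any port

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in self.src
                and ip_address(pkt["dst"]) in self.dst
                and self.proto in ("any", pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


def decide(rules, pkt, default="pass"):
    """First matching rule wins. `default` is what happens when nothing in this
    rule set matches (traffic the inter-site rules were never meant to touch)."""
    for r in rules:
        if r.matches(pkt):
            return r.action, r.name
    return default, "implicit"


def audit_shadowed(rules):
    """Names of rules that can never fire because an earlier rule matches every
    packet they would: src and dst contained, proto and port at least as broad."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
                    and earlier.proto in ("any", later.proto)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                shadowed.append(later.name)
                break
    return shadowed


SITE_A = "192.168.1.0/24"                                      # spoke LAN (constructed)
MGMT_HOST_C, GW_4G = "192.168.3.10/32", "192.168.100.1/32"     # what A is allowed to manage

ALLOWS = [
    Rule("allow-mgmt-c", "pass", SITE_A, MGMT_HOST_C, "tcp", 443),
    Rule("allow-4g-gw", "pass", SITE_A, GW_4G, "tcp", 443),
]
# Scoped to the private range the tunnels carry. A 0.0.0.0/0 -> 0.0.0.0/0 block
# would also match LAN-to-internet traffic, which is not what the thread intends.
BLOCK_INTER_SITE = Rule("block-inter-site", "block", "192.168.0.0/16", "192.168.0.0/16")


def good_policy():
    """Specific allows first, the catch-all block last."""
    return ALLOWS + [BLOCK_INTER_SITE]


def bad_policy():
    """Same rules with the block on top: the allows become dead rules."""
    return [BLOCK_INTER_SITE] + ALLOWS


if __name__ == "__main__":
    https = {"src": "192.168.1.20", "dst": "192.168.3.10", "proto": "tcp", "dport": 443}
    print("https to mgmt:", decide(good_policy(), https))
    print("ssh to mgmt:  ", decide(good_policy(), dict(https, dport=22)))
    print("shadowed when block is first:", audit_shadowed(bad_policy()))
```

Run the audit before committing a rule set: with the block rule on top, both allow rules are reported as shadowed and the HTTPS packet is blocked, while the same rules in the other order pass exactly the two management flows and block everything else between the 192.168.0.0/16 sites. The model is stateless; a stateful firewall would pass the replies of an allowed session without a reverse rule, so do not read the blocked C-to-A direction here as needing its own allow for return traffic.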