Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

Router Charts

Click for Router Charts

Router Ranker

Click for Router Ranker

NAS Charts

Click for NAS Charts

NAS Ranker

Click for NAS Ranker

More Tools

Click for More Tools

LAN & WAN How To

Fix the IPsec client routing

Since a VPN tunnel is a routed connection, i.e. it connects different subnets, clients on each end of the VPN tunnel must send their packets to a router that knows where to send packets destined for clients at the opposite end. If your IPsec client and VPN router's WAN side both have public, i.e. routable IP address, you'll probably have no problem communicating once your IPsec tunnel is established.

If either or both of the IP addresses is private, however, you could be in for trouble if either the LAN or WAN-side clients have incorrect Gateways specified.

Clients on the LAN side of the VPN router will have the correct Gateway info as long as they use the router's IP address as their IP address Gateway - in the example setup - because the router handles both Internet and VPN tunnel routing.

PN router LAN client routing

Figure 20: VPN router LAN side client routing

Figure 20 shows the output of the route print command (entered in a Command prompt or MS-DOS window) for our example LAN client. You can see that the default route - where data is sent if it doesn't match any other routes and indicated by - is

Gateway information for clients on the WAN side of the router may not be correct and need to be modified. In our example, the WAN-side client's IP address is, so its expected that its Gateway IP would be something in the 192.168.3.X subnet. Figure 21 shows the output of the route print command for our example WAN client.

WAN LAN client routing

Figure 21: WAN-side VPN client routing

You can see that the default route is, which happens to be the IP address of my LAN's main Internet-connected router. Although that router may know how to get our computer's data to and from the Internet, it doesn't know anything about the 192.168.1.X subnet at the other end of the test VPN tunnel. So if we fire up the tunnel that we just configured, we'll connect, then be very frustrated when nothing on the other end of the tunnel responds to a ping!

More LAN & WAN

Wi-Fi System Tools
Check out our Wi-Fi System Charts, Ranker and Finder!

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Over In The Forums

Hi there,I have two AC5300. One is the router. The second is configured as repeater.both are configured with Merlin 384.9 (installed the proper way). ...
RT-AC87U 384.9Recently I enabled the firewall log (allow/deny), along with dnsmasq ( log-queries=extra ), which are all being sent externally via sysl...
Dear SNB community,I recently discovered the power of AsusWRT Merlin and I want to benefit from some extended features such as Diversion.I tried to in...
So I recently discovered snb and the great asusmerlin for my RT-86U. I have the following running on it:1) Diversion v4.0.72) Entware3) Skynet v6.8.24...
Here's an odd thing that started to happen recently, whenever I turn on my VPN client software on one of my computers and start flowing some traffic f...

Don't Miss These

  • 1
  • 2
  • 3