Asus RT-AC68U has issues connecting to websites while connected to company VPN

araknis

Member
Oct 19, 1999
92
1
71
This is a bit of a strange issue, but I'm pretty sure it's my Asus RT-AC68U causing the problem (perhaps a setting?).

The issue is that I randomly have issues connecting to non-internal websites when I am connected to my company VPN. The connection will time out, but then if I refresh, it will work (issue is intermittent). I only noticed this issue when I switched from my Netgear R7000 to this router (it's actually a converted TMO router).

I've tested my theory by tethering my PC to my phone and then connecting to my company VPN. No issue connecting to non-internal websites. I don't have any issue connecting to internal websites on either setup.

What setting on the router could cause such an issue?
 

araknis

Member
Oct 19, 1999
92
1
71
Is your VPN client using split tunneling?

I'm unable to find such a setting in my VPN client - Check Point Endpoint Security. How would this setting affect what I am experiencing? Wouldn't the issue point to my router? To clarify, when I "tether" I am just connecting to my iPhone-created Wi-Fi network vs. my Asus router network. It should be transparent to the VPN client.
 
Feb 25, 2011
16,894
1,541
126
I'm unable to find such a setting in my VPN client - Check Point Endpoint Security. How would this setting affect what I am experiencing? Wouldn't the issue point to my router? To clarify, when I "tether" I am just connecting to my iPhone-created Wi-Fi network vs. my Asus router network. It should be transparent to the VPN client.

Probably not. A typical home LAN routing configuration is almost too simple to screw up.

Do "route PRINT" and "ipconfig /all" commands before and after connecting to the VPN, then share the output.

My bet is that your DNS server is on a routed subnet.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,484
391
126
The TMO works well as a plain vanilla router. When converted and set to more complicated settings it usually acts out.

I.e., saving a few $$ and special needs are not always in tune.


:cool:
 
Feb 25, 2011
16,894
1,541
126
Oh, yeah, missed that part - disable routing on the ASUS and just use the TMO router. One router per home network is the happy limit.
 

IndyColtsFan

Lifer
Sep 22, 2007
33,655
687
126
I'm unable to find such a setting in my VPN client - Check Point Endpoint Security. How would this setting affect what I am experiencing? Wouldn't the issue point to my router? To clarify, when I "tether" I am just connecting to my iPhone-created Wi-Fi network vs. my Asus router network. It should be transparent to the VPN client.

I doubt your client is using split tunneling, but what that means is that if it is enabled, internet traffic goes out of your ISP while corporate traffic goes through the VPN to your corporate office. Is your home IP range different than the IP range assigned to your VPN client when connecting? Have you tried some tracerts to see where the connection is dying?

I’d have to look at my AC68U to see the available options and settings with VPN, but I find it hard to believe it is causing it. I have no issues with my VPN connectivity but I only use the AC68U as an AP and not a router.
 

IndyColtsFan

Lifer
Sep 22, 2007
33,655
687
126
Oh, yeah, missed that part - disable routing on the ASUS and just use the TMO router. One router per home network is the happy limit.

I read his message as he is using one router - the Asus - which is the T-Mobile model that was flashed. Maybe I misunderstood.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,101
126
When connecting to company VPN, OP must make sure that VPN client (either using router's built-in firmware VPN client, or software client on the smartphone/PC) does not use company assigned default gateway.

OP should continue to use his own PC/router's default ISP gateway so his internet access does not route through company's VPN.
 

IndyColtsFan

Lifer
Sep 22, 2007
33,655
687
126
When connecting to company VPN, OP must make sure that VPN client (either using router's built-in firmware VPN client, or software client on the smartphone/PC) does not use company assigned default gateway.

OP should continue to use his own PC/router's default ISP gateway so his internet access does not route through company's VPN.

That’s exactly what split tunneling is, and many companies lock down their VPN client to prevent it for security reasons.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,101
126
That’s exactly what split tunneling is, and many companies lock down their VPN client to prevent it for security reasons.
Yep. Some employees probably will visit porn sites via company's internet when they should be working from home. :D
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,101
126
OK. Seems no one noticed that OP was using Check Point Endpoint Security software client.

So it has nothing to do with T-Mobile RT-AC68U router.

==

To OP: you should let your company's IT guys know your issue.

You either ask them to set up Check Point Endpoint Security Server so that when your VPN client software connects to the server, it doesn't assign a default gateway.

Or see if that Check Point Endpoint Security software VPN client has any way to unselect "use default gateway on remote network", like Windows's built-in VPN client.

==

And ask what private IP range your company's network is using. Your home router private IP range should not be the same as company's IP range (e.g., can't be 192.168.1.x on both ends); that will confuse the VPN software.


IndyColtsFan

Lifer
Sep 22, 2007
33,655
687
126
OK. Seems no one noticed that OP was using Check Point Endpoint Security software client.

So it has nothing to do with T-Mobile RT-AC68U router.

==

To OP: you should let your company's IT guys know your issue.

You either ask them to set up Check Point Endpoint Security Server so that when your VPN client software connects to the server, it doesn't assign a default gateway.

Or see if that Check Point Endpoint Security software VPN client has any way to unselect "use default gateway on remote network", like Windows's built-in VPN client.

==

And ask what private IP range your company's network is using. Your home router private IP range should not be the same as company's IP range (e.g., can't be 192.168.1.x on both ends); that will confuse the VPN software.

We all saw what he is using. His IT will likely tell him no to what you’re suggesting, which is enabling split tunneling. The OP needs to do more troubleshooting with tracert, etc. Since the exact same VPN client works with internet sites when connecting via his cellphone, it is something with the actual corporate connectivity - routing is my guess and it may be due to a chance IP conflict between his LAN and the corporate VPN pool, routing issues to DNS, etc. The OP should find an internet site accessible by IP and then try connecting to it via IP when connected to the company VPN. If it works, that points to DNS being unreachable.
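
Added example (not written by any poster in this thread): a Python sketch of what to look for in the "route PRINT" output requested earlier, covering the three suspicions raised so far: a VPN-assigned default gateway, an overlap between the home LAN and the VPN pool, and a DNS server on a routed subnet. The routing table, the DNS address 10.1.1.53 and the exact subnets are constructed for illustration, using the 192.168.x.x and 172.24.x.x ranges the OP reports in the thread.

```python
import ipaddress

# Constructed sample: IPv4 rows of `route PRINT` taken after the VPN connects.
# Addresses are made up but follow the ranges the OP reported.
ROUTES_AFTER_VPN = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     25
          0.0.0.0          0.0.0.0          On-link      172.24.10.7      1
       172.24.0.0      255.255.0.0          On-link      172.24.10.7    257
      192.168.1.0    255.255.255.0          On-link     192.168.1.50    281
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from route rows."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or not f[4].isdigit():
            continue  # header or other non-route line
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[1]}")
        except ValueError:
            continue
        routes.append((net, f[2], ipaddress.ip_address(f[3]), int(f[4])))
    return routes

def best_route(routes, dest):
    """Longest-prefix match; ties go to the lowest metric."""
    dest = ipaddress.ip_address(dest)
    hits = [r for r in routes if dest in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3]), default=None)

def diagnose(routes, lan, vpn_pool, dns_server):
    """Flag the conditions the thread suspects: full tunnel, overlap, routed DNS."""
    lan, vpn_pool = ipaddress.ip_network(lan), ipaddress.ip_network(vpn_pool)
    default = best_route(routes, "203.0.113.10")  # TEST-NET-3 stands in for "the internet"
    dns = best_route(routes, dns_server)
    return {
        "full_tunnel": default is not None and default[2] in vpn_pool,
        "lan_vpn_overlap": lan.overlaps(vpn_pool),
        "dns_via_vpn": dns is not None and dns[2] in vpn_pool,
        "dns_on_link": dns is not None and dns[0].prefixlen > 0 and dns[1] == "On-link",
    }

if __name__ == "__main__":
    table = parse_routes(ROUTES_AFTER_VPN)
    # 10.1.1.53 is a hypothetical corporate DNS server on a routed subnet
    print(diagnose(table, "192.168.1.0/24", "172.24.0.0/16", "10.1.1.53"))
```

Running the same check on the table captured before the VPN connects, and on the one captured while tethered to the phone, shows which of the three conditions differs between the working and failing setups.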
 

araknis

Member
Oct 19, 1999
92
1
71
Yes, there is only 1 router involved which is the converted RT-AC68U. The IP addresses assigned from this router are 192.168.x.x and Check Point client assigns 172.24.x.x. So completely different set of IP addresses. What's interesting is when using my phone Wi-Fi, my PC is getting assigned 172.20.x.x IP address.

I looked through all the Check Point client config options and don't see any option for default gateway. There is no split tunneling option either. All traffic gets routed through the VPN.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,101
126
What's interesting is when using my phone Wi-Fi, my PC is getting assigned 172.20.x.x IP address.

Nothing wrong with that. It's the private IP range selected by your iOS/Android app and determined by app developers whether you can change the range.

You should talk to your company's IT dept regarding your issue.