ATT 3G Microcell and VPN

yite00
DD-WRT Novice


Joined: 06 Jan 2017
Posts: 17

Posted: Fri Jan 06, 2017 23:21    Post subject: ATT 3G Microcell and VPN
I'm using an OpenVPN client and I have an AT&T 3G microcell mini tower. The microcell provides cellular service through my internet connection.

I just recently subscribed to a VPN service and since then my microcell can't connect to the internet. I've done a lot of searching and I found that the microcell uses ports 123, 500, 443, and 1500. I also called AT&T and they said that I need to make sure all the ports are open.

I went to yougetsignal.com and confirmed that ports 123 and 1500 are blocked.

I found a few options to potentially try:
1. Administration>Command Firewall exceptions
2. Policy based routing to allow my microcell IP address through
3. Policy based routing to list all of my IP addresses that I want to be on the VPN.

The instructions I've read and found may be providing the answer I need but I don't understand or know all of the terminology. I already tried once and my router froze up so I'm hesitant to just try to wing this.

What do you think would be the easiest option for me?

Any help is greatly appreciated
yite00
DD-WRT Novice


Joined: 06 Jan 2017
Posts: 17

Posted: Thu Jan 12, 2017 11:44    Post subject:
Thank you for the response.

So the easiest is to list all the ip addresses in the policy based routing and exclude the microcell and the router. If I have a switch do I exclude that ip address as well?

When listing the ip address: 192.168.1.10/xx, the xx is not a range correct? For example 192.168.1.10/20 doesn't mean ip addresses 192.168.1.10 through 192.168.1.20.

Do I have to list the xx at all? I think I understand it is associated with the gateway. Correct me if I'm wrong. For my case it will always be 24 but what is the difference if I include it or not?

Either way I would have to include every ip address individually.

192.168.1.10/24 or 192.168.1.10
192.168.1.11/24 or 192.168.1.11
192.168.1.12/24 or 192.168.1.12
etc

Thank you
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

Posted: Thu Jan 12, 2017 13:20    Post subject:
You can use subnet values in the policy routing section, but make sure you don't use either:

192.168.1.1 (Explicit router IP reference)
192.168.1.0/24 (Entire LAN range, which would include the router IP)

As mentioned, if the router IP is sent through the VPN, it will break everything.

You can calculate subnets/ranges for your LAN to go through the VPN via something like this:

http://www.subnet-calculator.com/subnet.php?net_class=C

Alternatively you can create your own range, perhaps using static DHCP to place all clients within a specific range you'd like or sending all clients within the configured DHCP range, or just list as separate values i.e.

Code:

192.168.1.10
192.168.1.11
192.168.1.12
etc..


192.168.1.10/20, does not mean include IP addresses ranging from 192.168.1.10 - .20, doesn't work that way!

_________________
James

Main router:

Netgear R7000 overclocked to 1.2GHz - DD-WRT v3.0-r35965M kongac

IPv6 6in4 (HE.net), OpenVPN (with PBR and split tunnelling), Entware, dnsmasq with ipset

Easy ipset support for the R7000

VPN speed: Download: 77.96 Mbps Upload: 5.00 Mbps (AES-128-CBC HMAC-SHA1)

Yes you can get 50 Mbps+ with OpenVPN on a R7000 if you configure it properly!

Previous routers:

ASUS RT-N66U - The Dark Knight
WNR2000v3 - Bought on the cheap for someone else, neutered crap
WNR3500Lv1 - First venture into the DD-WRT world
yite00
DD-WRT Novice


Joined: 06 Jan 2017
Posts: 17

Posted: Sat Jan 14, 2017 14:02    Post subject:
Thank you for the information.

I think I understand. If I put in policy routing selection the following

192.168.10.130/2

Then addresses 192.168.10.129 - 192.168.254 will go through the VPN as calculated by the subnet calculator, correct?

With that my routers address 192.168.1.1 is outside that range so I'm safe.

Then I have to make sure that my Microcell's address is outside that range and it will bypass the VPN also correct?

I wanted to make sure I understand the subnet so I don't break my router.
yite00
DD-WRT Novice


Joined: 06 Jan 2017
Posts: 17

Posted: Sat Jan 14, 2017 14:37    Post subject: General Use of CIDR
Yes you're correct. I was using the wrong calculator but now I understand.

On a side note my DHCP settings should encompass that range correct?

Start IP = 192.168.10.129
Maximum DHCP Users = 125

125 = 254 - 129

If I reduced 125 to 124 I could then assign a static IP to 192.168.10.254 which would still be within the VPN correct?

And the overall benefit to using the CIDR is to reduce 125 lines of input down to 12 lines (for this case).
yite00
DD-WRT Novice


Joined: 06 Jan 2017
Posts: 17

Posted: Sat Jan 14, 2017 15:26    Post subject:
Okay I just applied the changes. Everything is working great. My microcell is outside my VPN and is now functioning properly and my router is not broken.

I realize this went from a best option to a CIDR discussion. I hope that's not a problem.

Thank you very much for your help.
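
Added example (not part of the original thread, and not DD-WRT code): a Python check of what the policy-routing entries discussed above actually cover, how the 192.168.10.129 - 192.168.10.254 range collapses to 12 CIDR entries, and whether any entry would capture a device that has to stay off the VPN. The router and microcell addresses are constructed sample values, and treating an entry's host bits as ignored is an assumption about how the router matches it.

```python
import ipaddress

def covered_range(entry):
    """First and last address matched by one policy entry, e.g. '192.168.1.10/20'."""
    # strict=False masks off host bits: the prefix length, not the last octet,
    # decides what is matched (assumption: the router matches entries this way).
    net = ipaddress.ip_network(entry, strict=False)
    return str(net[0]), str(net[-1])

def range_to_cidrs(first, last):
    """Shortest list of CIDR entries covering exactly first..last."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(b) for b in blocks]

def vpn_conflicts(entries, must_bypass):
    """Map each device that must stay off the VPN to the entries that capture it."""
    hits = {}
    for name, addr in must_bypass.items():
        ip = ipaddress.ip_address(addr)
        caught = [e for e in entries
                  if ip in ipaddress.ip_network(e, strict=False)]
        if caught:
            hits[name] = caught
    return hits

# Constructed sample values (not from the thread): router and microcell addresses.
MUST_BYPASS = {"router": "192.168.10.1", "microcell": "192.168.10.50"}

if __name__ == "__main__":
    # A bare address is a single host; a prefix length widens it to a whole block.
    for entry in ("192.168.1.10", "192.168.1.10/24", "192.168.1.10/20"):
        print(entry, "->", " - ".join(covered_range(entry)))
    # The DHCP range from the thread, expressed as CIDR entries.
    policy = range_to_cidrs("192.168.10.129", "192.168.10.254")
    print(len(policy), "entries:", policy)
    # An empty result means neither protected device would be sent into the VPN.
    print("conflicts:", vpn_conflicts(policy, MUST_BYPASS))
    print("whole-LAN entry:", vpn_conflicts(["192.168.10.0/24"], MUST_BYPASS))
```

An empty result from vpn_conflicts is the condition to confirm before applying a policy list; any device it names would be routed into the tunnel.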