I’ve been running into this issue recently after purchasing a GL-MT3000.
Previously I was connecting to my work VPN using the built-in Windows VPN. The router being used at the time was a Netgear Orbi Mesh system (I want to say the AX5400 system, but admit I am not fully positive).
I have moved and I bought the MT3000 to use because I thought it looked neat and I like to tinker a bit.
I have a different ISP (Charter/Spectrum instead of Comcast/Xfinity) and now my router is different (being the MT-3000). But otherwise there isn’t any other real drastic change. When it comes to home networks I try to keep them as simple as possible.
I’ve already changed the DNS to use Cloudflare and checked to see if there may be any firewall settings on my laptop that could cause an issue. I am certainly not a VPN expert, although I am fairly familiar with setting up an Azure VPN for accessing those resources, so I am not sure if I am missing something.
I do know a coworker had an issue with their OpenWrt router previously and I think their solution was to just buy a Netgear/TP-Link router instead.
I can also confirm that if I use my phone as a hotspot I can connect to the VPN, so to me it appears to be a router thing, but I can’t find any additional information and was hoping maybe someone had something I haven’t thought of.
The two VPN technologies used by GL devices are OpenVPN and WireGuard; in Client Mode for your use case if I’m reading this correctly. Determining if your employer supports those protocols is the first step. If so they can provide a configuration file which you can upload to the Beryl AX.
We have a VPN server, I have never needed to look at the exact setup of it, but can if needed.
Then in order to connect to the server we use the built-in Windows VPN client, so it wouldn’t be using OpenVPN or WireGuard through where you would normally set it up in the Beryl AX. The router isn’t handling anything VPN-related for connecting, basically.
The only real changes to my setup are the ISP, modem, and router from the previous setup.
Hopefully that helps explain; if not, I’d be happy to screenshot how I connect to it.
So, that clarified, it reads like you’re all set if you just want the Beryl AX to pass packets transparently as a router while it handles DHCP tasks. Public Internet DNS queries are to be forwarded to Cloudflare.
I’d enable the toggles for DNS Rebind Attacks & Override DNS Settings for All Clients, but that’s just me (GL GUI → Network → DNS). There are ways malware & malicious actors can bypass your DNS provider.
That’s sage advice that applies to more than just technology.
I’ll never not recommend anyone to not have a diagram of one’s network topology. These things have a way of ‘growing tendrils’ over time.
Thanks for the troubleshooting tip. I did enable DNS Rebind Attacks and I already had Override DNS Settings checked off; unfortunately that hasn’t solved it, but it did look like it tried to resolve to the server, so definitely headed in the right direction. Thank you for the help.
I didn’t set up the VPN server (and they aren’t my particular wheelhouse, honestly), although I did set up an Azure VPN so we can access our Azure VMs via that service, although it functions much differently. Our on-prem VM has basically never been touched aside from occasional updates and whatnot, so I really am not sure of the particulars on how or what it uses to do everything, but I’ll check, as that will likely get me closer to seeing why this may be happening.
Or maybe the ole reboot will just solve everything too.
Regardless, thank you for your help; it has put me on the right path, and if not, we are setting up a new VPN through the SonicWall we have anyway, so I may just delay until that is sorted.
SonicWall aside, maybe it’s best to toss up a net diagram. It could be as simple as the Beryl AX handing out 192.168.8.0/24 conflicting with confs elsewhere that expect the ‘old’/previous subnet IPs that were assigned from the Netgear unit… typically something like 192.168.1.0/24. I speculate.
Just for my own peace of mind I’d SSH into the Beryl AX & confirm you can resolve the DNS lookup for whatever domain IPs you’re trying to reach for the VPN endpoint/server. My aforementioned HOW-TO has all the details necessary as a practical primer.
You can also look up DNS resolution within LuCI (GL GUI → System → Advanced Settings; then Network → Diagnostics → Nslookup). Login is the same password as the GL GUI, username root.
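The subnet-conflict theory above can be checked before reaching for a diagram. The following POSIX sh script is an added example and is not from this thread or from GL.iNet: it converts CIDR blocks to integer ranges and reports whether the Beryl AX LAN overlaps any other block you pass in. The 192.168.8.0/24 and 192.168.1.0/24 values come from the post; 10.10.0.0/16 is a constructed stand-in for the work LAN, since only "10.10.x.x" is given. It runs on a busybox shell, so it can be pasted into an SSH session on the router as well as run on a laptop.

```shell
#!/bin/sh
# Added example (not from the thread): detect LAN subnet collisions that
# would break routes to a VPN endpoint or to hosts behind the tunnel.
#
# On the router itself the live LAN settings come from:
#   uci get network.lan.ipaddr ; uci get network.lan.netmask
# and the VPN endpoint's name can be checked against the local resolver with:
#   nslookup vpn.example.com 127.0.0.1    # vpn.example.com is a placeholder

# ip_to_int 192.168.8.0 -> 3232237568 (dotted quad to 32-bit integer)
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_range 192.168.8.0/24 -> "first last" as integers; the host part of
# the address is masked off so 10.10.50.7/16 yields the range of 10.10.0.0/16.
cidr_range() {
    base=$(ip_to_int "${1%/*}")
    bits=${1#*/}
    size=$(( 1 << (32 - bits) ))
    first=$(( base / size * size ))
    last=$(( first + size - 1 ))
    echo "$first $last"
}

# subnets_overlap A B -> exit 0 when the two blocks share any address.
# Two ranges overlap when each one starts no later than the other ends.
subnets_overlap() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_lan LAN_CIDR OTHER_CIDR... -> prints a verdict per block,
# returns 1 if the LAN collides with any of them, 0 otherwise.
check_lan() {
    lan=$1
    shift
    rc=0
    for other in "$@"; do
        if subnets_overlap "$lan" "$other"; then
            echo "CONFLICT: $lan overlaps $other"
            rc=1
        else
            echo "ok: $lan does not overlap $other"
        fi
    done
    return $rc
}

# Constructed check using the blocks mentioned in the thread; 10.10.0.0/16
# is an assumed expansion of "10.10.x.x".
check_lan 192.168.8.0/24 192.168.1.0/24 10.10.0.0/16 \
    || echo "Change the Beryl AX LAN subnet (GL GUI -> Network -> LAN) to a non-overlapping block"
```

If a CONFLICT line appears, the simplest fix is to move the router's LAN to a block nobody else uses; if everything reports ok, the subnet theory is ruled out and the DNS and IPsec pass-through checks discussed in the thread are the next place to look.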
The Windows integrated VPN uses IPsec, as far as I remember. Since the GL devices block IPv6 by default (because it’s not stable in the firmware), it might be an issue when your VPN needs it.
I’ll see if I can find a net diagram in our work docs, but we use 10.10.x.x for the LAN, so I would doubt that, but will double-check to be sure. I’ll also follow the guide provided to check whether I can resolve the DNS lookup.
Ahhhh, that may explain it. I’ll see if just enabling IPv6 resolves it; if it is too unstable for regular use (and that is the cause), I may just be forced to get something different.