VPN with 3 sites

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

VPN with 3 sites

Post by mlsjwr » Sun Jan 24, 2016 5:33 pm

Dear Friends!
I would like to make a VPN network with 3 sites: HQ with SoftEther Server and 2 branches with SoftEther Bridge.
I can't find a solution for how to do it. I attached a schematic of the concept I would like to build.
I tried a lot of settings but I could not find a working solution.
The connection between the sites is OK. I can make a cascade connection from the bridge,
I can make a connection as a client, but there is something I could not solve; I think it is the routing.

I would like to have 3 hubs on the server, one for each branch, and if I need to I can connect them with an L3 switch.
I haven't set up the 3rd site yet, but that would be the same as the second, so I just tried everything with HQ and Branch 1.
At this moment I have Branch 1 with SoftEther Bridge, local bridged to its physical LAN,
and I have set up the HQ server on a VM with 2 hubs: 1 local bridged to the physical LAN and 2 for the branch, not local bridged.

When the Branch 1 PC is connected as a client to the server's own hub, I can see the PC. When I connect this PC as a VPN bridge I cannot ping, I cannot see the PCs on the network, even if it connects to the server's own hub or to the hub created for this branch.
When I connect to the VPN Bridge at Branch 1 remotely, I can see the IPs at the site (it has a local bridge). When I manage the hub created for Branch 1 on the server, I can also see the Branch 1 IPs. I can also see the IPs when the bridge cascade connects to the server's own hub.

I set up an L3 switch with these 2 interfaces and I set routes for it, but I still cannot ping anybody from the other subnet. I think I tried all the versions I could imagine, but I know there should be a mistake in my settings.

Can somebody explain to me how to set up SoftEther so that it works properly?
How to set the Branch 1 PC's local bridge IP?
How to set the server's hubs' IPs?
How to set the L3 switch routes and interfaces? (I don't think the interface settings could be wrong, but who knows?)

There are some criteria I need:
I would like to have a PC on the site which is accessible only by VPN connection, not by LAN, and not by TeamViewer either. Only Windows RDP through the VPN connection. But it would be great if this PC could print on the shared printer on the VPN bridge PC, for example. I do not want to let this PC onto the internet either. The only way to access it should be if somebody has a certificate for this VPN network. I do not want to let anybody RDP to this PC from the LAN either.

I would like to administer, on each site, who has access to the internet, but maybe that is a setting of the router.
At each site I have MikroTik routers with WiFi, so they are very well adjustable.

This router has OpenVPN, L2TP, and a few more clients built in. The other concept would be the best, if I could do it without running a server at the site all the time.
Is it possible to connect to the VPN server with a router and see the PCs?
In this case the criteria I wrote still apply (administer internet access, PC through VPN only).

Thanks in advance for anybody's answer or help.
Kind regards
Richard

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Mon Jan 25, 2016 9:11 am

I would like to ask how to set the IPs to get it to work?

Let's assume the local IPs on the physical LANs from the routers' DHCP servers are
192.168.1.0, 192.168.2.0, 192.168.3.0 as in the picture.
What IPs to set for Server?
Hub for branch 1
Hub for Branch 2
Hub for server

What IP set for Branch1?
Hub (called BRIDGE)

What IP set for Branch2?
Hub (called BRDGE)

Thank You in advance
Richard

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: VPN with 3 sites

Post by thisjun » Wed Feb 10, 2016 9:16 am

Please show details about the inside of each LAN.
How does the VPN server connect to the router?

And you wrote subnet mask /26, is that right?

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Sun Feb 14, 2016 10:10 am

Dear thisjun,
first of all thank You for Your answer, and for Your time in dealing with my problem.
I found the solution for 1 problem. I was trying and trying and trying, and I decided to try
with simple clients whether they see each other, whether they can ping each other etc.
They did NOT, and I found the problem. The problem was that I have Kaspersky Internet Security
and the firewall was blocking the traffic.
I set the virtual subnet to "safe LAN" in Kaspersky and the ping, Webmin, share etc. are OK now.

But I still cannot get it working when I have more subnets.
I would like to set up something like in the documentation:
http://www.softether.org/@api/deki/file ... ze=webview

The subnet mask on the physical LAN is /24; I just wrote that because at the sites I don't think
I will have more than 20-30 devices. At each site I have IP cameras and a DVR which has
no built-in SoftEther client, so I have to bridge each site. I do not know if the bandwidth
or the routers will be able to handle the traffic, but we will see. I have MikroTik routers
at each site so we have a chance.

It would be better if my routers could connect to the server directly, with no need for running
a bridge PC at each site, but that would be the next level. First I would like it to work.
(I am afraid of locking myself out :) because there are 80 km between the sites)

So about my setup:
I have a MikroTik router at each site. Behind it there is an
HP ProLiant Gen8 server with Ubuntu trusty 64 bit.
VMware Workstation is running on the server, which has some VMs
(VPN server, database server, later maybe web server).
So SoftEther is running on a VM with Ubuntu trusty 32 bit. It has a static IP set on the physical LAN.

Client and cascade connections can connect, so the connection settings work fine.
I turned the DHCP server ON in the server's own hub because the mobile phone clients must connect.
(Maybe it would be a good idea to make a hub with a DHCP server only for mobile clients?)

I tried with a local bridge, but I think I made a broadcast storm or something, because some clients
got an IP from another site's LAN.

I would like to ask for help in setting the IPs and routes; I think it is something I do not set correctly.
I would like to understand what IPs to set:
- Server's HUB for sites 1, 2, 3 (from the physical DHCP range at the server's LAN, or from the virtual IP range?)
- Site HUB (from the physical DHCP range at the site LAN, or virtual?)
- TAP interface (from which range?)

I understand that when I connect the server's HUBs with the L3 switch, I set the interfaces with the IPs set
in SecureNAT, but:
Do I have to set routes in SecureNAT or in the L3 switch?
When do I have to set them in SecureNAT and when in the L3 switch?
What routes do I have to set in the physical router?

I tried to local bridge with TAP, without TAP, with TAP at the bridge and server side, without TAP at each side, to connect everybody to only one hub with TAP and without TAP, so I tried what I could imagine, but
I still cannot get it working.

Please suggest something to me if my topology is absolutely insane.

What I need to solve:
Each site has devices which cannot connect to SoftEther, either by the SoftEther client or by any other alternative (OpenVPN or L2TP).
I do not want the sites to reach each other, but from HQ or with my management PC with the SoftEther client
I would like to reach everything.
I need 1 PC at each site to be reachable by RDP, but only and exclusively by a safe VPN connection. (Maybe a VPN client
in a separate hub, with DHCP only for this safe connection?)


Thank You very very much in advance
Richard

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: VPN with 3 sites

Post by thisjun » Thu Feb 25, 2016 8:28 am

Did you enable promiscuous mode on VMware?
VMware drops packets sent from an unknown MAC address.

What is the virtual IP range?

Are there two DHCP servers on the same broadcast segment?

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Thu Feb 25, 2016 10:46 am

Dear thisjun
I have been fighting with this for nearly 2 months now, but I still can't get it to work.

I checked the promiscuous mode on the vpnserver, and it seems to be on.
Each site has its own router and its own subnet range, which is different, so
no overlapping IPs or IP conflict can occur.

eth0 Link encap:Ethernet HWaddr 00:50:56:XX:XX:XX
inet addr:192.168.89.102 Bcast:192.168.89.255 Mask:255.255.255.0
inet6 addr: fe80::250:xx00:xx00:xx00/64 Scope:Link
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:149807 errors:0 dropped:0 overruns:0 frame:0
TX packets:27384 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:116430564 (116.4 MB) TX bytes:3155407 (3.1 MB)
Interrupt:19 Base address:0x2000
The situation is that I am totally lost now with the IP settings, because nowhere can I find how to set the IPs.
I would like to build the topology which is in the manual at 10.6 Build a LAN-to-LAN VPN (Using L3 IP Routing),
3 sites Osaka, Tokyo, Tsukuba.

BUT

Nowhere can it be found how to set it up.
In this scenario we have 3 IP ranges which should be (I think) static or from DHCP on the physical LAN;
that is OK.

BUT I can't find the following things:

1) What IP to set for the HUB on the server side???
Should it be an unused IP from the server side physical LAN's IP range?
Or maybe should it be an IP from the connected bridge side's physical IP range?

2) What IP to set for the HUB on the bridge side???
Should it be an unused IP from the bridge side physical LAN's IP range?
Or maybe should it be an IP from the connected server side's physical IP range?

3) Routing!!! Nowhere can anything be found about how to set it and where to set it.
Each site should have a router so we can set routes
1 in the router, 2 in SecureNAT, 3 in the L3 switch, 4 on each PC on the LAN.
Where to set them? I tried to figure it out logically, and I tried several possible versions
without success.

4) Things turn out to be complicated when I bridge to a TAP interface, because in this case
the DHCP on the physical network does not serve IPs to connecting clients, so
I have to turn on the DHCP in SecureNAT, and we have 1 more subnet now.

IP:
I tried to set the IPs for the hubs on each side from their own physical range,
I tried to set them from the other side's range,
I tried to set them from the server side range for both, and from the bridge side for both,
I tried to set the same IP from each side's range.
Not working!

Routing:
I also tried to set hundreds of versions. I understand the routing should be set as
destination subnet, netmask, gateway. Destination and netmask are not a question
because they are what they are, but I tried to set the gateway to
the server HUB IP,
the TAP device IP (when I tried with TAP, not local bridge),
I tried to set the VM's IP.
Not working!

The only success I could reach is to ping and traceroute in the following situation:
Ping and traceroute from a PC in site A to the site B HUB in the server.
I can't remember how it was set exactly, but I think I can do it again.
(I am not sure, but I think I set the route in the router.)
The traceroute went to the
server's HUB for site A (it is running the VPN server also),
then the server's HUB for site B,
and the traceroute completed.
When I tried to ping or traceroute the site B bridge's HUB it was not working.
In this situation the traceroute went to the physical router, which I do not understand,
because the route to that subnet was set through the site A HUB.

I think it would be good to show a real scenario, because it would be a good guide for
a lot of people.
Please find me anybody who can clearly explain these few things, because
there is a big darkness concerning these settings.

IP settings for vpnbridge and vpnserver, and route settings (where and what).
There are not too many things, but it would be good to clarify them.

Thank You in advance
Richard

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Sun Feb 28, 2016 11:08 pm

So I took a step forward :)
I set the hubs' addresses in the server from the connected branches' IP ranges
and I set in each physical router routes to the other two networks with the
gateway as the hub's IP in the server. (Exactly the same way as in the description
of Tsukuba, Osaka, Tokyo.)
Now still something is not OK, but we are in the right direction.
When I traceroute from the PC in LAN A to the PC in LAN B it goes to the
default gateway (which is the router). It tells me the gateway to LAN B is the hub
address in the server, but then it stops. Sometimes it goes back to the PC running the bridge
at the site.

And one more thing: what address for the hub in the VPN bridge? I set an available IP from
the LAN at the site (for example the bridge's hub x.x.x.253, and the server's hub x.x.x.254).
What is wrong now? Why does it stop at the server's hub?

Thanks in advance
Richard

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: VPN with 3 sites

Post by thisjun » Fri Mar 25, 2016 7:58 am

A Virtual HUB is just an Ethernet switching HUB.
There is no IP address for a HUB.

Anyway, please check promiscuous mode in "VMware", not in the VPN server.

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Fri Mar 25, 2016 6:15 pm

Dear thisjun

I can set an IP for the Virtual Hub in
Manage Hub / SecureNAT settings
?!?!
Or is that not where I have to set the IP?

10.6.4 Network Layout:
Virtual Hub Name    Virtual Interface IP Address
TOKYO               192.168.1.254 / 255.255.255.0
OSAKA               192.168.2.254 / 255.255.255.0
TSUKUBA             192.168.3.254 / 255.255.255.0

I set the interface IP like in the documentation, in the SecureNAT settings.
Maybe that is the problem? But if there is no TAP interface, then it has no IP.

I checked the promiscuous mode on the Linux machine where the VPN server is running,
and ifconfig says promisc is on:

eth0 UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1

VMware has no option for promiscuous mode in its settings, even if I run it as sudo.

Thank You again for Your answer,

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Sun Mar 27, 2016 7:36 pm

Can anybody answer how to set up this 3-site VPN?
I get 2 sentences every quarter year, so it will take 10 years to set it up.

I do not think it is such a complicated setup:
3 sites with some devices and PCs at each site, and the server is running on a
VMware VM with Linux. The cascade connections are OK; when a client connects it works.

I would like to set up the same as in the documentation on L3 routing.
I can't believe nobody has set it up before.

It seems to be really good software, but if it takes 10 years to get it working it is nonsense....

Please find me somebody who is ABLE to set it up.

I do not want to be told what to do, I only need a guide on how to set it up, but when I get answers of 2 sentences
it does not help.

I checked 134435643 times that eth0 is in promiscuous mode.

Thank You

hatnac
Posts: 3
Joined: Tue Aug 06, 2013 1:29 pm

Re: VPN with 3 sites

Post by hatnac » Tue Mar 29, 2016 6:29 am

Hi mlsjwr !

mlsjwr wrote:
> I can set IP for Virtual hub in
> Manage Hub / Securenat settings
> ?!?!
> or it is not where I have to set the IP?

You should set the virtual interface IP NOT in the SecureNAT settings BUT in the Virtual Layer 3 Switch settings.
If you follow section 10.6.4 of the document, you should disable SecureNAT, create a virtual layer 3 switch and add three interfaces, one to each of the virtual hubs TOKYO, OSAKA and TSUKUBA.

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Wed Mar 30, 2016 10:28 pm

Dear Hatnac,
Thank You for Your help. I left the settings in SecureNAT and disabled it.
I set the hubs in the server as interfaces for the L3 switch, with a free IP address from the cascade-connected
site's LAN IP range. When I set a static route in the routers for the LANs with these IPs as gateway,
I was able to ping the IPs of the interfaces from a PC on the LAN.
But I still can't ping a PC from another site's PC, and I cannot reach the PC's Webmin, for example.
At this moment I have only the vpnbridge PC at the sites, but there is a DVR that I can normally ping
locally, but not through the VPN from the other site.
?!?
The other thing I noticed is that I can't ping the interface IPs from the server itself.
?!?
It seems to be a little bit closer, but still not working.

hatnac
Posts: 3
Joined: Tue Aug 06, 2013 1:29 pm

Re: VPN with 3 sites

Post by hatnac » Thu Mar 31, 2016 3:17 am

Hi, mlsjwr.

I'd like to see your detailed settings, VirtualLayer3SwitchList section in vpn_server.config for example.

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Fri Apr 01, 2016 2:02 pm

Dear Hatnac!
I am very grateful to You for dealing with my problem.
Here I attached a txt file of server settings.

As You can see I have 3 subnets 192.168.88.0/24, 192.168.89.0/24, 192.168.88.0/24, and I
created a new hub which I would like to use for VPN clients to connect to; here I would like to use
SecureNAT DHCP, but that will not be a problem since the VPN client can connect with no problem.
I always have problems with the cascade connection, and not with the connection itself, because it is
established, but the communication won't work.

The server config file always changes because I am trying and trying and trying and trying, and trying...

At this moment I have 2 L3 switches configured, the second one only for testing Your suggestions.
I connected only 2 running subnets. I wanted to try 2 sites so the 3rd will not disturb.
Now I attached these 2 interfaces to the second switch, and the IP I set was possible to ping.
I think it is good.

I changed a few things in the hardware setup also. Originally I had a TP-Link router with DD-WRT attached
to the main router. The VPN server is running on a VMware Workstation virtual machine (Ubuntu trusty).
VMware Workstation is running on an HP ProLiant MicroServer Gen8, which was connected to the
TP-Link router (the switch), but now I decided to try everything without the switch. Just to be sure
that the TP-Link is not causing the problem. Who knows...

Now the HP ProLiant is directly connected to the main router... so I would like to test whether it works.

Thank You very much for any idea You can share with me to solve the problem.

kind regards
Richard

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Fri Apr 01, 2016 9:23 pm

Dear Hatnac,
I am a step closer to the solution now.
I connected the ProLiant MicroServer directly to the main router, and now
I can ping and traceroute each site's router (the gateway).
The traceroute from the server site, from a PC on the LAN, goes first
to the router, which tells it the gateway to the other LAN, which is the
interface IP of the L3 switch, and then the traceroute is complete.

But :(
I still can't ping or traceroute the device on the LAN or the vpnbridge PC's IP,
and I still can't ping or traceroute the server or a PC on the server's LAN from the site.

I set in the routers of each LAN the gateway to the server's LAN, which is the L3 switch interface IP,
but at the vpnbridge sites I did not set the routes to each other. At this moment I do not want
communication between them.

have a nice weekend
Regards
Richard

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Tue Apr 05, 2016 9:05 am

Yesterday I was able to ping the vpnbridge PC for a few minutes from a PC at the
vpnserver's site (not the server itself), and then not any more.
I tried to reach Webmin's web admin and it was accessible also.
I tried to ping another device on the LAN, but unfortunately it was too late;
by then I was not able to ping the bridge PC either. So I don't know if
the other device was accessible or not.

Now nothing. In the packet log I can see the Webmin access.

I set nothing when it happened; I was only trying ping or maybe traceroute,
nothing else happened.

Do You have any idea?

Kind regards

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: VPN with 3 sites

Post by thisjun » Fri Apr 22, 2016 8:07 am

Could you attach a result of trace route?

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Mon May 02, 2016 6:55 pm

Hello Thisjun,
I am a step forward again. Maybe it is only 10 years and it will work.
So
I set TAP devices for the server and for the bridges to local bridge the physical LAN.
I set the TAP devices' IPs to a different subnet from the physical LAN, and I can see the server and bridge PCs.

3 TAP devices with IPs from 192.168.0.0/27
1 LAN 192.168.88.0/24
2 LAN 192.168.89.0/24
3 LAN 192.168.90.0/24
I set static routes on the server and on the bridge PCs with the TAP devices as gateways,
and it works...

BUT

I can't see, can't ping, and can't traceroute the devices on the physical LAN.
So for example I can't ping the DVR IP on the LAN from another LAN.

I can get as far as the bridge or the server and not further.
Is the local bridge not working, or what could be the problem?
Or do I have to set a local bridge to eth0 also?

In sysctl I have set ip4.forward = 1.

What could be the problem again?

thanks in advance
Richard

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Tue May 17, 2016 12:33 pm

Dear thisjun!

What could be the reason that I cannot access a host on another site?
I have the settings as You wrote. The interesting thing is that I can ping and
traceroute one site from a server-site host! No other sites are accessible
except the bridge PC.

I tried the following setup:
Site A 192.168.88.0/24 vpnbridge (192.168.88.100)
Site B 192.168.89.0/24 Server (192.168.89.102)
Site C 192.168.90.0/24 vpnbridge (192.168.90.100)

Each site has a local bridge with a TAP device. When I set each TAP device's IP from the
local IP range, nothing is working!
When I set the TAP devices' IPs from another subnet (192.168.0.0/27):

Site A TAP IP is 192.168.0.29/27
Site B TAP IP is 192.168.0.1/27
Site C TAP IP is 192.168.0.30/27
The vpnserver and both vpnbridges have ip forward=1 in sysctl.

It partially works!
I can ping from a host on the server-side LAN (site B) the bridge PC or a host on site A.

Here is a ping command to a DVR on site A from a Windows PC on the server site.
Sometimes when I ping I get 2 request timed outs, and then I get 4 replies.
------------------------------
Pinging 192.168.88.150 with 32 bytes of data:
Request timed out.
Reply from 192.168.88.150: bytes=32 time=22ms TTL=62
Reply from 192.168.88.150: bytes=32 time=30ms TTL=62
Reply from 192.168.88.150: bytes=32 time=46ms TTL=62

Ping statistics for 192.168.88.150:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 22ms, Maximum = 46ms, Average = 32ms

Pinging 192.168.88.150 with 32 bytes of data:
Reply from 192.168.88.150: bytes=32 time=18ms TTL=62
Reply from 192.168.88.150: bytes=32 time=28ms TTL=62
Reply from 192.168.88.150: bytes=32 time=27ms TTL=62
Reply from 192.168.88.150: bytes=32 time=18ms TTL=62

Ping statistics for 192.168.88.150:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 18ms, Maximum = 28ms, Average = 22ms

But this is the only site where I can ping a host on it. The other sites
are partially accessible. When I have the routes set in the router
I can ping from any host on any site to the vpnbridge or the VPN server,
but not more!

For example:
I can ping from any host on the server site the VPN bridge PC (192.168.90.100) and nothing else!
I cannot ping a DVR on that site, for example.
I can ping from the vpnbridge PC to the server (192.168.89.102) and nothing else!
I cannot ping a host on the server site LAN.

The only ping that works is from the server to the 192.168.88.0/24 net.
The ping to the other 2 sites has 100% packet loss. Only the TAP device, the vpnserver PC and
the vpnbridge PC reply to ping. As I said, ip forward is set in sysctl.

What could be the problem?

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: VPN with 3 sites

Post by thisjun » Fri May 27, 2016 7:58 am

Please show result of traceroute.

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Fri May 27, 2016 11:46 am

Dear thisjun,
It is not easy, because I have tried 583 things, so now
I have the Xth different config.

At this moment I have 3 hubs, one for each site, and an L3 switch.
Each hub has a local bridge to the physical network card (not with TAP).
I tried with TAP, but when I used TAP for the local bridge in the case of the L3 switch
I saw only the interface IP addresses in the IP tables. When I use a local bridge
without TAP, I can see IP addresses from the site, so it seems to be better.

/Previously I tried to connect both sites to the same hub, with TAP devices with IPs from a different subnet;
the result was the same. 192.168.88.0/24 was accessible, 192.168.90.0/24 was not./

Traceroute to 192.168.88.0/24 works!
Except for the bridge PC, I can ping and traceroute everybody on the site.
Why is the bridge PC not accessible? Is it maybe because of the ip forward?

So the traceroute to that site from a PC on the server site is the following:
_________________________________________________________
traceroute to DVR on the site which is working
tracert 192.168.88.150

Tracing route to 192.168.88.150 over a maximum of 30 hops

1 2 ms 1 ms 2 ms 192.168.89.254
2 1 ms 1 ms 2 ms 192.168.89.254
3 227 ms 19 ms 41 ms 192.168.88.150

Trace complete.

Traceroute to 192.168.90.0/24 is not working. I can ping and traceroute
the router on the site, but nothing else. I tried more devices.
_________________________________________________________
traceroute to router on the site which is not working
tracert 192.168.90.1

Tracing route to 192.168.90.1 over a maximum of 30 hops

1 1 ms 1 ms 1 ms 192.168.89.254
2 1 ms 1 ms 1 ms 192.168.89.254
3 31 ms 62 ms 53 ms 192.168.90.1

Trace complete.

_________________________________________________________
traceroute to the DVR on the other site is not working.
tracert 192.168.90.150

Tracing route to 192.168.90.150 over a maximum of 30 hops

1 1 ms 1 ms 4 ms router [192.168.89.1]
2 1 ms 1 ms 1 ms 192.168.89.254
3 * * * Request timed out.
4 * * * Request timed out.
...
29 * * * Request timed out.
30 * * * Request timed out.

Trace complete.

Please share if You have any idea what could be wrong,
or
how to find the problem.

Thank You in advance
Richard

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: VPN with 3 sites

Post by thisjun » Mon Jun 06, 2016 4:00 am

I think the router(192.168.90.1) doesn't support hairpin NAT.

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Fri Jun 17, 2016 1:06 pm

Dear Thisjun
I set hairpin NAT for all routers on each site. Unfortunately it did not help;
the situation is still the same.
I can ping all devices on the 192.168.88.0/24 network from the server's site.
I can ping the router's IP on the 192.168.90.0/24 network and nothing else.
None of the bridge PCs can be pinged from the server site.
But the 192.168.88.0/24 hosts can be pinged from the server site without hairpin NAT also.

All routers are from the same brand (MikroTik). They are different types, but all of them are SOHO routers
(RB951-2nD). You are right, by default hairpin NAT is not enabled on these routers.
I set a fully transparent hairpin NAT on them, I mean srcnat from 192.168.88.0/24 to 192.168.88.0/24.

Theoretically it would be enough to set a more specific rule just for the server and specific ports.
(But which port? All of them? Or just the ports set on the server or on the bridge?)

Btw... Why do we need hairpin? I make connections with a DDNS address (no-ip.com).
I do not connect to myself with an external IP.

I am waiting for Your reply
Kind regards
Richard

robitpaul
Posts: 3
Joined: Tue Jun 21, 2016 5:08 am

Re: VPN with 3 sites

Post by robitpaul » Tue Jun 21, 2016 5:21 am

Yes of course, a VPN uses the internet to create a secure and private connection between a device and the internet service the user uses. A VPN works like a shielded tunnel, sending and receiving data under the protection of that tunnelling, which is the work of encryption. A VPN does not let anyone intercept the data of a user, by forming the data into encrypted data which no one can read.

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Tue Jun 21, 2016 12:31 pm

???


Dear robitpaul, I think You sent an answer somewhere other than where You intended to.

Check it please.

But if You have any idea to solve the problem, I would be very grateful.
I know why VPN is good, and the theory; I have a working connection, but
I can see only one site's hosts from the server site. On the other site, where I vpnbridge,
I can ping only the router on the LAN. I cannot ping the similar DVR, for example.
Any idea?

kind regards
Richard

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: VPN with 3 sites

Post by thisjun » Fri Jul 08, 2016 8:40 am

> Why do we need hairpin?
Because, if the virtual L3 switch and the DVR are on the same side of the router, hairpin NAT is required.
I am concerned about whether the hairpinning setting supports your case or not.

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Sun Jul 10, 2016 7:58 am

Dear thisjun

Actually there is no DVR on the site where the L3 switch is.
There is only the L3 switch on the server's site, and there is no DVR at this place. There are 2 IP cameras.
I have MikroTik routers on each site. You are right, the MikroTik routers do not support hairpin NAT,
but I can set a firewall rule for hairpin NAT.
When You suggested it, I tried to set hairpin NAT for each site (server and both sites with vpnbridge),
but unfortunately it did not help. The situation was the same (the 90 network is not reachable,
the 88 is accessible).

Something interesting:
All the cascade connections are working. Without hairpin NAT having to be set,
from the server site (192.168.89.0/24) I can ping and reach the IP camera, DVR, router, any host on that site;
from the server site I cannot ping or reach anybody on the other site, only the router. I cannot ping the DVR, the switch...
Generally the settings are the same. (vpnbridge on a Linux PC, ipv4.forward=1 is set.)

So I am out of ideas.

kind regards
Richard

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: VPN with 3 sites

Post by thisjun » Fri Jul 22, 2016 3:03 am

Please try to change the default gateway of all hosts except the VPN server to the virtual L3 switch instead of the router.

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Fri Jul 22, 2016 8:35 am

Dear Thisjun
Thank You for Your answer.
Your answer made me think a little bit, and questions have arisen.
The L3 switch has no IP address, only its connected interfaces, or the server itself.
So there seem to be 3 possibilities:
1 IP of the L3 switch interface which is for the server (which I connect and set manually)
2 IP of the L3 switch interface which is for the site (this is where the cascade connection connects)
3 IP of the server's network card (which is the server's IP)
So change to which one?

What do You mean by changing the default gateway of all hosts?
Do You mean to change only the PC running vpnbridge on each site, except the vpnserver with the L3 switch?
Or all possible hosts?
Maybe I am not right, but when I change the default gateway to something different
from the router's IP, there will be no internet connection on that host. But if there is no
internet connection, then a problem could arise with the cascade connection to the server, since
it needs the internet to connect. And maybe I can lose the connection to administer the PC
via VPN management and SSH also.
What do You think?
kind regards
Richard

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: VPN with 3 sites

Post by thisjun » Tue Aug 02, 2016 6:04 am

> So change to which one?

The IP of the virtual L3 switch interface for the segment.


> How do You mean to change the default gateway of all hosts?

All possible hosts except the router.

> there will be no Internet connection on that host.

Write a default gateway into the routing table of the virtual L3 switch.

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Thu Sep 15, 2016 8:28 pm

Unfortunately I still have no solution for the problem after 3/4 of a year :(

I made another setup. I set vpnserver on each site.
The cascade connection is established in this case also.
I created a simple VM on, let's say, site A and I set a static IP for it from site B.
Now I can reach the VM on site A from site B!

So it seems to be OK. If all sites are on the same subnet it works!

But the problem is I want each site on a different subnet.
So we need the L3 switch!
When I set up the site-to-site with IP routing something goes wrong.
Somehow the L3 switch does not work correctly. Or I did not set something.

As far as I know the following things should be set in the IP routing case:
1 vpnserver on the central site
2 vpnserver or vpnbridge on the other sites
3 Set a hub for each site on the central server
4 Cascade connection to the hubs on the central server from the sites
5 Set interfaces on the L3 switch for each hub on the central server
6 Set the static routes on the physical router on each site
for example
Site A's network is accessible from site B via site B's hub IP on the L3 switch (what I set when connecting the interface)

And that's all.
What did I do wrong?

claudelu
Posts: 32
Joined: Mon Aug 29, 2016 11:42 pm

Re: VPN with 3 sites

Post by claudelu » Fri Sep 16, 2016 9:17 am

Hi mlsjwr,

I just wanted to say that I follow your problem very closely because I find myself in the same situation as you and, as far as I can understand, I am stuck at the exact same point as you.

As a comparison, please see my description of the problem here:
http://www.vpnusers.com/viewtopic.php?f=7&t=5545

I cannot say IF I did something different or not, but if you see something helpful for you or you can help me with something, please do not hesitate to post.

Thank you!

J1mbo
Posts: 6
Joined: Thu Sep 15, 2016 2:22 pm

Re: VPN with 3 sites

Post by J1mbo » Fri Sep 16, 2016 10:30 am

Coming at this cold, it looks a little like a simple IPsec site-to-site VPN would do everything you need at the gateway level.

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Fri Sep 16, 2016 2:12 pm

Dear claudelu!
I am so happy that I'm not alone. :)
But it does not solve our problem. Right?

Of course I am not sure, but as far as I know you do not need to set the routes on the L3 switch.
Since you have connected the virtual hubs to your L3 switch, it knows them.
I will try in my configuration whether it helps when I add routes to the L3 switch, then I will write the results.
You must set static routes, but in your physical router on your network. When you want to reach
somebody not on your network and the PC knows it, then you know where to go. But if your PC
does not know, then it will ask the router. So the router should tell where you can find it.
So you need to tell it the L3 switch interface address.

The ping:
I am not sure if ping goes through the L3 switch! Are you? I think it is better to try something else to
reach the other network. For example Webmin on Linux, or maybe file sharing on Windows, or WAMP.
It is your choice. So maybe it is better to test your config with more network operations.
You can also test your setup with traceroute, then you can find where the problem is.

In my situation it is strange that I can reach one site from the server, but not the other.
I can reach the DVR for example on that site, but I can't reach a similar DVR on the other network.
The difference between the sites is the ISP;
the sites which can reach each other are UPC with a modem. But I can't reach the other site, which is
on another ISP with a PPPoE connection.

I hope I gave you some idea, but ask if you have any question. Maybe I can help.
Kind regards
Richard

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Fri Sep 16, 2016 11:22 pm

Hello there! Have you solved your interesting problem?


Good luck (:

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Sat Sep 17, 2016 7:21 am

Dear raafat
Unfortunately not, so any suggestions would be appreciated.

I tried to set static routes in the L3 switch but I have no positive result!

I have an idea. What if the vpnbridge-running PC's network card does not support something?
I don't know what, but maybe

???

Regards
Richard

claudelu
Posts: 32
Joined: Mon Aug 29, 2016 11:42 pm

Re: VPN with 3 sites

Post by claudelu » Sat Sep 17, 2016 10:34 am

Hi mlsjwr,

Thank you for your reply. I have tested other services in my configuration (Windows), like file sharing, but without success.
What you are pointing out regarding the routes makes sense, but now another problem comes in.
In my scenario, the main router/firewall is externalised and it is quite expensive to make changes to its configuration.
That is why SE caught my attention. It says (in the documentation) that it can connect 2 or more different sites when the SE VPN Server/Bridge is behind a firewall. If I understand right, all I have to do to the main router configuration is to forward at least one port of the public IP address to the SE VPN Server's internal IP address. This port must be defined (if the predefined ones are not available) in the SE VPN Server/Bridge listener port list.

I have done these already.

I want to mention one more thing.
On all my sites the topology of the network is as follows:
Main site (192.168.2.X/24): main router (externalised) <-> main switch <-> SE VPN Server and the rest of the PCs;
Site 2 (192.101.103.X/24): main router (externalised) <-> main switch <-> SE VPN Bridge and the rest of the PCs;
So, in my scenario, it is very important to apply "VPN Server behind firewall".

Regards!

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Sat Sep 17, 2016 12:31 pm

Dear claudelu!
Maybe you can try the SecureNAT config. What do you think?
Somebody told me it is the solution when you have problems with firewalls.
One more idea:
There is an option somewhere with ICMP ping for when you have problems with a firewall
(ICMP over UDP or something similar; you can find it in the documentation).
But it is a last chance and for testing, I think.

Hope this helps
Kind regards
Richard

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Sat Sep 17, 2016 2:48 pm

mlsjwr wrote:
> Dear raafat
> Unfortunately not, so any suggestions would be appreciated.
>
> I tried to set static routes in the L3 switch but I have no positive result!
>
> I have an idea. What if the vpnbridge-running PC's network card does not
> support something?
> I don't know what, but maybe
>
> ???
>
> Regards
> Richard

Interesting! First, before I post the instructions I need some details.

Are you going to connect your branches to your HQ via a router, a PC or a server?

What are the IP subnets that are in use in your branches and in HQ?

Which networks do you want to connect to each other?

Do you want the branches' IP hosts to access the Internet through the VPN, or should only some traffic be routed through the VPN?

Do you want the communication between branches and HQ to be two-way or one-way?


Good luck!

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Sun Sep 18, 2016 9:43 am

Dear Raafat!
Thank you in advance for any suggestions. It always helps when new ideas come to light!

So my scenario is:
I have 3 sites with a broadband connection as follows.
Each site has a MikroTik router (not exactly the same model but almost).
There is a DDNS set, and I can reach each site.

Site 1
Let's say it is the HQ (ISP UPC)
I have an HP MicroServer running Ubuntu 64-bit, and SE vpnserver running on this MicroServer in a VM (Ubuntu 32-bit).
The VM's Ethernet cards have promiscuous mode enabled, and ip_forward is set to 1 in sysctl.
There are some devices on the site (IP cameras, PCs, VMs, TV).

Site 2
Branch 1 in another city (ISP UPC)
There is a PC here running Ubuntu 64-bit, and SE vpnbridge is running directly on it.
Promiscuous mode enabled, and ip_forward is set to 1 in sysctl on the PC.
(At this moment SE vpnserver just for test; I tried with vpnbridge earlier, but the situation was the same.)
There are some devices on the site (IP camera, DVR).

Site 3
Branch 2 in the same city as HQ (ISP DIGI with PPPoE connection)
There is a PC here running Ubuntu 32-bit, and SE vpnbridge is running directly on it.
Promiscuous mode enabled, and ip_forward is set to 1 in sysctl on the PC.
(At this moment SE vpnserver just to test; I tried with vpnbridge earlier, but the situation was the same.)
There are some devices on this site (DVR, Windows PC).

We have 2 possibilities, L2 bridge or L3 switch with IP routing, right?
I do not want an L2 bridge since I would have to redesign the network.
I would have to set the IP range for each site to avoid overlapping.
In this case it would be a large network. I tried it just to test if it works:
I connected each site to 1 hub which was local-bridged to the network, and I set a VM on Site 2 to have a Site 1 IP.
I was able to ping it and reach it through SSH from Site 1, and I could reach Webmin also. So it seemed to be OK.

The reason I would like to use IP routing instead of a bridge is that I do not want to redesign the IP ranges,
and I think it is easier to control the reachability of the sites.
Normally it is enough to reach Site 2 and Site 3 from Site 1 (HQ). But sometimes it is
useful when I can reach the HQ from a branch. When I set a hub for each site on the HQ server
and I want to block access, then it is enough to put the actual hub offline,
or to turn off the static route on the router, or just stop the L3 switch on the server
where the hubs are connected.

The interesting thing is I can reach Site 2, where I have the same ISP. I don't know if it is significant but...
Here is a ping from HQ to the Site 2 DVR. I always have 2 request timeouts then 2 replies; with the next ping there are replies for all 4 requests.

Pinging 192.168.88.150 with 32 bytes of data:
Request timed out.
Reply from 192.168.88.150: bytes=32 time=22ms TTL=62
Reply from 192.168.88.150: bytes=32 time=30ms TTL=62
Reply from 192.168.88.150: bytes=32 time=46ms TTL=62

I can also ping the IP camera at the site, and the router, but not the vpnbridge or vpnserver PC!
I cannot access anything on Site 3, except the router. Nothing else. Can't ping the DVR or the switch at the site.
Pinging the Windows PC from the branches was never successful even if I turned off the Kaspersky antivirus software completely.
Pinging the router's private IP is successful from the other sites.
I tried to make a hairpin NAT rule but it did not help, and I think it is only needed to access something on the external IP
of the router.


So now the answers to your questions

> Are you going to connect your branches to your HQ via a router or a PC or a server?
The branches are connected through a router.

> What are the IP subnets that are in use in your branches and in HQ?
All subnets are different: 192.168.88.0/24, 192.168.89.0/24, 192.168.90.0/24.
Like a scenario in the documentation.

> Which networks do you desire to connect to each other?
As I wrote before, mainly I would like to connect from HQ to the branches, but sometimes
there is a need to connect from a branch to HQ (for example to print something out at home).

> Do you want the branches' IP hosts to access the Internet through the VPN, or should only some traffic be routed through the VPN?
For Internet access it would be good to use the local Internet connection. At this moment there is no big Internet
traffic at the site; it is a good idea to leave the bandwidth just for communication between the networks.
But I have to say I would like to know how to route the Internet traffic through the VPN connection. It may be useful one day!

> Do you want the communication between branches and HQ to be two-way or one-way?
I think there is an answer to this question above.

Thank you in advance for any suggestions
Kind regards
Richard

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Sun Sep 18, 2016 8:34 pm

I caught this sentence in the documentation:

5.3.5

Please note that the local bridge function is not available in VPN Bridge for operating systems other than Windows, Linux, or Solaris. Therefore, VPN Bridge is not very useful on operating systems other than Windows, Linux, or Solaris. However, the SecureNAT function can be used.

But the documentation also has
9. Installing SoftEther VPN Bridge
9.3 Install on Linux and Initial Configurations

So what?

Is it or is it not available for Linux OS?

Kind regards
Richard

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Sun Sep 18, 2016 8:42 pm

Hello there! I am going to break down my instructions into several stages, meaning we will move on to the next stage once we finish the previous one successfully. Also, so as not to end up in a situation where I have to solve the problems of other people's suggestions, I am going to instruct you from the beginning. Here we go (:.


First stage, HQ side, SE server:

** Create a router and name it BlackCastle, or whatever you would like to call it.

** Create a virtual hub; let's name it HQGate.

** Bridge the HQGate hub to the interface that is connected to your internal network. Make sure "Promiscuous mode" is enabled on the interface that is connected to your internal network.

** On the just-created BlackCastle router, create a virtual interface and set "Destination Virtual Hub Name" to the HQGate hub. Since HQ's IP subnet is 192.168.88.0/24, we're going to set the virtual interface IP address to 192.168.88.253/24.

** Ping the virtual IP address 192.168.88.253 from your router or any host on the same segment (internal network) to make sure that the virtual interface is reachable and the bridge function is working correctly.


I am waiting for your confirmation that "192.168.88.253" is reachable from your internal network, that is, 192.168.88.0/24.


Good luck (:

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Sun Sep 18, 2016 9:38 pm

Dear raafat!
Actually I have already set up this scenario. The only difference is the names.
The HQ subnet is 192.168.89.0/24 and the interface for the HQ hub is 192.168.89.254.
As I wrote, the vpnserver is running on an Ubuntu VM. And this VM is running on VMware on the HP MicroServer.
The VM's network card has promiscuous mode enabled. Earlier I set the HP MicroServer's network card
to promiscuous mode also. The VM is a bridged VM, so for me it would be logical to set it, because if
the physical network card does not see all packets on the network, why would we expect the bridged
virtual Ethernet card to see them? Unfortunately it has no effect on the problem.

So
I pinged 192.168.89.254 from a simple Windows PC on the LAN and I get 4 replies with <1 ms and TTL=255.
The interesting thing is that at this moment I have NO local bridge set (no tap and no simple local bridge)
but I still have replies from the L3 switch.

???? How could it be?
Actually I was trying and testing the SecureNAT option because of the Linux local bridge non-support.
That's why I removed the bridges everywhere.

One more interesting thing. I just turned on the PC on the site which does not work and added
a simple local bridge to the vpnserver at that site, and I can ping successfully from the router
192.168.89.254,
192.168.88.254 and
192.168.90.254
which are the interface IPs of the L3 switch for the hubs on the server.
What is more, I can ping all these interface IPs from the HQ LAN with that Windows PC.

Thank you very much raafat
Have a nice day
Richard
Last edited by mlsjwr on Sun Sep 18, 2016 9:45 pm, edited 1 time in total.

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Sun Sep 18, 2016 9:42 pm

mlsjwr wrote:
> Dear raafat!
> Actually I have already set up this scenario. The only difference is the
> names.
> The HQ subnet is 192.168.89.0/24 and the interface for the HQ hub is
> 192.168.89.254.
> As I wrote, the vpnserver is running on an Ubuntu VM. And this VM is running on
> VMware on the HP MicroServer.
> The VM's network card has promiscuous mode enabled. Earlier I set the HP
> MicroServer's network card
> to promiscuous mode also. The VM is a bridged VM, so for me it would be
> logical to set it, because if
> the physical network card does not see all packets on the network, why
> would we expect the bridged
> virtual Ethernet card to see them? Unfortunately it has no effect on the
> problem.
>
> So
> I pinged 192.168.89.254 from a simple Windows PC on the LAN and I get 4
> replies with <1 ms and TTL=255.
> The interesting thing is that at this moment I have NO local bridge set (no tap
> and no simple local bridge)
> but I still have replies from the L3 switch.
>
> ???? How could it be?
> Actually I was trying and testing the SecureNAT option because of the Linux
> local bridge non-support.
> That's why I removed the bridges everywhere.
>
> One more interesting thing. I just turned on the PC on the site which does
> not work and added
> a simple local bridge to the vpnserver at that site, and I can ping successfully from the
> router
> 192.168.89.254,
> 192.168.88.254 and
> 192.168.90.254
> which are the interface IPs of the L3 switch for the hubs on the server.
>
> Thank you very much raafat
> Have a nice day
> Richard


Kindly follow the instructions as closely as you can. Consider the HQGate interface to be 192.168.89.253.

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Sun Sep 18, 2016 9:45 pm

By the way, disable SecureNAT function completely.

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Sun Sep 18, 2016 9:52 pm

SecureNAT disabled,
local bridge created,
L3 switch HQGate hub interface with IP 192.168.89.253 added.
Unfortunately no reply to ping :(

Sorry, I pinged 88.253.

89.253 replies correctly.

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Sun Sep 18, 2016 9:55 pm

mlsjwr wrote:
> SecureNAT disabled,
> local bridge created,
> L3 switch HQGate hub interface with IP 192.168.89.253 added.
> Unfortunately no reply to ping :(

Make sure "Promiscuous mode" is enabled on the interface that is connected to your internal network.

Make sure you have re-enabled the router after you finished adding the new IP.

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Sun Sep 18, 2016 9:57 pm

Sorry, sorry,
I just mistyped the IP.
192.168.89.253 replies,
from the HQ site also
and from the branch also.

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Sun Sep 18, 2016 10:13 pm

Good news! Just to be clear: on the BlackCastle router we now have the HQGate hub, and there is an interface on the router that is connected to the HQGate hub and is reachable from your internal network, right?


Delete the bridge that you have just created and try to ping 192.168.89.253; you should get no response. Then enable it back, and this time you should get some responses, right?

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Mon Sep 19, 2016 9:10 am

I am sorry, but maybe I did not write it clearly. Sorry for that.

I already have the whole setup, with 3 sites, 3 hubs on the server,
with the L3 switch, with online cascade connections to the hubs for the 2 branches
and with static routes on the physical routers!
I have HUB1, HUB2, HUB3 (HUB1 is HQGate in this manner; HUB2 and HUB3 are for the branches).
So I just changed in the L3 switch the interface IP for HUB1 (HQGate) from 192.168.89.254 to 192.168.89.253
as you told me.
Do you prefer that I do factory defaults and set everything up from default?

Yes, when the local bridge is created for HUB1 (HQGate) ping replies, and with no local bridge
the destination is not reachable.

The images are the result:
1 you can see when I enabled the local bridge
2 with the local bridge enabled

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Mon Sep 19, 2016 9:47 am

Great! Yes, I highly recommend resetting everything to default; that is why I am instructing you from the beginning (:. Let's move on to the next stage. Remember, I always assume that you've followed me as precisely as you could.


*** Second stage (BlackKhight)

* Create a virtual hub and let's name it BlackKhight.

* On the BlackCastle router, create a virtual interface and set "Destination Virtual Hub Name" to the BlackKhight hub. You have to choose the IP address of this interface as a valid IP address from the branch's subnet; let's choose 192.168.88.253/24.

* Create a username/password to connect to the BlackKhight virtual hub.

* Install an SE Bridge on a machine that is hosted on the branch's side.

* Bridge an interface to the just-created bridge on the machine that is on the branch's side. The interface should be connected to the branch's internal network.

* Create a cascade connection and make sure that the cascade connection is "Online" after setting the required values for the connection.

* Ping the BlackKhight hub's interface IP address from any host on the branch's side, just as you did with the HQGate hub.

* Finally, make sure that when you delete the bridge that is on the branch's side, BlackKhight's IP address becomes unreachable.


Good luck (:

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Mon Sep 19, 2016 10:17 am

I will skip the third branch because by the time you finish this with me you will have a full understanding of how to add more branches to your VPN network.


Routing stage

First of all, I would like to know whether you can modify the routing table of HQ's router and the branch's router.

What kind of routers are you using at your headquarters and at the branches?

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Mon Sep 19, 2016 10:44 am

Dear raafat!
I did not do a reset because I already have everything set up; I did everything like you said up to now.
But if you say
"Now it should work!"
and it does not, then I will quickly do the factory resets everywhere and all the settings from the beginning.

So I have deleted the 192.168.90.254 interface in the L3 switch for the branch with the 192.168.90.0/24 network
and added HUB3 with the 192.168.90.253 IP.
The cascade connection is OK from the branch, and I can ping 192.168.90.253 from the router.
The loss you can see is because of the L3 switch shutdown for the time I set the new interface, so that is OK.
When the local bridge at the site is deleted, the ping from the branch does not reply. So OK.

Just a note: I have installed vpnserver, not vpnbridge, at all branches, because that way I can accept
VPN connections from mobile devices directly to those sites.
Originally I had vpnbridge installed at the branches, but the situation was exactly the same.

I am waiting for your next instructions :)

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Mon Sep 19, 2016 10:52 am

So your branch subnet is 192.168.90.0/24. Have you tested pinging BlackKhight's IP address (192.168.90.253) from "hosts on the branch side, including the branch's router"?

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Mon Sep 19, 2016 11:07 am

Yes, I can ping 192.168.90.253 from the router at the branch.

I fully agree: when we have 1 branch working, then adding more should not be a problem.

The answer to your question on routing:
I have full control of the routers on each site. Each site has MikroTik routers which can be managed by
MikroTik's software "Winbox". I can reach them from outside and from inside. So I have full control of them.
Two branches have MikroTik 951Ui-2nD routers; the difference between them is that one is older than the other.
The HQ has the same model, but the gigabit version of that router. I have static routes set on the routers,
but the gateway is 192.168.X.254, since that was the L3 switch interface until now.

Here is a picture of the Winbox software so you can see what I can do with the router.

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Mon Sep 19, 2016 11:17 am

Routing stage

On the branch's router add a static route that corresponds to this:

Every packet destined for "192.168.89.0/24" should be routed to "192.168.90.253" (BlackKhight's IP address)

and on HQ's router:

Every packet destined for "192.168.90.0/24" should be routed to "192.168.89.253" (BlackCastle's IP address)

"No static routes on the SE server are needed."

With a few assumptions, every host on the branch side should now be able to ping every host on the HQ side and vice versa.


let's see what you get back!
Last edited by raafat on Mon Sep 19, 2016 11:23 am, edited 3 times in total.
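
The stages raafat lays out above (one virtual hub per site, one virtual L3 switch interface inside each site's subnet, a local bridge and cascade from each branch, static routes on the physical routers, no routes on the SE server itself) collected into one planning script. This is an added example, not SoftEther's own code and not something posted in the thread. The vpncmd command names are the ones documented for SoftEther VPN Server/Bridge (check them against your version's `vpncmd` help); the hostname hq.example.com, the user names, the Linux device name eth0 and the passwords are placeholders, and the third site's hub name is made up here because the thread never names it.

```python
"""Plan the SoftEther L3-switch site-to-site layout from this thread and
emit the vpncmd batches and RouterOS static routes that implement it.

Added example; not SoftEther code. Addresses are the ones used in the
thread, everything else (hostname, users, passwords, eth0) is a placeholder.
"""
import ipaddress

# Constructed from the thread: HQ is 192.168.89.0/24, branches .90 and .88,
# physical router at .1, virtual L3 switch interface at .253 in each subnet.
HQ = {"name": "HQGate", "subnet": "192.168.89.0/24",
      "router": "192.168.89.1", "l3_if": "192.168.89.253"}
BRANCHES = [
    {"name": "BlackKhight", "subnet": "192.168.90.0/24", "router": "192.168.90.1",
     "l3_if": "192.168.90.253", "user": "branch2"},
    {"name": "Branch1", "subnet": "192.168.88.0/24", "router": "192.168.88.1",
     "l3_if": "192.168.88.253", "user": "branch1"},   # hub name is a placeholder
]
ROUTER_NAME = "BlackCastle"   # the virtual L3 switch


def validate_plan(hq, branches):
    """Return a list of plan problems (empty when the layout is consistent).

    Rules the thread converges on: the L3 interface and the physical router
    must both lie inside the site's subnet, must differ from each other, and
    the site subnets must not overlap (L3 routing needs distinct prefixes).
    """
    problems, seen = [], []
    for site in [hq] + branches:
        net = ipaddress.ip_network(site["subnet"])
        for key in ("router", "l3_if"):
            if ipaddress.ip_address(site[key]) not in net:
                problems.append(f"{site['name']}: {key} {site[key]} is not inside {net}")
        if site["router"] == site["l3_if"]:
            problems.append(f"{site['name']}: L3 interface must not reuse the router address")
        for other in seen:
            if net.overlaps(other):
                problems.append(f"{site['name']}: {net} overlaps {other}; use distinct subnets")
        seen.append(net)
    return problems


def _mask(cidr):
    return str(ipaddress.ip_network(cidr).netmask)


def hq_vpncmd(hq, branches, lan_device="eth0"):
    """vpncmd batch for the HQ VPN Server: hubs, local bridge, L3 switch."""
    cmds = [f"HubCreate {hq['name']}",
            f"BridgeCreate {hq['name']} /DEVICE:{lan_device} /TAP:no",
            f"Hub {hq['name']}", "SecureNatDisable",
            f"RouterAdd {ROUTER_NAME}",
            f"RouterIfAdd {ROUTER_NAME} /HUB:{hq['name']} /IP:{hq['l3_if']}/{_mask(hq['subnet'])}"]
    for b in branches:
        cmds += [f"HubCreate {b['name']}",
                 f"Hub {b['name']}", "SecureNatDisable",
                 f"UserCreate {b['user']} /GROUP:none /REALNAME:none /NOTE:none",
                 f"UserPasswordSet {b['user']} /PASSWORD:CHANGE-ME",
                 f"RouterIfAdd {ROUTER_NAME} /HUB:{b['name']} /IP:{b['l3_if']}/{_mask(b['subnet'])}"]
    cmds.append(f"RouterStart {ROUTER_NAME}")   # no RouterTableAdd: both subnets are connected
    return cmds


def branch_vpncmd(branch, hq_host="hq.example.com:443", lan_device="eth0"):
    """vpncmd batch for a branch VPN Bridge: local bridge plus cascade to its hub."""
    return ["Hub BRIDGE",
            f"BridgeCreate BRIDGE /DEVICE:{lan_device} /TAP:no",
            f"CascadeCreate tohq /SERVER:{hq_host} /HUB:{branch['name']} /USERNAME:{branch['user']}",
            "CascadePasswordSet tohq /PASSWORD:CHANGE-ME /TYPE:standard",
            "CascadeOnline tohq"]


def routeros_routes(site, others):
    """RouterOS static routes for one site's physical router: each remote
    subnet via the L3 switch interface that sits in this site's own subnet."""
    return [f"/ip route add dst-address={o['subnet']} gateway={site['l3_if']}" for o in others]


if __name__ == "__main__":
    for p in validate_plan(HQ, BRANCHES):
        print("PLAN ERROR:", p)
    print("\n".join(hq_vpncmd(HQ, BRANCHES)))
    for b in BRANCHES:
        print("\n".join(branch_vpncmd(b)))
        print("\n".join(routeros_routes(b, [HQ])))
    print("\n".join(routeros_routes(HQ, BRANCHES)))
```

Run it and paste each batch into `vpncmd` on the corresponding machine (server mode, then `Hub`/`RouterAdd` as emitted) and the `/ip route` lines into Winbox's terminal. The validator catches the two slips the thread shows are easy to make: an interface address outside the hub's subnet, and two sites on the same prefix, which only works in the L2-bridge setup the poster rejected.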

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Mon Sep 19, 2016 11:20 am

Actually I have only 1 PC at the 192.168.90.0/24 site, which is the vpnserver PC, and
it is better if I ping from an independent device. That's why I pinged from the router.
There is a DD-WRT router at the site acting as AP and switch, but I am not sure if
DD-WRT can ping; maybe from the SSH terminal.

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Mon Sep 19, 2016 11:30 am

So here is the result. This is what I have been saying all the time.
I set everything earlier as you said now, and I have this problem.

I tried first with certificate authentication, now with password; earlier with vpnbridge, now with vpnserver.
I tried with a tap device and with a simple local bridge.
The situation is always the same.

The only thing I can ping at the branch is the router. 192.168.90.150 is the DVR, which answers the ping
from the router, or from a local machine connected there, but not from the 192.168.89.0/24 network.

:(

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Mon Sep 19, 2016 11:34 am

At the other branch, 192.168.88.0/24, there is a DVR with address 192.168.88.150 which answers
the ping from 192.168.89.0/24.

When I start the ping, the first 2 replies do not arrive but the third and fourth answer.
With the next ping all 4 requests get replies.

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Mon Sep 19, 2016 12:02 pm

mlsjwr wrote:
> So here is the result. This is what I have been saying all the time.
> I set everything earlier as you said now, and I have this problem.
>
> I tried first with certificate authentication, now with password; earlier
> with vpnbridge, now with vpnserver.
> I tried with a tap device and with a simple local bridge.
> The situation is always the same.
>
> The only thing I can ping at the branch is the router. 192.168.90.150 is
> the DVR, which answers the ping
> from the router, or from a local machine connected there, but not from
> the 192.168.89.0/24 network.
>
> :(

Is the branch's router reachable from 192.168.89.0/24? How do you test that?

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Mon Sep 19, 2016 12:18 pm

I need you to change the IP settings of the DVR that is on the branch side to this:

192.168.90.150 (already set)
255.255.255.0 (already set)
192.168.90.253 (new value, which is BlackKhight's IP address)

Then, try to ping again from HQ's subnet 192.168.89.0/24


let's see what you get back!

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Mon Sep 19, 2016 12:47 pm

I can reach the branch router by DDNS from outside, but actually the router is
accessible by its private IP also (I assume through the VPN connection).
You can see the traceroute from 192.168.89.0/24 goes first to
192.168.89.1, then 192.168.89.253, then 192.168.90.1.
It seems to be a correct route to the 192.168.90.0/24 network from 192.168.89.0/24.

The router has options to do traceroute, ping, IP scan and a set of testing options, so I can
ping directly from the router.

You mean I have to change the default gateway of the DVR to 192.168.90.253?
I am not at the site, so any network settings changes must be done carefully, because
I do not want to lose the connection to the site. But changing the default gateway may not cause
problems if the IP address does not change.
At this moment the DVR gets its IP from DHCP in the router. Some leases are set to get the same IP, for access from the Internet.
If I change the default gateway, the DVR will not be accessible from the Internet.

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Mon Sep 19, 2016 1:18 pm

I thought a little bit.
I have access to the DVR through port forwarding from the Internet.
I do not have the management software for the DVR at the site,
which means I can make changes from the Internet only.
If I change the gateway, will I have access to the DVR?
If not, I cannot restore the access to the DVR.

??
What do you think?
Last edited by mlsjwr on Mon Sep 19, 2016 1:23 pm, edited 1 time in total.

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Mon Sep 19, 2016 1:19 pm

Change it temporarily to test how the DVR responds after the change. However, if you change the DVR's IP settings, the result depends on the topology of your networks. Basically the DVR should be accessible through the VPN. As I said, change it temporarily to test how the DVR responds.



Waiting...
Last edited by raafat on Mon Sep 19, 2016 1:30 pm, edited 1 time in total.

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Mon Sep 19, 2016 1:21 pm

If you have a machine with TeamViewer installed then it's OK; do you? Do you have other devices inside the branch?
Last edited by raafat on Mon Sep 19, 2016 1:29 pm, edited 1 time in total.

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Mon Sep 19, 2016 1:26 pm

Also, if you can contact anyone who works in the branch and who has access to the DVR, then it's OK to ask him to assist you with that. It's a little test but with a great result regarding what is happening with you (:

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Mon Sep 19, 2016 2:07 pm

I have a better idea. The only PC on that site is the vpnserver PC, which is Ubuntu 32-bit. I am not sure, but I think there is no 32-bit version of TV for Linux. Or maybe it is VMware?!?!?
I am not sure, but anyway, I have VirtualBox on that PC and there is also an Ubuntu 32-bit installed with no GUI, just for test purposes.

I can access the bridge PC via SSH, or an SSH tunnel for xrdp also, so I can manage the VirtualBox VMs.

What do you think if I change the gateway for that VM?
But in this case there is a bridged VM running on a physical PC, and I am not sure whether in this case it acts as a fully functional PC.
In this case we have a virtual machine's network card running on a real physical network card.
I don't know if it is just sending the Ethernet frames as a totally separate network card.
But let's try. I'll do the tests and come back with the results.

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Mon Sep 19, 2016 2:22 pm

Is the PC that has VirtualBox separate from the machine that hosts the SE server? If you have a laptop and you can contact someone via a smartphone, that is good.

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Mon Sep 19, 2016 2:35 pm

Things are going to get complicated. I would suggest sticking to the DVR device if you can contact someone in that branch, or if you can guide someone with his laptop that will be much better. What about the other branch?


Good luck (:

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Mon Sep 19, 2016 2:42 pm

The VirtualBox VM is just a simple Ubuntu minimal, just for test purposes, which actually helped us.
The SE vpnserver is not running on a virtual machine at the sites, it runs directly on the PCs.

But we've got the results:

I set the VirtualBox VM at the branch to have IP 192.168.90.121/24 GW 192.168.90.253
and I was able to ping 192.168.90.121 from 192.168.89.0/24 network

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Mon Sep 19, 2016 2:51 pm

mlsjwr wrote:
> the Virtualbox VM is just a simple ubuntu minimal, just for test purposes,
> what actually helped us.
> the SE vpnserver is not running on virtual machine at the sites, it runs
> directly on the PCs
>
> but We've got the results
>
> I set the VirtualBox VM at the branch to have IP 192.168.90.121/24 GW
> 192.168.90.253
> and I was able to ping 192.168.90.121 from 192.168.89.0/24 network

That clearly means your problem is not with the DVR, your problem is with the branch's router. Double check what is going on with that router. Also, since you got a response after setting the GW to 192.168.9.251, if you do the same thing to your DVR, the DVR will most likely be accessible through VPN.

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Mon Sep 19, 2016 3:04 pm

You have to try it (:. Try to change the default IP address of the DVR device to 192.168.90.253, then the DVR device will be accessible through the VPN connection. Just test and let's see what you get back!


Good luck (:

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Mon Sep 19, 2016 3:45 pm

I tried, I set the DVR's GW to 192.168.90.253 and I can reach it with its software
on the 192.168.90.150 IP address from the 192.168.89.0/24 network.

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Mon Sep 19, 2016 3:55 pm

mlsjwr wrote:
> I tried, I set the DVR's GW to 192.168.90.253 and I can reach it with its
> software
> on the 192.168.90.150 IP address from the 192.168.89.0/24 network.

Great!. As I said, the problem is with the branch's router. If you set the gateway of each host to 192.168.90.253, then each host will be accessible through the VPN connection.

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Tue Sep 20, 2016 10:56 am

Did you catch your problem?

claudelu
Posts: 32
Joined: Mon Aug 29, 2016 11:42 pm

Re: VPN with 3 sites

Post by claudelu » Tue Sep 20, 2016 6:40 pm

Hi raafat,

I see you're pretty good at this.
Is there a chance, after mlsjwr's problem is solved, that you can guide me with my topology SE VPN configuration?

Regards!

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Tue Sep 20, 2016 8:33 pm

Dear raafat,
Thank You very very much for Your help. I am much much closer to solving the problem,
but unfortunately the problem is not found yet.

It is very good that I have confirmation that what I did till now was good, and
I know it should work with these settings.

I have set the static route on each router which should tell the hosts where to find the
other network. I can ping each gateway from each network, each router from each network,
but when I want to ping a host on the other network it only partially works.
For example:
I can ping all hosts on 192.168.88.0/24 from the 192.168.89.0/24 network.
I cannot ping any host on 192.168.89.0/24 from the 192.168.88.0/24 network,
even if I have set the static route on both routers.

I was struggling all day with the router settings but I cannot find why the packet does not go
through the router.
Maybe some firewall rules, or maybe I have to set the addresses option for that route.
I don't know. I have to figure it out, or ask the router vendor.

I have to go abroad for a few days so I can't work on it, but I will not give up,
thanks to You.

Just give me some time, and I will continue. And if I catch the problem I will write.

kind regards
Richard

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Tue Sep 20, 2016 9:53 pm

Great to hear that (:. Your problem is not related to "routing". If you ping another host on another network from your network, and you get back a response from that host, then there is no problem related to routing. Check if you have any ACLs enabled on the branches' routers, maybe, who knows? The more details you provide, the more likely it is that you will catch your problem. Maybe you would like to share with us more details about your topology.


Good luck (:.

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Tue Sep 20, 2016 9:59 pm

claudelu wrote:
> Hi raafat,
>
> I see you're pretty good at this.
> Is there a chance, after mlsjwr's problem is solved, that you can guide me
> with my topology SE VPN configuration?
>
> Regards!

Could you provide me a link to your topic?

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Wed Sep 21, 2016 8:04 pm

ACL is applied only for wireless. There are some basic firewall rules which are set
after factory reset.
I cannot ping hosts on the other sites. It is not fully true, but let me explain:
The only thing I can ping is the router, for example 192.168.89.1 from the 192.168.90.0/24 network.

And there is only one site, the 192.168.88.0/24, where I can ping and reach the hosts from the
192.168.89.0/24 network. I can ping 192.168.88.150 from the 192.168.89.0/24 network and
first it will reply only for the last 2 ping requests, then for all of them.
I will try some wiresharking to see what is happening or

Does it help if I send the firewall filter rules of the router?

add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=accept chain=input comment="Winbox Wan access" dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface=ether1

I will continue from home
kind regards
Richard

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Thu Sep 22, 2016 1:57 pm

Hello There!. I would like to suggest disabling any ACL, including ACLs related to wireless traffic, on the branch's router after doing a reset. Do you mean that the problem is only present on the branch's router? What about the other branch's?

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Mon Sep 26, 2016 8:59 pm

Dear raafat!
I did 2 ping tests.
At the server site 192.168.89.0/24
I pinged 192.168.90.121, which is a VirtualBox VM running on the branch site vpn server machine.
It has a static IP set in the /etc/network/interfaces file with the 192.168.90.1 (the router) gateway address
(broadcast, network, mask, etc.)

At the branch site 192.168.90.0/24
I pinged the HP microserver (Ubuntu) from 192.168.90.121 (VirtualBox VM).
I got the strange (DUP!) responses ??? What is it? I must do some searching on the internet :)

The result can be seen on the attached image.

Facts:
When I set the L3 Switch interface addresses as the gateway in devices, I get responses for all requests
and I get quick responses for those requests.
When the gateway is the router IP, I don't get responses for the first requests, as You can see in my previous
images, but later I get the responses (for example 3rd and 4th). These seem to be a bit slower for me.
I cannot ping Windows hosts. When I ping a Windows host I get this:
From 192.168.90.1: icmp_seq=2 Redirect Host(New nexthop: 192.168.90.253)

This is a ping from 192.168.90.121 (Ubuntu) to 192.168.89.10 (Win8).

I do not believe the ACL for Wifi has any effect on routes or ping since it controls only the MAC addresses which
can connect to the wifi interface. But of course I will try, just to be sure.

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Thu Sep 29, 2016 4:53 pm

Hello raafat!
I tried to turn off the wireless ACL with the following results:

I turned off the ACL, which had no effect on ping or traceroute to 192.168.90.150 (DVR) from the 192.168.89.0/24 network.

Then

I turned on the ACL, and I was able to ping and traceroute the DVR ?!?!?!? Whaattt?
It was still not possible to ping any Windows host on the 192.168.89.0/24 network.
After a few days the situation is the same as it was before. I cannot reach hosts on the branch site.

I asked the router vendor's expert whether the wireless ACL has any effect on routing or packets,
but it seems not.

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Thu Sep 29, 2016 10:49 pm

mlsjwr wrote:
> Hello raafat!
> I tried to turn off the wireless ACL with the following results:
>
> I turned off the ACL, which had no effect on ping or traceroute to
> 192.168.90.150 (DVR) from the 192.168.89.0/24 network.
>
> Then
>
> I turned on the ACL, and I was able to ping and traceroute the DVR ?!?!?!?
> Whaattt?
> It was still not possible to ping any Windows host on the 192.168.89.0/24
> network.
> After a few days the situation is the same as it was before. I cannot reach
> hosts on the branch site.
>
> I asked the router vendor's expert whether the wireless ACL has any
> effect on routing or packets,
> but it seems not.

Hello There!. Are both Windows-based clients, which are on different sites, in the same workgroup?

By the way, have a look at this :

https://seswan.com


Let me see you there (:.

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Fri Sep 30, 2016 7:40 am

Hello raafat,
Is it necessary to be in the same workgroup for ping?
For example the DVR has no workgroup settings, like Linux or IP cameras.
But I can ping them.
Actually at the branches there are no Windows clients. The only one is my laptop
when I am at the site. It is a member of the Windows workgroup at the HQ site.
So when I ping a Windows client at HQ it should be the same workgroup.

Are you doing a site with the correct settings?
I know it is difficult to determine a problem at someone's site, but when there is a guide
for what should work, that is a big help.
A collection of possible errors would also be a big help, like a checklist of what to check.
And some test ideas: what to test and how to test to determine what the problem is.
For example what You suggested: to change the gateway and then ping.
There should be a lot of things to try and it is a great help when you have a list of what to try.

have a nice day
Richard

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Fri Sep 30, 2016 9:38 am

Did you try to disable your laptop's firewall? If you didn't do it yet, give it a try.


Good luck (:.

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Fri Sep 30, 2016 9:57 am

By the way, are you now communicating with the DVR device through the branch's router or through the SE bridge as the next hop? I mean, what is the gateway of the DVR device?

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Fri Sep 30, 2016 4:12 pm

Dear raafat,
The laptop and the HQ host with Windows 10 have Kaspersky installed,
and it has a firewall also. I tried completely shutting down Kaspersky, which had no effect on the ping reply.

I tried to ping from a Linux host at the branch to a Windows host at HQ, but of course I will try again just to be sure.

At this moment I am (not) communicating with the DVR at the branch through 192.168.90.1
(the branch router) as a gateway. It would be the normal way, using VPN.

A host wants to reach the DVR on the other subnet:
if it knows the gateway then it goes to it, if not it goes to the router which has a static route to
the other subnet. The router tells the gateway and we are now at the other subnet,
the branch router should know the DVR since it is on the LAN, so we should now reach the DVR.

When I turned the wireless ACL off and on I could reach the DVR for a while, but later the situation returned
to the previous state. (Maybe after restarting the PC servers, I don't know.)
But I really do not believe it filters anything.

What do You think about DD-WRT?
The Win10 host is on a TP-Link 1043 router used as a switch. Can it disturb?
I tried to connect it directly also but there was no positive result.

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Fri Sep 30, 2016 10:25 pm

Firstly: I prefer to continue from where we left off last time, which came with a positive result. When you change the gateway IP address of the DVR device to be the IP address of the virtual hub's interface, the DVR device becomes reachable through the VPN connection, kindly confirm.

Secondly: you have not yet solved the problem that when you set the gateway IP address of the DVR device to be the IP address of the branch router, the DVR device becomes unreachable, kindly confirm.

Thirdly: you have to know that if your confirmation to the two previous paragraphs is positive twice, your problem isn't with the SE software, it's with the router. What the root cause of that is, that is another story. Keep the aforementioned in your mind.

Fourthly: if you don't solve the problem that is mentioned in the second paragraph, it's meaningless to try to ping hosts, because simply you have a routing problem (regarding VPN packets) present on your router.

Fifthly: although I don't think we need this test, if you desire to ping a Windows-based machine that is present on the branch's network, you first have to change the gateway IP address of that machine to be the virtual hub's interface IP address. In addition, disable any anti-virus that has control over your machine's network interface, and the firewall, and, less likely, make sure they are in the same workgroup. Obviously, working with Windows-based machines involves a few not-friendly things; it's much easier to just try from a Linux-based machine to a Linux-based machine.

Sixthly: if you have no chance of solving your router's problem, or if you think it's not worth wasting all that time on it, I suggest buying a Linksys router, specifically the WRT1200 AC (you can consider additional brands if you have no worries about money).

Seventhly: the problem of the branch's router could be anything that prevents your router from routing the VPN's packets to their final destination. ACLs, bugs, the problem could be the man on the moon! Personally, I have no problem investigating the branch's router problem further, but always keep in your mind: is it worth it?

Eighthly: based on the aforementioned, I believe that your problem has been solved regarding the SE software.


Let me know what came into your mind after reading "precisely" what I have written.


Good luck (:.

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Sat Oct 15, 2016 8:21 pm

What have you done regarding your issue?

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Mon Oct 31, 2016 9:11 am

Dear raafat

I am waiting for support from Mikrotik.
I asked if there is any issue that can block VPN packets on the router,
or
if there is any issue with the PPPoE connection.
Unfortunately they are too busy so I have no answer yet.

So I have to wait.

I just tested the network now but I cannot ping the L3 switch interface on the 192.168.88.0/24 network.
I don't know what has happened?!?!? I did not change anything.
Some updates on Ubuntu and on the router but nothing else.
ping 192.168.88.253
PING 192.168.88.253 (192.168.88.253) 56(84) bytes of data.
From 192.168.88.100 icmp_seq=1 Destination Host Unreachable
From 192.168.88.100 icmp_seq=2 Destination Host Unreachable

Local bridge is operating, L3 switch is running.

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Mon Nov 14, 2016 1:32 pm

Dear Raafat

I found the problem!

Unfortunately I still have no answer from Mikrotik, but I was just trying and I found what the reason is.

The router has a firewall rule which drops INVALID packets.

When I disable this rule, all the sites are accessible. I can ping the DVR, or switch, or any PC on 192.168.90.0/24, from 192.168.89.0/24 and vice versa.

The question is: why are these packets treated as invalid? Because of UDP? But I can't see UDP traffic on the router.
The 1194, 4500, 500 port forwards have 0 B and 0 packets in the statistics.

I know the PC running SoftEther is not accessible through the VPN. Something must be done to access its private IP.
Do You know how I can set it up to access this device? Do I have to add the tap device?

Thank You very much for Your help.

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Wed Nov 16, 2016 9:18 am

So finally the problem is SOLVED!

The problem was the firewall rule in forward chain which drops invalid packets!

I think the router treats packets from a different subnet as invalid.
For example in the 192.168.90.0/24 network a packet from 192.168.89.0/24 is treated as invalid.

I made a rule in the firewall in the forward chain to accept packets from 192.168.0.0/16 and it is working with
the "drop invalid" rule enabled. I will try to reduce the range to the 3 subnets, but I think that would also be OK.

There is one more thing I would like to solve: to access the server host.
I read a lot of posts in the forum but these are not clear to me.
Do I have to add another NIC to the host? What if it is impossible?
In my case the Raspberry Pi has 1 port and that's all. I can use a tap interface.
How?
Local bridge to tap and to eth0? Or just to tap?
When I have both of them the tap gets an IPv4 address from DHCP,
when I have only the tap interface then I have no connection to anything, so something is missing.

thank You in advance
Richard
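As an added example (not the poster's own export and not part of the thread), here is one way to write the fix described in this post in RouterOS script: the accept rule is narrowed from 192.168.0.0/16 to the three site subnets named in the thread and placed ahead of the default "defconf: drop invalid" forward rule. The address-list name, the rule comments and the scoping to the non-WAN side (ether1 is the WAN port in the poster's export) are assumptions. One caveat from how netfilter-based routers work: a packet gets connection-state=invalid when the connection tracker cannot match it to a flow it has seen, which is exactly what happens when only one direction of a site-to-site flow passes through the router, so the exemption below is kept as narrow as the page's routed prefixes allow rather than applied to all forwarded traffic.

```routeros
# Added example: exempt routed site-to-site traffic from the default
# "drop invalid" rule. Prefixes are the three site LANs from the thread;
# the list name "vpn-sites" and the comments are assumptions.
/ip firewall address-list
add list=vpn-sites address=192.168.88.0/24 comment="site LAN 192.168.88.0/24"
add list=vpn-sites address=192.168.89.0/24 comment="server site LAN"
add list=vpn-sites address=192.168.90.0/24 comment="branch site LAN"

/ip firewall filter
# Accept only traffic between listed site prefixes that arrives on a
# LAN-side interface; anything entering on the WAN port (ether1) still
# reaches the default "drop invalid" and "drop all from WAN" rules.
# place-before keeps the rule above "defconf: drop invalid" regardless of
# where the export currently lists it.
add chain=forward action=accept comment="vpn: accept site-to-site" \
    src-address-list=vpn-sites dst-address-list=vpn-sites \
    in-interface=!ether1 \
    place-before=[find comment="defconf: drop invalid"]

# Verify ordering and watch the counters while pinging across sites:
# the accept rule should count packets and "drop invalid" should not.
/ip firewall filter print stats where chain=forward
```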

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Sat Nov 19, 2016 11:10 am

I found this post:
http://forum.softether.org/viewtopic.php?t=4542&p=11204

I tried to set
SoftEther-Hub <-Local Bridge-> tap_soft <-Linux Bridge-> eth0.

but it caused me to lose the connection to the device.
I set the "life insurance", so after half an hour I got the device back.
I don't know if it was STP or what happened, but I tried the Linux bridge with STP on, which did not change anything.

Then I tried something else:
SoftEther-Hub <-Local Bridge-> eth0
SoftEther-Hub <-Local Bridge-> tap_soft

I created a Linux bridge (br0) and added a port, the tap_soft.
When br0 gets an IP address (ifconfig br0 x.x.x.x) then I can reach the
server host at this br0's IP address.
When I add eth0 to the Linux bridge, I lose the connection.

So what is the correct solution?
It was working on a Raspberry Pi, but when I set the same config at the other site on a PC, then
I can reach the bridge IP only from the local subnet, not from the other sites.
What could be wrong?

thank You in advance
Richard

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Wed Nov 23, 2016 5:31 pm

mlsjwr wrote:
> Dear Raafat
>
> I found the problem!
>
> Unfortunately I still have no answer from Mikrotik, but I was just trying
> and I found what the reason is.
>
> The router has a firewall rule which drops INVALID packets.
>
> When I disable this rule, all the sites are accessible. I can ping the DVR,
> or switch, or any PC on 192.168.90.0/24, from 192.168.89.0/24 and vice
> versa.
>
> The question is: why are these packets treated as invalid? Because of UDP? But
> I can't see UDP traffic on the router.
> The 1194, 4500, 500 port forwards have 0 B and 0 packets in the statistics.
>
> I know the PC running SoftEther is not accessible through the VPN. Something
> must be done to access its private IP.
> Do You know how I can set it up to access this device? Do I have to add the tap
> device?
>
> Thank You very much for Your help.


Hello There!. I asked you many times to confirm that there are no ACLs on the router and to disable each and every ACL on the router when we were troubleshooting your issue, and you confirmed that there are no such ACLs!

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Sat Nov 26, 2016 11:17 pm

Dear Raafat,
ACL for me means access list.
There is an access list in the router, for example for wifi devices, where You can set
the device MAC addresses which can access the network.
I saw routers with an ACL for LAN also.

My problem was not an access list, but a firewall rule which dropped packets coming from
a different subnet. The reason for dropping packets was that this rule treated packets with a
source address from a different subnet as invalid.
I did not know, and Mikrotik support did not know either.
I am very sorry for misunderstanding You.

I found a solution for the tap device, but I am not sure if it is the correct way to set it up.
I made a local bridge to the tap device
I made a local bridge to eth0
I made a Linux bridge (br0)
I added the tap device to the bridge ports
I set IPv4 for the bridge,
and I set 0.0.0.0 for the tap device and eth0
Now I can reach the server host on the address of the Linux bridge (br0).

When I add eth0 to the bridge I lose the connection to the device (probably a loop).
(This config was set on a Raspberry Pi 3, but when I set it on a PC it is not working.)

What is the correct way to set up the tap device?

thank You in advance
Richard

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Sun Nov 27, 2016 10:39 pm

Try to make your set-up like this: bridge the virtual hub to the tap device; this process should be done by SE. Then create a bridge (Linux-side, outside the SE environment) and add both tap and eth0 to it. Set an IP address on the eth0 interface.

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Thu Dec 01, 2016 8:19 am

Dear Raafat,
Works great.
The problem was that I made a local bridge to eth0 and to the tap interface also.
I needed the local bridge to eth0 because the clients did not get an IP address from the DHCP server.
When I added eth0 and the tap interface to the bridge it caused a loop.

But

when I add only a local bridge to the tap interface and add the tap and eth0 to the Linux bridge,
and set the bridge IP, then everything works fine.

So now I have everything set correctly, and it works fine.

I have 2 more things I would like to know. Would You mind if I ask these questions?
These are related to Signed certificates and to Securenat.

Thank You very much for Your kind help. You helped me a lot, I don't think I could have found the problem
without You.

Kind regards
Richard

raafat
Posts: 213
Joined: Fri Jul 03, 2015 2:21 pm

Re: VPN with 3 sites

Post by raafat » Sat Dec 03, 2016 9:51 pm

Great!. Sure, you can ask whatever you would like to ask (:.

mlsjwr
Posts: 62
Joined: Sun Jan 24, 2016 4:27 pm

Re: VPN with 3 sites

Post by mlsjwr » Sun Dec 04, 2016 12:05 pm

Dear Raafat,
Thank You very much for Your answer. So the questions:

1.)Certificates:
-------------------
So with the certificates I just need a confirmation that I understand it.
There is no question about the simple certificate, that is what it is. But the question is about signed certificates.
In my situation: 3 sites with L3 routing, 2 sites with a cascade connection to the main site.

Does the signed certificate give extra security, or is it not significant?
If yes, just confirm that I understand the settings correctly:
1 I make a self-signed certificate to have a root certificate.
2 It is enough for me to have 1 server certificate for each site, so I import this certificate for each server.
3 I create users for the cascade connections with signed certificates, using the previous self-signed certificate for signing.
4 I set "always verify server's certificate" for the cascade connections, and I add the server certificate to the trusted certificate list.
Is it correct?

2.) SecureNAT
I do not really understand the purpose of SecureNAT.
What is the situation in real life when I can use it?
Is it a subnet accessible only from the subnet?
Does it make sense to use SecureNAT when I have site-to-site with a local bridge?

Is the following a case for using SecureNAT?
I need a PC on the network that has access to the LAN but has all incoming and outgoing
traffic outside the network blocked.
In other words I want to access that PC (for example RDP, file share, printer),
and I would like to access printers on the network from the PC, but block any access to the internet
and from the internet.
I know I can set no gateway on that PC, but unfortunately there is software installed on it, so it would be
difficult to reorganize the administrator rights, so any user has access to the IP settings. So it would be good
to have a superior solution. I just want to know, just because of my curiosity. If it is not the right way,
I can do it with firewall rules in the router (it is something like iptables).

It was 2 question topics, not just two questions, sorry for that :)

Thank You very much in advance
kind regards
Richard
