Page 1 of 1

Subnet routing via Firewall

Posted: Fri Oct 18, 2019 3:29 pm
by ultramizer
Hi folks

So we have a really complex Setup using differents Subnets and Zones with Juniper Firewalls and Juniper Switches. We are now replacing an old MacOS L2TP Server with SoftEther with using RADIUS.
We are using a Subnet in a Zone that is configured on the Firewall, directly on this Firewall i have connected the SoftEther installation. The Server is running on Subnet 192.168.20.0/24. The old MacOS Server has the IP 192.168.20.2, gateway is 192.168.20.1. The VPN Users got IPs from 192.168.20.5 - 192.168.20.40
Now i have installed SoftEther and configured everything, the Server can connect to the other different subnets which are made on switches behind the firewall. Routing is everything configured on the switches and on the firewall. So we have Subnets 192.168.111.0/24, 192.168.110.0/24, 192.168.4.0/24, 192.168.6.0/24, 192.168.8.0/24, 192.168.10.0/24. So as i said, the SoftEther is running on Windows 10 at the moment and is running on 192.168.20.50. On this Windows machine i can connect to all the other Subnets just fine, no problem. Since we have no DHCP on the 192.168.20.0 Subnet, i have activated the DHCP Server that comes with SoftEther. I have configured the DHCP of SoftEther to give out IPs starting from 192.168.20.5 to 20.40.
Now when i connect a VPN Client, it successfully connects and gets an IP from that range. However, it seems to be stuck in its own Network... It seems like it has no connection outside it's own 192.168.20.0 Subnet. I can't ping the VPN Client from the 192.168.20.2 machine, so it seems it's somehow stuck in a bubble.
Now how can i get this machine outside it's 192.168.20.0 bubble into the correct 192.168.20.0 subnet? I can't figure it out... I have tried Bridging and i have tried SecureNAT and i have tried Virtual Layer 3 switches but i have no clue how to do it... Maybe somebody can help...

Re: Subnet routing via Firewall

Posted: Fri Oct 18, 2019 6:02 pm
by ozone
Hi,

How have you configured the SE server??
Does it have a virtualhub (where the vpn-clients connect to) bridged to the ethernet port of the windows machine?
(you do mention that you tried bridging, but -how- did you try?)

Other fault may be the built-in windows firewall.

Lastly, the softether-dhcp must include the correct gateway (192.168.20.1) in it's leases, and not the ip of the SE server (192.168.20.50).
Only 192.168.20.1 will route to the other subnets. 192.168.20.50 is just a device on the 192.168.20.0 subnet, not a router (in this case).

Hope this helps,

Oz

Re: Subnet routing via Firewall

Posted: Sat Oct 19, 2019 2:06 pm
by ultramizer
Hi, thanks for your answer! So right now, i have the following configuration:
- Windows 10 Pro, virtually installed on ESXi/vCenter, one Network Adapter configured, which in ESXi is directly connected to the Firewall
- Windows 10 Firewall completely disabled!
- Windows 10 Network Adapter configured using IPv4 manual config to IP 192.168.20.50, 255.255.255.0, 192.168.20.1, DNS 192.168.110.21
- One Virtual Hub
- RADIUS Authentication setup and working using Radius Server 192.168.111.XX
- No Groups, no Access Lists, no Clustering, no Cascade Connections
- Secure NAT Configuration: MAC Adress set to some MAC Adress, IP Adress: 192.168.20.1, Subnet 255.255.255.0
- Use Virtual NAT Settings: Disabled!
- Virtual DHCP Server Settings: Enabled, 192.168.20.5 to 192.168.20.49, Subnetmask 255.255.255.0, Lease Time 7200 Seconds
- Options applied to Clients: Now clear, nothing entered, what i tried before was: Default Gateway; 192.168.20.1, DNS Server 192.168.110.21 (both didntt work)
- "Edit the static routing table to push": Around 20 or so Subnets entered in the format 192.168.111.0/255.255.255.0/192.168.111.1

What works:
- L2TP Connection from Clients using destination IP 192.168.20.50 and Radius Users works just fine
- Client gets IP from the defined address range from the Virtual DHCP Server configuration above
- SE running on 192.168.20.50 can be seen/pinged from the old VPN Server on 192.168.20.2 and Clients connected to old VPN Server on respective Client IP addresses ranging from 192.168.20.4 to .40

What doesn't work:
- Clients connected to the VPN Server have no connection to anything. They seem to be encapsulated in their own Network. To test this, i can give the virtual DHCP Server another address range than 192.168.20.0/24 and same thing happens.
- SE VPN Server running on 192.168.20.50 has no connection to the internet, but i guess this is not a problem of SE, and i need to do some config on the Firewall for that.

Thanks again for all the Help i can get!

Re: Subnet routing via Firewall

Posted: Sat Oct 19, 2019 2:16 pm
by ultramizer
oh and i forgot, at the moment no bridge and no virtual layer 3 switch! I tried bridging on the one Network interface i have right now on windows but that didn't help, i couldnt connect anymore. I have no clue on how to use the bridge correctly, and since the connection to the firewall and the routing is port based layer 2 routing, i don't think a virtual layer 3 switch can solve my problem, but maybe i'm wrong!

Re: Subnet routing via Firewall

Posted: Sat Oct 19, 2019 3:37 pm
by ozone
Hi,

The windows10 vm, does it have 1 or 2 (virtual)nics?
(both is possible, both can be made to work)

Also, the old vpn server had a default gateway set to 192.168.20.1. It was 192.168.20.2 itself.
So this means there already was a 192.168.20.1, probably the ip of the juniper firewall/gw.

Giving sercurenat <also> an ip 192.168.20.1 therefore cannot work imho.
Give it something else.... eg. 192.168.20.51 (something different then the virtual nic)
Actually, as long as you <don't> set securenat to "enabled'", it does not matter what ip you give it. But when you enable it, it will fail with 192.168.20.1.
And also.. SE securenat is basic, it should be used to NAT traffic from one subnet to another. (not the same range at both ends)

As for the routing that you pushed....???? What are you trying to do???
Clients are on 192.168.20.xxx/24... The only gateway they have to <find> is 192.168.20.1.
There is, for them, no other gateway on that subnet, especially not 192.168.111.1. That is at least one hop (router) away.
And therefore it's info that the next router needs to have, not the clients. (but the router already has that, since the old vpn works just fine)

The SE server is not the router that connects all these subnets, that is the juniper right???

I think that you <think> it is all really complicated. But in fact I think it might be made to work much simpler that what you <think>. :)
(a bit of wordplay-fun, sorry...)

Oz

Re: Subnet routing via Firewall

Posted: Mon Oct 21, 2019 9:12 am
by ultramizer
Hi ozone

Thanks for your answers! Windows 10 VM now has only one nic, but i can add another one if that helps!

I don't know what you mean by "Also, the old vpn server had a default gateway set to 192.168.20.1. It was 192.168.20.2 itself."
Yes, 192.168.20.1 is the juniper Firewall, 192.168.20.2 was the old VPN Server. I am looking to give the new one the same IP in the end, but i can't right now since the old VPN has to be running and is still beeing used while i migrate to the new one!

By "giving securenat also the IP", do you mean the "Virtual Host's Network Interface Settings: IP Address" IP? I set this to 192.168.20.51 now.
I am not sure if i really need the Securenat, but if i disable it, then the DHCP doesn't work. So i am not sure how to use DHCP without using more NAT related stuff. What i want to achieve, is that the clients connect to the existing 192.168.20.0/24 network, get an IP from the SE DHCP Server and the next hop should be the Juniper Firewall.

I deleted the routing table pushed to the client! It's now cleared out. I put those routes there, because the old MacOS VPN Server didn't work until we set all those routes manually... That's why i imported them. I'm not sure how they exactly work, i'm not the biggest network specialist :)

"The SE server is not the router that connects all these subnets, that is the juniper right?"
Yes, correct, the connection between the subnets is the Juniper Firewall running on 192.168.20.1

I have tested this config now, and i still have the same issue. When i connect to the VPN i can ping 192.168.20.50 and 192.168.20.51 (SecureNAT Gateway IP) but i can't ping 192.168.20.2 or anything outside the 192.168.20.0/24 Subnet. I still seem to be in a bubble. Maybe we can add another nic and then Bridge to that NIC somehow? Does that help?

Thanks again!

Re: Subnet routing via Firewall

Posted: Mon Oct 21, 2019 12:55 pm
by ultramizer
So right now i have completely disabled SecureNAT and DHCP Server of SE, since it seems like the firewall is doing some sort of DHCP Service.
I have now bridged the one network adapter i have using SE Bridge function. I have activated promiscuous mode in ESXi on the vSwitch so that shouldn't be an issue. Now the Problem is, i can't get an IP from the DHCP Server, so i can't connect the VPN anymore... In the logs i can see that i couldn't get an IP from a working DHPC. After reading through tons of forum posts and guides i think bridging the network adapter is probably what i want to do... But right now i can't get it to work because it's not getting an IP from the DHCP...

Re: Subnet routing via Firewall

Posted: Mon Oct 21, 2019 2:18 pm
by ultramizer
I finally managed to do it!
Here is how its configured now. SecureNAT and DHCP completely disabled. I bridged the only network adapter i had using the Bridge function on SE and the DHCP Server of the Firewall! Since it is a virtual machine on ESXi, i had to go on the ESXi host, to the vSwitch security Settings and then allow Promiscious mode, fake pakets and MAC spoofing. I then went into the Windows VM and disabled every single Service on the NIC except IPv4 and the SoftEther Service.
The Clients now connect wonderfully to the VPN, Auth works over RADIUS, they get an IP from the Firewall and all the routing works magically by itself without further configuration! Thanks again for your help ozone!

Re: Subnet routing via Firewall

Posted: Mon Oct 21, 2019 8:03 pm
by ozone
Hi,

Good to hear you got it working!
I didn't think of esxi.... Of course...
And indeed, disabling unneeded services/protocols on the windows nic is always better if you really don't plan on using them anyway. Prevents them being used instead of the one you actually WANT to be used.

I have to remember those points you found.

Regarding your remarks earlier. Securenat would almost definitely be slower then the natting Juniper can do, and with less options.
Same goes for DHCP: Juniper would almost certainly give you more options.
Therefore I would try to avoid using these functions in SE.
And 2 nics on the SE server can have a performance advantage. But more often then not, a single Gb link will not be the bottleneck.

Basically, the way you did it now, is how I would recommend it in this scenario: Let SE do the vpn, let Juniper do the rest. (just bridge SE to the nic)
That was what I meant with "I think it might be made to work much simpler that what you <think>" :)

Enjoy Softether!

Oz

Re: Subnet routing via Firewall

Posted: Tue Oct 22, 2019 7:36 am
by ultramizer
The last little issue i am facing right now is that MacOS Clients seems to disregard the VPN Connection if it's in the second place in the system settings. In Mac OS you can arrange the NICs and virtual NICs in an order, so that it prioritizes the top one over the others. For example, you can prioritize ethernet traffic over WiFi Traffic by putting the ethernet higher up. This way, it sends everything it can over ethernet even if you have a WiFi connection.
However, before we switched to SoftEther we used MacOS Server VPN. That's where the Routing Table comes into play. We have set up basically whats called split-tunneling i guess, so if the clients connects to the VPN, its beeing told what to send throught the tunnel and what not. This way, even if the VPN is not ordered on the top in the system prefs, it still sends all the internal network request through the tunnel because in the routing table its clearly specified which IPs to send through the tunnel. With Softether, and no routing to push specified, we have the issue that it is sending everything over the Client regular WiFi or Ethernet, and not through the tunnel, which means we can't get any connection to internal services. The only workaround is to either move the VPN on top of all other connections on every single client, or to activate "send all traffic through the tunnel" on every client. Both are really kinda shitty options, since if possible, we would like to restrain from manually configuring every client again, since it worked before and we don't want all the WAN traffic to go through the VPN if not required...
I have tested the SecureNAT routing table push but that didn't work somehow... I'm still not sure how to set it up at the moment so that it makes the most sense... Atleast connections work and with a bit of tweaking on the client side all the routing works aswell, but it's not optimal at the moment, since we were looking for a vanilla solution where we don't need to manually edit client settings.

Re: Subnet routing via Firewall

Posted: Tue Oct 22, 2019 2:45 pm
by ozone
Yes indeed, that is called splittunneling, and it indeed requires some sort of route setting on the clients.
And it explains why you were pushing routes on the old server. It didn't occur to me that that was the intention.

DHCP is probably the best option to push the routes to clients, as other options are pretty messy.

In your case, with Juniper currently being dhcp, it can mean 2 things:
-Juniper pushes the routes, but you will need to be able to set up the routes in the Juniper;
-You DO use the SE securenat, but not quite the way it was intended, and Juniper DHCP needs to be disabled or blocked.

The routes to push are probably already known from the old vpnserver, and there should be NO default gateway (or 0.0.0.0) pushed to vpnclients.
The clients will use the extra routes to find subnets on the vpn-site via192.168.20.1, but still use the default gateway of the client-site itself to find internet (or the 0.0.0.0-route).


If it is not possible to push via Juniper, enabling Securenat and its dhcp-function might still work if you consciously bypass the traffic so it does not get delayed or nat-translated.
To do this set the Securenat's (virtual host network interface) ip address to something other than the VM-nic ip-address or 192.168.20.1, and -do not- set the default gateway-address. You may set the DNSs, and of course the extra routing info.
Also, if the Juniper dhcp is still active and cannot be disabled for this subnet, it needs to be blocked from issuing addresses. There are settings in SE that hint to do that. (virtualhub extended option list-> RemoveDefGwOnDhcpForLocalhost, but haven't ever tried it)

So imho, it would be preferable to do the route pushing with Juniper-dhcp. (you mentioned that there weren't any dhcp clients on 192.168.20.0/24, other than the vpn-clients, so this would not likely lead to issues by not setting a default gateway in juniper for 192.168.20.0/24)
If this is not possible, but you can let the Juniper-dhcp be disabled on 192.168.20.0, do that. And then set up your own dhcp with securenat. But bypass the NAT function as mentioned above.
If there is no way to change anything on the Juniper, you'll have to try blocking it's dhcp-responses. (the last thing you want is that "sometimes" the Juniper hands out addresses, and "sometimes" Securenat)

I hope it is clear what I'm trying to say...

Re: Subnet routing via Firewall

Posted: Tue Oct 22, 2019 3:02 pm
by ultramizer
Amazing, thanks for your answers! It's a vital piece of information that custom routes are connected to DHCP and are handed out by a DHCP server. That helps a lot by searching where and how to push them. I can disable the Juniper DHCP, as i have full control over the firewall, so that shouldn't be an issue. If i can configure the DHCP to give out custom routes is what i am going to be checking next. I have done some tests with the SE DHCP Server, but i didn't get any routes. Probably because i didn't get an IP from SE but from the Juniper, even by enabling the DHCP on SE. Probably the faster one can deliver, as usual with DHCP. Yes, the routes are known! Thanks again, i will do some more testing and let you and others in here know how it went. Maybe it helps in the future!

Re: Subnet routing via Firewall

Posted: Tue Oct 29, 2019 10:52 am
by ultramizer
Unfortunately i couldn't make it work with the juniper DHCP Server. It's just too complicated to configure and commit the changes, so i tried using the integrated SE DHCP Server. If i activate it, and deactivate the Juniper DHCP, i can connect just fine, i get an IP but now i can't connect to anything anymore. Looks like i am stuck in my own network again. I still have the adapter set to bridge mode but i can't seem to get it to work using the Virtual NAT function, which is needed for DHCP.
We also have another DHCP Server Running for all the other subnets that need DHCP, and i have attached that server to the same 192.168.20.0/24 subnet using a virtual NIC since it's a virtual machine, but this DHCP doesn't give out IPs on this subnet for whatever reason... So i'm stuck again and don't know what to do next. Any ideas?

Re: Subnet routing via Firewall

Posted: Sun Nov 03, 2019 4:11 am
by ozone
Very sad to hear that you couldn't get the juniper to push the routes.
That would have been my preferred way of doing it, if I had to do it.

But pushing it with SE-dhcp 'should' work too...

Can you confirm that the routes you entered in SE are actually arriving at the mac clients?
(I'm not a mac expert, but I believe it goes with "netstat -nr" in a terminal-window)

Also, Earlier you mentioned that you entered the routes in SE in the format 192.168.111.0/255.255.255.0/192.168.111.1
But I think this should be: 192.168.111.0/255.255.255.0/192.168.20.1

Reason is that the gateway address IS (and should be) visible to the client without knowing the route, so in the same subnet.
So setting the gateway to 192.168.111.1 will simply not work.
The gateway the client should use to get to the 192.168.111.0/24 network is 192.168.20.1: the Juniper.

Sorry for the late reply btw.

Oz

Re: Subnet routing via Firewall

Posted: Thu Dec 19, 2019 6:11 am
by aquilesopkarg
ultramizer wrote:
Fri Oct 18, 2019 3:29 pm
Hi folks

So we have a really complex Setup using differents Subnets and Zones with Juniper Firewalls and Juniper Switches. We are now replacing an old MacOS L2TP Server with SoftEther with using RADIUS.
We are using a Subnet in a Zone that is configured on the Firewall, directly on this Firewall i have connected the SoftEther installation. The Server is running on Subnet 192.168.20.0/24. The old MacOS Server has the IP 192.168.20.2, gateway is 192.168.20.1. The VPN Users got IPs from 192.168.20.5 - 192.168.20.40
Now i have installed SoftEther and configured everything, the Server can connect to the other different subnets which are made on switches behind the firewall. Routing is everything configured on the switches and on the firewall. So we have Subnets 192.168.111.0/24, 192.168.110.0/24, 192.168.4.0/24, 192.168.6.0/24, 192.168.8.0/24, 192.168.10.0/24. So as i said, the SoftEther is running on Windows 10 at the moment and is running on 192.168.20.50. On this Windows machine i can connect to all the other Subnets just fine, no problem. Since we have no DHCP on the 192.168.20.0 Subnet, i have activated the DHCP Server that comes with SoftEther. I have configured the DHCP of SoftEther to give out IPs starting from 192.168.20.5 to 20.40.
Now when i connect a VPN Client, it successfully connects and gets an IP from that range. However, it seems to be stuck in its own Network... It seems like it has no connection outside it's own 192.168.20.0 Subnet. I can't ping the VPN Client from the 192.168.20.2 machine, so it seems it's somehow stuck in a bubble.
Now how can i get this machine outside it's 192.168.20.0 bubble into the correct 192.168.20.0 subnet? I can't figure it out... I have tried Bridging and i have tried SecureNAT and i have tried Virtual Layer 3 switches but i have no clue how to do it... Maybe somebody can help...
The windows10 vm, does it have 1 or 2 (virtual)nics?
(both is possible, both can be made to work)