SecureNAT details

ivica.glavocic
Posts: 11
Joined: Thu Dec 04, 2014 7:08 am

SecureNAT details

Post by ivica.glavocic » Tue Mar 31, 2020 2:51 pm

Linux CentOS 7 server, two interfaces, one public used by clients to connect from Internet, one private on corporate LAN.

SoftEther SecureNAT is enabled with A class private subnet on virtual DHCP. Client connects on public interface and gets A class IP from virtual DHCP server.

When the client accesses the corporate network, its source IP is NOT the A class IP from the SoftEther virtual DHCP, but a C class LAN IP obtained from the LAN DHCP server. The address on the LAN DHCP server is leased out to securenat-da245e499f0b.

How, why, where is that configured, documented ... ??????

I don't have enough addresses on LAN DHCP, that's why I configured Secure NAT and virtual DHCP.
No explanation in documentation, no info in logs how client got LAN IP.

Thanks, regards
Ivica

centeredki69
Posts: 329
Joined: Wed Sep 18, 2013 1:49 pm

Re: SecureNAT details

Post by centeredki69 » Tue Mar 31, 2020 5:13 pm

The client does not get an IP address from the local LAN DHCP server. The "secure NAT Virtual router" (securenat-da245e499f0b) gets 1 IP address from the local LAN DHCP server (like a WAN port on a real SOHO router). This is not displayed anywhere that I can find in the SE server manager. "SecureNAT" functions like a "virtual router" that's behind the local physical router, like being double NATed.

VPN client gets IP (10.10.10.11 from SecureNAT DHCP server)
===> SecureNAT DHCP range (10.10.10.11 - 10.10.10.100), SecureNAT internal IP (10.10.10.1)
===> SecureNAT external IP (192.168.0.11) received from local DHCP server
===> Local LAN gateway/router (192.168.0.1)
===> Internet (or maybe just your internal network)
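
The double-NAT chain above, modelled as a small Python simulation. This is an added example, not SoftEther code and not part of the original post: it uses the addresses from the reply (10.10.10.x clients, 192.168.0.11 as the SecureNAT "WAN" address, 192.168.0.1 as the LAN router) and treats each hop as a source NAT (PAT) with its own translation table. The LAN host 192.168.0.50 and the public address 203.0.113.5 are constructed placeholders. It shows why the LAN DHCP server leases exactly one address no matter how many VPN clients connect, how the LAN only ever sees 192.168.0.11 as the source, and how replies are mapped back to the right client.

```python
"""Toy model of SoftEther SecureNAT behind a LAN router (added example, not
SoftEther's code). Each NAT hop rewrites the source address to its own external
address and allocates a distinct source port so replies can be demultiplexed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Nat:
    """Source NAT with port translation for one 'inside' network."""
    inside: ipaddress.IPv4Network
    external_ip: str
    next_port: int = 40000
    # external port -> (original src, original sport)
    table: dict = field(default_factory=dict)
    # (src, sport, dst, dport) -> external port, so one flow keeps one mapping
    reverse: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside->outside packet so it appears to come from external_ip."""
        if ipaddress.ip_address(pkt.src) not in self.inside:
            return pkt  # not from our inside network: forwarded untouched
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.reverse.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
            self.table[port] = (pkt.src, pkt.sport)
        return Packet(self.external_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Map a reply addressed to external_ip back to the inside host, or drop it."""
        if pkt.dst != self.external_ip or pkt.dport not in self.table:
            return None  # unsolicited inbound traffic has no mapping and is dropped
        src, sport = self.table[pkt.dport]
        return Packet(pkt.src, pkt.sport, src, sport)


def build_path():
    """SecureNAT (inside 10.10.10.0/24, WAN side 192.168.0.11 from LAN DHCP)
    sitting behind the LAN router (inside 192.168.0.0/24, public 203.0.113.5)."""
    securenat = Nat(ipaddress.ip_network("10.10.10.0/24"), "192.168.0.11")
    lan_router = Nat(ipaddress.ip_network("192.168.0.0/24"), "203.0.113.5")  # placeholder public IP
    return securenat, lan_router


def lan_host_view(n_clients: int, dst: str = "192.168.0.50", dport: int = 443):
    """n VPN clients each open a flow to a LAN host; return what the LAN host sees."""
    securenat, _ = build_path()
    seen = []
    for i in range(n_clients):
        client = Packet(f"10.10.10.{11 + i}", 50000 + i, dst, dport)
        seen.append(securenat.outbound(client))
    return seen


def reply_path():
    """A LAN host answers; SecureNAT must deliver the reply to the original client."""
    securenat, _ = build_path()
    out = securenat.outbound(Packet("10.10.10.11", 50000, "192.168.0.50", 443))
    reply = Packet("192.168.0.50", 443, out.src, out.sport)
    back = securenat.inbound(reply)
    return (back.dst, back.dport)


def internet_path():
    """Full double NAT: client -> SecureNAT -> LAN router -> Internet host."""
    securenat, lan_router = build_path()
    hop1 = securenat.outbound(Packet("10.10.10.12", 50001, "198.51.100.7", 80))
    hop2 = lan_router.outbound(hop1)
    return (hop1.src, hop2.src)


if __name__ == "__main__":
    for p in lan_host_view(3):
        print(f"LAN host sees {p.src}:{p.sport} -> {p.dst}:{p.dport}")
    print("reply delivered to", reply_path())
    print("source after each NAT hop:", internet_path())
```

Because every VPN client is translated to 192.168.0.11 before it reaches the LAN, a lease for that single address is all the LAN DHCP server ever hands out, and per-client accountability on the LAN side is lost unless the SoftEther server itself logs the 10.10.10.x to port mapping.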

ivica.glavocic
Posts: 11
Joined: Thu Dec 04, 2014 7:08 am

Re: SecureNAT details

Post by ivica.glavocic » Wed Apr 01, 2020 11:14 am

centeredki69, thank you for the explanation. If I understood correctly, the entire server is using only ONE IP address leased from the LAN DHCP server, regardless of the number of clients connected; please correct me if I am wrong.

Why LAN DHCP and double NAT? In my opinion, this is the wrong concept; DHCP is not necessary at all. All traffic from VPN clients should be NATed to a local SoftEther interface, with the option to choose which one if there is more than one.

If the SoftEther server has one interface (on the corporate LAN with a port forward from outside), all traffic should be NATed to that one.
If the server has two interfaces (one on the corporate LAN, one public), you simply choose which interface to use for the NATed traffic and that's it.
