LAN to LAN with L3 Switch - Firewall block VPN and DHCP prob

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
Post Reply
alex1957
Posts: 5
Joined: Mon Jul 31, 2017 10:20 am

LAN to LAN with L3 Switch - Firewall block VPN and DHCP prob

Post by alex1957 » Mon Jul 31, 2017 10:29 am

HI to everyone, I need help to get SoftEther VPN working.
Attacched 2 image, with VPN Diagram and Real Connection Diagram.
I already read all manual and forum to try to solve my problem, but after 2 week work I ask some help from someone.
Thanks in advance for every possible help.

The Situation …
I Have 4 Different branch office, in the main site I have a 100 Mb fiber, and is where I installed VPN Server with both Remote Connection (for client) and Lan to Lan (for Site).
On MAIN_SITE I have create 5 Virtual HUB with name like in the image 1, and a virtual switch.
VHUB_MAIN is connected to unique Ethernet card installed and all user needed for client
VHUB_SITE_1 is for cascade connection to SITE_1 user LANtoLAN
VHUB_SITE_2 is for cascade connection to SITE_2 user LANtoLAN
VHUB_SITE_3 is for cascade connection to SITE_3 user LANtoLAN
VHUB_SITE_4 is for cascade connection to SITE_4 user LANtoLAN

VISWITCH_L3 is for Layer 3 communication between subnet, and Ihave created the following virtual interface:
VHUB_MAIN 172.18.11.46 255.255.255.0
VHUB_SITE_1 172.18.10.46 255.255.255.0
VHUB_SITE_2 172.18.12.46 255.255.255.0
VHUB_SITE_3 172.18.15.46 255.255.255.0
VHUB_SITE_4 172.29.99.46 255.255.255.0

On all firewall in SITE_1, SITE_2, SITE_3 and on Router of SITE_4 I create the necessary route for L3
IP=172.18.10.0 MASK=255.255.255.0 GTW=172.18.10.46
IP=172.18.11.0 MASK=255.255.255.0 GTW=172.18.11.46
IP=172.18.12.0 MASK=255.255.255.0 GTW=172.18.12.46
IP=172.18.15.0 MASK=255.255.255.0 GTW=172.18.15.46
IP=172.29.99.0 MASK=255.255.255.0 GTW=172.29.99.46
On each firewall or router are present only 4 route, the one of the same network is not present

On each site (1,2,3,4) is installed the SoftEther VPN Bridge, connected to the Main site via VHUB_SITE_X, and connected to ethern board.
SITE_1 and SITE_2 are Hyper-V guest (with mac spoofing enabled), windows Server 2012 R2
SITE_3 and SITE_4 are physical machine with Windows 10 and 1 ethernet board.
All cascade connection are with nat-t, use data compression, disable UDP Acceleration.
If I enable UDP Acceleration, on Hyper-V guests, I get a big amount of traffic and communication crash (about 40mbs of traffic), so I decide to disable in all SITE

All connection are UP and I can see on the main interface all Session, Mac Table and IP Tables OK.
From manage HUB of each HUB, on manage connection, I can see 2 session, 1 for SID-L3 and one for LAN to LAN session, each with IIP and mac from all sites.

Now the Problem ….
From SITE_4 I can ping to MAIN_SITE and MAIN_SITE can ping to SITE_4
From all other site, I can ping the MAIN_SITE and SITE_4
From MAIN_SITE can’t ping to SITE_1, SITE_2, SITE_3
SITE_1, SITE_2, SITE_3 can ping MAIN_SITE

SITE_4 is the only one working and can communicate without problem, and do not have a Firewall, only a router.
All other SITE are one direction working (only ping, because if I try to use netbios and AD communication) nothing come back.

On all firewall I see strange traffic on destination port 443. Strange mean that if I telnet some port from MAIN_SITE (172.18.11.45) to a remote site for example SITE_1 (172.18.10.10) on SITE_1 firewall I can see blocked traffic from source 172.18.10.10 to destination 172.18.11.45, or from public address of MAIN_SITE to the Local IP of Router interface.
MAIN_SITE is a single Fiber VDSL with 8 IP and a Firewall PFsense 2.3.4. MAIN_SITE have a 1:1 NAT to public IP that end with 118 (I own from 113 to 118)
SITE_1 is a PFsense 2.3.4, with 3 wan, and I have a 1:1 NAT from a public IP to local IP. The really strange think is that I see traffic that are related to MAIN_SITE IP the end with 118, and some other traffic from end ip 113.
Looks like if VPN_SERVER send packet on IP 118 and SITE_1 answer to 113. On all site I have nat 1:1 with the machine that run VPN_SERVER.

The second problem, is that some client connect to MAIN_SITE but no DHCP address assigned. Those cleint are connected with Free WI-FI, Home ADSL, or From Customer Office. Casually they can't get DHCP

I made about a thousand of try, but the only working node is SITE_4
I hope was enought clear exposition

PLS, can anyone help me to find a solution ?
Thank’s from Alex
You do not have the required permissions to view the files attached to this post.

alex1957
Posts: 5
Joined: Mon Jul 31, 2017 10:20 am

Re: LAN to LAN with L3 Switch - Firewall block VPN and DHCP

Post by alex1957 » Tue Aug 01, 2017 7:00 am

No one interested to help me ?

thisjun
Posts: 2454
Joined: Mon Feb 24, 2014 11:03 am

Re: LAN to LAN with L3 Switch - Firewall block VPN and DHCP

Post by thisjun » Thu Aug 10, 2017 6:32 am

Could you show result of traceroute?

> get a big amount of traffic and communication crash (about 40mbs of traffic)

I think there is packet loop.
If virtual hub traffic increase, there is loop in the VPN.
If not, there is loop outside of VPN.

Vreo
Posts: 6
Joined: Fri Mar 15, 2019 1:18 am

Re: LAN to LAN with L3 Switch - Firewall block VPN and DHCP prob

Post by Vreo » Mon Mar 18, 2019 3:50 am

Hey alex1957, how do you solved your l3 routing problem? I am having exactly the same issue that you had before. Could you give some guide please ?

Post Reply