Site-to-Site help needed

sajer
Posts: 8
Joined: Tue Oct 16, 2018 11:09 am

Site-to-Site help needed

Post by sajer » Tue May 21, 2019 11:40 am

Hello,

thanks in advance for your help.

We made a site-to-site VPN, and the "Edge" device (not the "host"/"center") has two physical NICs. The problem is, the clients get the IP address from the "main site's DHCP server". By default the BRIDGE's advanced settings (it is a HUB, but it's called BRIDGE by default when installing in BRIDGE mode) show "no adjustment of routing table" is ENABLED and it's grey, so you cannot set it otherwise, which would be good, but by this design no VPN virtual NIC is created, so I cannot set the NIC metrics by hand and so I get IPs on the machines at the "Edge site" from the "main site".

How to achieve:
- local internet is used by the "Edge site" users/computers (not the internet from the main site, only when it's required, like AD authentication, etc.)
- DHCP is assigned for the Edge users from the DHCP server at the Edge site (which I think won't be a problem when we can work out the first one!)

centeredki69
Posts: 329
Joined: Wed Sep 18, 2013 1:49 pm

Re: Site-to-Site help needed

Post by centeredki69 » Tue May 21, 2019 6:25 pm

Hi, I assume you are using an L2 "Cascade connection" from the SE Bridge software ("Edge Site") and connecting to the SE Server software ("Host Center Site")
for the site-to-site connection.

If so you need to edit the "cascade connection" under security policies and enable *Filter DHCP packets IPv4* & *Filter DHCP packets IPv6*.
This can also be done on the server side by editing the USER settings security policies. Only one side is needed but I usually do it at both ends. This will filter DHCP packets from traveling through the L2 cascade connection. Your
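
The cascade policy above works at the frame level: DHCPv4 (UDP 67/68) and DHCPv6 (UDP 546/547) are dropped, everything else crosses the L2 tunnel. The following is an added example (not SoftEther's code) that models that decision over constructed, untagged Ethernet II frames; MAC addresses, IPs and payload bytes are made up for the demonstration, and IPv6 extension headers are not walked.

```python
import socket
import struct

ETH_IPV4, ETH_IPV6, ETH_ARP, UDP = 0x0800, 0x86DD, 0x0806, 17
BCAST, EDGE_MAC = b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01"  # constructed MACs

def udp_frame(src, dst, sport, dport, payload=b""):
    """Build a constructed Ethernet/IP/UDP frame (checksums left at zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    if ":" in src:  # IPv6: fixed 40-byte header, Next Header = UDP
        ip = struct.pack("!IHBB16s16s", 0x60000000, len(udp), UDP, 64,
                         socket.inet_pton(socket.AF_INET6, src),
                         socket.inet_pton(socket.AF_INET6, dst))
        etype = ETH_IPV6
    else:           # IPv4: 20-byte header (IHL=5), protocol = UDP
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                         UDP, 0, socket.inet_aton(src), socket.inet_aton(dst))
        etype = ETH_IPV4
    return BCAST + EDGE_MAC + struct.pack("!H", etype) + ip + udp

def is_dhcp_frame(frame):
    """True for DHCPv4 (both UDP ports in 67/68) or DHCPv6 (both in 546/547)."""
    if len(frame) < 14:
        return False
    etype = struct.unpack("!H", frame[12:14])[0]
    pkt = frame[14:]
    if etype == ETH_IPV4 and len(pkt) >= 20:
        proto, l4 = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]   # honour IHL
    elif etype == ETH_IPV6 and len(pkt) >= 40:
        proto, l4 = pkt[6], pkt[40:]                     # Next Header field
    else:
        return False  # ARP and other non-IP frames are never DHCP
    if proto != UDP or len(l4) < 8:
        return False
    sport, dport = struct.unpack("!HH", l4[:4])
    return {sport, dport} <= {67, 68} or {sport, dport} <= {546, 547}

def cascade_forwards(frame, dhcp_filter=True):
    """Forwarding decision of the cascade with the two DHCP filter policies on."""
    return not (dhcp_filter and is_dhcp_frame(frame))

# Constructed sample traffic as an "Edge Site" client would emit it
DISCOVER = udp_frame("0.0.0.0", "255.255.255.255", 68, 67, b"\x01" + b"\x00" * 239)
SOLICIT = udp_frame("fe80::1", "ff02::1:2", 546, 547, b"\x01\x00\x00\x01")
DNS = udp_frame("192.168.1.120", "192.168.1.1", 53000, 53, b"\x00" * 12)
ARP = BCAST + EDGE_MAC + struct.pack("!H", ETH_ARP) + b"\x00" * 28

if __name__ == "__main__":
    for name, f in [("DHCPv4 DISCOVER", DISCOVER), ("DHCPv6 SOLICIT", SOLICIT),
                    ("DNS query", DNS), ("ARP", ARP)]:
        print(f"{name:16} {'forwarded' if cascade_forwards(f) else 'DROPPED'}")
```

With the filter on, only the two DHCP frames are dropped; ARP and the DNS query still cross the cascade, which is why both sites stay reachable while each keeps its own addressing.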

sajer
Posts: 8
Joined: Tue Oct 16, 2018 11:09 am

Re: Site-to-Site help needed

Post by sajer » Wed May 22, 2019 9:29 am

centeredki69 wrote:
Tue May 21, 2019 6:25 pm
Hi, I assume you are using an L2 "Cascade connection" from the SE Bridge software ("Edge Site") and connecting to the SE Server software ("Host Center Site")
for the site-to-site connection.

If so you need to edit the "cascade connection" under security policies and enable *Filter DHCP packets IPv4* & *Filter DHCP packets IPv6*.
This can also be done on the server side by editing the USER settings security policies. Only one side is needed but I usually do it at both ends. This will filter DHCP packets from traveling through the L2 cascade connection. Your
Thank you for your answer!
I did it, and now no DHCP "comes over", so basically everything is good. Would be good, because now if I'm adding a DHCP server (router) to the "Edge Site", then I get IP and gateway from that and now I'm "isolated" from the "Main Site". Any advice?

centeredki69
Posts: 329
Joined: Wed Sep 18, 2013 1:49 pm

Re: Site-to-Site help needed

Post by centeredki69 » Wed May 22, 2019 10:35 am

You could run a DHCP server at each location using the same subnet but setting the servers to issue different ranges of IP addresses at each location.
For example:
DHCP server at SE Server "Host Main Site" = would issue 192.168.1.2 - 192.168.1.100 & have its own gateway being 192.168.1.1
DHCP server at SE Bridge "Edge Site" = would issue 192.168.1.101 - 192.168.1.254 & have its own gateway being 192.168.1.100

Both locations could then communicate without overlapping (duplicate IP address conflicts) as the DHCP packets are filtered as mentioned in the previous post, preventing DHCP packets from going through the cascade connection. Both locations could still function locally and have internet access in the event the cascade connection dropped for some reason.
I have used this setup for over 6 years with success.

sajer
Posts: 8
Joined: Tue Oct 16, 2018 11:09 am

Re: Site-to-Site help needed

Post by sajer » Wed May 22, 2019 11:30 am

centeredki69 wrote:
Wed May 22, 2019 10:35 am
You could run a DHCP server at each location using the same subnet but setting the servers to issue different ranges of IP addresses at each location.
For example:
DHCP server at SE Server "Host Main Site" = would issue 192.168.1.2 - 192.168.1.100 & have its own gateway being 192.168.1.1
DHCP server at SE Bridge "Edge Site" = would issue 192.168.1.101 - 192.168.1.254 & have its own gateway being 192.168.1.100

Both locations could then communicate without overlapping (duplicate IP address conflicts) as the DHCP packets are filtered as mentioned in the previous post, preventing DHCP packets from going through the cascade connection. Both locations could still function locally and have internet access in the event the cascade connection dropped for some reason.
I have used this setup for over 6 years with success.
Thank you again.

If I understand correctly, you are talking about a configuration where all sites have the same subnet (like site A is 192.168.1.0/24 and site B too, only the DHCP ranges differ), am I right? If yes, how could I achieve the same with different subnets? Every site now has a different subnet; if it's possible I wouldn't like to change these settings, because the other goal I want to achieve is to SEPARATE all sites from each other.

And one more thing: if the router (in your config) with the DHCP server gives the clients at the "Edge Site" the IP and gateway, where the gateway is the same IP as the gateway from the "Main Site", which "internet" is used at the Edge Site? How to achieve NOT USING the Main Site's internet when being at the "Edge Site"?

Thank you for your time :)

centeredki69
Posts: 329
Joined: Wed Sep 18, 2013 1:49 pm

Re: Site-to-Site help needed

Post by centeredki69 » Wed May 22, 2019 4:08 pm

sajer wrote:
Wed May 22, 2019 11:30 am

If I understand correctly, you are talking about a configuration where all sites have the same subnet (like site A is 192.168.1.0/24 and site B too, only the DHCP ranges differ), am I right? If yes, how could I achieve the same with different subnets? Every site now has a different subnet; if it's possible I wouldn't like to change these settings, because the other goal I want to achieve is to SEPARATE all sites from each other.

Thank you for your time :)
YES: all sites have the same subnet (like site A is 192.168.1.0/24 and site B too, only the DHCP ranges differ).
In order to achieve what you want using different subnets at each site you need to utilize the Layer 3 switch function, which is more complex and requires setting static routes on the routers at each location. See the link for info on setting this up:

https://www.softether.org/4-docs/1-manu ... 3_Switches

centeredki69
Posts: 329
Joined: Wed Sep 18, 2013 1:49 pm

Re: Site-to-Site help needed

Post by centeredki69 » Wed May 22, 2019 4:52 pm

sajer wrote:
Wed May 22, 2019 11:30 am
And one more thing: if the router (in your config) with the DHCP server gives the clients at the "Edge Site" the IP and gateway, where the gateway is the same IP as the gateway from the "Main Site", which "internet" is used at the Edge Site? How to achieve NOT USING the Main Site's internet when being at the "Edge Site"?

Thank you for your time :)
If the DHCP server at the Edge Site issues the MAIN Site's gateway, the clients' packets will go through the cascade connection and will use the Main Site gateway for their internet.
My config stated:
The DHCP server at the "Edge Site" gives the clients the IP addresses and its "local gateway".
DHCP server at SE Bridge "Edge Site" = would issue 192.168.1.101 - 192.168.1.254 & have its own gateway being 192.168.1.100. All "Edge Site" clients will use the local gateway 192.168.1.100 issued by the "Edge Site" DHCP server for their internet. These clients would **NOT** go through the L2 cascade tunnel to use the "Main Site" internet gateway. However, these clients would have access to any shared resources at the "Main Site" via the L2 cascade connection, which functions like a super long Layer 2 encrypted Ethernet cable.

The "Main Site" would do the same at its location and use its local gateway, and have access to all shared resources at the "Edge Site" via the L2 cascade.
