LAN to LAN bridge and the use of dedicated NICs

Knight
Posts: 7
Joined: Mon Jul 11, 2016 12:49 pm
Location: Paris, France

LAN to LAN bridge and the use of dedicated NICs

Post by Knight » Mon Jul 11, 2016 1:22 pm

Hi to all here!

I know that part of what I'm going to ask has already been answered one way or another in other topics, but after reading them I'm still confused on a few points of configuration.

First, I will describe the network topology of my setup:
I intend to bridge two Ethernet networks (both located in the 192.168.1.x range but without any overlapping addresses), each connected to the Internet via a NAT router, and each segment has its own server (a 24/7 powered-on computer running Debian Linux 8.5 64-bit). Those two servers are running the latest version (to this day) of SoftEther VPN Server for one and VPN Bridge for the other. Port 5555 is redirected from each NAT router to each server to give access to SoftEther VPN from the outside world.

I've followed the tutorial explaining how to create a LAN-to-LAN bridge (https://www.softether.org/4-docs/1-manu ... L2_Bridge) and set up the LAN-to-LAN bridge successfully. All computers linked to both Ethernet segments are able to communicate.

But (and it's here that questions arise), as explained in the SoftEther VPN manual, I cannot directly access the very servers where the SoftEther VPN software is running, and those servers are hosting additional services (such as Samba, DLNA, ... for example) which I would like to be reachable from both sides of the VPN bridge.
I noted in the documentation that in that case I need to use additional dedicated NICs (eth1) instead of the server's default one (eth0). It's even mentioned here: can't ping between server using "bridge on eth0" (http://www.vpnusers.com/viewtopic.php?f ... =dedicated)

So I added those new network adapters, updated the local bridge definitions on both the VPN Server and the VPN Bridge from eth0 to eth1, and restarted the connection.

From this time, nothing is communicating anymore.

eth1, on both servers, is physically connected to the same switch as eth0 and configured to be UP in promiscuous mode without any IP address defined (ifconfig eth1 0.0.0.0), as explained in the SoftEther documentation. Some ARP seems to be passing through, as the MAC address table is populated (but not as fully as it should be) and the IP table is filled at the same rate, but no other protocol is passing through.
If I configure the local bridges back to eth0, the system is up again...

What am I missing in the setup with eth1 used for local bridge?

Thanks in advance for any insight on this configuration issue!

Knight
Posts: 7
Joined: Mon Jul 11, 2016 12:49 pm
Location: Paris, France

Re: LAN to LAN bridge and the use of dedicated NICs

Post by Knight » Thu Jul 14, 2016 11:33 pm

So nobody is able to explain how to use dedicated NICs?

The documentation is not really clear on them...

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: LAN to LAN bridge and the use of dedicated NICs

Post by thisjun » Thu Jul 28, 2016 5:51 am

I think there are two options.

1. Create a local bridge with eth0 and a tap device. Please use the tap device to communicate with the server over the VPN.

2. Exchange the roles of eth0 and eth1.

Mada
Posts: 102
Joined: Sat Jun 20, 2015 9:40 am

Re: LAN to LAN bridge and the use of dedicated NICs

Post by Mada » Fri Jul 29, 2016 8:38 am

Well, if you want to communicate with the server running SoftEther, through SoftEther, there are a number of problems:

1. A switch will never send a packet back out on the same port where it was received.
2. Even if you have two NICs attached to different ports on the switch, if both are promiscuous without an IP, how do you address the server through them?

I suggest you use 3 NICs. NIC 1 for Internet, NIC 2 in promiscuous mode (without IP) local-bridged for SoftEther, and NIC 3 attached to the same switch as NIC 2 and configured normally (static IP in your SoftEther range or DHCP through SoftEther), with nothing to do with the SoftEther local configuration.

You should be able to talk to NIC 3 from the inside. Works for me.

Knight
Posts: 7
Joined: Mon Jul 11, 2016 12:49 pm
Location: Paris, France

Re: LAN to LAN bridge and the use of dedicated NICs

Post by Knight » Fri Jul 29, 2016 8:54 am

thisjun wrote:
> I think there are two options.
>
> 1. Create a local bridge with eth0 and a tap device. Please use the tap device to
> communicate with the server over the VPN.
>
> 2. Exchange the roles of eth0 and eth1.

Thank for the advice, I will try it as soon as I can...

Knight
Posts: 7
Joined: Mon Jul 11, 2016 12:49 pm
Location: Paris, France

Re: LAN to LAN bridge and the use of dedicated NICs

Post by Knight » Fri Jul 29, 2016 9:05 am

Mada wrote:
> Well, if you want to communicate with the server running softether, through
> softether, there is a number of problems:
>
> 1. A switch will never send a packet back out on the same port where it was
> received.
> 2. Even if you have two NICs attached to different ports on the switch, if both
> are promiscuous without an IP, how do you address the server through them?
>
> I suggest you use 3 NICs. NIC 1 for Internet, NIC 2 in promiscuous mode
> (without IP) local-bridged for SoftEther, and NIC 3 attached to the same
> switch as NIC 2 and configured normally (static IP in your SoftEther range
> or DHCP through SoftEther), with nothing to do with the SoftEther local
> configuration.
>
> You should be able to talk to NIC 3 from the inside. Works for me.

Whoa, what a pretty complex setting! IMHO

Why is there a need for an additional NIC dedicated to Internet access?

In my setting, I already have eth0 with an IP address in the range 192.168.1.0/24 and eth1 without any IP address dedicated to SoftEther VPN (the same as you in fact).

Internet is available to the LAN through a modem-router provided by my ISP, and its IP address is declared as the gateway (also in the 192.168.1.0/24 range) for my server in the eth0 declaration.

The above remarks apply to both sites, as the network setups are symmetrical... (Site A is in the range 192.168.1.1 to 192.168.1.120 while site B is in the range 192.168.1.130 to 192.168.1.200)

As you say, a packet cannot be sent back to the port which sent it, but if eth0 is sending it, eth1 can receive it (and also the reverse)! I can even see the MAC address table updated with MAC addresses from distant computers in the administration pages for the integrated switch in the router...
but no IP traffic is running!

Mada
Posts: 102
Joined: Sat Jun 20, 2015 9:40 am

Re: LAN to LAN bridge and the use of dedicated NICs

Post by Mada » Mon Aug 01, 2016 8:45 am

Knight wrote:
> Mada wrote:
> > Well, if you want to communicate with the server running softether, through
> > softether, there is a number of problems:
> >
> > 1. A switch will never send a packet back out on the same port where it was
> > received.
> > 2. Even if you have two NICs attached to different ports on the switch, if both
> > are promiscuous without an IP, how do you address the server through them?
> >
> > I suggest you use 3 NICs. NIC 1 for Internet, NIC 2 in promiscuous mode
> > (without IP) local-bridged for SoftEther, and NIC 3 attached to the same
> > switch as NIC 2 and configured normally (static IP in your SoftEther range
> > or DHCP through SoftEther), with nothing to do with the SoftEther local
> > configuration.
> >
> > You should be able to talk to NIC 3 from the inside. Works for me.
>
> Whoa, what a pretty complex setting! IMHO
>
> Why is there a need for an additional NIC dedicated to Internet access?
>
> In my setting, I already have eth0 with an IP address in the range 192.168.1.0/24 and
> eth1 without any IP address dedicated to SoftEther VPN (the same as you in fact).
>
> Internet is available to LAN through a modem-router provided by my ISP and its IP
> address is declared as gateway (also in 192.168.1.0/24 range) for my server in eth0
> declaration.
>
> The above remarks apply to both sites has network setups are symetrical... (Site A is
> in the range 192.168.1.1 to 192.168.1.120 while site B is in the range 192.168.1.130
> to 192.168.1.200)
>
> As you says, a packet cannot be sent back to the port which has sent it but if eth0
> is sending it, eth1 can receive it (and also the reverse)! I can even see the MAC
> address table updated with MAC addresses from distant computers in the administration
> pages for the integrated switch in the router...
> but no IP traffic is running!

Well, there are a number of reasons why one would like an "outside" and an "inside" separated by SoftEther. Having Internet traffic flow in and out from a remote point (via the VPN tunnel), for example. In this case, you would need an extra NIC in order to talk to the SE server from the "inside".

Knight
Posts: 7
Joined: Mon Jul 11, 2016 12:49 pm
Location: Paris, France

Re: LAN to LAN bridge and the use of dedicated NICs

Post by Knight » Mon Aug 08, 2016 8:10 am

thisjun wrote:
> I think there are two options.
>
> 1. Create a local bridge with eth0 and a tap device. Please use the tap device to
> communicate with the server over the VPN.
>
> 2. Exchange the roles of eth0 and eth1.

So finally, I have been able to test those solutions: the setup with the TAP interface for SoftEther VPN and the Linux bridge did finally work!
So now my link between the two sites is up and running.
Many thanks, thisjun!

But I would prefer using the more elegant solution of the dedicated NIC for the system configuration!
I can't figure why this is not working...

Mada
Posts: 102
Joined: Sat Jun 20, 2015 9:40 am

Re: LAN to LAN bridge and the use of dedicated NICs

Post by Mada » Mon Aug 08, 2016 10:36 am

Knight wrote:
> thisjun wrote:
> > I think there are two options.
> >
> > 1. Create a local bridge with eth0 and a tap device. Please use the tap device to
> > communicate with the server over the VPN.
> >
> > 2. Exchange the roles of eth0 and eth1.
>
> So finally, I have been able to test those solutions: the setup with the TAP
> interface for softether VPN and the linux bridge did finally work!
> So now my link between the two sites is up and running.
> Many thanks, thisjun!
>
> But I would prefer using the more elegant solution of the dedicated NIC for the
> system configuration!
> I can't figure why this is not working...

Your TAP device? Is it connected to a physical NIC? eth0? Or are you using a dummy interface?

Knight
Posts: 7
Joined: Mon Jul 11, 2016 12:49 pm
Location: Paris, France

Re: LAN to LAN bridge and the use of dedicated NICs

Post by Knight » Mon Aug 08, 2016 12:14 pm

I think I did not explain clearly enough what the working setup is.

I have modified the SoftEther VPN local bridge to use a TAP device instead of the real NIC (here it is eth0 on my server).
Then, under Linux, I modified the network settings for the system by using a Linux bridge linking eth0 to the new TAP device in order for both devices to see the external world.

I provide here the content of /etc/network/interfaces on my server (the settings are the same on the other server at the opposite side of the VPN link):
-------------------------------------------------------------------------
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface: no IP address of its own, it only serves
# as a port of the bridge br0 below
auto eth0
iface eth0 inet static
    address 0.0.0.0

# The VPN TAP network interface, created by Linux (tunctl, from uml-utilities)
# before SoftEther starts; the name must be "tap_" + the SoftEther DeviceName
auto tap_vpn
iface tap_vpn inet static
    pre-up tunctl -t tap_vpn
    address 0.0.0.0
    # same MAC as eth0 and as TapMacAddress in the SoftEther config
    hwaddress ether XX:XX:XX:XX:XX:XX

# The bridge network interface (the bridge_* options need the bridge-utils
# package); this is the only interface carrying the server's LAN address
auto br0
iface br0 inet static
    bridge_ports eth0 tap_vpn
    address 192.168.1.1
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.120
-------------------------------------------------------------------------
For the TAP MAC address, use eth0's MAC address, as the bridge will use either eth0's or the TAP's depending on which comes up last during the bridge creation. So using eth0's MAC address for the TAP device ensures that the bridge will use a real MAC address for communications with the outside...

The TAP device is created by Linux instead of by SoftEther VPN in order for it to be included in the Linux bridge at boot time, as network interfaces are supposed to be up before any VPN can be created.
The trick is to ensure that the TAP device in Linux has the "tap_" prefix prepended to the TAP device name used in SoftEther VPN (and also the same MAC address).

Here is an extract of Softether VPN configuration file for the corresponding local bridge:
-------------------------------------------------------------------------
declare LocalBridgeList
{
    bool DoNotDisableOffloading false

    declare LocalBridge0
    {
        string DeviceName vpn
        string HubName BRIDGE
        bool LimitBroadcast false
        bool MonitorMode false
        bool NoPromiscuousMode false
        string TapMacAddress XX-XX-XX-XX-XX-XX
        bool TapMode true
    }
}
-------------------------------------------------------------------------

I hope I have been a little clearer with the settings of the servers...
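
As an added example, not part of the original post and not SoftEther's own code: a small Python pre-flight check that parses the two fragments in the post above (the SoftEther LocalBridge block and the ifupdown stanzas) and verifies the conventions Knight describes before you run `ifup`: the Linux tap device must be named "tap_" + DeviceName, its hwaddress must equal TapMacAddress (SoftEther writes the MAC with dashes, Linux with colons), and the tap and eth0 must both be ports of one Linux bridge while carrying no IP address themselves. The two configuration texts embedded in it are constructed samples with a made-up locally administered MAC, and the parsers only handle the simple line shapes shown on this page.

```python
"""Added example (not from the post or SoftEther): cross-check a SoftEther TapMode
local bridge against the ifupdown stanzas bridging it to eth0. The Linux tap must be
"tap_" + DeviceName with the same MAC as TapMacAddress (aa:bb:.. vs AA-BB-.. forms).
Both configs below are constructed samples; the MAC is a made-up locally administered one."""
import re

SOFTETHER_CFG = """\
declare LocalBridgeList
{
    declare LocalBridge0
    {
        string DeviceName vpn
        string TapMacAddress 02-11-22-33-44-55
        bool TapMode true
    }
}
"""
INTERFACES_CFG = """\
auto eth0
iface eth0 inet static
    address 0.0.0.0
auto tap_vpn
iface tap_vpn inet static
    pre-up tunctl -t tap_vpn
    address 0.0.0.0
    hwaddress ether 02:11:22:33:44:55
auto br0
iface br0 inet static
    bridge_ports eth0 tap_vpn
    address 192.168.1.1
    netmask 255.255.255.0
"""


def norm_mac(mac):
    """Accept 'AA-BB-CC-DD-EE-FF' or 'aa:bb:cc:dd:ee:ff'; return lowercase colon form."""
    parts = re.split(r"[-:]", mac.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError("bad MAC address: %r" % mac)
    return ":".join(p.lower() for p in parts)


def parse_softether_bridges(text):
    """Return one dict per 'declare LocalBridgeN { type key value ... }' block."""
    bridges, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"declare (LocalBridge\d+)$", line)
        if m:
            cur = {"_name": m.group(1)}
            bridges.append(cur)
        elif line == "}":
            cur = None
        elif cur is not None:
            m = re.match(r"(bool|string|uint) (\w+)\s*(.*)$", line)
            if m:
                typ, key, val = m.groups()
                cur[key] = (val == "true") if typ == "bool" else val
    return bridges


def parse_interfaces(text):
    """Return {iface: {'method': ..., 'opts': {option: value}}} from ifupdown text."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "iface" and len(words) >= 4:
            cur = {"method": words[3], "opts": {}}
            ifaces[words[1]] = cur
        elif words[0] in ("auto", "allow-hotplug", "source", "mapping"):
            cur = None  # these keywords end the current stanza
        elif cur is not None:
            cur["opts"][words[0]] = " ".join(words[1:])
    return ifaces


def check(softether_text, interfaces_text, phys_nic="eth0"):
    """Return a list of problems; an empty list means the two configs agree."""
    problems, ifaces = [], parse_interfaces(interfaces_text)
    bridges = [d for d in ifaces.values() if "bridge_ports" in d["opts"]]
    for lb in parse_softether_bridges(softether_text):
        if not lb.get("TapMode"):
            continue  # a local bridge onto a real NIC has no Linux-side tap to check
        tap = "tap_" + lb.get("DeviceName", "")  # SoftEther prefixes tap names
        dev = ifaces.get(tap)
        if dev is None:
            problems.append("%s: no iface stanza named %s" % (lb["_name"], tap))
            continue
        hw = dev["opts"].get("hwaddress", "ether -").split()[-1]  # 'ether <mac>'
        try:
            if norm_mac(hw) != norm_mac(lb.get("TapMacAddress", "")):
                problems.append("%s: hwaddress %s != TapMacAddress %s" % (tap, hw, lb["TapMacAddress"]))
        except ValueError as exc:
            problems.append("%s: %s" % (tap, exc))
        if not any({tap, phys_nic} <= set(d["opts"]["bridge_ports"].split()) for d in bridges):
            problems.append("no Linux bridge has both %s and %s in bridge_ports" % (tap, phys_nic))
        for port in (tap, phys_nic):
            addr = ifaces.get(port, {}).get("opts", {}).get("address", "0.0.0.0")
            if addr != "0.0.0.0":
                problems.append("%s carries %s; bridge ports should have no IP" % (port, addr))
    return problems
```

Running `check(open("/path/to/vpn_bridge.config").read(), open("/etc/network/interfaces").read())` on a real pair returns an empty list when the two files agree; each string it returns names the stanza or local bridge at fault, so a renamed tap, a MAC typed differently in the two files, or a leftover IP on eth0 shows up before the bridge is brought up.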

Mada
Posts: 102
Joined: Sat Jun 20, 2015 9:40 am

Re: LAN to LAN bridge and the use of dedicated NICs

Post by Mada » Thu Aug 11, 2016 2:34 pm

Knight wrote:
> I think I did not explain clearly enough what is the working setup.
>
> I have modified the Softether VPN local bridge to use a TAP device instead
> of the real NIC (here it is eth0 on my server).
> Then, under Linux, I modified the network settings for the system by using
> a Linux bridge linking eth0 to the new TAP device in order for both devices
> to see the external world.
>
> I provide here the content of /etc/network/interfaces on my server (the
> settings are the same on the other server at the opposite side of the VPN
> link):
> -------------------------------------------------------------------------
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The primary network interface
> auto eth0
> iface eth0 inet static
> address 0.0.0.0
>
> # The VPN TAP network interface
> auto tap_vpn
> iface tap_vpn inet static
> pre-up tunctl -t tap_vpn
> address 0.0.0.0
> hwaddress ether XX:XX:XX:XX:XX:XX
>
> # The bridge network interface
> auto br0
> iface br0 inet static
> bridge_ports eth0 tap_vpn
> address 192.168.1.1
> netmask 255.255.255.0
> network 192.168.1.0
> broadcast 192.168.1.255
> gateway 192.168.1.120
> -------------------------------------------------------------------------
> For the TAP MAC address, use eth0's MAC address, as the bridge will use
> either eth0's or the TAP's depending on which comes up last during
> the bridge creation. So using eth0's MAC address for the TAP device ensures
> that the bridge will use a real MAC address for communications with the
> outside...
>
> The TAP device is created by Linux instead of softether VPN in order for it
> to be included in the Linux bridge at boot time as network interfaces are
> supposed to be up before any VPN can be created.
> The trick is to ensure that the TAP device in Linux has the
> "tap_" prefix prepended to the TAP device name used in softether
> VPN (and also the same MAC address).
>
> Here is an extract of Softether VPN configuration file for the
> corresponding local bridge:
> -------------------------------------------------------------------------
> declare LocalBridgeList
> {
> bool DoNotDisableOffloading false
>
> declare LocalBridge0
> {
> string DeviceName vpn
> string HubName BRIDGE
> bool LimitBroadcast false
> bool MonitorMode false
> bool NoPromiscuousMode false
> string TapMacAddress XX-XX-XX-XX-XX-XX
> bool TapMode true
> }
> }
> -------------------------------------------------------------------------
>
> I hope I have been a little clearer with the settings of the servers...

Ok, so if I understand you correctly; in your setup a packet will arrive at the SE computer. SE will output it on eth1, which is physically attached to eth0? The packet is received logically on tap. Physically it arrives at eth0 (which is bridged in the OS with eth0)?

My problem is that eth0 and eth1 have no physical Ethernet connection. So I had to add one more NIC.

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: LAN to LAN bridge and the use of dedicated NICs

Post by thisjun » Mon Aug 29, 2016 7:09 am

>Mada
SoftEther VPN Server outputs the packet to the tap device (not eth1).
The OS can receive the packet from the tap.

triwaves
Posts: 27
Joined: Mon May 16, 2016 3:11 pm

Re: LAN to LAN bridge and the use of dedicated NICs

Post by triwaves » Wed Aug 31, 2016 2:42 pm

> > I hope I have been a little clearer with the settings of the servers...
>
> Ok, so if I understand you correctly; in your setup a packet will arrive at the SE
> computer. SE will output it on eth1, which is physically attached to eth0? The packet
> is received logically on tap. Physically it arrives at eth0 (which is bridged in the OS
> with eth0)?
>
> My problem is that eth0 and eth1 have no physical Ethernet connection. So I had to add
> one more NIC.

You seem to have addressed a situation similar to what I am trying to do, except I'm not in a LAN-to-LAN configuration; I just have a single server that one client at a time accesses.

I had started a thread with a network diagram attached but still haven't solved my problem - if you have any insight from your experiences I would much appreciate it!

http://www.vpnusers.com/viewtopic.php?f=7&t=5796#p16810

I'm confused about what the setup options are for SecureNAT and its limitations. My understanding is that there is a limitation with accessing services on the same machine as the Linux host, but is there a configuration I can employ to work around it? I want to SSH to my Linux machine that is hosting SoftEther VPN Server and also access a shared file directory on that server.

Can I take advantage of the fact that I have multiple NICs available? Currently I have eth0 connected to the main WiFi router (for WAN and LAN access); eth1 is unconnected and wlan0 is unconnected. Only a tunnel is defined in the SoftEther bridge setup.

Should I do something different to access the Linux server itself?

Thanks

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: LAN to LAN bridge and the use of dedicated NICs

Post by thisjun » Mon Sep 12, 2016 5:44 am

If you use SecureNAT, please try usermode SecureNAT.

Mada
Posts: 102
Joined: Sat Jun 20, 2015 9:40 am

Re: LAN to LAN bridge and the use of dedicated NICs

Post by Mada » Tue Sep 13, 2016 1:16 pm

thisjun wrote:
> >Mada
> SoftEther VPN Server outputs the packet to the tap device (not eth1).
> The OS can receive the packet from the tap.

Yes, ok, but the tap and eth0 are linked by a bridge in Linux/the OS. eth0 is physical and on the same switch as eth1.

Are you sure this would work without eth0 and eth1 being on the same switch?

Knight
Posts: 7
Joined: Mon Jul 11, 2016 12:49 pm
Location: Paris, France

Re: LAN to LAN bridge and the use of dedicated NICs

Post by Knight » Tue Sep 13, 2016 1:26 pm

I've not been able to get two physical Ethernet interfaces linked to the same switch working on my system.
But as I said earlier, the working setup is similar, though entirely virtual, with the Linux bridge linking eth0 and the TAP device used by SoftEther VPN.
Just set up your system similarly to mine by following the settings given earlier and you should be up and running.

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: LAN to LAN bridge and the use of dedicated NICs

Post by thisjun » Wed Oct 05, 2016 7:06 am

>>Mada
If you create local bridges with SoftEther to both the tap and eth0, bridging by Linux and a physical connection aren't needed.
