Layer 3 Site-to-Site Fails only in one direction

rHipsh
Posts: 6
Joined: Wed Mar 01, 2017 6:12 pm

Layer 3 Site-to-Site Fails only in one direction

Post by rHipsh » Wed Mar 08, 2017 2:28 pm

Good afternoon!

I have a problem.

If I set up the remote hub as simply bridged to the LAN, everything works.

However, I want to use the Layer 3 switch.

I have a basic test setup to try to utilize the Layer 3 switch.

I have one switch with two interface cards. One interface card is connected to a hub within SoftEther. This interface is connected to the hub that is bridged to a physical card that is connected to the local network.

The second interface card is connected to another hub that has a host that connects remotely.

LAN Card: 10.34.0.3
Remote Card: 10.34.1.10

The host connects to the hub successfully and is assigned 10.34.1.100 with a route pushed to it:
10.34.0.0/255.255.255.0/10.34.1.10
Because I can ping 10.34.0.3 it means I have a route to the 10.34.0.0 network. And the fact that I can ping the router/gateway on the 10.34.0.0 network, means I have a route. However, I cannot ping any other host on that network.

From the LAN, all the IP addresses can be pinged, including the remote host. However, from the remote host, only 10.34.1.10, 10.34.0.3 and 10.34.0.1 can be pinged.

10.34.0.1 is the LAN's local router/gateway.

Just as a more concrete example:
A local host has the IP address 10.34.0.178.

If I try to ping 10.34.1.100 from 10.34.0.178, it works.
If I try to ping 10.34.0.178 from 10.34.1.10, it does not work.

The only errors that show up in the logs are:

2017-03-07 09:43:45.411 [HUB "Test"] Session "SID-TEST-27": A large volume of broadcast packets has been detected. There are cases where packets are discarded based on the policy. The source MAC address is 00-AC-F3-14-02-61, the source IP address is 10.34.1.100, the destination IP address is 239.255.255.250. The number of broadcast packets is equal to or larger than 56 items per 1 second (note this information is the result of mechanical analysis of part of the packets and could be incorrect).

This error only occurs when I ping a host on the LAN from the remote host.

If I ping the router from the remote host, the error does not occur.

Any clues as to what is going on would be greatly appreciated.

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: Layer 3 Site-to-Site Fails only in one direction

Post by thisjun » Thu Mar 23, 2017 6:18 am

Did you configure routing to 10.34.1.0/24 on the router (10.34.0.1)?

rHipsh
Posts: 6
Joined: Wed Mar 01, 2017 6:12 pm

Re: Layer 3 Site-to-Site Fails only in one direction

Post by rHipsh » Fri Mar 31, 2017 3:24 pm

Yes. I configured the router with a route to 10.34.1.0/24. As a consequence, from 10.34.1.0 I can ping the router and get a response. But beyond the router, to another device, I could not get a ping back.

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: Layer 3 Site-to-Site Fails only in one direction

Post by thisjun » Thu Apr 06, 2017 6:43 am

I think your router doesn't support hairpin routing.
So, please change the router or configure a route on each host.

rHipsh
Posts: 6
Joined: Wed Mar 01, 2017 6:12 pm

Re: Layer 3 Site-to-Site Fails only in one direction

Post by rHipsh » Thu Apr 13, 2017 1:45 pm

Thank you for your reply.

I ended up setting up the connection as a bridge and did the hairpin routing.

You are correct. What I needed to do was the hairpin routing.

I have that configured on the router:

NAT:
src-nat 10.34.1.0/24 dst: 10.34.0.0/24 masquerade
and
src-nat 10.34.0.0/24 dst: 10.34.1.0/24 masquerade

And now it works and everyone is happy with the local security settings on the network devices.

Thank you for your comment. I hope this little bit of information is helpful to someone else.
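To make the two answers in this thread concrete, here is an added example (not code from the thread or from SoftEther) that models the topology rHipsh described and traces an echo request and its reply hop by hop. Device names (remote_host, l3switch, router, lan_host) are assumptions; the addresses are the ones from the posts. The router's inability to "hairpin" (thisjun's diagnosis) is modelled as a flag that makes it drop any packet it would have to send back out the interface it arrived on; thisjun's two fixes are modelled as a per-host route to 10.34.1.0/24 via 10.34.0.3 and as a router that does hairpin. The NAT masquerade configuration from the last post is not modelled.

```python
import ipaddress

# Constructed model of the topology in the thread (example code, not SoftEther's):
#   remote_host 10.34.1.100 -- L3 switch (10.34.1.10 / 10.34.0.3) -- LAN 10.34.0.0/24
#   LAN also holds the router 10.34.0.1 (default gateway) and lan_host 10.34.0.178.
# Each device has its addresses, a routing table of (prefix, next_hop) where
# next_hop None means "on-link", and a flag saying whether it will forward a
# packet back out the interface it arrived on (hairpin routing).
def make_devices(lan_host_has_vpn_route=False, router_hairpin=False):
    lan_host_routes = [("10.34.0.0/24", None)]
    if lan_host_has_vpn_route:
        lan_host_routes.append(("10.34.1.0/24", "10.34.0.3"))  # thisjun's "route on each host"
    lan_host_routes.append(("0.0.0.0/0", "10.34.0.1"))
    return {
        "remote_host": {"addrs": {"10.34.1.100"}, "hairpin": True,
                        "routes": [("10.34.1.0/24", None),
                                   ("10.34.0.0/24", "10.34.1.10")]},  # route pushed by the hub
        "l3switch": {"addrs": {"10.34.1.10", "10.34.0.3"}, "hairpin": True,
                     "routes": [("10.34.1.0/24", None), ("10.34.0.0/24", None)]},
        "router": {"addrs": {"10.34.0.1"}, "hairpin": router_hairpin,
                   "routes": [("10.34.0.0/24", None),
                              ("10.34.1.0/24", "10.34.0.3")]},  # route rHipsh added on the router
        "lan_host": {"addrs": {"10.34.0.178"}, "hairpin": True, "routes": lan_host_routes},
    }

def lookup(routes, dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def iface_for(dev, addr):
    """The connected network (interface) on which addr is reachable directly."""
    for prefix, nh in dev["routes"]:
        if nh is None and ipaddress.ip_address(addr) in ipaddress.ip_network(prefix):
            return ipaddress.ip_network(prefix)
    return None

def owner(devices, addr):
    """Name of the device that holds addr, or None."""
    for name, dev in devices.items():
        if addr in dev["addrs"]:
            return name
    return None

def trace(devices, src, dst, max_hops=8):
    """Follow one packet from device src towards dst; returns (path, outcome)."""
    path, cur, prev_addr = [src], src, None
    for _ in range(max_hops):
        dev = devices[cur]
        if dst in dev["addrs"]:
            return path, "delivered"
        route = lookup(dev["routes"], dst)
        if route is None:
            return path, "no route"
        nh = route[1] or dst                      # on-link routes deliver to dst itself
        out_if = iface_for(dev, nh)
        if out_if is None:
            return path, "next hop not on-link"
        # A non-hairpinning router will not send the packet back out the interface it came in on.
        if prev_addr is not None and iface_for(dev, prev_addr) == out_if and not dev["hairpin"]:
            return path, "dropped: router refuses hairpin"
        nxt = owner(devices, nh)
        if nxt is None:
            return path, "next hop unreachable"
        prev_addr = next(a for a in dev["addrs"] if ipaddress.ip_address(a) in out_if)
        cur = nxt
        path.append(cur)
    return path, "hop limit exceeded"

def ping(devices, src_addr, dst_addr):
    """Echo request src->dst plus echo reply dst->src; True only if both legs are delivered."""
    fwd = trace(devices, owner(devices, src_addr), dst_addr)
    if fwd[1] != "delivered":
        return False, fwd, None
    rev = trace(devices, owner(devices, dst_addr), src_addr)
    return rev[1] == "delivered", fwd, rev

if __name__ == "__main__":
    for label, devs in [("as posted", make_devices()),
                        ("route on each host", make_devices(lan_host_has_vpn_route=True)),
                        ("router that hairpins", make_devices(router_hairpin=True))]:
        ok, fwd, rev = ping(devs, "10.34.1.100", "10.34.0.178")
        print(f"{label}: remote -> 10.34.0.178 works={ok}  request={fwd}  reply={rev}")
    print("as posted: remote -> 10.34.0.1 works =", ping(make_devices(), "10.34.1.100", "10.34.0.1")[0])
```

In the "as posted" configuration the request reaches 10.34.0.178 through the L3 switch, but the reply follows the host's default route to 10.34.0.1, and the router would have to turn it around on the same LAN interface, which is exactly the hairpin case; pinging 10.34.0.1 itself works because the router answers with its own route to 10.34.1.0/24 via 10.34.0.3. Either fix makes the reply path match. Note that this simple model also blocks the LAN-to-remote direction, whereas rHipsh reported that direction working; a router that forwards but applies per-flow state (dropping replies for flows whose request it never saw) would give the reported one-way symptom, so that is worth checking on the router as well.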
