replacing SecureNAT with local bridge?
-
- Posts: 32
- Joined: Mon Nov 02, 2015 7:45 am
replacing SecureNAT with local bridge?
I have a Softether server setup on AWS, and everything works fine. It's all just the most basic installation with minimal configuration.
However, I am looking into replacing SecureNAT with a local bridge to improve performance. I duly disabled SecureNAT and then created a bridge between my only NIC and the virtual hub.
But now, I can't access the internet.
What is the right way to go about this? Thanks a lot!
-
- Posts: 25
- Joined: Tue Dec 15, 2015 7:45 am
Re: replacing SecureNAT with local bridge?
It looks like something is blocking the bridge. Maybe you have an "advanced" antivirus solution that has its own firewall and needs to be configured. Please try uninstalling (not only disabling) any vendor-specific firewall and update the forum.
-
- Posts: 32
- Joined: Mon Nov 02, 2015 7:45 am
Re: replacing SecureNAT with local bridge?
mbrcomp wrote:
> It looks like something is blocking the bridge. Maybe you have an
> "advanced" antivirus solution that has its own firewall and needs
> to be configured. Please try uninstalling (not only disabling) any
> vendor-specific firewall and update the forum.
Thanks for the reply!
Unfortunately, I don't have any anti-virus or firewall installed. I have also tried disabling the built in Windows firewall to no effect.
Not sure if this matters, but I am using Windows Server 2012 R2 hosted on Amazon AWS.
Please find an enclosed screenshot of the bridge I created
-
- Posts: 202
- Joined: Wed Jul 10, 2013 2:07 pm
Re: replacing SecureNAT with local bridge?
SoftEther is a so-called "Layer-2 VPN" protocol (Layer 2 is, for example, Ethernet).
If you "bridge direct to your server NIC", it's like you put a cable between your VPN client and the (virtual) switch port of your server. I would say Amazon did not like that. From the view of Amazon, it's a bit like you plug in a second server next to yours.
So, you should instead bridge to a virtual device (tap device) and then do NAT between the new virtual device and the "real" NIC.
I have no idea how to do it on a Windows server. On normal user Windows (7, 8, 10) it's called "Internet sharing". Maybe this helps.
-
- Posts: 25
- Joined: Tue Dec 15, 2015 7:45 am
Re: replacing SecureNAT with local bridge?
Technically, it should work. The bridge would make any computer that successfully connects to the VPN a LAN-connected computer. Except if you have made access list rules on the virtual hub that may interfere. If you did, try disabling any major blocking rules and see if it helps.
-
- Posts: 32
- Joined: Mon Nov 02, 2015 7:45 am
Re: replacing SecureNAT with local bridge?
qupfer wrote:
> SoftEther is a so-called "Layer-2 VPN" protocol (Layer 2 is, for
> example, Ethernet).
> If you "bridge direct to your server NIC", it's like you put a
> cable between your VPN client and the (virtual) switch port of your server.
> I would say Amazon did not like that. From the view of Amazon, it's a bit
> like you plug in a second server next to yours.
>
> So, you should instead bridge to a virtual device (tap device) and then
> do NAT between the new virtual device and the "real" NIC.
> I have no idea how to do it on a Windows server. On normal user Windows
> (7, 8, 10) it's called "Internet sharing". Maybe this helps.
Thanks a lot for your post! That makes sense.
I have seen online guides with references to a "tap device", and was beginning to suspect that its absence in my configuration was to blame.
Do you happen to know how to create a tap device in Windows 7/8/10? I believe Internet Sharing is a fairly wide ranging windows service that covers a lot of ground.
-
- Posts: 32
- Joined: Mon Nov 02, 2015 7:45 am
Re: replacing SecureNAT with local bridge?
mbrcomp wrote:
> Technically, it should work. The bridge would make any computer that
> successfully connects to the VPN a LAN-connected computer. Except if you
> have made access list rules on the virtual hub that may interfere. If you
> did, try disabling any major blocking rules and see if it helps.
Thanks for getting back to me. I think the problem may be that Amazon won't assign me an IP address if they see my laptop/desktop connected to their LAN network.
One solution may be to bridge to an intermediate "tap device". Do you happen to know how to create such a device on Windows?
-
- Posts: 202
- Joined: Wed Jul 10, 2013 2:07 pm
Re: replacing SecureNAT with local bridge?
xodc wrote:
> I have seen online guides with references to a "tap device", and was beginning to
> suspect that its absence in my configuration was to blame.
The TAP-Device is easy to create :-)
https://usa.07q.de/tap.png
For enabling NAT, maybe this helps (I just forgot the link in my first answer^^)
https://technet.microsoft.com/en-us/lib ... 69812.aspx
http://www.dell.com/support/article/us/ ... OW10169/EN
-
- Posts: 32
- Joined: Mon Nov 02, 2015 7:45 am
Re: replacing SecureNAT with local bridge?
qupfer wrote:
> xodc wrote:
> > I have seen online guides with references to a "tap device", and was
> > beginning to suspect that its absence in my configuration was to blame.
>
> The TAP-Device is easy to create :-)
> https://usa.07q.de/tap.png
>
> For enabling NAT, maybe this helps (I just forgot the link in my first answer^^)
> https://technet.microsoft.com/en-us/lib ... 69812.aspx
> http://www.dell.com/support/article/us/ ... OW10169/EN
I just managed to get Softether installed on an Ubuntu server. I created a tap device to bridge the virtual hub with, and I followed this guide here for local bridging: http://blog.lincoln.hk/blog/2013/05/17/ ... al-bridge/
Now, when I connect via VPN, I get an IP address. However, I am still unable to access the internet. Any ideas? Thanks!
-
- Posts: 202
- Joined: Wed Jul 10, 2013 2:07 pm
Re: replacing SecureNAT with local bridge?
please post the output of
"cat /proc/sys/net/ipv4/ip_forward"
and
"sudo iptables -t nat -L -v"
That you get an IP from dnsmasq is a good sign, because that means your VPN itself is working.
-
- Posts: 32
- Joined: Mon Nov 02, 2015 7:45 am
Re: replacing SecureNAT with local bridge?
qupfer wrote:
> please post the output of
> "cat /proc/sys/net/ipv4/ip_forward"
> and
> "sudo iptables -t nat -L -v"
>
> That you get an IP from dnsmasq is a good sign, because that means your VPN
> itself is working.
cat /proc/sys/net/ipv4/ip_forward
1
sudo iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 383 packets, 57154 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 166 packets, 30507 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2694K packets, 555M bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 2694K packets, 555M bytes)
pkts bytes target prot opt in out source destination
663 52321 SNAT all -- any any ip-192-168-7-0.ap-northeast-1.compute.internal/24 anywhere to:[VPN Server IP]
0 0 SNAT all -- any any ip-192-168-7-0.ap-northeast-1.compute.internal/24 anywhere to:[VPN Server IP]
-
- Posts: 32
- Joined: Mon Nov 02, 2015 7:45 am
Re: replacing SecureNAT with local bridge?
I noticed something strange: the "public" IP address of my VPN server (i.e. the address I SSH to) is different from the IP address of the ethernet adapter. In the screenshot, I SSH'd to the 127 IP, but for eth0, it was 217.
Could this be the cause of connection issues?
---
UPDATE: tried both IPs using the command: iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -j SNAT --to-source [IP Address]
neither worked.
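An added example, not part of any post in this thread: a shell check over captured `iptables -t nat -S POSTROUTING` and `ip -o -4 addr show` output (the numeric rule-spec form rather than the `-L -v` listing quoted above) that reports whether IP forwarding is on, whether the VPN subnet has a SNAT or MASQUERADE rule, and whether a SNAT `--to-source` address is actually bound to a local interface. The sample captures, every address other than 192.168.7.0/24, and the `tap_soft` device name are constructed assumptions.

```shell
#!/bin/sh
# Added example: offline audit of the NAT rule behind a tap bridge.
# All addresses are constructed; 192.168.7.0/24 is the thread's VPN subnet.

# Constructed capture of `iptables -t nat -S POSTROUTING`: SNAT to a public IP.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.7.0/24 -j SNAT --to-source 203.0.113.127'

# Constructed capture of `ip -o -4 addr show` (tap_soft is an assumed name).
# On EC2 only the private address is bound to eth0; the public one is not.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 172.31.5.217/20 brd 172.31.15.255 scope global eth0
3: tap_soft    inet 192.168.7.1/24 brd 192.168.7.255 scope global tap_soft'

# Print the IPv4 addresses found in `ip -o -4 addr show` text on stdin.
local_addrs() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "inet") { split($(i + 1), a, "/"); print a[1] } }'
}

# audit_nat SUBNET RULES ADDRS IP_FORWARD
# Prints one verdict; returns 0 OK, 1 NO_RULE, 2 SNAT_NOT_LOCAL, 3 FORWARDING_OFF.
audit_nat() {
    subnet=$1 rules=$2 addrs=$3 fwd=$4
    if [ "$fwd" != 1 ]; then echo FORWARDING_OFF; return 3; fi
    locals=$(printf '%s\n' "$addrs" | local_addrs | tr '\n' ' ')
    printf '%s\n' "$rules" | awk -v subnet="$subnet" -v locals="$locals" '
        BEGIN { n = split(locals, l, " "); for (i = 1; i <= n; i++) isloc[l[i]] = 1 }
        $1 != "-A" || $2 != "POSTROUTING" { next }
        {
            src = tgt = to = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") tgt = $(i + 1)
                if ($i == "--to-source") to = $(i + 1)
            }
            if (src != subnet) next
            if (tgt == "MASQUERADE") found = 1
            if (tgt == "SNAT") { found = 1; if (!(to in isloc)) bad = bad " " to }
        }
        END {
            if (!found) { print "NO_RULE"; exit 1 }
            if (bad != "") { print "SNAT_NOT_LOCAL" bad; exit 2 }
            print "OK"
        }'
}

echo "sample verdict: $(audit_nat 192.168.7.0/24 "$SAMPLE_RULES" "$SAMPLE_ADDRS" 1)"
```

On a live host, pass `"$(sudo iptables -t nat -S POSTROUTING)"`, `"$(ip -o -4 addr show)"` and `"$(cat /proc/sys/net/ipv4/ip_forward)"` as the last three arguments.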
-
- Posts: 32
- Joined: Mon Nov 02, 2015 7:45 am
Re: replacing SecureNAT with local bridge?
Perhaps this post is instructive: viewtopic.php?t=3452&p=8210#p8210
But I'm not sure what he means by "using the built in softether DHCP server + iptables"
I thought the built in DHCP server also gets disabled if you disable SecureNAT?
-
- Posts: 2458
- Joined: Mon Feb 24, 2014 11:03 am
Re: replacing SecureNAT with local bridge?
In the latest version of SoftEther, SecureNAT is faster than tap in Linux.
-
- Posts: 289
- Joined: Wed Dec 28, 2022 9:10 pm
Re: replacing SecureNAT with local bridge?
It has been said for years and many times that SE virtual NAT is slow and has overhead and should be avoided to maximize throughput.
I also noticed a new release on GitHub.
Are you referring to this new version?
https://github.com/SoftEtherVPN/SoftEth ... /5.02.5181
Is there any official release note mentioning this change?
Still, I see people reporting issues about the speed of the DE version:
https://github.com/SoftEtherVPN/SoftEth ... 2077762338