LAN to LAN Bridge

Danpoulter
Posts: 30
Joined: Sun Apr 17, 2016 9:21 pm

LAN to LAN Bridge

Post by Danpoulter » Wed Apr 20, 2016 8:49 am

Hi,
I'm struggling with a LAN to LAN bridge on my company network and would really appreciate some help.
Both sites are running Windows, one is running the SoftEther VPN Server and the other is running the SoftEther Bridge. I have set up the cascading connections (which are shown as online), users and the local bridges as shown in the document but I still cannot access the main office from the secondary office. I assume I don't need to open any ports on either side?
Any help would be greatly appreciated

Many Thanks
Dan

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: LAN to LAN Bridge

Post by maltyx » Fri Apr 22, 2016 12:26 pm

I think you need to provide more details about your configuration for it to be possible to help you.

Danpoulter
Posts: 30
Joined: Sun Apr 17, 2016 9:21 pm

Re: LAN to LAN Bridge

Post by Danpoulter » Fri Apr 22, 2016 3:31 pm

Okay sorry for being vague just was not sure what you needed.
So one site is a 10.0.0.0/24 network the other is a 10.0.1.0/24 network
There is an AD server on the 10.0.1.0/24 network. The bridge (10.0.0.0 network) has a cascading connection set up to connect to the server on the 10.0.1.0 network which is all online and working according to the SoftEther software. However, when I try and set the IP at the second location to the 10.0.1.0 network I cannot communicate with the server site.
Let me know if you need anything else or have a solution.
Thanks
Dan

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: LAN to LAN Bridge

Post by maltyx » Sat Apr 23, 2016 8:55 am

Well, there are still details missing, but I will try to explain..

From your configuration I can assume that you are using Layer 3 Lan-2-Lan bridging (different IP nets on sites), so in this scenario you need to set up 2 virtual hubs on the VPN server at the central location and then add additional routes on each VPN server (or VPN bridge), in case they serve as your default routers on each segment, so that end-point stations will know how to route to remote side IPs. If your VPN servers are not default gateways you will need to configure additional routes on your border routers at each location and point routes to 10.0.0.0/24 and 10.0.1.0/24 to the VPN server/bridge and vice versa.

There is a useful SoftEther manual for your type of configuration:
http://www.softether.org/4-docs/1-manua ... P_Routing)

Danpoulter
Posts: 30
Joined: Sun Apr 17, 2016 9:21 pm

Re: LAN to LAN Bridge

Post by Danpoulter » Sat Apr 23, 2016 6:54 pm

Thanks for this,

Does the VPN Bridge need to be on the 10.0.0.0 network or the 10.0.1.0 network?
If I set both the networks to be the 10.0.1.0 network will it make it more simple as I will not need to set up the routing and the layer 3 switches, correct?

Thanks again
Dan

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: LAN to LAN Bridge

Post by maltyx » Sun Apr 24, 2016 8:56 am

Yes, you can set up both segments with the same IP scope .. it would be LAN L2 bridging .. That configuration does not require any additional routing ... the only question - will it be suitable for your networks?
Probably all your network traffic will be routed through the VPN connection you will create.. just like putting an additional switch/hub into your main site network ..

Danpoulter
Posts: 30
Joined: Sun Apr 17, 2016 9:21 pm

Re: LAN to LAN Bridge

Post by Danpoulter » Sun Apr 24, 2016 9:33 pm

Yes, that would work fine for me. I have now tried this but I am still having no luck. Maybe just me being a bit simple... Obviously there is a router at each site, now one is going to be 10.0.1.1 and the other 10.0.1.2, is that okay? Then the default gateway on either site should be 10.0.1.1?
Thanks for your help, I appreciate it and I do apologise for being a bit slow

Many thanks

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: LAN to LAN Bridge

Post by maltyx » Mon Apr 25, 2016 12:28 pm

Well, in case you choose the LAN-2-LAN-L2 config - all traffic (traffic to the remote network and internet traffic also) from the remote site has to go through the remote VPN bridge (that I can assume has 2 LAN cards: 1st - connected to the internet router, and 2nd - to the remote site switch or whatever you have there, which has to be configured with an IP from the main site scope).
The IP of the remote site router should not be from the IP scope of your main site .. it just connects the remote VPN bridge to the Internet ..

In case you choose the Lan-2-Lan-L3 scenario - then you need to add static routes for each remote side on both your VPN server and bridge and both routers that are default gateways for your subnets... main and remote, and point them to the VPN server and bridge on each location.
I hope I succeed to explain ..
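
The two layouts discussed in this thread, checked mechanically. This is an added example, not part of the original posts or of SoftEther's tooling; the `Site` fields, the remote gateway 10.0.0.1 and the .11/.12 host addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Site:
    name: str
    lan: str        # subnet the site's hosts use, in CIDR form
    gateway: str    # default gateway handed to those hosts
    vpn_host: str   # LAN-side IP of the VPN Server / VPN Bridge (None if the bridged NIC has no IP)
    routes: dict = field(default_factory=dict)  # static routes on the gateway: {dest CIDR: next hop}


def check_plan(mode, a, b):
    """Return a list of addressing problems for a LAN-to-LAN link in mode 'L2' or 'L3'."""
    if mode not in ("L2", "L3"):
        raise ValueError("mode must be 'L2' or 'L3'")
    problems = []
    nets = {s.name: ipaddress.ip_network(s.lan) for s in (a, b)}
    for s in (a, b):
        for label, ip in (("gateway", s.gateway), ("vpn_host", s.vpn_host)):
            if ip and ipaddress.ip_address(ip) not in nets[s.name]:
                problems.append(f"{s.name}: {label} {ip} is outside {nets[s.name]}")
    if mode == "L2":
        # One broadcast domain: both sites must share a single IP scope.
        if nets[a.name] != nets[b.name]:
            problems.append(f"L2 bridge needs one IP scope, got {nets[a.name]} and {nets[b.name]}")
        if a.vpn_host and a.vpn_host == b.vpn_host:
            problems.append(f"L2 bridge: address {a.vpn_host} is used at both sites")
        return problems
    # L3: distinct subnets, and each default gateway must hand remote traffic to the VPN machine.
    if nets[a.name].overlaps(nets[b.name]):
        problems.append(f"L3 routing needs distinct subnets, {nets[a.name]} overlaps {nets[b.name]}")
    for local, remote in ((a, b), (b, a)):
        if local.gateway == local.vpn_host:
            continue  # the VPN machine is the default router, so hosts already send to it
        dest = nets[remote.name]
        hop = local.routes.get(str(dest))
        if hop is None:
            problems.append(f"{local.name}: gateway {local.gateway} has no route to {dest}")
        elif hop != local.vpn_host:
            problems.append(f"{local.name}: route to {dest} goes to {hop}, not VPN host {local.vpn_host}")
    return problems


# Constructed plan based on the subnets named in the thread.
MAIN = Site("main", "10.0.1.0/24", "10.0.1.1", "10.0.1.11")
REMOTE = Site("remote", "10.0.0.0/24", "10.0.0.1", "10.0.0.11")

if __name__ == "__main__":
    for mode in ("L2", "L3"):
        print(mode, check_plan(mode, MAIN, REMOTE) or "plan is consistent")
```

With two different subnets the L2 check reports the scope mismatch, and the L3 check reports the missing static route on each site's gateway.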

Danpoulter
Posts: 30
Joined: Sun Apr 17, 2016 9:21 pm

Re: LAN to LAN Bridge

Post by Danpoulter » Mon Apr 25, 2016 4:03 pm

That's very helpful thank you. It clears a lot up for me. So to clarify one network card should be on the remote sites local network and the other should be the main sites network so 10.0.0.11 and 10.0.1.11 for example?

Thanks again
Dan

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: LAN to LAN Bridge

Post by maltyx » Mon Apr 25, 2016 4:28 pm

Let's define what scenario you are going to use? Layer2 Bridge?

In this case: the external NIC's IP address is from the same subnet that your remote router IP is ... on the internal NIC of the VPN bridge server you do not have to set up an IP at all if you are going to make a Lan-2-Lan-L2 bridge (you can set up an IP from the main site's IP scope in case you would like to manage this VPN bridge from another PC with Admin tools installed).

Danpoulter
Posts: 30
Joined: Sun Apr 17, 2016 9:21 pm

Re: LAN to LAN Bridge

Post by Danpoulter » Mon Apr 25, 2016 8:22 pm

I have set up this connection with L2 connection and followed the steps and still have nothing?

The bridge and server are transferring packets and bytes too but I still cannot communicate with anything on the main network

Thanks
Dan

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: LAN to LAN Bridge

Post by maltyx » Tue Apr 26, 2016 1:18 pm

could you draw network diagram of your configuration for debug purpose?

Danpoulter
Posts: 30
Joined: Sun Apr 17, 2016 9:21 pm

Re: LAN to LAN Bridge

Post by Danpoulter » Tue Apr 26, 2016 5:23 pm

I have attached a network diagram for the main site and remote site.
[Attachment: Network Diagram SoftEther.PNG]
Thank you
Dan

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: LAN to LAN Bridge

Post by maltyx » Tue Apr 26, 2016 7:52 pm

Well, I am a bit confused ..
1. Router and "Connection to internet" is the same device or there are 2 different devices on each location?
2. Main site's VPN server has only one network card?
3. In case you want to establish a Lan-2-Lan-Layer2 bridge you will need to configure all network devices within the same IP scope .. Are you aware of this?

Danpoulter
Posts: 30
Joined: Sun Apr 17, 2016 9:21 pm

Re: LAN to LAN Bridge

Post by Danpoulter » Tue Apr 26, 2016 7:57 pm

The routers connect the network to the internet
The main site VPN server has two but they are both on the same subnet and all the devices on the network are set by dhcp server apart from the servers which are all on the same subnet

Thanks

Danpoulter
Posts: 30
Joined: Sun Apr 17, 2016 9:21 pm

Re: LAN to LAN Bridge

Post by Danpoulter » Tue Apr 26, 2016 7:58 pm

I'm saying that the switches on the remote site are the two different networks one being the main network and the other the local connection

Thanks

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: LAN to LAN Bridge

Post by maltyx » Tue Apr 26, 2016 8:14 pm

OK,
1. "Main site internet connection" device located on the Main site - right?
2. Main site's VPN server has NICs - good, 1st - configured with IP, will serve you to connect the VPN server to the Main site network (by the way - maybe you have a DMZ at the main site - I would put the 1st NIC into a DMZ and publish it to the internet with a public IP), the 2nd NIC will have NO IP at all and will be connected to the Main site LAN switch and will be configured as a NIC for your virtualHub on the VPN server
3. Create a VirtualHub for the main site (name it somehow), bind the 2nd NIC to this virtualhub and create any user in this Hub for the remote site connection
4. On the Remote side: configure the VPN bridge with 2 NICs as follows: 1st NIC to connect the VPN bridge to the Internet, 2nd may have no IP or, if you would like to manage it remotely from the Main site, set it with an IP from the Main IP scope. Create a virtualHUB, bind the 2nd NIC to it and make a cascade connection to the main site with the user that has been configured earlier.
5. If you succeed in establishing a connection, all your network devices at the remote side will receive an IP from the DHCP server and will be part of that subnet.

Danpoulter
Posts: 30
Joined: Sun Apr 17, 2016 9:21 pm

Re: LAN to LAN Bridge

Post by Danpoulter » Tue Apr 26, 2016 8:25 pm

Yes, all of that is done and set up exactly like that and my cascading connection is established and all the devices on the network are shown in the IP tables in the sessions section. But I cannot ping the main network from the remote one and it won't get an IP via the DHCP server either

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: LAN to LAN Bridge

Post by maltyx » Tue Apr 26, 2016 8:30 pm

Did you enable Security policy for your VPN user?

Danpoulter
Posts: 30
Joined: Sun Apr 17, 2016 9:21 pm

Re: LAN to LAN Bridge

Post by Danpoulter » Tue Apr 26, 2016 8:33 pm

No, I didn't... should I have?

Thanks

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: LAN to LAN Bridge

Post by maltyx » Tue Apr 26, 2016 8:47 pm

Security policy defines what a user can do ..
and I think it will be better to remove all protocol bindings from those NICs that were configured within virtualhubs on the VPN server (uncheck all V-s in properties for the Network interface ...)

Danpoulter
Posts: 30
Joined: Sun Apr 17, 2016 9:21 pm

Re: LAN to LAN Bridge

Post by Danpoulter » Tue Apr 26, 2016 8:52 pm

I assumed if I left it then the user could do everything. So shall I start the whole process again, will that be easier? Sorry, just not too sure what you mean when you say 'uncheck all V-s in properties for the Network interface'

Thanks

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: LAN to LAN Bridge

Post by maltyx » Tue Apr 26, 2016 9:03 pm

1. I think you need to enable Security policy for your VPN user (by default it allows all traffic to flow) - You can do that any time in User's settings, no need to start all over ..
2. By saying uncheck all V-s .. well, on the Network card properties window disable all protocols, IPv4 and IPv6 ..
http://www2.leeward.hawaii.edu/itg/site ... pDHCP3.png

No Protocol Stack is Used for the Local Bridge Network Adapter

Where there is a network adapter prepared on the computer for use exclusively in local bridging, it is recommended that the TCP/IP protocol and other protocol stacks be disabled on that network adapter to enhance performance. The role of the local bridge network adapter is to release Ethernet frames between the Virtual Hub and the physical LAN, entirely without the need for intervention from the protocol stack of the OS running the Virtual Hub.
In the case of Windows, it is possible to remove all protocols and services from the local bridge network adapter including the TCP/IP protocol and other network protocols, and the Microsoft Network Client file sharing service. To perform this setting, open the network adapter property in the [Network connections] property and deselect all of the protocol and service checkboxes.
http://www.softether.org/4-docs/1-manua ... al_Bridges

Danpoulter
Posts: 30
Joined: Sun Apr 17, 2016 9:21 pm

Re: LAN to LAN Bridge

Post by Danpoulter » Tue Apr 26, 2016 9:09 pm

Okay, I've done step 1 and enabled the security policy and ahhh okay I see, do I need to do this on both the main server and the remote server?

Thanks

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: LAN to LAN Bridge

Post by maltyx » Wed Apr 27, 2016 7:58 am

Ideally you should remove all protocol bindings from NICs on both sides of the bridge connection to improve performance of the VPN server

Danpoulter
Posts: 30
Joined: Sun Apr 17, 2016 9:21 pm

Re: LAN to LAN Bridge

Post by Danpoulter » Wed Apr 27, 2016 8:43 am

Okay, check that off the list, that is all done now.
All the devices on the network are shown in the IP address list tables as shown in the screenshot provided, I assume this means the connection is active and working, but still I cannot seem to communicate with the main server.

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: LAN to LAN Bridge

Post by maltyx » Wed Apr 27, 2016 8:58 am

Does the MAC address table contain MAC addresses from the remote site?
A question about the Main site configuration: both VPN server are connected to the same switch?

and also some manual notes:
--------------------------------
3.6.10 Points to Note when Local Bridging in Windows
The following precautions should be noted when using the local bridge function on a Windows operating system.
To use the local bridge function it is necessary to launch the VPN Server / VPN Bridge in service mode (Administrators authority is required when launching in user mode).
The local bridge function is disabled when the VPN Server / VPN Bridge is launched with general user authority.
For users of old Windows versions (Windows 98 / Windows 98 Second Edition / Windows Millennium Edition / Windows NT 4.0 Workstation / Windows NT 4.0 Server / Windows NT 4.0 Server, Enterprise Edition), WinPcap software must be installed when making a local bridge connection. Using the VPN Server Manager automatically launches the WinPcap installer and performs the installation.
WinPcap installation is not required for the Windows 2000 and later versions. Instead, the SoftEther VPN performs the necessary local bridge processing by running a local bridge program inside the kernel.
It is recommended that the computer be rebooted after configuring the local bridge connection when using a network adapter which supports hardware offloading to make the local bridge connection. Although the local bridge operates even without rebooting, communication may become unstable, in which case the computer should be rebooted. A setting to disable hardware offloading is applied upon rebooting, after which operation becomes stable.
The device name which can be designated in the local bridge destination network adapter list is displayed as the name reported by that device's hardware device driver. When two or more devices of the same type are connected, the second and subsequent device names are distinguished by attaching (2), (3) and so on to the end of their name. While it is generally not defined as to which network adapter name corresponds to which physical network adapter, once the settings have been correctly performed, the order of the devices is typically not altered even after re-launching.

Danpoulter
Posts: 30
Joined: Sun Apr 17, 2016 9:21 pm

Re: LAN to LAN Bridge

Post by Danpoulter » Wed Apr 27, 2016 9:12 am

It contains just the main site MAC addresses
And the VPN server is connected to the core switch of the network? Is that correct?

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: LAN to LAN Bridge

Post by maltyx » Wed Apr 27, 2016 12:23 pm

Are both NICs of the VPN server at the main site connected to the same switch?

Danpoulter
Posts: 30
Joined: Sun Apr 17, 2016 9:21 pm

Re: LAN to LAN Bridge

Post by Danpoulter » Wed Apr 27, 2016 2:35 pm

Yes they are, are they not supposed to be?

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: LAN to LAN Bridge

Post by maltyx » Wed Apr 27, 2016 3:00 pm

Well, personally I've never used that kind of configuration .. usually when publishing some IP service to the internet I am using a DMZ .. but this is just a security measure ..
Actually, the NIC with a configured IP should be used for connecting the VPN server to the Internet and the NIC without any protocol bound is used for connecting the internal network to a virtualhub.
Please make sure you bind the right network card to your virtual hub on your VPN server ...
All other config looks OK ..
Last edited by maltyx on Wed Apr 27, 2016 6:00 pm, edited 1 time in total.

Danpoulter
Posts: 30
Joined: Sun Apr 17, 2016 9:21 pm

Re: LAN to LAN Bridge

Post by Danpoulter » Wed Apr 27, 2016 3:16 pm

So, the NIC without protocols is bound to the virtual hub ( I assume that's the local bridge connection?) And the other one has an IP and connects to the internet

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: LAN to LAN Bridge

Post by maltyx » Wed Apr 27, 2016 6:12 pm

Just double check which NIC is bound to the virtualhub at the remote location .. the one that is connected to the LAN side, not to the internet router ..

Just for a test, did you try to get connected with the SoftEther VPN client from any PC on the remote side (without the VPN bridge)? I am just trying to understand on which side your problem is..

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: LAN to LAN Bridge

Post by maltyx » Thu Apr 28, 2016 7:38 am

One more thing - because the VPN server is connected to the same switch with both NICs, could you check that the switch does not block one of the NICs with spanning tree or another loop-protection protocol ...

Danpoulter
Posts: 30
Joined: Sun Apr 17, 2016 9:21 pm

Re: LAN to LAN Bridge

Post by Danpoulter » Thu Apr 28, 2016 1:38 pm

Yes, I made sure that was the case. Also I tried the client and it says it's connected and it is transferring packets but it will not get an IP address from the DHCP server and won't connect to the main network.

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: LAN to LAN Bridge

Post by maltyx » Fri Apr 29, 2016 6:40 pm

Well.. I am starting to run out of ideas .. :)

I would ask for advice from SoftEther VPN gurus, maybe they can help us to figure out how to configure your server. Maybe the fact that the 2 NICs of the VPN server (the one used as local bridge (LAN interface) and the second as the server's connection to the net (WAN interface)) are connected causes this kind of issue?

Do you have (or can you create maybe) any DMZ at your main site? Just to put the internet NIC of the server on a separate network from the Main site LAN?

Danpoulter
Posts: 30
Joined: Sun Apr 17, 2016 9:21 pm

Re: LAN to LAN Bridge

Post by Danpoulter » Fri Apr 29, 2016 8:15 pm

Yes, I just cannot seem to find where the issues are, especially as they are receiving and sending packets both ways? I just cannot seem to get an IP or communicate with the devices on the main network. So are you saying it could be causing a loopback?

Thanks for your help it has been greatly appreciated

Danpoulter
Posts: 30
Joined: Sun Apr 17, 2016 9:21 pm

Re: LAN to LAN Bridge

Post by Danpoulter » Fri Apr 29, 2016 8:22 pm

I also don't have much experience with DMZ networks, do I just enable it on the router and network the server to the router directly and set the DMZ IP address to be the one of the VPN server's internal network address?

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: LAN to LAN Bridge

Post by maltyx » Sat Apr 30, 2016 7:56 am

A DMZ will be useful for publishing all your services that need to be accessible from the internet .. for example: mail, web and .. VPN server :)

So, if you have a router that supports DMZ, you will need to create a DMZ subnet with an IP scope that differs from your LAN IPs and create some access policies to make the published servers available to LAN and/or Internet users. Do you have additional ethernet ports on your router marked as DMZ?
Just keep in mind that simple routers (home routers) do not fully support the DMZ scenario, they just simplify creating port forwarding rules to internal IP addresses. What you need is to create an additional network segment separated by a firewall from both the internet and your LAN segments. You will need to set routing properly for these new DMZ IPs - the only question - does your router support this?

As an alternative, maybe it is possible to set up the VPN server with a single physical NIC, personally I never did it .. so we need to ask for some help from people who did that.

Danpoulter
Posts: 30
Joined: Sun Apr 17, 2016 9:21 pm

Re: LAN to LAN Bridge

Post by Danpoulter » Sat Apr 30, 2016 9:10 am

Okay, due to my lack of experience with a DMZ network I'd like to try and get it done with one NIC on the server side and I assume still two NICs on the remote site.

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: LAN to LAN Bridge

Post by maltyx » Sat Apr 30, 2016 11:18 am

By the way, what type of internet connection do you have? Can you (for test purposes) connect the main site VPN server with a public IP in front of your ISP router?

Danpoulter
Posts: 30
Joined: Sun Apr 17, 2016 9:21 pm

Re: LAN to LAN Bridge

Post by Danpoulter » Sat Apr 30, 2016 2:18 pm

We only have one public IP with Virgin Media fibre. It's a small business so we don't need multiple IPs. We were running our VPN connection with Server 2012 before and that was working fine but we want a proper site to site connection as it's a hassle trying to connect the PCs to the VPN before logging on

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: LAN to LAN Bridge

Post by maltyx » Sat Apr 30, 2016 3:43 pm

OK, I see .. well, you can always establish a site-2-site VPN connection between 2 servers on your 2 sites ... and route intersite traffic through it ... (you said you have 2 servers on both sides, right?)

like this: https://mizitechinfo.wordpress.com/2014 ... r-2012-r2/

Danpoulter
Posts: 30
Joined: Sun Apr 17, 2016 9:21 pm

Re: LAN to LAN Bridge

Post by Danpoulter » Sat Apr 30, 2016 4:28 pm

Okay that's brilliant thank you, I'll give that a go

Danpoulter
Posts: 30
Joined: Sun Apr 17, 2016 9:21 pm

Re: LAN to LAN Bridge

Post by Danpoulter » Mon May 02, 2016 6:16 pm

Just to let you know, I got it all sorted now, both sides are working and I'm getting a DHCP address from the main office in the remote location. Not 100% sure what I did but I started again and followed your steps and now it's working perfectly, so thank you for your help, it's really appreciated.

Thanks
Dan

maltyx
Posts: 65
Joined: Wed Feb 25, 2015 6:53 am

Re: LAN to LAN Bridge

Post by maltyx » Tue May 03, 2016 3:50 pm

:) I am glad to help

otl
Posts: 1
Joined: Wed Sep 15, 2021 6:11 am

Re: LAN to LAN Bridge

Post by otl » Wed Sep 15, 2021 6:18 am

maltyx wrote:
Tue Apr 26, 2016 7:52 pm
Well, I am a bit confused ..
1. Router and "Connection to internet" is the same device or there are 2 different devices on each location?
2. Main site's VPN server has only one network card?
3. In case you want to establish a Lan-2-Lan-Layer2 bridge you will need to configure all network devices within the same IP scope .. Are you aware of this?

Thank you very much dear @maltyx for the great overlooked insight. I was not aware of the IP scope. It fixed my problem, which is the same as the problem presented here.
