L3 site-to-site one-way communication

Post your questions about SoftEther VPN software here. Please answer questions if you can.
yyyyl8023
Posts: 6
Joined: Wed Apr 03, 2024 8:26 am

L3 site-to-site one-way communication

Post by yyyyl8023 » Fri Apr 12, 2024 2:19 am

Dear friends,

I am a novice with SoftEther, and after reading the manual and browsing forums, I have set up communication between two sites using an L3 virtual switch and cascading.

Site 1 - BJ (Main Site)
Server IP: 172.17.3.107/24
Gateway/L3 virtual interface: 172.17.3.252

Site 2 - SH (Branch)
Server IP: 192.168.11.50/24
Gateway/L3 virtual interface: 192.168.11.252

I then set up interconnectivity between the two sites using a Windows PC, adding routes on each test machine.

Currently, communication between the two sites is good, but now I want to achieve one-way communication, where 192.168.11.0/24 can access 172.17.3.0/24, but not vice versa.

I tried configuring the virtual hub's access list management by adding 'discard' rules and 'pass' rules, where the 'pass' rules have higher priority than the 'discard' rules. I set it up like this:

- 'Pass' rule: Source IP address 192.168.11.0, Subnet mask 255.255.255.0, Destination IP address 172.17.3.0, Subnet mask 255.255.255.0
- 'Discard' rule: Opposite of the above pass rule

However, as soon as I enable the 'discard' rule, communication between BJ and SH stops. What should I do?

Thank you in advance.

solo
Posts: 1505
Joined: Sun Feb 14, 2021 10:31 am

Re: L3 site-to-site one-way communication

Post by solo » Fri Apr 12, 2024 2:34 am


yyyyl8023
Posts: 6
Joined: Wed Apr 03, 2024 8:26 am

Re: L3 site-to-site one-way communication

Post by yyyyl8023 » Fri Apr 12, 2024 10:19 am

Hi solo,

Thanks for your help!

But the problem is not over yet.

I added groups in two rules, but unfortunately, as long as I add a group in the 'drop' rule, the 'drop' rule does not work.

solo
Posts: 1505
Joined: Sun Feb 14, 2021 10:31 am

Re: L3 site-to-site one-way communication

Post by solo » Fri Apr 12, 2024 11:05 am


yyyyl8023
Posts: 6
Joined: Wed Apr 03, 2024 8:26 am

Re: L3 site-to-site one-way communication

Post by yyyyl8023 » Wed Apr 17, 2024 12:47 am

Hi solo,

Sorry for taking so long to reply.

I still can't achieve the effect I want. Look at my Access List, where is the problem?

solo
Posts: 1505
Joined: Sun Feb 14, 2021 10:31 am

Re: L3 site-to-site one-way communication

Post by solo » Thu Apr 18, 2024 3:31 am

Hello yyyyl8023, delete those and add only one rule:

Code:

Action: Discard, Status: Enable, Priority: 1000, Contents: (ipv4) DstIPv4=192.168.11.0/24, Protocol=TCP, Unestablished

yyyyl8023
Posts: 6
Joined: Wed Apr 03, 2024 8:26 am

Re: L3 site-to-site one-way communication

Post by yyyyl8023 » Fri Apr 19, 2024 3:59 am

Hi solo,

Thank you for your help!

With your method, I have achieved it.

The current situation should be that TCP/IP traffic can only flow in one direction. I am wondering why ICMP and UDP traffic cannot do the same as TCP?

Thanks in advance
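The question at the end of the thread comes down to what a stateless access list can see in a single packet. The rule solo gave works for TCP because the first segment of a connection carries SYN without ACK, so "Unestablished" can be matched on the packet alone; UDP and ICMP have no equivalent marker, so a stateless rule can only drop all of that traffic into SH (killing legitimate replies) or none of it, and true one-way access for them needs a filter that remembers which side started the exchange. The simulation below is an added example written for this page, not code from the thread or from SoftEther; it assumes that "Unestablished" means SYN set and ACK clear, that an unmatched packet is passed by default, and it uses constructed hosts 192.168.11.20 and 172.17.3.10 inside the two networks from the thread. The `StatefulFilter` class is a generic connection-tracking illustration, not a SoftEther access-list feature.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Networks from the thread: BJ is the main site, SH the branch that should be
# able to initiate traffic towards BJ but not receive new connections from it.
BJ_NET = ip_network("172.17.3.0/24")
SH_NET = ip_network("192.168.11.0/24")


@dataclass(frozen=True)
class Packet:
    """Minimal packet model (constructed for this example)."""
    src: str
    dst: str
    proto: str                       # "TCP", "UDP" or "ICMP"
    sport: int = 0                   # for ICMP the echo identifier would go here
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


def is_unestablished(pkt: Packet) -> bool:
    """Assumed meaning of the access list's 'Unestablished' match:
    the first segment of a TCP handshake (SYN set, ACK clear)."""
    return pkt.proto == "TCP" and "SYN" in pkt.flags and "ACK" not in pkt.flags


def thread_rule(pkt: Packet) -> str:
    """The single rule from the thread:
    Discard, DstIPv4=192.168.11.0/24, Protocol=TCP, Unestablished.
    Anything the rule does not match is passed (assumed default)."""
    if ip_address(pkt.dst) in SH_NET and is_unestablished(pkt):
        return "discard"
    return "pass"


def naive_udp_rule(pkt: Packet) -> str:
    """What a stateless 'Discard, DstIPv4=192.168.11.0/24, Protocol=UDP' would do.
    UDP and ICMP headers carry no SYN-like marker, so this cannot distinguish a
    reply to an SH-initiated exchange from traffic that BJ initiated."""
    if ip_address(pkt.dst) in SH_NET and pkt.proto in ("UDP", "ICMP"):
        return "discard"
    return "pass"


class StatefulFilter:
    """Connection tracking: remember flows SH initiated towards BJ and admit
    only their replies back into SH. Generic illustration of what UDP/ICMP
    one-way access requires; not a SoftEther access-list feature."""

    def __init__(self) -> None:
        self.flows: set = set()

    def process(self, pkt: Packet) -> str:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        forward = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if src in SH_NET and dst in BJ_NET:
            self.flows.add(forward)          # SH initiated: record and pass
            return "pass"
        if dst in SH_NET:
            # Only a reply to a recorded flow may enter SH
            return "pass" if reverse in self.flows else "discard"
        return "pass"


def demo() -> dict:
    """Run the scenarios the thread discusses and return each verdict."""
    sh_host, bj_host = "192.168.11.20", "172.17.3.10"   # constructed hosts
    syn_from_sh = Packet(sh_host, bj_host, "TCP", 50000, 443, frozenset({"SYN"}))
    synack_to_sh = Packet(bj_host, sh_host, "TCP", 443, 50000, frozenset({"SYN", "ACK"}))
    syn_from_bj = Packet(bj_host, sh_host, "TCP", 50001, 22, frozenset({"SYN"}))
    dns_query = Packet(sh_host, bj_host, "UDP", 40000, 53)
    dns_reply = Packet(bj_host, sh_host, "UDP", 53, 40000)
    unsolicited_udp = Packet(bj_host, sh_host, "UDP", 40001, 161)

    sf = StatefulFilter()
    return {
        # TCP: the SYN bit gives the stateless rule the direction it needs
        "tcp_syn_sh_to_bj": thread_rule(syn_from_sh),
        "tcp_synack_bj_to_sh": thread_rule(synack_to_sh),
        "tcp_syn_bj_to_sh": thread_rule(syn_from_bj),
        # UDP under the thread rule is untouched, so both directions pass
        "udp_unsolicited_thread_rule": thread_rule(unsolicited_udp),
        # UDP under a naive stateless rule: the legitimate reply is lost too
        "udp_reply_naive_rule": naive_udp_rule(dns_reply),
        "udp_unsolicited_naive_rule": naive_udp_rule(unsolicited_udp),
        # UDP with connection tracking: reply passes, unsolicited is dropped
        "udp_query_stateful": sf.process(dns_query),
        "udp_reply_stateful": sf.process(dns_reply),
        "udp_unsolicited_stateful": sf.process(unsolicited_udp),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```

Running `demo()` shows the three TCP cases behaving exactly as the thread reports (SH can open connections, BJ's SYN-ACK gets back, BJ's own SYN is dropped), while the UDP cases show the two stateless options failing in opposite ways and only the flow-tracking filter achieving one-way UDP.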
