Connect local bridge to the LAN not successful

roko
Posts: 6
Joined: Fri Aug 22, 2014 1:03 pm

Connect local bridge to the LAN not successful

Post by roko » Fri Aug 22, 2014 1:26 pm

Used: FreeBSD 9.3; SoftEther Ver 4.0.9 build 9451. I installed the VPN server.
I need help by connecting the local bridge to the internal network.
I set up the SoftEther VPN on a FreeBSD firewall. It was surprisingly easy to connect to the VPN from a client. Then I set up the Local Bridge. Now I could connect to the VPN server from the client and the client receives the IP address from the DHCP server. To my surprise it was not possible to ping the em0 interface. On the firewall the em0 interface is inside, 192.168.1.254. The client receives IP 192.168.1.124, netmask 255.255.255.0 and gateway 192.168.1.254.
Then I created a Layer 3 switch, configured a virtual interface with 192.168.1.253. Now I can ping from the client to 192.168.1.253 successfully. I cannot ping from the LAN to 192.168.1.253. Also I cannot ping from the LAN to 192.168.1.124. But with arp -a I cannot see anything on the FreeBSD system for 192.168.1.253. So address 192.168.1.253 seems to be gone on the FreeBSD system.

What is going wrong? Do I have to adjust something?

thisjun
Posts: 2458
Joined: Mon Feb 24, 2014 11:03 am

Re: Connect local bridge to the LAN not successful

Post by thisjun » Wed Sep 03, 2014 7:53 am


roko
Posts: 6
Joined: Fri Aug 22, 2014 1:03 pm

Re: Connect local bridge to the LAN not successful

Post by roko » Thu Sep 04, 2014 9:56 am

Thanks thisjun for your reply.
I was reading this doc.
Still I am not sure what to do. I just want to set up a very basic VPN access. My LAN is 192.168.1.0 netmask 255.255.255.0.
Is it possible to use the bridge function and give the VPN client a local IP address?
Now the VPN client gets a local address (from the local DHCP server) but the client cannot communicate with the LAN.
All traffic stops in the FreeBSD system.
Then I created a bridge0 device on the FreeBSD system with the em0 interface on one side.
command: ifconfig bridge0 create
command: ifconfig bridge0 addm em0
Now I can make the local bridge with SoftEther admin as a tap device.
Still it is not operating as required. I cannot ping a host on the LAN with the VPN client.
Also I cannot ping the VPN client from the LAN. But the VPN client gets an IP address from the local DHCP server.
Is there anybody to help me out?

tafa2
Posts: 2
Joined: Thu Sep 04, 2014 6:15 pm

Re: Connect local bridge to the LAN not successful

Post by tafa2 » Thu Sep 04, 2014 6:23 pm

Did you forward IPv4 packets in FreeBSD?
I have never used FreeBSD so can't tell you how it is done.

roko
Posts: 6
Joined: Fri Aug 22, 2014 1:03 pm

Re: Connect local bridge to the LAN not successful

Post by roko » Fri Sep 05, 2014 8:45 am

Thanks tafa2 for your reaction.
I think that forwarding is not the issue. I made a local bridge with SoftEther to bridge0 with the end point on the interface em0. So on the FreeBSD firewall I should be able to ping the VPN client. This is not possible, while the VPN client could receive an IP address from the DHCP server on the LAN.
Is this correct: the VPN client is on the same segment as the LAN is?
When I create a virtual hub with a Layer 3 switch and a virtual interface with the address 192.168.1.200, then it is possible to ping from the VPN client to the IP address 192.168.1.200. But still it is not possible to ping from the LAN to the virtual IP address 192.168.1.200.
Is there anybody with a good idea?

dajhorn
Posts: 137
Joined: Mon Mar 24, 2014 3:59 am

Re: Connect local bridge to the LAN not successful

Post by dajhorn » Fri Sep 05, 2014 2:46 pm

Roko,

VPN clients are unable to communicate with IP addresses on the VPN server that are bound to a bridged interface, which is why the SoftEther documentation recommends that servers have two physical interfaces. (One for bridging, and one for services.)

Creating a second bridge from the virtual hub to a new tap interface is a good way to solve this problem if the VPN server has only one physical interface.

roko
Posts: 6
Joined: Fri Aug 22, 2014 1:03 pm

Re: Connect local bridge to the LAN not successful

Post by roko » Mon Sep 08, 2014 2:19 pm

Thanks dajhorn for your reply!
Sorry but I don't understand your answer. This is what I have right now:
a FreeBSD firewall with 2 interfaces: em0, which is the LAN with 192.168.1.0/24, and a 2nd interface em1 with 192.168.178.0/24. This is where the VPN server is running. Now I need to create a local bridge for the VPN traffic. So I created a bridge0 device on the FreeBSD system with the em0 interface on one side. The other side should be the virtual hub.
Do I need to create more interfaces on this system?
Many thanks for your input.

dajhorn
Posts: 137
Joined: Mon Mar 24, 2014 3:59 am

Re: Connect local bridge to the LAN not successful

Post by dajhorn » Mon Sep 08, 2014 8:18 pm

Interface em0 has address 192.168.1.254, and interface em0 is bridged in promiscuous mode, therefore 192.168.1.254 is inaccessible to VPN clients. This is a limitation in SoftEther that confuses people who otherwise understand IPv4 networking.

You have two choices:

* Create a third interface em2 and attach it to the same ethernet switch as em0. Move 192.168.1.254 from em0 to em2.

OR

* Create a new interface tap0 and bridge it into the same virtual hub as em0. Put a static IP address on tap0 that is different than em0. The IP address on tap0 is the IP address that VPN clients must use to contact the server. IP addresses on em0 remain inaccessible to VPN clients.

roko
Posts: 6
Joined: Fri Aug 22, 2014 1:03 pm

Re: Connect local bridge to the LAN not successful

Post by roko » Tue Sep 09, 2014 6:01 am

Thank you dajhorn for your answer.
Now I have 2 questions:
For solution 1: can you explain the use of interface em0 to me? And what IP address should I give to em0? Because why should there be an em0 interface?
Solution 2 is a solution I don't understand. When I create a tap0 interface with a different IP address on it, then the VPN client could reach this address. But the LAN is not usable for the VPN client. What is the advantage for the VPN client then?

dajhorn
Posts: 137
Joined: Mon Mar 24, 2014 3:59 am

Re: Connect local bridge to the LAN not successful

Post by dajhorn » Tue Sep 09, 2014 6:53 pm

> For solution 1: can you explain the use of interface em0 to me?

The em0 interface would be used only for L2 bridging.


> And what IP address should I give to em0?

The em0 interface would not have an IP address.


> Because why should there be an em0 interface?

This is explained in the SoftEther documentation.


> Solution 2 is a solution I don't understand. When I create a tap0 interface
> with a different IP address on it, then the VPN client could reach this
> address. But the LAN is not usable for the VPN client. What is the
> advantage for the VPN client then?

This provides a way for VPN clients to use services on the SoftEther host without adding a second physical interface to the LAN.

alfer
Posts: 3
Joined: Fri Sep 12, 2014 11:48 pm

Re: Connect local bridge to the LAN not successful

Post by alfer » Sat Sep 13, 2014 12:43 am

After struggling with this for the better part of a day I finally found the solution in an obscure post. I too was not able to connect to any services running on the server running SoftEther, although I was able to connect out to the Internet and to all other IPs on my LAN. To resolve this, like the documentation in section 3.6.11 says, you have to create another physical interface. If you have a physical server that means installing another NIC if you don't have two already; in my case I'm using VirtualBox so I simply attached another virtual NIC to my VM's instance (which is attached to the same physical NIC on the host machine as the primary virtual NIC).

What the documentation doesn't tell you is that this second NIC needs to be on a different subnet than your primary. So say your primary NIC's IP is 192.168.1.2, gateway 192.168.1.1. Your secondary NIC needs to be on, for example, 192.168.2.2, with gateway 192.168.2.1. Even though that gateway may well not exist (it doesn't in my case), this simple change fixed the problem and I am now able to SSH and access other services running on the VPN server. In Ubuntu 12.04 Linux I was able to modify my NIC config in /etc/network/interfaces to read:

auto eth2
iface eth2 inet static
address 192.168.2.2
netmask 255.255.255.0
gateway 192.168.2.1
dns-nameservers 8.8.8.8

Once your second NIC is up and running, just connect a local bridge from your virtual hub to the second NIC (eth2 in my case). You don't need to use a local bridge to the primary NIC; it is unnecessary. Hope it helps someone, and I also hope the fine developers at UoT can update sections 3.6.11 and 11.1.2 of the manual to make this a bit more clear!
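The two rules that come out of dajhorn's and alfer's posts above (an address bound to the bridged NIC is unreachable from VPN clients, and a second NIC added for services must sit in a different subnet from the bridged one) can be checked before touching the server. The following script is an added example, not SoftEther's code or anything posted in this thread; the interface tables it runs against are constructed from the addresses mentioned in the posts.

```python
"""Sanity check for a SoftEther Local Bridge host layout (added example)."""
from ipaddress import IPv4Interface, IPv4Network


def check_bridge_layout(interfaces, bridged, lan):
    """Return a list of findings for the host's NIC layout.

    interfaces: {ifname: "a.b.c.d/prefix" or None} for every NIC on the host.
    bridged:    the NIC the SoftEther Local Bridge is attached to.
    lan:        the LAN the VPN clients are dropped into, e.g. "192.168.1.0/24".
    An empty list means the layout matches the configurations that worked
    in this thread.
    """
    lan_net = IPv4Network(lan)
    findings = []
    if bridged not in interfaces:
        return [f"{bridged}: not present on the host"]

    bridged_addr = interfaces[bridged]
    if bridged_addr is not None and IPv4Interface(bridged_addr).network == lan_net:
        # dajhorn's point: a LAN address on the bridged NIC is unreachable from VPN clients
        findings.append(f"{bridged}: {bridged_addr} sits on the bridged NIC and is "
                        "unreachable from VPN clients; move it to a non-bridged NIC")

    # Service NICs: every other interface that carries an address
    service = {n: a for n, a in interfaces.items() if n != bridged and a}
    if not service:
        findings.append("no non-bridged NIC carries an address; VPN clients have "
                        "no way to reach services on this host")
    if bridged_addr is not None:
        bnet = IPv4Interface(bridged_addr).network
        for name, addr in service.items():
            if IPv4Interface(addr).network == bnet:
                # alfer's point: the bridged NIC must not share a subnet with the service NIC
                findings.append(f"{name}: {addr} shares subnet {bnet} with bridged "
                                f"{bridged}; put the bridged NIC in another subnet")
    return findings


if __name__ == "__main__":
    # Constructed layouts: roko's starting point, then alfer's working fix
    layouts = {
        "roko (em0 bridged, carries the LAN address)":
            ({"em0": "192.168.1.254/24", "em1": "192.168.178.1/24"}, "em0"),
        "alfer (eth2 bridged, in its own subnet)":
            ({"eth0": "192.168.1.2/24", "eth2": "192.168.2.2/24"}, "eth2"),
    }
    for label, (ifs, br) in layouts.items():
        print(label, "->", check_bridge_layout(ifs, br, "192.168.1.0/24") or "OK")
```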

roko
Posts: 6
Joined: Fri Aug 22, 2014 1:03 pm

Re: Connect local bridge to the LAN not successful

Post by roko » Mon Sep 15, 2014 10:42 am

Thank you alfer for your reply. It helped me a lot. Now I can connect to the LAN by VPN!!
In my case it wasn't even necessary to add an IP address or subnet.
I agree that the developers should adjust their manual, because now it takes many hours of trying without the appropriate knowledge.
Also I want to thank dajhorn for the good input to solve this problem.
Now I can set up all my clients to this SoftEther VPN.
