SecureNAT / Virtual NAT mask function

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
clandolfi
Posts: 3
Joined: Thu Apr 11, 2019 3:58 pm

SecureNAT / Virtual NAT mask function

Post by clandolfi » Thu Apr 11, 2019 5:13 pm

Hello,

I've set up a SoftEther server within our VPC, but I'm having trouble getting the Virtual NAT function to work. I've enabled SecureNAT on my default virtual hub, assigned the SecureNAT IP 10.x.x.72/255.255.255.0 and left the Virtual DHCP pool as the default 192.168.30.10-200. I've created the necessary routes to communicate with the local subnet the server belongs to (10.150.0.0), and everything works fine. I can successfully connect to the VPN server, which assigns my client adapter an IP of 192.168.30.10. The problem is, when I test the Virtual NAT function out, my traffic is still appearing as 192.168.30.10. I'm trying to source-NAT traffic from VPN clients with the Virtual NAT address of 10.x.x.72, to be accepted across an IPsec site-to-site tunnel established with a client location. I've tested the NAT by browsing to sites that return your local IP such as "whatismyip.com", and they all show the correct public IP (VPN server) but they're showing the VPN client IP 192.168.30.10 instead of the NAT IP 10.x.x.72. What am I doing wrong here?

btw - I've created all necessary static routes to communicate between adapters, local subnet, and virtual adapters. No problems with any connectivity or accessibility... it's just that my VPN traffic isn't being masked with the NAT IP.

centeredki69
Posts: 329
Joined: Wed Sep 18, 2013 1:49 pm

Re: SecureNAT / Virtual NAT mask function

Post by centeredki69 » Thu Apr 11, 2019 7:44 pm

Clandolfi, I believe masking the local IP address via NAT is not applicable anymore due to the WebRTC extension of HTML5 in modern web browsers allowing JavaScript to query the local client IP address. A proof of concept is available here: http://net.ipcalf.com . Your PC is most likely behind a NAT, yet your local IP is displayed. The NAT did not mask it. Web sites like "whatismyip.com" use this same function to acquire your local IP. SecureNAT works like any other router, except it's a virtual router. Even when double NATed (NAT router behind another NAT router) those sites still seem to see my local IP.
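The point above, that a NAT rewrites the IP header but never touches the application payload, is easy to see in a small simulation. This is an added example, not SoftEther's code: a toy port-translating source NAT in Python, fed a constructed packet whose payload is a WebRTC-style ICE host candidate carrying the client's own 192.168.30.10 address (the 10.150.0.72 outside address stands in for the 10.x.x.72 in the thread).

```python
import ipaddress
from dataclasses import dataclass

# Constructed values mirroring the thread: the SecureNAT inside segment and the
# virtual NAT's outside address (placeholder for the poster's 10.x.x.72).
INSIDE_NET = ipaddress.ip_network("192.168.30.0/24")
NAT_OUTSIDE_IP = "10.150.0.72"


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str  # application-layer data; a NAT forwards it byte-for-byte


class SourceNat:
    """Minimal port-translating source NAT: rewrites only the IP/port header."""

    def __init__(self, outside_ip: str, first_port: int = 40000):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.table = {}  # (inside_ip, inside_port) -> outside_port

    def outbound(self, pkt: Packet) -> Packet:
        if ipaddress.ip_address(pkt.src_ip) not in INSIDE_NET:
            return pkt  # not an inside host, pass through untouched
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(self.outside_ip, self.table[key], pkt.dst_ip, pkt.dst_port, pkt.payload)


def leaked_inside_addresses(pkt: Packet) -> list[str]:
    """List inside-network addresses still present in the payload after translation."""
    found = []
    for token in pkt.payload.replace("\n", " ").split(" "):
        try:
            if ipaddress.ip_address(token) in INSIDE_NET:
                found.append(token)
        except ValueError:
            pass  # not an IP literal
    return found


def demo():
    nat = SourceNat(NAT_OUTSIDE_IP)
    # Constructed SDP line of the kind a browser's WebRTC stack emits: the ICE host
    # candidate embeds the client's interface address inside the payload.
    sdp = "a=candidate:1 1 udp 2122260223 192.168.30.10 54321 typ host"
    out = nat.outbound(Packet("192.168.30.10", 54321, "203.0.113.5", 443, sdp))
    return out.src_ip, out.src_port, leaked_inside_addresses(out)
```

The header now carries 10.150.0.72, which is what the remote IPsec peer sees, while the payload still names 192.168.30.10, which is what a WebRTC-based "what is my IP" page reports.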

clandolfi
Posts: 3
Joined: Thu Apr 11, 2019 3:58 pm

Re: SecureNAT / Virtual NAT mask function

Post by clandolfi » Fri Apr 12, 2019 5:51 am

(Facepalm) you're right, I hadn't even considered that fact... I could've been properly NATing traffic this whole time. Well, the good news is that the NAT is only needed to traverse the tunnel, which as far as ScreenOS on the remote peer is concerned... should appear properly sourced with the NAT IP. Thanks for pointing that out!!! Sometimes it's too easy to get stuck inside that box and assume a problem is much bigger than it is ;)

clandolfi
Posts: 3
Joined: Thu Apr 11, 2019 3:58 pm

Re: SecureNAT / Virtual NAT mask function

Post by clandolfi » Mon Apr 15, 2019 2:07 pm

So I'm still having trouble getting this to work, and wanted to throw a couple of questions out there.

1 - Does the SecureNAT / virtual NAT interface address need to belong to the same subnet as the host machine's local subnet?
2 - Does the DHCP server / VPN IP pool need to belong to the same subnet as the SecureNAT interface address?
3 - If I'm trying to source all traffic with the SecureNAT IP, do I need to establish a local bridge to the VM's NIC?

centeredki69
Posts: 329
Joined: Wed Sep 18, 2013 1:49 pm

Re: SecureNAT / Virtual NAT mask function

Post by centeredki69 » Mon Apr 15, 2019 9:18 pm

@Clandolfi, I'm no expert on SecureNAT, however I will try to explain how it works based on my personal experience and observations.

1 - Does the SecureNAT / virtual NAT interface address need to belong to the same subnet as the host machine's local subnet?

NO, NOT the same as the host machine's local subnet - I believe yours is 10.150.0.0. SecureNAT works like a SoHo router that is most likely behind your primary NAT router. In regard to the settings in "SecureNAT Configurations", all settings should be on their own subnet. The SE default is "192.168.30.0/24"; these are adjustable but should match just as they would for any SOHO router. The virtual MAC/NIC in "SecureNAT Configurations" will receive an IP address from the DHCP server that is issuing IP addresses to the host machine, but will be treated as a separate device and have its own IP address in the 10.150.0.0 range. It's like plugging the WAN port of a SOHO router into a switch or router connected to your 10.150.0.0 network.

centeredki69
Posts: 329
Joined: Wed Sep 18, 2013 1:49 pm

Re: SecureNAT / Virtual NAT mask function

Post by centeredki69 » Mon Apr 15, 2019 9:19 pm

2 - Does the DHCP server / VPN IP pool need to belong to the same subnet as the SecureNAT interface address?

Yes, it should. VPN clients connecting to this Virtual HUB that is running SecureNAT will receive a 192.168.30.X address and use the gateway 192.168.30.1, which will in turn use whatever gateway or settings the 10.150.0.0 network's DHCP server issues.
Note: VPN clients on the SecureNAT (192.168.30.1) network will potentially have access to the devices on the upstream 10.150.0.0 network unless packet filter rules are set in SE. However, the 10.150.0.0 network should not be able to access the SecureNAT network due to the NAT being in place, hence the term "SecureNAT".

centeredki69
Posts: 329
Joined: Wed Sep 18, 2013 1:49 pm

Re: SecureNAT / Virtual NAT mask function

Post by centeredki69 » Mon Apr 15, 2019 9:21 pm

3 - If I'm trying to source all traffic with the SecureNAT IP, do I need to establish a local bridge to the VM's NIC?

If you enable "SecureNAT" and a "Local Bridge" on the same virtual HUB, the SecureNAT DHCP server issuing the 192.168.30.X addresses will also be broadcasting on the same network as your 10.150.0.0 network, so it's like having 2 DHCP servers on the same network. NOT good.

Generally "SecureNAT" is used when a "Local Bridge" is not an option or the desire is to isolate the local host network from the VPN network. They should not be run at the same time on the same Virtual HUB.
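The three answers above amount to a short checklist for a hub's SecureNAT settings. As an added example (not part of the thread or of SoftEther itself), this Python function encodes those checks against plain inputs; the poster's host subnet is assumed to be 10.150.0.0/24 and the pool boundaries are taken from the thread.

```python
import ipaddress


def check_securenat_layout(host_subnet: str, securenat_cidr: str,
                           dhcp_pool: tuple[str, str], local_bridge: bool) -> list[str]:
    """Return the problems found in a hub's SecureNAT layout, or [] if it is clean.

    host_subnet    - LAN the VPN server machine sits on, e.g. "10.150.0.0/24"
    securenat_cidr - virtual NAT interface address with mask, e.g. "192.168.30.1/24"
    dhcp_pool      - (first, last) address of the Virtual DHCP pool
    local_bridge   - True if a Local Bridge is also enabled on the same virtual hub
    """
    problems = []
    host = ipaddress.ip_network(host_subnet, strict=False)
    nat_if = ipaddress.ip_interface(securenat_cidr)
    nat_net = nat_if.network
    first, last = (ipaddress.ip_address(a) for a in dhcp_pool)

    # Q1: the SecureNAT segment is its own SoHo-style LAN, not the host's subnet.
    if nat_net.overlaps(host):
        problems.append(f"SecureNAT network {nat_net} overlaps host subnet {host}")

    # Q2: the DHCP pool must lie inside the SecureNAT interface's subnet ...
    if first not in nat_net or last not in nat_net:
        problems.append(f"DHCP pool {first}-{last} is outside {nat_net}")
    elif first > last:
        problems.append(f"DHCP pool {first}-{last} is reversed")
    # ... and must not hand out the gateway address itself.
    if first <= nat_if.ip <= last:
        problems.append(f"DHCP pool includes the SecureNAT gateway {nat_if.ip}")

    # Q3: SecureNAT plus Local Bridge on one hub puts a second DHCP server on the LAN.
    if local_bridge:
        problems.append("SecureNAT and Local Bridge on the same hub: two DHCP servers on one segment")
    return problems


# Constructed inputs: the SE default layout, then the poster's 10.x.x.72 address
# (written here as 10.150.0.72) paired with the default pool.
DEFAULT_LAYOUT = ("10.150.0.0/24", "192.168.30.1/24", ("192.168.30.10", "192.168.30.200"), False)
POSTER_LAYOUT = ("10.150.0.0/24", "10.150.0.72/24", ("192.168.30.10", "192.168.30.200"), False)
```

Run `check_securenat_layout(*POSTER_LAYOUT)` to see both the overlap and the out-of-subnet pool reported together.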

centeredki69
Posts: 329
Joined: Wed Sep 18, 2013 1:49 pm

Re: SecureNAT / Virtual NAT mask function

Post by centeredki69 » Mon Apr 15, 2019 9:32 pm

If you want your VPN clients to be on the same network as your local network (I believe yours is the 10.150.0.0), just create a local bridge and NO SecureNAT, and the clients will receive an IP from the same DHCP server issuing the 10.150.0.0 addresses.
