SITE-TO-SITE (LAN to LAN)

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
majidv2003
Posts: 2
Joined: Sat Sep 19, 2020 12:10 pm

SITE-TO-SITE (LAN to LAN)

Post by majidv2003 » Sun Sep 20, 2020 7:29 am

Dear Teams,

---Scenario---

Branch A (Office) IP: 192.168.1.1
Branch B (Warehouse): 192.168.8.1
----------------------------------------------------
My requirement is this: I have an IP telephone and PBX in the Office, and now I need to add an IP telephone in the Warehouse too.
So if I interconnect the Office and Warehouse, then I only need to install an IP telephone in the warehouse and they can communicate with each other.

I need to connect the office and warehouse by LAN to LAN, so please, can anyone explain the exact procedure correctly, step by step (if possible with screenshots, I would appreciate it).

I tried with the SoftEther client and server and it's working fine, but for my above scenario I want LAN to LAN; only then can the devices, like DVR, IP telephone and PC, communicate with each other.

sky59
Posts: 427
Joined: Tue Sep 11, 2018 5:58 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by sky59 » Sun Sep 20, 2020 8:14 am

You have it already as you write

Now you should switch your mind to networking

I think mask 255.255.240.0 solves your problem

majidv2003
Posts: 2
Joined: Sat Sep 19, 2020 12:10 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by majidv2003 » Sun Sep 20, 2020 12:07 pm

Without L3, is it possible?

L2 cascading connection: what my question is, is it possible by L2?

Okay, suppose I do the L2 cascading; where do I need to add this 255.255.240.0 subnet, on both end PCs where I installed SoftEther?

On the Office PC I installed SoftEther, configured as "Center", and the other Warehouse PC is configured as "Edge", and I established the cascading connection. Then I tried to ping one device, e.g. the DVR or PBX, from the warehouse and it's not working.

Please, can anyone explain the steps? I'd appreciate it.

I am not a core network expert.

itskv
Posts: 34
Joined: Thu Mar 22, 2018 11:56 am

Re: SITE-TO-SITE (LAN to LAN)

Post by itskv » Mon Jan 04, 2021 9:42 am

AFAIK, L2 traffic contains all L3 traffic and all higher-layer traffic. So if an L2 connection is established, then L3 routing is obvious.

elheho
Posts: 17
Joined: Thu Jan 07, 2021 1:50 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by elheho » Wed Jan 13, 2021 3:12 pm

Hi teams,
I would like some help, please. I've been stuck for like 3 weeks, but I'm still having the ping problem; please help us.

itskv
Posts: 34
Joined: Thu Mar 22, 2018 11:56 am

Re: SITE-TO-SITE (LAN to LAN)

Post by itskv » Wed Jan 13, 2021 6:24 pm

elheho wrote:
Wed Jan 13, 2021 3:12 pm
Hi teams,
I would like some help, please. I've been stuck for like 3 weeks, but I'm still having the ping problem; please help us.
you can elaborate your problem.

elheho
Posts: 17
Joined: Thu Jan 07, 2021 1:50 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by elheho » Thu Jan 14, 2021 10:45 am

Hello teams,
first, thank you for responding.
Our problem is that we created a virtual hub with SecureNAT enabled, but when I try to ping other users' PCs it fails. The VPN server is installed on a Linux VPS; it operates as a standalone server and is used as a remote-access VPN server.

C:\Users\heho_02>ping 192.168.10.102

Envoi d’une requête 'Ping' 192.168.10.102 avec 32 octets de données :
Réponse de 192.168.10.171 : Impossible de joindre l’hôte de destination.
Réponse de 192.168.10.171 : Impossible de joindre l’hôte de destination.
Réponse de 192.168.10.171 : Impossible de joindre l’hôte de destination.
Réponse de 192.168.10.171 : Impossible de joindre l’hôte de destination.

Statistiques Ping pour 192.168.10.102:
Paquets : envoyés = 4, reçus = 4, perdus = 0 (perte 0%),

I've tried many ways and eliminated many scenarios that could be the reason for the problem, but I didn't succeed. Now I'm trying to give each department its own virtual hub, and I don't know how to do so, like ad hoc.
I would like some help, if that is possible, please.
Last edited by elheho on Thu Jan 28, 2021 10:19 am, edited 1 time in total.

sky59
Posts: 427
Joined: Tue Sep 11, 2018 5:58 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by sky59 » Thu Jan 14, 2021 11:29 am

elheho wrote:
Wed Jan 13, 2021 3:12 pm
Hi teams,
I would like some help, please. I've been stuck for like 3 weeks, but I'm still having the ping problem; please help us.
This is a very poor description of what you want to do, so do not expect anybody can help you

unless you describe what you want; the best is a picture

itskv
Posts: 34
Joined: Thu Mar 22, 2018 11:56 am

Re: SITE-TO-SITE (LAN to LAN)

Post by itskv » Fri Jan 15, 2021 6:59 am

elheho wrote:
Thu Jan 14, 2021 10:45 am

I've tried many ways and eliminated many scenarios that could be the reason for the problem, but I didn't succeed. Now I'm trying to give each department its own virtual hub, and I don't know how to do so, like ad hoc.
I would like some help, if that is possible, please.
Is there any firewall before server or client network?? Because, for L2TP tunnel, you need to open UDP ports (500, 4500 and 1701) on main router/firewall. That might be the reason.

elheho
Posts: 17
Joined: Thu Jan 07, 2021 1:50 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by elheho » Fri Jan 15, 2021 9:13 am

sky59 wrote:
Thu Jan 14, 2021 11:29 am
elheho wrote:
Wed Jan 13, 2021 3:12 pm
Hi teams,
I would like some help, please. I've been stuck for like 3 weeks, but I'm still having the ping problem; please help us.
This is a very poor description of what you want to do, so do not expect anybody can help you

unless you describe what you want; the best is a picture
I want the different branches to be able to communicate with each other,
like LAN 1 hosts can ping LAN 2 hosts

sky59
Posts: 427
Joined: Tue Sep 11, 2018 5:58 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by sky59 » Fri Jan 15, 2021 11:50 am

This is a very poor description. If you are not able to provide a picture (you can make it yourself), then write
the IP address of every computer, just as an example

will they have static addresses? or you have somewhere DHCP server?

are these networks 1&2 in the same subnet??

I recommend you to make a picture, because without it you do not know what you want (the only thing you know it is pinging.... :)

elheho
Posts: 17
Joined: Thu Jan 07, 2021 1:50 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by elheho » Thu Jan 28, 2021 10:40 am

Hi sky, sorry for my bad English.
Here is my requirement:
we have the VPN server installed on a VPS, and we have the HQ branch and two agencies, let's name them agency1 and agency2,
and each branch has a bridge installed

VPN server: 46.50.190.12, with 3 virtual hubs created (HQ hub, agency1hub, agency2hub), and they are cascaded to each bridge
HQ branch: 192.168.30.0 / 192.168.30.1 for bridge, and 192.168.1.254 for local network, DHCP only in fibre router
agency 1: 192.168.40.0 / 192.168.40.1 for bridge, and 192.168.5.254 for local network, DHCP only in fibre router
agency 2: 192.168.50.0 / 192.168.50.1 for bridge, and 192.168.6.254 for local network, DHCP only in fibre router

In each branch we have a DVR, printer, computers, PBX, IP telephones and computers, like 40 devices in each branch.
We don't use SecureNAT (it is disabled); client PCs are using static IPs.
I really need help.

sky59
Posts: 427
Joined: Tue Sep 11, 2018 5:58 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by sky59 » Thu Jan 28, 2021 2:32 pm

elheho, I can only guess from the info you at last provided, but it is still very poor info

you should provide info that "I need" not the useless info, if it was a picture it would be clearer

anyway, based on the minimal info you provided:

from what you have written it seems you have on server 3 different HUBs and each branch connects to one of them???!

if yes, this is the problem, you need only one (1 piece) HUB on server and all BRIDGEs will connect to it, then you have L2 connection between all 3 branches you want to connect together

keep in mind, it is only a halfway, softether will provide you "cable" between all 3 branches, then you have to set up network properly

if you need more help, provide CLEAR PICTURE - if you would be able then it means you finally understand problem, because now it is clear you still do not know what you want

elheho
Posts: 17
Joined: Thu Jan 07, 2021 1:50 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by elheho » Thu Jan 28, 2021 3:09 pm

Hi sky,
thank you for the quick reply; as I said, my English is a little bad.
I still can't tell where exactly the problem is, so it would be better if we communicated directly and live on any kind of social network (Telegram, WhatsApp, Outlook ... whatever), if that is okay with you. After all, I'll be more active in helping others, because this problem needs more users helping each other.
Thank you

sky59
Posts: 427
Joined: Tue Sep 11, 2018 5:58 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by sky59 » Thu Jan 28, 2021 3:13 pm

can you draw picture what you have now?

you need only one HUB on server, not three

elheho
Posts: 17
Joined: Thu Jan 07, 2021 1:50 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by elheho » Thu Jan 28, 2021 3:20 pm

Hi sir,
as I said, I want a site-to-site connection. The L2 is 80% done: I can ping the PCs that are connected with me on the same hub and share files, but we are on the same hub.
But I'm looking for an L3 connection between all the sites, where each branch has its own address. I don't know if you understand me well, but I'm struggling to get this right.
Thank you

sky59
Posts: 427
Joined: Tue Sep 11, 2018 5:58 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by sky59 » Thu Jan 28, 2021 3:50 pm

elheho, you must be chinese

because if I ask for tea ten times and they do not have it they will offer 10 times coffee...

it is not possible to help you, it seems you have also not sufficient knowledge about networking?

I suggest you a classic principle: step-by-step

connect only 1 branch to the server HUB. use the same subnet, just divide it into two halves:

server will use 192.168.30.1 to 127 and branch will use 192.168.30.128 to 254

this is the simplest possible configuration, if you succeed then you can continue to extend features

elheho
Posts: 17
Joined: Thu Jan 07, 2021 1:50 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by elheho » Thu Jan 28, 2021 4:37 pm

Hi Sky,
Here is how it's configured now. SecureNAT and DHCP completely disabled.
On the bridge I enabled SecureNAT, then I bridged the network adapter from load balancing to the bridge for internet access, and created a network adapter that is connected from the bridge network adapter to a switch; then I cabled all computers from the switch, and it seems to be working well.

Did I do it all right?

internet access adapter (from load balancing) address is : https://imgur.com/a/5ZHw7zC
the bridge interface address is : https://imgur.com/a/46i6UTS
computers pool start from 192.168.30.10/24 to 100
our local network without load balancing is : 192.168.1.0/24

Thank you

sky59
Posts: 427
Joined: Tue Sep 11, 2018 5:58 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by sky59 » Fri Jan 29, 2021 10:14 am

OK, now I believe you, you did not understand what I wanted :)

/I did not want photo, but sketch drawn by hand how everything is connected/

My second try is this:

SERVER: running on its own hardware (VPS?), there is a HUB installed with name you can select for instance VPN1, server is connected to internet, has got public IP address, no another physical cable going to HQ and branch 1&2

HQ: you already have network there = LAN cable, so you need ANOTHER computer running BRIDGE (can be even raspberrypi with 2 network cards), one card is connected to the internet to connect to the server on public IP address, other network card is used for local bridge to connect existing LAN cable for HQ network
this special computer is running BRIDGE that connects to the HUB VPN1 on server, also provides local bridge from VPN1 to second network card

there is also another possibility: no need for another computer, but you have to install on each PC in HQ vpn client that connects to the HUB VPN1 directly

for branches 1&2 it is exactly the same as for HQ

elheho
Posts: 17
Joined: Thu Jan 07, 2021 1:50 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by elheho » Fri Jan 29, 2021 3:28 pm

Hi sky,
I'm really, really sorry for my bad English.
Here is the topology for now: https://imgur.com/a/ZCs4gKE

sky59
Posts: 427
Joined: Tue Sep 11, 2018 5:58 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by sky59 » Fri Jan 29, 2021 7:33 pm

Finally some picture! Super

4G, fibre, load balancer only provide internet access? I am sceptical about it, because VPN needs a fixed path to the server, or maybe I am not right, but I would disconnect one of them for now, either 4G or fibre

Bridge is PC running softether bridge? Laptop adapter is internet access and usb adapter is local bridge for softether?

Switch is one of HQ, branch1 or branch2?

This picture is similar for all 3 HQ, branch 1&2?

It looks not bad. Do you have only one HUB on server? Do all 3 nets connect to this hub?

Where is dhcp server for switch and its network? How pc123 get ip?

sky59
Posts: 427
Joined: Tue Sep 11, 2018 5:58 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by sky59 » Mon Feb 01, 2021 10:09 am

elheho,

may be you can even make a simple test before the first steps.....

I would take two PC computers with windows systems and installed on them Softether Windows Clients, this will also create on each PC also virtual network card

Set up on each PC static address on virtual network card, for instance 192.168.99.5 mask 255.255.255.0 and on second PC 192.168.99.6 mask the same

connect both PC Windows Clients to the same HUB on server

then you MUST be able to ping both PC from each other, from x.x.x.5 ping x.x.x.6 and from x.x.x.6 ping x.x.x.5

this test would prove that server is OK and there is no other problem regarding clients


elheho
Posts: 17
Joined: Thu Jan 07, 2021 1:50 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by elheho » Tue Feb 02, 2021 11:43 am

Hi sky,

we use the load balancer to make sure we won't lose the internet connection, and we use fibre and 4G because some places are not cabled with fibre yet.

Yes, it is a PC running as a SoftEther bridge, and yes, you are right: the PC adapter is for internet access, USB for the local bridge.

The switch is one of HQ.

Yes, all the branches will have the same topology.

For now I'm trying to fix all the problems that can disrupt the connection; sometimes I lose internet and sometimes the IP of the server. I created 3 hubs for each branch; no, each net should connect to its specific hub.

I shut down all DHCP; I only left SecureNAT on the bridge side. PCs get static addresses.

sky59
Posts: 427
Joined: Tue Sep 11, 2018 5:58 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by sky59 » Tue Feb 02, 2021 12:11 pm

where you create 3 hubs? on server? if yes you can never connect 3 branches together to be able to ping between PCs

or, if you do this you probably might still ping between branches but then you have to play with routers and setting up correct gateways

elheho
Posts: 17
Joined: Thu Jan 07, 2021 1:50 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by elheho » Wed Feb 03, 2021 9:41 am

Hi sky,
yes, I created 3 hubs on the server and use a PC as a bridge to cascade from the bridge to the server. Why can't I connect 3 branches together? That is the purpose of using this solution. As I said, I tried many ways and I still can't get it to work. It would be a pleasure if you helped me out; send your Skype to be more effective.
Thank you

sky59
Posts: 427
Joined: Tue Sep 11, 2018 5:58 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by sky59 » Wed Feb 03, 2021 11:58 am

I have written you 100 times.... you have to have ONE HUB on server and connect all bridges to it

elheho
Posts: 17
Joined: Thu Jan 07, 2021 1:50 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by elheho » Wed Feb 03, 2021 3:53 pm

Hi sky,

Yes, I understand what you are trying to say, but all bridges connected to one hub is not what we want.
In each site we have like 60 devices, similar at each site, and we use static IPs for printers ...

We would like each site to have its own subnet, like
HQ : ***.***.30.***
site1 : ***.***.40.***
site2: ***.***.50.***
site3 : ***.***.60.***
*
*
*

That's why I'm trying to get your Skype, so I can explain to you better, and I'm really sorry if I'm disturbing you.

Thank you

sky59
Posts: 427
Joined: Tue Sep 11, 2018 5:58 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by sky59 » Wed Feb 03, 2021 4:03 pm

no, you do not disturb..

can you make a sketch by hand what you want? with IP addresses? no need details about internet connection, just server and 3 branches

if you want to have different subnets then you need router somewhere, may be more if I am not wrong

because if you want to go from one subnet to a different subnet you need a router with a gateway, so all traffic to the foreign subnet will be forwarded over the gateway

maybe you can enable on each branch (bridge) virtual NAT with gateways like xx.xx.30.1 xx.xx.40.1 xx.xx.50.1 and also with DHCPs
then you still need to connect all bridges to one hub on server!

then, I believe, server will see all virtual routers from bridges because all bridges will say "hello to server, it is me xx.xx.30.1" and other two as well

then server should forward any traffic coming from gateway xx.xx.30.1 leading to subnet xx.xx.40.xx to the gateway xx.xx.40.1 because it knows such gateway exists! and similarly for all combinations..... server knows about all 3 gateways

ps: I have no Skype, also if you do not speak good English (you say this) I can not imagine how we could speak?
if "we" make it work then you owe me a nice bottle of champagne!! :)

sky59
Posts: 427
Joined: Tue Sep 11, 2018 5:58 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by sky59 » Wed Feb 03, 2021 9:56 pm

May be, also some static routes will have to be configured

If I have a chance tomorrow I will try it

sky59
Posts: 427
Joined: Tue Sep 11, 2018 5:58 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by sky59 » Thu Feb 04, 2021 9:36 am

I made following test: (I could not do exactly your case I do not have enough HW)


- I have server with hub VPN

- One BRIDGE connected to VPN hub with SecureNAT enabled like this:
(it is Ubuntu PC running BRIDGE with virtual NIC because of SecureNAT enabled)

IP Address 10.52.30.1
Mask 255.255.255.0


- PC computer with Client and Virtual NIC set up like this:
also connected to hub VPN

IP Address 10.52.31.2
Mask 255.255.252.0
GW 10.52.31.1



Then I could ping from PC (10.52.31.2) virtual NIC on Ubuntu (10.52.30.1)
I forced PC to use interface 10.52.31.2 to be sure it makes right test
----------------------------------------------------------------
C:\WINDOWS\system32>ping 10.52.30.1 -S 10.52.31.2

Pinging 10.52.30.1 from 10.52.31.2 with 32 bytes of data:
Reply from 10.52.30.1: bytes=32 time=4ms TTL=128
Reply from 10.52.30.1: bytes=32 time=4ms TTL=128
Reply from 10.52.30.1: bytes=32 time=4ms TTL=128
Reply from 10.52.30.1: bytes=32 time=5ms TTL=128
----------------------------------------------------------------


here is the part of traceroute to 10.52.30.1, it goes over internet upcbusiness.at
------------------------------------------------------------------------------------
C:\WINDOWS\system32>tracert -j 10.52.31.2 10.52.30.1

Tracing route to 10.52.30.1 over a maximum of 30 hops

1 4 ms 3 ms 3 ms 10.52.30.1
2 4 ms 4 ms 6 ms 10.81.100.1
3 5 ms 5 ms 4 ms 63-79-221-105.static.upcbusiness.at [63.79.221.105]
------------------------------------------------------------------------------------


looking at the route table in PC these lines were added to make connection between subnets:
---------------------------------------------------------------------------------
Network Destination          Netmask      Gateway    Interface  Metric

            0.0.0.0          0.0.0.0   10.52.31.1   10.52.31.2     291
         10.52.28.0    255.255.252.0      On-link   10.52.31.2     291
         10.52.31.2  255.255.255.255      On-link   10.52.31.2     291
       10.52.31.255  255.255.255.255      On-link   10.52.31.2     291
---------------------------------------------------------------------------------

you can see that with mask 255.255.252.0 I can reach 10.52.28.0, 10.52.29.0, 10.52.30.0
networks

I did not need to add manually any static routes

So it seems that hub VPN automatically redirects messages between subnets (I hope I am not wrong :)

sky59
Posts: 427
Joined: Tue Sep 11, 2018 5:58 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by sky59 » Thu Feb 04, 2021 10:23 am

I spoke just now with another guy about this problem.

Yes, I could ping IP address of other router, but could not ping any device in its subnet. This is because there is a NAT in the way.
It would need port forwarding for all IPs in the subnet.

The only possibility for you is to use the same subnet for all branches, just to divide it into smaller segments. To avoid NAT.
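
Added example (not part of the original posts, and not SoftEther code): a Python sketch of the on-link decision behind the mask advice in this thread. It replays the route table sky59 printed, and goes one step further by computing the narrowest mask that puts a set of addresses on one subnet; the function names are made up for this illustration.

```python
import ipaddress

# Route table rows copied from sky59's test post: (destination, netmask, gateway).
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "10.52.31.1"),
    ("10.52.28.0", "255.255.252.0", "On-link"),
    ("10.52.31.2", "255.255.255.255", "On-link"),
    ("10.52.31.255", "255.255.255.255", "On-link"),
]


def next_hop(dest, routes=ROUTES):
    """Longest-prefix match: return 'On-link' or the gateway used to reach dest."""
    addr = ipaddress.ip_address(dest)
    best = None
    for network, mask, gateway in routes:
        net = ipaddress.ip_network(f"{network}/{mask}")
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        raise ValueError(f"no route to {dest}")
    return best[1]


def on_link(host, mask, dest):
    """True if a host configured as host/mask reaches dest directly over L2
    (ARP on the shared segment) instead of sending it to a gateway."""
    iface = ipaddress.ip_interface(f"{host}/{mask}")
    return ipaddress.ip_address(dest) in iface.network


def smallest_common_network(addresses):
    """Narrowest network (longest prefix) that contains every address given."""
    addrs = [ipaddress.ip_address(a) for a in addresses]
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()  # widen the mask by one bit and try again
    return net


if __name__ == "__main__":
    # sky59's client: the /22 route makes 10.52.30.1 on-link, anything
    # outside 10.52.28.0-10.52.31.255 goes to the default gateway.
    for dest in ("10.52.30.1", "10.52.29.7", "10.52.32.1", "10.81.100.1"):
        print(f"{dest:<12} -> {next_hop(dest)}")

    # The same client with a /24 mask would need a router for 10.52.30.1.
    print(on_link("10.52.31.2", "255.255.255.0", "10.52.30.1"))

    # Office 192.168.1.1 and warehouse 192.168.8.1 from the first post:
    # the narrowest shared network is the /20 (255.255.240.0) sky59 suggested.
    office_wh = smallest_common_network(["192.168.1.1", "192.168.8.1"])
    print(office_wh, office_wh.netmask)

    # elheho's .30/.40/.50 sites with /24 masks are not on-link to each other;
    # one flat L2 segment would need at least this network on every device.
    sites = smallest_common_network(
        ["192.168.30.1", "192.168.40.1", "192.168.50.1"])
    print(sites, sites.netmask)
```

The widened mask only helps if it is set on every device at every site, since a host still configured with /24 keeps sending the other site's addresses to its gateway.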

feedtaleone
Posts: 1
Joined: Mon Feb 15, 2021 12:11 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by feedtaleone » Mon Feb 15, 2021 1:56 pm

I recommend you to make a picture, because without it you do not know what you want (the only thing you know it is pinging.... :)

elheho
Posts: 17
Joined: Thu Jan 07, 2021 1:50 pm

Re: SITE-TO-SITE (LAN to LAN)

Post by elheho » Thu Feb 25, 2021 8:38 am

1. I'm using an OVH cloud VPS on a Linux OS as the main SoftEther VPN server
2. On my local site (SITE1) I'm using a Windows 10 PC as a server manager and another PC as a bridge that cascades to a hub that I created on the server, and the same configuration on the other site (SITE2).

Here is the configuration that I have made so far

On The server side:
1. Virtual hubs :

1.1 for the virtual hub (SITE1)

* SECURENAT :Enabled
* ip address : 192.168.30.1/24
* DHCP range : 192.168.30.10/24 TO 200
* Lease time : 7200
* default Gateway : 192.168.30.1
* DNS server : 192.168.30.1
* MTU : 1500
* TCP session : 1800
* UDP session : 60
And for the static route table to push, I added 192.168.40.0/255.255.255.0/192.168.30.254

1.2 for the virtual hub (SITE2)
* SECURENAT :Enabled
* ip address : 192.168.40.1/24
* DHCP range : 192.168.40.10/24 TO 200
* Lease time : 7200
* default Gateway : 192.168.40.1
* DNS server : 192.168.40.1
* MTU : 1500
* TCP session : 1800
* UDP session : 60
And for the static route table to push, I added 192.168.30.0/255.255.255.0/192.168.40.254, 198.168.1.0/255.255.255.0/192.168.40.253

2. In the Layer 3 switching settings I created one virtual Layer 3 switch with two virtual interfaces for each virtual hub

* Virtual interface site 1 : 192.168.30.254/24
* Virtual interface site 2 : 192.168.40.254/24

with no routing table

3. For the local bridge setting I haven't added anything,

4. VPN Azure is disabled,

5. DDNS is enabled,

6. IPsec / L2TP are enabled

On the bridges side:
ON SITE1 :

1. Cascading :

On the bridge one virtual hub is created by default, and I cascade from the virtual hub on the bridge to the virtual hub that I already created on the server side;
the configuration is like this
* Setting name : site012hq
* Host name : SERVER IP
* Port number : 443
* virtual hub name : HQ
* user authentication : user created on the server site

The status is online

2. SECURENAT setting :

SECURENAT :Disabled
* ip address : 192.168.30.1/24
* DHCP range : 192.168.30.10/24 TO 200
* Lease time : 7200
* default Gateway : 192.168.30.1
* DNS server : 192.168.30.1
* MTU : 1500
* TCP session : 1800
* UDP session : 60

And for the static route table to push, I haven't added any static routes

3. LOCAL BRIDGE settings:

For the local bridge settings I added a USB network adapter and connected it to the internet, and the integrated adapter on the PC is connected from the PC to a PoE switch and from that switch to the clients.

That is all the configuration I have made; I haven't added any port forward or static route on the router or the clients, or on the firewall.
I think at least it should ping between the two sites, and I work for 1 day, but sometimes I get the IP address of my ISP, not the VPN IP, and I don't know why that happens. The other problem is that when the clients are connected to the VPN I can't access my local devices, like I can't access my router or printer ..., but when I activate SecureNAT on the bridge I can access them, but the IP address I get is the ISP address.
I really need help.

Here is some pictures : https://imgur.com/a/tNYnsAk

Thank you
REGARDS
