Dedicated IP for use
-
- Posts: 1
- Joined: Wed Jan 25, 2023 12:05 pm
Dedicated IP for use
Hello everyone
I have a SoftEther server and 10 clients. I want to know how I can dedicate an IP to a user, such as
User name: Test01
IP: 192.168.13.10
Thanks
-
- Posts: 1517
- Joined: Sun Feb 14, 2021 10:31 am
Re: Dedicated IP for use
Virtual MAC address reservation
http://www.softether.org/5-download/history
SoftEther VPN 4.31 Build 9727 Beta (November 18, 2019)
Added the new function to reserve and each Virtual MAC address and IP address for each user of L2TP/IPsec, SSTP and OpenVPN L3. Since SoftEther VPN Ver 4.31 Build 9727, we added the new function to make each L3 VPN users to use the reserved virtual MAC address and the virtual IP address. This function allows the DHCP server in the remote-access destination network to identify the connected user and to assign reserved IP addresses to each of users respectfully. L3 VPN protocols, such as L2TP/IPsec, SSTP and OpenVPN L3, creates virtual L2/L3 layer-transformation adapter for each of VPN connections which are established to the Virtual Hub on SoftEther VPN Server. A virtual L2/L3 layer-transformation adapter has a virtual MAC address. In the previous versions of SoftEther VPN, virtual MAC addresses are randomly assigned each time when users connect to the VPN Server. There were no solution to assign fixed MAC addresses and IP addresses to each of users. SoftEther VPN Ver 4.31 Build 9727 and later supports the function to fix virtual MAC addresses of every L3 VPN users.
-
- Posts: 289
- Joined: Wed Dec 28, 2022 9:10 pm
Re: Dedicated IP for use
solo wrote: ↑Wed Jan 25, 2023 12:17 pm
Virtual MAC address reservation
http://www.softether.org/5-download/history
SoftEther VPN 4.31 Build 9727 Beta (November 18, 2019)
Added the new function to reserve and each Virtual MAC address and IP address for each user of L2TP/IPsec, SSTP and OpenVPN L3. Since SoftEther VPN Ver 4.31 Build 9727, we added the new function to make each L3 VPN users to use the reserved virtual MAC address and the virtual IP address. This function allows the DHCP server in the remote-access destination network to identify the connected user and to assign reserved IP addresses to each of users respectfully. L3 VPN protocols, such as L2TP/IPsec, SSTP and OpenVPN L3, creates virtual L2/L3 layer-transformation adapter for each of VPN connections which are established to the Virtual Hub on SoftEther VPN Server. A virtual L2/L3 layer-transformation adapter has a virtual MAC address. In the previous versions of SoftEther VPN, virtual MAC addresses are randomly assigned each time when users connect to the VPN Server. There were no solution to assign fixed MAC addresses and IP addresses to each of users. SoftEther VPN Ver 4.31 Build 9727 and later supports the function to fix virtual MAC addresses of every L3 VPN users.

Tested
Near 4 to 5 times IP allocation from dnsmasq faster
dnsmasq configuration sample
Code:
# Only listen to routers' LAN NIC. Doing so opens up tcp/udp port 53 to localhost and udp port 67 to world:
interface=tap_vpn
# dnsmasq will open tcp/udp port 53 and udp port 67 to world to help with dynamic interfaces (assigning dynamic IPs).
# dnsmasq will discard world requests to them, but the paranoid might like to close them and let the kernel handle them.
bind-interfaces
# Optionally set a domain name
domain=tra.xssl.it
# Set default gateway
dhcp-option=3,192.168.100.1
# Set DNS servers to announce
dhcp-option=6,8.8.8.8
# If your dnsmasq server is also doing the routing for your network, you can use option 121 to push a static route out.
# x.x.x.x is the destination LAN, yy is the CIDR notation (usually /24), and z.z.z.z is the host which will do the routing.
# dhcp-option=121,x.x.x.x/yy,z.z.z.z
# Dynamic range of IPs to make available to LAN PC and the lease time.
# Ideally set the lease time to 5m only at first to test everything works okay before you set long-lasting records.
dhcp-range=192.168.100.10,192.168.100.250,12h
# Provide IPv6 DHCP leases, the range is constructed using the network interface as prefix
dhcp-range=::f,::ff,constructor:tap_vpn
# If you’d like to have dnsmasq assign static IPs to some clients, bind the LAN computers NIC MAC addresses:
dhcp-host=ae:00:00:00:00:01,192.168.100.111
dhcp-host=ae:00:00:00:00:02,192.168.100.112
https://wiki.archlinux.org/title/dnsmasq#DHCP_server
-
- Posts: 1517
- Joined: Sun Feb 14, 2021 10:31 am
Re: Dedicated IP for use
shakibamoshiri wrote: ↑Fri Jan 27, 2023 10:37 am
Near 4 to 5 times IP allocation from dnsmasq faster

Faster than what?
-
- Posts: 289
- Joined: Wed Dec 28, 2022 9:10 pm
Re: Dedicated IP for use
solo wrote: ↑Fri Jan 27, 2023 11:50 am
shakibamoshiri wrote: ↑Fri Jan 27, 2023 10:37 am
Near 4 to 5 times IP allocation from dnsmasq faster
Faster than what?

I liked SecureNAT more since with built-in DHCP functionality, IP assignment was fast. On average 1 to 3 seconds to a client.
Because of high CPU usage, dnsmasq is preferable, but a new issue arose: slow IP assignment to a client. On average 3 to 10 seconds. Much slower than SecureNAT.
So I was looking for a way of tweaking dnsmasq and did not find anything.
Then it came to my mind after seeing this post that it could be faster for dnsmasq to assign an IP statically since it does not have to check its table or look up anything. It is a kind of key-value pair (one to one) compared to dynamic assignment, which is (one to many).
So I tested dnsmasq with static IP assignment + this MAC:ae:00:00:00:00:00 feature and speed was almost like SecureNAT.
-
- Posts: 1517
- Joined: Sun Feb 14, 2021 10:31 am
Re: Dedicated IP for use
shakibamoshiri wrote: ↑Fri Jan 27, 2023 2:51 pm
So I was looking for a way of tweaking dnsmasq and did not find anything.

Can you check if dnsmasq's DHCP assignment is faster with the "no-ping" option?
--no-ping
(IPv4 only) By default, the DHCP server will attempt to ensure that an address is not in use before allocating it to a host. It does this by sending an ICMP echo request (aka "ping") to the address in question. If it gets a reply, then the address must already be in use, and another is tried. This flag disables this check. Use with caution.
--dhcp-reply-delay=[tag:<tag>,]<integer>
Delays sending DHCPOFFER and PROXYDHCP replies for at least the specified number of seconds. This can be used as workaround for bugs in PXE boot firmware that does not function properly when receiving an instant reply. This option takes into account the time already spent waiting (e.g. performing ping check) if any.
-
- Posts: 289
- Joined: Wed Dec 28, 2022 9:10 pm
Re: Dedicated IP for use
solo wrote: ↑Sat Jan 28, 2023 12:02 am
shakibamoshiri wrote: ↑Fri Jan 27, 2023 2:51 pm
So I was looking for a way of tweaking dnsmasq and did not find anything.
Can you check if dnsmasq' DHCP assignment is faster with the "no-ping" option?
--no-ping
(IPv4 only) By default, the DHCP server will attempt to ensure that an address is not in use before allocating it to a host. It does this by sending an ICMP echo request (aka "ping") to the address in question. If it gets a reply, then the address must already be in use, and another is tried. This flag disables this check. Use with caution.
--dhcp-reply-delay=[tag:<tag>,]<integer>
Delays sending DHCPOFFER and PROXYDHCP replies for at least the specified number of seconds. This can be used as workaround for bugs in PXE boot firmware that does not function properly when receiving an instant reply. This option takes into account the time already spent waiting (e.g. performing ping check) if any.

log for static assignment with MAC
Code:
# connecting
Jan 28 00:38:40 id-952032 dnsmasq-dhcp[25340]: DHCPDISCOVER(tap_vpn) ae:00:00:00:00:02
Jan 28 00:38:40 id-952032 dnsmasq-dhcp[25340]: DHCPOFFER(tap_vpn) 192.168.100.112 ae:00:00:00:00:02
Jan 28 00:38:40 id-952032 dnsmasq-dhcp[25340]: DHCPREQUEST(tap_vpn) 192.168.100.112 ae:00:00:00:00:02
Jan 28 00:38:40 id-952032 dnsmasq-dhcp[25340]: abandoning lease to ae:00:00:00:00:02 of 192.168.100.112
Jan 28 00:38:40 id-952032 dnsmasq-dhcp[25340]: Ignoring domain X.X.X.X for DHCP host name X
Jan 28 00:38:40 id-952032 dnsmasq-dhcp[25340]: DHCPACK(tap_vpn) 192.168.100.112 ae:00:00:00:00:02 78
# disconnecting
Jan 28 00:41:50 id-952032 dnsmasq-dhcp[25340]: DHCPRELEASE(tap_vpn) 192.168.100.112 ae:00:00:00:00:02 unknown lease
Code:
# connecting
Jan 28 00:42:52 id-952032 dnsmasq-dhcp[25340]: DHCPDISCOVER(tap_vpn) ca:53:74:bb:ff:0b
Jan 28 00:42:52 id-952032 dnsmasq-dhcp[25340]: DHCPOFFER(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b
Jan 28 00:42:52 id-952032 dnsmasq-dhcp[25340]: DHCPDISCOVER(tap_vpn) ca:53:74:bb:ff:0b
Jan 28 00:42:52 id-952032 dnsmasq-dhcp[25340]: DHCPOFFER(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b
Jan 28 00:42:52 id-952032 dnsmasq-dhcp[25340]: DHCPREQUEST(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b
Jan 28 00:38:40 id-952032 dnsmasq-dhcp[25340]: Ignoring domain X.X.X.X for DHCP host name X
Jan 28 00:42:52 id-952032 dnsmasq-dhcp[25340]: DHCPACK(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b 78
# disconnecting
Jan 28 00:43:49 id-952032 dnsmasq-dhcp[25340]: DHCPRELEASE(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b unknown lease
switching to --no-ping
Code:
/usr/sbin/dnsmasq --no-ping -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d ...
log for dynamic with --no-ping
Code:
# connecting
Jan 28 00:54:11 id-952032 dnsmasq-dhcp[25806]: DHCPDISCOVER(tap_vpn) ca:53:74:bb:ff:0b
Jan 28 00:54:11 id-952032 dnsmasq-dhcp[25806]: DHCPOFFER(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b
Jan 28 00:54:11 id-952032 dnsmasq-dhcp[25806]: DHCPREQUEST(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b
Jan 28 00:38:40 id-952032 dnsmasq-dhcp[25340]: Ignoring domain X.X.X.X for DHCP host name X
Jan 28 00:54:11 id-952032 dnsmasq-dhcp[25806]: DHCPACK(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b 78
# disconnecting
Jan 28 00:55:08 id-952032 dnsmasq-dhcp[25806]: DHCPRELEASE(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b unknown lease
Code:
# connecting
Jan 28 00:56:22 id-952032 dnsmasq-dhcp[25806]: DHCPDISCOVER(tap_vpn) ae:00:00:00:00:02
Jan 28 00:56:22 id-952032 dnsmasq-dhcp[25806]: DHCPOFFER(tap_vpn) 192.168.100.112 ae:00:00:00:00:02
Jan 28 00:56:22 id-952032 dnsmasq-dhcp[25806]: DHCPREQUEST(tap_vpn) 192.168.100.112 ae:00:00:00:00:02
Jan 28 00:38:40 id-952032 dnsmasq-dhcp[25340]: Ignoring domain X.X.X.X for DHCP host name X
Jan 28 00:56:22 id-952032 dnsmasq-dhcp[25806]: DHCPACK(tap_vpn) 192.168.100.112 ae:00:00:00:00:02 78
# disconnecting
Jan 28 00:57:05 id-952032 dnsmasq-dhcp[25806]: DHCPRELEASE(tap_vpn) 192.168.100.112 ae:00:00:00:00:02 unknown lease
But I am afraid of IP collisions when --no-ping is used. In this case, how can one be sure a new IP has not already been used?
If there were a guarantee of no IP collisions, then --no-ping could be safe to use; otherwise it may be problematic.
Also I am wondering why dnsmasq uses the echo-reply technique to check whether an IP has been used or not. Why not use a kind of hash table (key-value pair) to check which IPs are used?
-
- Posts: 1517
- Joined: Sun Feb 14, 2021 10:31 am
Re: Dedicated IP for use
Great stuff, thank you for these tests. Here is a summary with rather inconsistent results for the static:
- log for static assignment with MAC = 3s
- log for dynamic = 1s
- log for dynamic with --no-ping < 1s
- log for static with --no-ping < 1s
-
- Posts: 289
- Joined: Wed Dec 28, 2022 9:10 pm
Re: Dedicated IP for use
solo wrote: ↑Sat Jan 28, 2023 11:40 am
Great stuff, thank you for these tests. Here is a summary with rather inconsistent results for the static:
- log for static assignment with MAC = 3s
- log for dynamic = 1s
- log for dynamic with --no-ping < 1s
- log for static with --no-ping < 1s
In any case I'd opt for no-ping as it seems to be only a double-check on records already stored in a persistent dnsmasq lease database file.

A single test like this is not enough to make a decision for using/not using --no-ping. It should be tested with e.g. 100 or 200 users at least.
Plus, how did you calculate 3s, 1s, < 1s? The log's time happened at a constant time, for example the first is "00:38:40".
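Added example, not part of any post in the thread: a Python parser that measures each DISCOVER-to-ACK exchange in dnsmasq-dhcp syslog lines like the ones pasted above, counts retransmitted DISCOVERs, and flags an address acknowledged to a second MAC while the first never released it (the collision worry raised about --no-ping). The log lines are constructed in the thread's format; the function name `analyse`, the host name, PIDs, times and the third MAC are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample in the dnsmasq-dhcp syslog format shown in the thread;
# host name, PIDs, times, client names and the third MAC are made up.
SAMPLE_LOG = """\
Jan 28 01:10:00 gw dnsmasq-dhcp[4242]: DHCPDISCOVER(tap_vpn) ca:53:74:bb:ff:0b
Jan 28 01:10:03 gw dnsmasq-dhcp[4242]: DHCPDISCOVER(tap_vpn) ca:53:74:bb:ff:0b
Jan 28 01:10:03 gw dnsmasq-dhcp[4242]: DHCPOFFER(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b
Jan 28 01:10:03 gw dnsmasq-dhcp[4242]: DHCPREQUEST(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b
Jan 28 01:10:03 gw dnsmasq-dhcp[4242]: Ignoring domain X.X.X.X for DHCP host name X
Jan 28 01:10:03 gw dnsmasq-dhcp[4242]: DHCPACK(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b pc1
Jan 28 01:11:20 gw dnsmasq-dhcp[4242]: DHCPDISCOVER(tap_vpn) ae:00:00:00:00:02
Jan 28 01:11:20 gw dnsmasq-dhcp[4242]: DHCPOFFER(tap_vpn) 192.168.100.112 ae:00:00:00:00:02
Jan 28 01:11:20 gw dnsmasq-dhcp[4242]: DHCPREQUEST(tap_vpn) 192.168.100.112 ae:00:00:00:00:02
Jan 28 01:11:20 gw dnsmasq-dhcp[4242]: DHCPACK(tap_vpn) 192.168.100.112 ae:00:00:00:00:02 pc2
Jan 28 01:12:00 gw dnsmasq-dhcp[4242]: DHCPRELEASE(tap_vpn) 192.168.100.112 ae:00:00:00:00:02
Jan 28 01:12:30 gw dnsmasq-dhcp[5151]: DHCPDISCOVER(tap_vpn) ca:53:74:bb:ff:99
Jan 28 01:12:30 gw dnsmasq-dhcp[5151]: DHCPACK(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:99 pc3
"""

LINE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dnsmasq-dhcp\[\d+\]: "
    r"(DHCP[A-Z]+)\(\S+?\)(.*)$")
MAC = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I)
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def analyse(log_text, year=2023):
    """Return (handshakes, conflicts) from dnsmasq-dhcp syslog text.

    handshakes: one dict per DISCOVER..ACK exchange with the elapsed seconds
    and the number of DISCOVERs seen (more than 1 means a retransmission).
    conflicts: (ip, holder_mac, new_mac) when an address is ACKed to a second
    MAC although the first never sent DHCPRELEASE (heuristic, ignores expiry).
    """
    pending, holder = {}, {}
    handshakes, conflicts = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # other daemons, "Ignoring domain ..." notices, etc.
        stamp, msg, rest = m.groups()
        mac_m = MAC.search(rest)
        if not mac_m:
            continue
        mac = mac_m.group(0).lower()
        ip_m = IPV4.search(rest)
        ip = ip_m.group(0) if ip_m else None
        # Syslog omits the year and only has one-second resolution.
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if msg == "DHCPDISCOVER":
            entry = pending.setdefault(mac, {"start": ts, "discovers": 0})
            entry["discovers"] += 1
        elif msg == "DHCPACK":
            if ip and holder.get(ip, mac) != mac:
                conflicts.append((ip, holder[ip], mac))
            if ip:
                holder[ip] = mac
            entry = pending.pop(mac, None)
            if entry:  # an ACK without a DISCOVER is a renewal, skip it
                handshakes.append({
                    "mac": mac, "ip": ip,
                    "seconds": int((ts - entry["start"]).total_seconds()),
                    "discovers": entry["discovers"]})
        elif msg == "DHCPRELEASE":
            pending.pop(mac, None)
            if ip and holder.get(ip) == mac:
                del holder[ip]
    return handshakes, conflicts
```

Because syslog stamps whole seconds, an exchange that completes inside one second reports 0; comparing sub-second differences needs a packet capture or a higher-resolution timestamp source.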
-
- Posts: 289
- Joined: Wed Dec 28, 2022 9:10 pm
Re: Dedicated IP for use
solo wrote: ↑Sat Jan 28, 2023 11:40 am
Great stuff, thank you for these tests. Here is a summary with rather inconsistent results for the static:
- log for static assignment with MAC = 3s
- log for dynamic = 1s
- log for dynamic with --no-ping < 1s
- log for static with --no-ping < 1s
In any case I'd opt for no-ping as it seems to be only a double-check on records already stored in a persistent dnsmasq lease database file.

I liked the idea of adding the MAC address to the "note" part, but I prefer not to use it since I need it for something else.
Actually it would be a better design if SE server (and manager) had a field just for MAC and mac-address setting.
-
- Posts: 286
- Joined: Wed Nov 25, 2020 9:10 am
Re: Dedicated IP for use
no-ping is not safe if any of these is true:
1. dnsmasq is restarted when VPN server is running
2. some clients are not getting ip from dnsmasq (i.e. manual configuration)
please also note that dnsmasq does not probe the address every time so if you test frequently you will see it sometimes acts as if no-ping is set.
-
- Posts: 289
- Joined: Wed Dec 28, 2022 9:10 pm
Re: Dedicated IP for use
eddiewu wrote: ↑Sat Jan 28, 2023 12:14 pm
no-ping is not safe if any of these is true:
1. dnsmasq is restarted when VPN server is running
2. some clients are not getting ip from dnsmasq (i.e. manual configuration)
please also note that dnsmasq does not probe the address every time so if you test frequently you will see it sometimes acts as if no-ping is set.

Yes. To me it is also not safe. If this option were already safe they would add it to systemd-config so as to be faster, why not.
Setting MAC:ae:00:00:00:00:00 is good but I wish they would design it with a new field or somewhere else.
"note" part has other use cases.
-
- Posts: 289
- Joined: Wed Dec 28, 2022 9:10 pm
Re: Dedicated IP for use
eddiewu wrote: ↑Sat Jan 28, 2023 12:14 pm
no-ping is not safe if any of these is true:
1. dnsmasq is restarted when VPN server is running
2. some clients are not getting ip from dnsmasq (i.e. manual configuration)
please also note that dnsmasq does not probe the address every time so if you test frequently you will see it sometimes acts as if no-ping is set.

A question came to me now. Can we use SE DHCP but OS NAT.
So just using SE server DHCP to get IPs faster but for avoiding High CPU usage, delegate NAT to OS using Local Bridge ?
I think it is possible but I will test. just I was wondering it is okay or no.
-
- Posts: 1517
- Joined: Sun Feb 14, 2021 10:31 am
Re: Dedicated IP for use
shakibamoshiri wrote: ↑Sat Jan 28, 2023 12:44 pm
A question came to me now. Can we use SE DHCP but OS NAT.

Yes, it works very well.
-
- Posts: 289
- Joined: Wed Dec 28, 2022 9:10 pm
Re: Dedicated IP for use
solo wrote: ↑Sat Jan 28, 2023 1:57 pm
shakibamoshiri wrote: ↑Sat Jan 28, 2023 12:44 pm
A question came to me now. Can we use SE DHCP but OS NAT.
Yes, it works very well.

How? As I tested, it did not work with DE version.
Here is the way
- create a local bridge tap_tap
- systemctl stop dnsmasq.service
- ip addr add 192.168.100.1/24 brd + dev tap_tap
- in SE server > Manage Virtual Hub > Virtual NAT and Virtual DHCP > Enable -- but disable "Use Virtual Nat Function" part
log
Code:
...
Connection "CID-175" terminated by the cause "Connection has been disconnected." (code 3).
Connection "CID-175" has been terminated.
...
-
- Posts: 1517
- Joined: Sun Feb 14, 2021 10:31 am
Re: Dedicated IP for use
Post as code:
Code:
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd SecureNatStatusGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd SecureNatHostGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd DhcpGet
//replace: *** with SE admin password; @@@ with VPN hub's name
https://www.softether.org/index.php?tit ... ureNAT_Use
Of the SecureNAT functions, it is possible to enable only the DHCP server. In other words, it is possible to use only the DHCP server function operating within the Virtual Hub Ethernet segment. This allows VPN Clients and local bridge destination client computers remotely accessing the Virtual Hub to receive IP addresses assigned by the virtual DHCP server.
-
- Posts: 289
- Joined: Wed Dec 28, 2022 9:10 pm
Re: Dedicated IP for use
solo wrote: ↑Sat Jan 28, 2023 11:09 pm
Post as code:
Code:
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd SecureNatStatusGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd SecureNatHostGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd DhcpGet
//replace: *** with SE admin password; @@@ with VPN hub's name
https://www.softether.org/index.php?tit ... ureNAT_Use
Of the SecureNAT functions, it is possible to enable only the DHCP server. In other words, it is possible to use only the DHCP server function operating within the Virtual Hub Ethernet segment. This allows VPN Clients and local bridge destination client computers remotely accessing the Virtual Hub to receive IP addresses assigned by the virtual DHCP server.

SecureNatStatusGet
Code:
VPN Server/VPN>SecureNatStatusGet
SecureNatStatusGet command - Get the Operating Status of the Virtual NAT and DHCP Server Function (SecureNat Function)
Item |Value
-------------------------+---------
Virtual Hub Name |VPN
NAT TCP/IP Sessions |0 Session
NAT UDP/IP Sessions |0 Session
NAT ICMP Sessions |0 Session
NAT DNS Sessions |0 Session
Allocated DHCP Clients |1 Client
Kernel-mode NAT is Active|No
Raw IP mode NAT is Active|No
The command completed successfully.
Code:
VPN Server/VPN>SecureNatHostGet
SecureNatHostGet command - Get Network Interface Setting of Virtual Host of SecureNAT Function
Item |Value
-----------+-----------------
MAC Address|xx-xx-xx-xx-xx-xx
IP Address |192.168.30.1
Subnet Mask|255.255.255.0
The command completed successfully.
Code:
VPN Server/VPN>DhcpGet
DhcpGet command - Get Virtual DHCP Server Function Setting of SecureNAT Function
Item |Value
-------------------------------+--------------
Use Virtual DHCP Function |Yes
Start Distribution Address Band|192.168.30.10
End Distribution Address Band |192.168.30.100
Subnet Mask |255.255.255.0
Lease Limit (Seconds) |7200
Default Gateway Address |192.168.30.1
DNS Server Address 1 |8.8.8.8
DNS Server Address 2 |1.1.1.1
Domain Name |
Save NAT and DHCP Operation Log|Yes
Static Routing Table to Push |
The command completed successfully.
SessionList (notice this is hop-2 -- so it is a double vpn -- SID-E4ZLAM-19 is a link from hop-1)
Code:
VPN Server/VPN>SessionList
SessionList command - Get List of Connected Sessions
Item |Value
----------------+------------------
Session Name |SID-LOCALBRIDGE-13
VLAN ID |-
Location |Local Session
User Name |Local Bridge
Source Host Name|Ethernet Bridge
TCP Connections |None
Transfer Bytes |1,157,604
Transfer Packets|8,080
----------------+------------------
Session Name |SID-E4ZLAM-19
VLAN ID |-
Location |Local Session
User Name |e4zlam
Source Host Name|X.X.X.X
TCP Connections |8 / 8
Transfer Bytes |69,808
Transfer Packets|1,224
----------------+------------------
Session Name |SID-SECURENAT-20
VLAN ID |-
Location |SecureNAT Session
User Name |SecureNAT
Source Host Name|Virtual Host
TCP Connections |None
Transfer Bytes |56,240
Transfer Packets|1,106
The command completed successfully.
Code:
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.30.0/24 ! -d 192.168.30.0/24 -j SNAT --to-source 95.216.168.78
Code:
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
Code:
192.168.30.0/24 dev tap_tap proto kernel scope link src 192.168.30.1
Code:
$ ping -c4 192.168.30.1
PING 192.168.30.1 (192.168.30.1) 56(84) bytes of data.
64 bytes from 192.168.30.1: icmp_seq=1 ttl=128 time=159 ms
64 bytes from 192.168.30.1: icmp_seq=2 ttl=128 time=166 ms
64 bytes from 192.168.30.1: icmp_seq=3 ttl=128 time=168 ms
64 bytes from 192.168.30.1: icmp_seq=4 ttl=128 time=213 ms
--- 192.168.30.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 159.743/176.945/213.058/21.094 ms
$
$ ping -c4 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3129ms
Can ping the hop-2 gateway, but cannot ping the public Internet.
If "dnsmasq" is enabled it is okay, but "dnsmasq" has been disabled and only SecureNAT > DHCP has been enabled.
It is worth mentioning that I tested the built-in WireGuard; it is okay and can ping the public Internet even with DHCP of SecureNAT disabled, since the WG client sets a static IP. So with this configuration I was expecting
- DHCP from SecureNAT while Virtual NAT has been disabled
- Local Bridge to avoid CPU overhead of Virtual NAT
what I have done wrong?
-
- Posts: 1517
- Joined: Sun Feb 14, 2021 10:31 am
Re: Dedicated IP for use
shakibamoshiri wrote: ↑Thu Feb 02, 2023 6:44 pm
- ip addr add 192.168.100.1/24 brd + dev tap_tap
....
Get Network Interface Setting of Virtual Host of SecureNAT Function
IP Address |192.168.30.1
....
what I have done wrong?

Ain't this glaring obvious? C'mon, you've done some complex VPNs but missed it ;-)
-
- Posts: 289
- Joined: Wed Dec 28, 2022 9:10 pm
Re: Dedicated IP for use
solo wrote: ↑Thu Feb 02, 2023 10:42 pm
shakibamoshiri wrote: ↑Thu Feb 02, 2023 6:44 pm
- ip addr add 192.168.100.1/24 brd + dev tap_tap
....
Get Network Interface Setting of Virtual Host of SecureNAT Function
IP Address |192.168.30.1
....
what I have done wrong?
Ain't this glaring obvious? C'mon, you've done some complex VPNs but missed it ;-)

If you refer to this
Code:
- ip addr add 192.168.100.1/24 brd + dev tap_tap
For WG I changed and went first with SecureNAT enabled, then I did not modify it and kept it
Thus the current network address is 192.168.30.0/24
ip -br a
Code:
ip -br a
lo UNKNOWN 127.0.0.1/8 172.27.52.224/32 fd00::b:34e0/128 ::1/128
enp1s0 UP X.X.X.X/32 fe80::9400:1ff:fecd:2074/64
tap_tap UNKNOWN 192.168.30.1/24 fe80::5c93:e1ff:fe03:39e4/64
Code:
iptables -S -t nat | grep NAT
-A POSTROUTING -s 192.168.30.0/24 ! -d 192.168.30.0/24 -j SNAT --to-source 95.216.168.78
Code:
ip route show | grep tap
192.168.30.0/24 dev tap_tap proto kernel scope link src 192.168.30.1
-
- Posts: 1517
- Joined: Sun Feb 14, 2021 10:31 am
Re: Dedicated IP for use
Incorrect.
192.168.30.1 is the DHCP server.
192.168.30.2 for tap_tap (or other below "Start Distribution Address Band|192.168.30.10")
-
- Posts: 289
- Joined: Wed Dec 28, 2022 9:10 pm
Re: Dedicated IP for use
Done.
Solved
- local bridge 192.168.30.2
- SecureNAT > DHCP gateway 192.168.30.2
Thank you
why I asked this question here and did not ask separately :|
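Added example, not part of any post in the thread: a Python check of the address plan the exchange above converged on, for the case where SecureNAT supplies only DHCP and the OS does NAT on the local bridge. It parses the `SecureNatHostGet` and `DhcpGet` tables pasted earlier and reports when the tap address collides with the SecureNAT virtual host, sits in the DHCP pool, or is not the gateway DHCP hands out. The function names and problem labels are assumptions of this example.

```python
import ipaddress

# vpncmd output as pasted in the thread (banner lines and unused rows trimmed).
SECURENAT_HOST = """\
Item       |Value
-----------+-----------------
MAC Address|xx-xx-xx-xx-xx-xx
IP Address |192.168.30.1
Subnet Mask|255.255.255.0
"""
DHCP = """\
Item                           |Value
-------------------------------+--------------
Use Virtual DHCP Function      |Yes
Start Distribution Address Band|192.168.30.10
End Distribution Address Band  |192.168.30.100
Subnet Mask                    |255.255.255.0
Default Gateway Address        |192.168.30.1
"""


def parse_vpncmd_table(text):
    """Turn single-record 'Item |Value' output into a dict."""
    table = {}
    for line in text.splitlines():
        key, sep, value = line.partition("|")
        if sep:  # rule lines use '+', banner lines have no '|'
            table[key.strip()] = value.strip()
    return table


def check_bridge_plan(host_out, dhcp_out, tap_cidr):
    """List addressing problems for DHCP-only SecureNAT plus OS-side NAT."""
    host = parse_vpncmd_table(host_out)
    dhcp = parse_vpncmd_table(dhcp_out)
    tap = ipaddress.ip_interface(tap_cidr)
    virtual_host = ipaddress.ip_address(host["IP Address"])
    first = ipaddress.ip_address(dhcp["Start Distribution Address Band"])
    last = ipaddress.ip_address(dhcp["End Distribution Address Band"])
    gateway = ipaddress.ip_address(dhcp["Default Gateway Address"])
    problems = []
    if virtual_host not in tap.network:
        problems.append(f"subnet: {tap.network} does not contain the "
                        f"SecureNAT virtual host {virtual_host}")
    if tap.ip == virtual_host:
        problems.append(f"duplicate: {tap.ip} is already the SecureNAT "
                        "virtual host (the DHCP server)")
    if first <= tap.ip <= last:
        problems.append(f"pool: {tap.ip} lies inside the DHCP range "
                        f"{first}-{last}")
    if gateway != tap.ip:
        problems.append(f"gateway: DHCP hands out {gateway}, but the OS "
                        f"doing NAT is {tap.ip}")
    return problems
```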
-
- Posts: 1
- Joined: Mon Aug 14, 2023 1:09 pm
DHCP Client ip is not assigned to PC
After 500 sessions connected, a new VPN user connected but a DHCP IP address is not assigned. My subnet range is 255.255.248.0
-
- Posts: 1
- Joined: Sun Sep 24, 2023 11:07 am
Re: Dedicated IP for use
Hi community, I ask for your help.
We have the following setup:
SoftEther VPN server, with OpenVPN clone server function and L2TP/IPsec function enabled
FreeRADIUS running in Docker for user authentication
dnsmasq for IP address leasing
The task is to map (reserve) IP addresses for specific clients which connect to the server over OpenVPN clients, L2TP/IPsec (Windows clients), and the SoftEther native client.
I've tried binding the address via dnsmasq.conf but it didn't work
-
- Posts: 1517
- Joined: Sun Feb 14, 2021 10:31 am
Re: Dedicated IP for use
https://www.softether.org/5-download/history
When the user object is using the RADIUS authentication, you need to configure your RADIUS server to reply the "Framed-Interface-Id" (Attribute Number: 96) RADIUS Attribute as the MAC addresses which you want to assign to the user. The reply string must be a 6-bytes ASCII-encoded HEX string, such like "AE0000000001" or "AE-00-00-00-00-01". The string may have "-" or ":" as delimiter.
Note 1: The RADIUS server can identify if the client is L2 VPN client or L3 VPN client by checking whether the RADIUS Attribute "Proxy-State" (Attribute Number: 33) starts with "L3:" or not. This helps you to realize the solution on the RADIUS server to accept only L3 VPN clients, and deny connections from L2 VPN clients.
Note 2: Do not assign to the same single MAC address to multiple VPN clients. When two or more VPN sessions have the duplicated MAC address at the same time, the communication will be unstable.
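Added example, not SoftEther or dnsmasq project code: a Python helper that takes per-user "Framed-Interface-Id" strings in the forms quoted above, normalises them to the colon-separated form used in the thread's `dhcp-host=` lines, and refuses entries that would break the reservation (malformed value, group/multicast MAC, duplicate MAC as warned in Note 2, duplicate or out-of-subnet IP). The reservation table is constructed; the function names are assumptions of this example.

```python
import ipaddress
import re

# Constructed reservation table: (user, Framed-Interface-Id value, IP).
# Test01 and 192.168.13.10 come from the first post; the rest is made up.
RESERVATIONS = [
    ("Test01", "AE0000000001", "192.168.100.111"),
    ("Test02", "AE-00-00-00-00-02", "192.168.100.112"),
    ("Test03", "ae:00:00:00:00:01", "192.168.100.113"),  # same MAC as Test01
    ("Test04", "AE00000000", "192.168.100.114"),         # only 5 bytes
    ("Test05", "AF0000000005", "192.168.100.115"),       # group bit set
    ("Test06", "AE0000000006", "192.168.13.10"),         # outside the subnet
]

HEX12 = re.compile(r"[0-9a-f]{12}")


def normalise_mac(value):
    """Accept 'AE0000000001', 'AE-00-00-00-00-01' or 'ae:00:00:00:00:01'
    and return 'ae:00:00:00:00:01'; raise ValueError otherwise."""
    text = value.strip().lower()
    parts = re.split(r"[-:]", text)
    if len(parts) == 1:
        digits = text
    elif len(parts) == 6 and all(len(p) == 2 for p in parts):
        digits = "".join(parts)
    else:
        raise ValueError(f"not a 6-byte MAC: {value!r}")
    if not HEX12.fullmatch(digits):
        raise ValueError(f"not 12 hex digits: {value!r}")
    if int(digits[:2], 16) & 0x01:
        # Lowest bit of the first octet marks a group (multicast) address.
        raise ValueError(f"group (multicast) address: {value!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_dhcp_hosts(reservations, subnet):
    """Return (dhcp_host_lines, errors) for dnsmasq from a reservation table."""
    net = ipaddress.ip_network(subnet)
    seen_mac, seen_ip, lines, errors = {}, {}, [], []
    for user, ifid, ip_text in reservations:
        try:
            mac = normalise_mac(ifid)
            ip = ipaddress.ip_address(ip_text)
        except ValueError as exc:
            errors.append(f"{user}: {exc}")
            continue
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            errors.append(f"{user}: {ip} is not a usable host in {net}")
        elif mac in seen_mac:
            errors.append(f"{user}: MAC {mac} already given to {seen_mac[mac]}")
        elif ip in seen_ip:
            errors.append(f"{user}: IP {ip} already given to {seen_ip[ip]}")
        else:
            seen_mac[mac], seen_ip[ip] = user, user
            lines.append(f"dhcp-host={mac},{ip}")
    return lines, errors
```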