Dedicated IP for use

Post your questions about SoftEther VPN software here. Please answer questions if you can.
omartomi
Posts: 1
Joined: Wed Jan 25, 2023 12:05 pm

Dedicated IP for use

Post by omartomi » Wed Jan 25, 2023 12:11 pm

Hello everyone,
I have a SoftEther server and 10 clients. I want to know how I can dedicate an IP to a user, for example:
User name: Test01
IP: 192.168.13.10
Thanks

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Dedicated IP for use

Post by solo » Wed Jan 25, 2023 12:17 pm

Virtual MAC address reservation
SoftEther VPN 4.31 Build 9727 Beta (November 18, 2019)
Added the new function to reserve a Virtual MAC address and IP address for each user of L2TP/IPsec, SSTP and OpenVPN L3. Since SoftEther VPN Ver 4.31 Build 9727, we added the new function to make each L3 VPN user use the reserved virtual MAC address and the virtual IP address. This function allows the DHCP server in the remote-access destination network to identify the connected user and to assign reserved IP addresses to each of the users respectively. L3 VPN protocols, such as L2TP/IPsec, SSTP and OpenVPN L3, create a virtual L2/L3 layer-transformation adapter for each VPN connection established to the Virtual Hub on SoftEther VPN Server. A virtual L2/L3 layer-transformation adapter has a virtual MAC address. In previous versions of SoftEther VPN, virtual MAC addresses were randomly assigned each time users connected to the VPN Server. There was no solution to assign fixed MAC addresses and IP addresses to each user. SoftEther VPN Ver 4.31 Build 9727 and later supports the function to fix the virtual MAC addresses of every L3 VPN user.
http://www.softether.org/5-download/history

shakibamoshiri
Posts: 285
Joined: Wed Dec 28, 2022 9:10 pm

Re: Dedicated IP for use

Post by shakibamoshiri » Fri Jan 27, 2023 10:37 am

solo wrote:
Wed Jan 25, 2023 12:17 pm
Virtual MAC address reservation
SoftEther VPN 4.31 Build 9727 Beta (November 18, 2019)
Added the new function to reserve a Virtual MAC address and IP address for each user of L2TP/IPsec, SSTP and OpenVPN L3. Since SoftEther VPN Ver 4.31 Build 9727, we added the new function to make each L3 VPN user use the reserved virtual MAC address and the virtual IP address. This function allows the DHCP server in the remote-access destination network to identify the connected user and to assign reserved IP addresses to each of the users respectively. L3 VPN protocols, such as L2TP/IPsec, SSTP and OpenVPN L3, create a virtual L2/L3 layer-transformation adapter for each VPN connection established to the Virtual Hub on SoftEther VPN Server. A virtual L2/L3 layer-transformation adapter has a virtual MAC address. In previous versions of SoftEther VPN, virtual MAC addresses were randomly assigned each time users connected to the VPN Server. There was no solution to assign fixed MAC addresses and IP addresses to each user. SoftEther VPN Ver 4.31 Build 9727 and later supports the function to fix the virtual MAC addresses of every L3 VPN user.
http://www.softether.org/5-download/history
Tested.
IP allocation from dnsmasq is nearly 4 to 5 times faster.

dnsmasq configuration sample

Code:

# Only listen to routers' LAN NIC.  Doing so opens up tcp/udp port 53 to localhost and udp port 67 to world:
interface=tap_vpn

# dnsmasq will open tcp/udp port 53 and udp port 67 to world to help with dynamic interfaces (assigning dynamic IPs).
# dnsmasq will discard world requests to them, but the paranoid might like to close them and let the kernel handle them.
bind-interfaces

# Optionally set a domain name
domain=tra.xssl.it

# Set default gateway
dhcp-option=3,192.168.100.1

# Set DNS servers to announce
dhcp-option=6,8.8.8.8

# If your dnsmasq server is also doing the routing for your network, you can use option 121 to push a static route out.
# x.x.x.x is the destination LAN, yy is the CIDR notation (usually /24), and z.z.z.z is the host which will do the routing.
# dhcp-option=121,x.x.x.x/yy,z.z.z.z

# Dynamic range of IPs to make available to LAN PC and the lease time. 
# Ideally set the lease time to 5m only at first to test everything works okay before you set long-lasting records.
dhcp-range=192.168.100.10,192.168.100.250,12h

# Provide IPv6 DHCP leases, the range is constructed using the network interface as prefix
dhcp-range=::f,::ff,constructor:tap_vpn

# If you’d like to have dnsmasq assign static IPs to some clients, bind the LAN computers NIC MAC addresses:
dhcp-host=ae:00:00:00:00:01,192.168.100.111
dhcp-host=ae:00:00:00:00:02,192.168.100.112
More settings:
https://wiki.archlinux.org/title/dnsmasq#DHCP_server

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Dedicated IP for use

Post by solo » Fri Jan 27, 2023 11:50 am

shakibamoshiri wrote:
Fri Jan 27, 2023 10:37 am
Near 4 to 5 times IP allocation from dnsmasq faster
Faster than what?

shakibamoshiri
Posts: 285
Joined: Wed Dec 28, 2022 9:10 pm

Re: Dedicated IP for use

Post by shakibamoshiri » Fri Jan 27, 2023 2:51 pm

solo wrote:
Fri Jan 27, 2023 11:50 am
shakibamoshiri wrote:
Fri Jan 27, 2023 10:37 am
Near 4 to 5 times IP allocation from dnsmasq faster
Faster than what?
I liked SecureNAT more since, with the built-in DHCP functionality, IP assignment was fast: on average 1 to 3 seconds per client.
Because of high CPU usage, dnsmasq is preferable, but a new issue arose: slow IP assignment to a client, on average 3 to 10 seconds. Much slower than SecureNAT.
So I was looking for a way of tweaking dnsmasq and did not find anything.
Then, after seeing this post, it came to my mind that it could be faster for dnsmasq to assign an IP statically, since it does not have to check its table or look anything up. It is a kind of key-value pair (one to one) compared to dynamic assignment, which is one to many.

So I tested dnsmasq with static IP assignment + this MAC:ae:00:00:00:00:00 feature, and the speed was almost like SecureNAT's.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Dedicated IP for use

Post by solo » Sat Jan 28, 2023 12:02 am

shakibamoshiri wrote:
Fri Jan 27, 2023 2:51 pm
So I was looking for a way of tweaking dnsmasq and did not find anything.
Can you check if dnsmasq's DHCP assignment is faster with the "no-ping" option?
--no-ping
(IPv4 only) By default, the DHCP server will attempt to ensure that an address is not in use before allocating it to a host. It does this by sending an ICMP echo request (aka "ping") to the address in question. If it gets a reply, then the address must already be in use, and another is tried. This flag disables this check. Use with caution.

--dhcp-reply-delay=[tag:<tag>,]<integer>
Delays sending DHCPOFFER and PROXYDHCP replies for at least the specified number of seconds. This can be used as workaround for bugs in PXE boot firmware that does not function properly when receiving an instant reply. This option takes into account the time already spent waiting (e.g. performing ping check) if any.

shakibamoshiri
Posts: 285
Joined: Wed Dec 28, 2022 9:10 pm

Re: Dedicated IP for use

Post by shakibamoshiri » Sat Jan 28, 2023 6:12 am

solo wrote:
Sat Jan 28, 2023 12:02 am
shakibamoshiri wrote:
Fri Jan 27, 2023 2:51 pm
So I was looking for a way of tweaking dnsmasq and did not find anything.
Can you check if dnsmasq's DHCP assignment is faster with the "no-ping" option?
--no-ping
(IPv4 only) By default, the DHCP server will attempt to ensure that an address is not in use before allocating it to a host. It does this by sending an ICMP echo request (aka "ping") to the address in question. If it gets a reply, then the address must already be in use, and another is tried. This flag disables this check. Use with caution.

--dhcp-reply-delay=[tag:<tag>,]<integer>
Delays sending DHCPOFFER and PROXYDHCP replies for at least the specified number of seconds. This can be used as workaround for bugs in PXE boot firmware that does not function properly when receiving an instant reply. This option takes into account the time already spent waiting (e.g. performing ping check) if any.
log for static assignment with MAC

Code:

# connecting
Jan 28 00:38:40 id-952032 dnsmasq-dhcp[25340]: DHCPDISCOVER(tap_vpn) ae:00:00:00:00:02
Jan 28 00:38:40 id-952032 dnsmasq-dhcp[25340]: DHCPOFFER(tap_vpn) 192.168.100.112 ae:00:00:00:00:02
Jan 28 00:38:40 id-952032 dnsmasq-dhcp[25340]: DHCPREQUEST(tap_vpn) 192.168.100.112 ae:00:00:00:00:02
Jan 28 00:38:40 id-952032 dnsmasq-dhcp[25340]: abandoning lease to ae:00:00:00:00:02 of 192.168.100.112
Jan 28 00:38:40 id-952032 dnsmasq-dhcp[25340]: Ignoring domain X.X.X.X for DHCP host name X
Jan 28 00:38:40 id-952032 dnsmasq-dhcp[25340]: DHCPACK(tap_vpn) 192.168.100.112 ae:00:00:00:00:02 78
# disconnecting
Jan 28 00:41:50 id-952032 dnsmasq-dhcp[25340]: DHCPRELEASE(tap_vpn) 192.168.100.112 ae:00:00:00:00:02 unknown lease
log for dynamic

Code:

# connecting
Jan 28 00:42:52 id-952032 dnsmasq-dhcp[25340]: DHCPDISCOVER(tap_vpn) ca:53:74:bb:ff:0b
Jan 28 00:42:52 id-952032 dnsmasq-dhcp[25340]: DHCPOFFER(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b
Jan 28 00:42:52 id-952032 dnsmasq-dhcp[25340]: DHCPDISCOVER(tap_vpn) ca:53:74:bb:ff:0b
Jan 28 00:42:52 id-952032 dnsmasq-dhcp[25340]: DHCPOFFER(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b
Jan 28 00:42:52 id-952032 dnsmasq-dhcp[25340]: DHCPREQUEST(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b
Jan 28 00:38:40 id-952032 dnsmasq-dhcp[25340]: Ignoring domain X.X.X.X for DHCP host name X
Jan 28 00:42:52 id-952032 dnsmasq-dhcp[25340]: DHCPACK(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b 78
# disconnecting
Jan 28 00:43:49 id-952032 dnsmasq-dhcp[25340]: DHCPRELEASE(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b unknown lease

switching to --no-ping

Code:

/usr/sbin/dnsmasq --no-ping -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d ...

log for dynamic with --no-ping

Code:

# connecting
Jan 28 00:54:11 id-952032 dnsmasq-dhcp[25806]: DHCPDISCOVER(tap_vpn) ca:53:74:bb:ff:0b
Jan 28 00:54:11 id-952032 dnsmasq-dhcp[25806]: DHCPOFFER(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b
Jan 28 00:54:11 id-952032 dnsmasq-dhcp[25806]: DHCPREQUEST(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b
Jan 28 00:38:40 id-952032 dnsmasq-dhcp[25340]: Ignoring domain X.X.X.X for DHCP host name X
Jan 28 00:54:11 id-952032 dnsmasq-dhcp[25806]: DHCPACK(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b 78
# disconnecting
Jan 28 00:55:08 id-952032 dnsmasq-dhcp[25806]: DHCPRELEASE(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b unknown lease
log for static with --no-ping

Code:

# connecting
Jan 28 00:56:22 id-952032 dnsmasq-dhcp[25806]: DHCPDISCOVER(tap_vpn) ae:00:00:00:00:02
Jan 28 00:56:22 id-952032 dnsmasq-dhcp[25806]: DHCPOFFER(tap_vpn) 192.168.100.112 ae:00:00:00:00:02
Jan 28 00:56:22 id-952032 dnsmasq-dhcp[25806]: DHCPREQUEST(tap_vpn) 192.168.100.112 ae:00:00:00:00:02
Jan 28 00:38:40 id-952032 dnsmasq-dhcp[25340]: Ignoring domain X.X.X.X for DHCP host name X
Jan 28 00:56:22 id-952032 dnsmasq-dhcp[25806]: DHCPACK(tap_vpn) 192.168.100.112 ae:00:00:00:00:02 78
# disconnecting
Jan 28 00:57:05 id-952032 dnsmasq-dhcp[25806]: DHCPRELEASE(tap_vpn) 192.168.100.112 ae:00:00:00:00:02 unknown lease
It seems to be faster with --no-ping, at least from what we see in the logs: dnsmasq does less checking.
But I am afraid of IP collisions when --no-ping is used. In this case, how can we be sure a new IP has not already been used?
If there were a guarantee of no IP collisions, then --no-ping could be safe to use; otherwise it may be problematic.
Also I am wondering why dnsmasq uses the echo-reply technique to check whether an IP is in use or not. Why not use a kind of hash table (key-value pair) to check which IPs are used?
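The timing question raised in the thread (how long each DISCOVER..ACK took, and how many retries it needed) can be answered from the dnsmasq-dhcp log itself. The script below is an added example, not code from the thread: it groups the log lines by client MAC, counts DISCOVER retransmissions per exchange, measures seconds from the first DISCOVER to the ACK, and records any "abandoning lease" event in between. The sample lines are constructed after those posted above; the 2-second gap in the dynamic exchange is invented for illustration.

```python
"""Measure dnsmasq DHCP handshake cost from its syslog lines (added example)."""
import re
from datetime import datetime

# Syslog prefix as shown in the thread: "Jan 28 00:38:40 host dnsmasq-dhcp[pid]: ..."
PREFIX = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ dnsmasq-dhcp\[\d+\]: "
DHCP_RE = re.compile(PREFIX + r"(?P<kind>DHCP[A-Z]+)\(\S+\) (?P<rest>.*)$")
ABANDON_RE = re.compile(PREFIX + r"abandoning lease to (?P<mac>\S+) of (?P<ip>\S+)$")
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")

# Constructed sample in the format of the logs posted in the thread.
SAMPLE_LOG = """\
Jan 28 00:38:40 id-952032 dnsmasq-dhcp[25340]: DHCPDISCOVER(tap_vpn) ae:00:00:00:00:02
Jan 28 00:38:40 id-952032 dnsmasq-dhcp[25340]: DHCPOFFER(tap_vpn) 192.168.100.112 ae:00:00:00:00:02
Jan 28 00:38:40 id-952032 dnsmasq-dhcp[25340]: DHCPREQUEST(tap_vpn) 192.168.100.112 ae:00:00:00:00:02
Jan 28 00:38:40 id-952032 dnsmasq-dhcp[25340]: abandoning lease to ae:00:00:00:00:02 of 192.168.100.112
Jan 28 00:38:40 id-952032 dnsmasq-dhcp[25340]: Ignoring domain X.X.X.X for DHCP host name X
Jan 28 00:38:40 id-952032 dnsmasq-dhcp[25340]: DHCPACK(tap_vpn) 192.168.100.112 ae:00:00:00:00:02 78
Jan 28 00:42:52 id-952032 dnsmasq-dhcp[25340]: DHCPDISCOVER(tap_vpn) ca:53:74:bb:ff:0b
Jan 28 00:42:52 id-952032 dnsmasq-dhcp[25340]: DHCPOFFER(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b
Jan 28 00:42:54 id-952032 dnsmasq-dhcp[25340]: DHCPDISCOVER(tap_vpn) ca:53:74:bb:ff:0b
Jan 28 00:42:54 id-952032 dnsmasq-dhcp[25340]: DHCPOFFER(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b
Jan 28 00:42:54 id-952032 dnsmasq-dhcp[25340]: DHCPREQUEST(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b
Jan 28 00:42:54 id-952032 dnsmasq-dhcp[25340]: DHCPACK(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b 78
Jan 28 00:43:49 id-952032 dnsmasq-dhcp[25340]: DHCPRELEASE(tap_vpn) 192.168.100.189 ca:53:74:bb:ff:0b unknown lease
"""


def _stamp(text):
    # Syslog timestamps carry no year; strptime fills in 1900, which is fine for
    # differences within one capture (assumption: no year boundary inside it).
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse_exchanges(lines):
    """Return one dict per completed DISCOVER..ACK exchange, in ACK order."""
    pending = {}   # mac -> exchange still waiting for its DHCPACK
    finished = []
    for line in lines:
        m = ABANDON_RE.match(line)
        if m:
            if m["mac"] in pending:
                pending[m["mac"]]["abandoned"].append(m["ip"])
            continue
        m = DHCP_RE.match(line)
        if not m:
            continue                      # e.g. the "Ignoring domain" noise
        mac = MAC_RE.search(m["rest"])
        if not mac:
            continue
        mac, kind, when = mac.group(0), m["kind"], _stamp(m["ts"])
        if kind == "DHCPDISCOVER":
            ex = pending.setdefault(mac, {"mac": mac, "start": when, "discovers": 0,
                                          "abandoned": [], "ip": None, "seconds": None})
            ex["discovers"] += 1          # more than 1 means the client retransmitted
        elif kind == "DHCPACK" and mac in pending:
            ex = pending.pop(mac)
            ex["ip"] = m["rest"].split()[0]
            ex["seconds"] = (when - ex["start"]).total_seconds()
            finished.append(ex)
    return finished


def summarize(log_text):
    """Map MAC -> (leased IP, DISCOVER count, seconds to ACK, abandoned leases)."""
    return {ex["mac"]: (ex["ip"], ex["discovers"], ex["seconds"], ex["abandoned"])
            for ex in parse_exchanges(log_text.splitlines())}


if __name__ == "__main__":
    for mac, (ip, n, secs, dropped) in summarize(SAMPLE_LOG).items():
        print(f"{mac} -> {ip}: {n} DISCOVER(s), {secs:.0f}s to ACK, abandoned={dropped}")
```

Run it against a real journal extract (`journalctl -u dnsmasq`) with and without --no-ping to compare exchanges on equal terms rather than eyeballing timestamps.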

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Dedicated IP for use

Post by solo » Sat Jan 28, 2023 11:40 am

Great stuff, thank you for these tests. Here is a summary with rather inconsistent results for the static:
  • log for static assignment with MAC = 3s
  • log for dynamic = 1s
  • log for dynamic with --no-ping < 1s
  • log for static with --no-ping < 1s
In any case I'd opt for no-ping as it seems to be only a double-check on records already stored in a persistent dnsmasq lease database file.

shakibamoshiri
Posts: 285
Joined: Wed Dec 28, 2022 9:10 pm

Re: Dedicated IP for use

Post by shakibamoshiri » Sat Jan 28, 2023 12:06 pm

solo wrote:
Sat Jan 28, 2023 11:40 am
Great stuff, thank you for these tests. Here is a summary with rather inconsistent results for the static:
  • log for static assignment with MAC = 3s
  • log for dynamic = 1s
  • log for dynamic with --no-ping < 1s
  • log for static with --no-ping < 1s
In any case I'd opt for no-ping as it seems to be only a double-check on records already stored in a persistent dnsmasq lease database file.
A single test like this is not enough to make a decision about using or not using --no-ping. It should be tested with e.g. 100 or 200 users at least.
Plus, how did you calculate 3s, 1s, < 1s? The log's timestamps are all the same; for example the first is "00:38:40".

shakibamoshiri
Posts: 285
Joined: Wed Dec 28, 2022 9:10 pm

Re: Dedicated IP for use

Post by shakibamoshiri » Sat Jan 28, 2023 12:09 pm

solo wrote:
Sat Jan 28, 2023 11:40 am
Great stuff, thank you for these tests. Here is a summary with rather inconsistent results for the static:
  • log for static assignment with MAC = 3s
  • log for dynamic = 1s
  • log for dynamic with --no-ping < 1s
  • log for static with --no-ping < 1s
In any case I'd opt for no-ping as it seems to be only a double-check on records already stored in a persistent dnsmasq lease database file.
I liked the idea of adding the MAC address to the "note" part, but I prefer not to use it since I need it for something else.
Actually it would have been a better design if the SE server (and manager) had a field just for the MAC and a mac-address setting.

eddiewu
Posts: 286
Joined: Wed Nov 25, 2020 9:10 am

Re: Dedicated IP for use

Post by eddiewu » Sat Jan 28, 2023 12:14 pm

no-ping is not safe if any of these is true:
1. dnsmasq is restarted while the VPN server is running
2. some clients are not getting an IP from dnsmasq (i.e. manual configuration)

Please also note that dnsmasq does not probe the address every time, so if you test frequently you will sometimes see it act as if no-ping were set.

shakibamoshiri
Posts: 285
Joined: Wed Dec 28, 2022 9:10 pm

Re: Dedicated IP for use

Post by shakibamoshiri » Sat Jan 28, 2023 12:26 pm

eddiewu wrote:
Sat Jan 28, 2023 12:14 pm
no-ping is not safe if any of these is true:
1. dnsmasq is restarted while the VPN server is running
2. some clients are not getting an IP from dnsmasq (i.e. manual configuration)

Please also note that dnsmasq does not probe the address every time, so if you test frequently you will sometimes see it act as if no-ping were set.
Yes. To me it is also not safe. If this option were already safe they would have added it to the systemd config to be faster, why not.
Setting MAC:ae:00:00:00:00:00 is good, but I wish they had designed it with a new field or somewhere else.
The "note" part has other use cases.

shakibamoshiri
Posts: 285
Joined: Wed Dec 28, 2022 9:10 pm

Re: Dedicated IP for use

Post by shakibamoshiri » Sat Jan 28, 2023 12:44 pm

eddiewu wrote:
Sat Jan 28, 2023 12:14 pm
no-ping is not safe if any of these is true:
1. dnsmasq is restarted while the VPN server is running
2. some clients are not getting an IP from dnsmasq (i.e. manual configuration)

Please also note that dnsmasq does not probe the address every time, so if you test frequently you will sometimes see it act as if no-ping were set.
A question came to me now. Can we use SE DHCP but OS NAT?
So just use the SE server DHCP to get IPs faster, but to avoid high CPU usage, delegate NAT to the OS using Local Bridge?
I think it is possible but I will test. I was just wondering whether it is okay or not.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Dedicated IP for use

Post by solo » Sat Jan 28, 2023 1:57 pm

shakibamoshiri wrote:
Sat Jan 28, 2023 12:44 pm
A question came to me now. Can we use SE DHCP but OS NAT?
Yes, it works very well.

shakibamoshiri
Posts: 285
Joined: Wed Dec 28, 2022 9:10 pm

Re: Dedicated IP for use

Post by shakibamoshiri » Sat Jan 28, 2023 2:51 pm

solo wrote:
Sat Jan 28, 2023 1:57 pm
shakibamoshiri wrote:
Sat Jan 28, 2023 12:44 pm
A question came to me now. Can we use SE DHCP but OS NAT?
Yes, it works very well.
How? As I tested, it did not work with the DE version.

Here is the way:
- create a local bridge tap_tap
- systemctl stop dnsmasq.service
- ip addr add 192.168.100.1/24 brd + dev tap_tap
- in SE server > Manage Virtual Hub > Virtual NAT and Virtual DHCP > Enable -- but disable the "Use Virtual NAT Function" part

log

Code:

...
Connection "CID-175" terminated by the cause "Connection has been disconnected." (code 3).
Connection "CID-175" has been terminated.
...

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Dedicated IP for use

Post by solo » Sat Jan 28, 2023 11:09 pm

shakibamoshiri wrote:
Sat Jan 28, 2023 2:51 pm
How? As I tested, it did not work with the DE version.
Post as code:

Code:

vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd SecureNatStatusGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd SecureNatHostGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd DhcpGet
//replace: *** with SE admin password; @@@ with VPN hub's name
Of the SecureNAT functions, it is possible to enable only the DHCP server. In other words, it is possible to use only the DHCP server function operating within the Virtual Hub Ethernet segment. This allows VPN Clients and local bridge destination client computers remotely accessing the Virtual Hub to receive IP addresses assigned by the virtual DHCP server.
https://www.softether.org/index.php?tit ... ureNAT_Use

shakibamoshiri
Posts: 285
Joined: Wed Dec 28, 2022 9:10 pm

Re: Dedicated IP for use

Post by shakibamoshiri » Thu Feb 02, 2023 6:44 pm

solo wrote:
Sat Jan 28, 2023 11:09 pm
shakibamoshiri wrote:
Sat Jan 28, 2023 2:51 pm
How? As I tested, it did not work with the DE version.
Post as code:

Code:

vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd SecureNatStatusGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd SecureNatHostGet
vpncmd localhost:port /server /password:*** /adminhub:@@@ /cmd DhcpGet
//replace: *** with SE admin password; @@@ with VPN hub's name
Of the SecureNAT functions, it is possible to enable only the DHCP server. In other words, it is possible to use only the DHCP server function operating within the Virtual Hub Ethernet segment. This allows VPN Clients and local bridge destination client computers remotely accessing the Virtual Hub to receive IP addresses assigned by the virtual DHCP server.
https://www.softether.org/index.php?tit ... ureNAT_Use

SecureNatStatusGet

Code:

VPN Server/VPN>SecureNatStatusGet
SecureNatStatusGet command - Get the Operating Status of the Virtual NAT and DHCP Server Function (SecureNat Function)
Item                     |Value
-------------------------+---------
Virtual Hub Name         |VPN
NAT TCP/IP Sessions      |0 Session
NAT UDP/IP Sessions      |0 Session
NAT ICMP Sessions        |0 Session
NAT DNS Sessions         |0 Session
Allocated DHCP Clients   |1 Client
Kernel-mode NAT is Active|No
Raw IP mode NAT is Active|No
The command completed successfully.
SecureNatHostGet

Code:

VPN Server/VPN>SecureNatHostGet
SecureNatHostGet command - Get Network Interface Setting of Virtual Host of SecureNAT Function
Item       |Value
-----------+-----------------
MAC Address|xx-xx-xx-xx-xx-xx
IP Address |192.168.30.1
Subnet Mask|255.255.255.0
The command completed successfully.
DhcpGet

Code:

VPN Server/VPN>DhcpGet
DhcpGet command - Get Virtual DHCP Server Function Setting of SecureNAT Function
Item                           |Value
-------------------------------+--------------
Use Virtual DHCP Function      |Yes
Start Distribution Address Band|192.168.30.10
End Distribution Address Band  |192.168.30.100
Subnet Mask                    |255.255.255.0
Lease Limit (Seconds)          |7200
Default Gateway Address        |192.168.30.1
DNS Server Address 1           |8.8.8.8
DNS Server Address 2           |1.1.1.1
Domain Name                    |
Save NAT and DHCP Operation Log|Yes
Static Routing Table to Push   |
The command completed successfully.

SessionList (notice this is hop-2, so it is a double VPN; SID-E4ZLAM-19 is a link from hop-1)

Code:

VPN Server/VPN>SessionList
SessionList command - Get List of Connected Sessions
Item            |Value
----------------+------------------
Session Name    |SID-LOCALBRIDGE-13
VLAN ID         |-
Location        |Local Session
User Name       |Local Bridge
Source Host Name|Ethernet Bridge
TCP Connections |None
Transfer Bytes  |1,157,604
Transfer Packets|8,080
----------------+------------------
Session Name    |SID-E4ZLAM-19
VLAN ID         |-
Location        |Local Session
User Name       |e4zlam
Source Host Name|X.X.X.X
TCP Connections |8 / 8
Transfer Bytes  |69,808
Transfer Packets|1,224
----------------+------------------
Session Name    |SID-SECURENAT-20
VLAN ID         |-
Location        |SecureNAT Session
User Name       |SecureNAT
Source Host Name|Virtual Host
TCP Connections |None
Transfer Bytes  |56,240
Transfer Packets|1,106
The command completed successfully.
iptables -S -t nat

Code:

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.30.0/24 ! -d 192.168.30.0/24 -j SNAT --to-source 95.216.168.78
sysctl -a | grep ip_for

Code:

net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
ip route show | grep tap

Code:

192.168.30.0/24 dev tap_tap proto kernel scope link src 192.168.30.1
ping

Code:

$ ping -c4 192.168.30.1
PING 192.168.30.1 (192.168.30.1) 56(84) bytes of data.
64 bytes from 192.168.30.1: icmp_seq=1 ttl=128 time=159 ms
64 bytes from 192.168.30.1: icmp_seq=2 ttl=128 time=166 ms
64 bytes from 192.168.30.1: icmp_seq=3 ttl=128 time=168 ms
64 bytes from 192.168.30.1: icmp_seq=4 ttl=128 time=213 ms

--- 192.168.30.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 159.743/176.945/213.058/21.094 ms
$
$ ping -c4 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3129ms
result
can ping the hop-2 gateway, but cannot ping the public Internet
if "dnsmasq" is enabled it is okay, but "dnsmasq" has been disabled and only SecureNAT > DHCP has been enabled.
It is worth mentioning that I tested the built-in WireGuard; it is okay and can ping the public internet even with the SecureNAT DHCP disabled, since the WG client sets a static IP. So with this configuration I was expecting:
- DHCP from SecureNAT while Virtual NAT has been disabled
- Local Bridge to avoid the CPU overhead of Virtual NAT

What have I done wrong?

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Dedicated IP for use

Post by solo » Thu Feb 02, 2023 10:42 pm

shakibamoshiri wrote:
Thu Feb 02, 2023 6:44 pm
- ip addr add 192.168.100.1/24 brd + dev tap_tap
....
Get Network Interface Setting of Virtual Host of SecureNAT Function
IP Address |192.168.30.1
....
What have I done wrong?
Ain't this glaringly obvious? C'mon, you've done some complex VPNs but missed it ;-)

shakibamoshiri
Posts: 285
Joined: Wed Dec 28, 2022 9:10 pm

Re: Dedicated IP for use

Post by shakibamoshiri » Fri Feb 03, 2023 12:12 am

solo wrote:
Thu Feb 02, 2023 10:42 pm
shakibamoshiri wrote:
Thu Feb 02, 2023 6:44 pm
- ip addr add 192.168.100.1/24 brd + dev tap_tap
....
Get Network Interface Setting of Virtual Host of SecureNAT Function
IP Address |192.168.30.1
....
What have I done wrong?
Ain't this glaringly obvious? C'mon, you've done some complex VPNs but missed it ;-)
If you refer to this

Code:

- ip addr add 192.168.100.1/24 brd + dev tap_tap
from the previous post? I changed it when trying to test WireGuard.
For WG I changed it and went first with SecureNAT enabled, then I did not modify it and kept it.
Thus the current network address is 192.168.30.0/24

ip -br a

Code:

ip -br a
lo               UNKNOWN        127.0.0.1/8 172.27.52.224/32 fd00::b:34e0/128 ::1/128 
enp1s0           UP             X.X.X.X/32 fe80::9400:1ff:fecd:2074/64 
tap_tap          UNKNOWN        192.168.30.1/24 fe80::5c93:e1ff:fe03:39e4/64 
The current iptables

Code:

iptables -S -t nat | grep NAT
-A POSTROUTING -s 192.168.30.0/24 ! -d 192.168.30.0/24 -j SNAT --to-source 95.216.168.78
The current route

Code:

ip route show | grep tap
192.168.30.0/24 dev tap_tap proto kernel scope link src 192.168.30.1

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Dedicated IP for use

Post by solo » Fri Feb 03, 2023 1:08 am

Incorrect.
192.168.30.1 is the DHCP server.
192.168.30.2 for tap_tap (or another address below "Start Distribution Address Band|192.168.30.10")

shakibamoshiri
Posts: 285
Joined: Wed Dec 28, 2022 9:10 pm

Re: Dedicated IP for use

Post by shakibamoshiri » Fri Feb 03, 2023 10:17 am

solo wrote:
Fri Feb 03, 2023 1:08 am
Incorrect.
192.168.30.1 is the DHCP server.
192.168.30.2 for tap_tap (or another address below "Start Distribution Address Band|192.168.30.10")
Done.
Solved:
- local bridge 192.168.30.2
- SecureNAT > DHCP gateway 192.168.30.2
Thank you

Why did I ask this question here and not separately? :|

sanjay
Posts: 1
Joined: Mon Aug 14, 2023 1:09 pm

DHCP Client ip is not assigned to PC

Post by sanjay » Mon Aug 14, 2023 1:16 pm

After 500 sessions connected, a new VPN user connected but a DHCP IP address is not assigned. My subnet range is 255.255.248.0

MKV
Posts: 1
Joined: Sun Sep 24, 2023 11:07 am

Re: Dedicated IP for use

Post by MKV » Sun Sep 24, 2023 11:17 am

Hi community, I am asking for your help.

We have the following setup:

SoftEther VPN server, with the OpenVPN clone server function and L2TP/IPsec function enabled
FreeRADIUS running in Docker for user authentication
dnsmasq for IP address leasing

The task is to map (reserve) an IP address for specific clients which connect to the server over OpenVPN clients, L2TP/IPsec (Windows clients) and the SoftEther native client.

I've tried binding the address via dnsmasq.conf but it doesn't work.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: Dedicated IP for use

Post by solo » Sun Sep 24, 2023 12:04 pm

When the user object is using RADIUS authentication, you need to configure your RADIUS server to reply with the "Framed-Interface-Id" (Attribute Number: 96) RADIUS Attribute as the MAC address which you want to assign to the user. The reply string must be a 6-byte ASCII-encoded HEX string, such as "AE0000000001" or "AE-00-00-00-00-01". The string may have "-" or ":" as delimiter.

Note 1: The RADIUS server can identify whether the client is an L2 VPN client or an L3 VPN client by checking whether the RADIUS Attribute "Proxy-State" (Attribute Number: 33) starts with "L3:" or not. This helps you realize a solution on the RADIUS server to accept only L3 VPN clients and deny connections from L2 VPN clients.

Note 2: Do not assign the same single MAC address to multiple VPN clients. When two or more VPN sessions have a duplicated MAC address at the same time, the communication will be unstable.
https://www.softether.org/5-download/history
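The two halves of this thread (the dnsmasq dhcp-host= reservations posted earlier, and the RADIUS Framed-Interface-Id form quoted just above) both hinge on one per-user MAC/IP mapping. The script below is an added example, not code from the thread or from SoftEther: it accepts the MAC in any of the three forms the changelog names, checks that each virtual MAC is a locally administered unicast address, refuses a MAC or IP reserved twice (Note 2 above) or an IP that is not a usable host address in the VPN subnet, and then emits the dnsmasq dhcp-host= lines plus the 12-hex-digit string a RADIUS reply would carry. The user names and addresses are constructed in the style of the thread.

```python
"""Reservations for SoftEther L3 VPN users with fixed virtual MACs (added example)."""
import ipaddress
import re

HEX12_RE = re.compile(r"^[0-9A-Fa-f]{12}$")


def normalize_mac(text):
    """Accept 12 hex digits with optional '-' or ':' delimiters; return aa:bb:cc:dd:ee:ff."""
    digits = text.strip().replace("-", "").replace(":", "")
    if not HEX12_RE.match(digits):
        raise ValueError(f"not a 6-byte MAC: {text!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_safe_virtual_mac(mac):
    """Unicast (bit 0 of the first octet clear) and locally administered (bit 1 set),
    so a reserved virtual MAC cannot collide with a vendor-assigned NIC."""
    first = int(mac.split(":")[0], 16)
    return (first & 0x01) == 0 and (first & 0x02) != 0


def radius_ifid(mac):
    """The Framed-Interface-Id reply string in the 12-hex-digit form the changelog names."""
    return normalize_mac(mac).replace(":", "").upper()


def is_l3_client(proxy_state):
    """Note 1: SoftEther marks L3 VPN clients by a Proxy-State that starts with 'L3:'."""
    return proxy_state.startswith("L3:")


def build_reservations(users, subnet, gateway):
    """users: {name: (mac, ip)}. Returns dhcp-host= lines for dnsmasq, or raises
    ValueError naming the first user whose reservation is unsafe."""
    net = ipaddress.ip_network(subnet)
    taken = {ipaddress.ip_address(gateway), net.network_address, net.broadcast_address}
    seen_mac, seen_ip, lines = {}, {}, []
    for name, (raw_mac, raw_ip) in users.items():
        mac, ip = normalize_mac(raw_mac), ipaddress.ip_address(raw_ip)
        if not is_safe_virtual_mac(mac):
            raise ValueError(f"{name}: {mac} is not a locally administered unicast MAC")
        if mac in seen_mac:
            raise ValueError(f"{name}: MAC {mac} is already reserved for {seen_mac[mac]}")
        if ip in seen_ip:
            raise ValueError(f"{name}: IP {ip} is already reserved for {seen_ip[ip]}")
        if ip not in net or ip in taken:
            raise ValueError(f"{name}: {ip} is not a usable host address in {net}")
        seen_mac[mac], seen_ip[ip] = name, name
        # dnsmasq syntax: dhcp-host=<MAC>,<IP>[,<hostname>]
        lines.append(f"dhcp-host={mac},{ip},{name}")
    return lines


# Constructed mapping: the user name from the first post, MACs in the ae:00 range
# the thread uses, IPs from the posted dnsmasq config.
USERS = {
    "Test01": ("AE-00-00-00-00-01", "192.168.100.111"),
    "Test02": ("AE0000000002", "192.168.100.112"),
}

if __name__ == "__main__":
    for line in build_reservations(USERS, "192.168.100.0/24", "192.168.100.1"):
        print(line)
    for name, (mac, _) in USERS.items():
        print(f"{name}: Framed-Interface-Id = {radius_ifid(mac)}")
```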
