SITE 2 SITE L3

Post your questions about SoftEther VPN software here. Please answer questions if you can.
elheho
Posts: 23
Joined: Thu Jan 07, 2021 1:50 pm

SITE 2 SITE L3

Post by elheho » Mon Mar 01, 2021 3:30 pm

Hello Team,

I've been trying to complete a project around a VPN solution, and I found that SoftEther VPN can do more for me than I had hoped.
I liked the idea of this solution and started working on it three months ago. I have already created remote access over L2. Now I'm trying to make a Layer 3 connection between different sites, and I have completed most of it:
1. I'm using an OVH cloud VPS running Linux as the main SoftEther VPN server.
2. On my local site (SITE1) I'm using a Windows 10 machine as the server manager and another PC as a bridge that cascades to a hub I created on the server, with the same configuration on the other site (SITE2).

Here is the configuration I have made so far.

On The server side:
1. Virtual hubs :

1.1 for the virtual hub (SITE1)

* SecureNAT: Enabled
* IP address: 192.168.30.1/24
* DHCP range: 192.168.30.10 to 200 (/24)
* Lease time: 7200
* Default gateway: 192.168.30.1
* DNS server: 192.168.30.1
* MTU: 1500
* TCP session: 1800
* UDP session: 60
And for the static routing table to push, I added 192.168.40.0/255.255.255.0/192.168.30.254

1.2 for the virtual hub (SITE2)
* SecureNAT: Enabled
* IP address: 192.168.40.1/24
* DHCP range: 192.168.40.10 to 200 (/24)
* Lease time: 7200
* Default gateway: 192.168.40.1
* DNS server: 192.168.40.1
* MTU: 1500
* TCP session: 1800
* UDP session: 60
And for the static routing table to push, I added 192.168.30.0/255.255.255.0/192.168.40.254, 198.168.1.0/255.255.255.0/192.168.40.253

2. In the Layer 3 switch settings I created one virtual Layer 3 switch with two virtual interfaces, one for each virtual hub:

* Virtual interface site 1: 192.168.30.254/24
* Virtual interface site 2: 192.168.40.254/24

with no routing table entries.

3. For the local bridge settings I haven't added anything.

4. VPN Azure is disabled.

5. DDNS is enabled.

6. IPsec / L2TP are enabled.

On the bridges side:
ON SITE1 :

1. Cascading :

On the bridge, one virtual hub is created by default, and I cascade from that virtual hub on the bridge to the virtual hub I already created on the server side.
The configuration is like this:
* Setting name: site012hq
* Host name: SERVER IP
* Port number: 443
* Virtual hub name: HQ
* User authentication: a user created on the server side

The status is online

2. SecureNAT settings:

SecureNAT: Disabled
* IP address: 192.168.30.1/24
* DHCP range: 192.168.30.10 to 200 (/24)
* Lease time: 7200
* Default gateway: 192.168.30.1
* DNS server: 192.168.30.1
* MTU: 1500
* TCP session: 1800
* UDP session: 60

And for the static routing table to push, I haven't added any entries.

3. LOCAL BRIDGE settings:

For the local bridge settings I added a USB network adapter and connected it to the Internet; the PC's integrated adapter is connected to a PoE switch, and from that switch to the clients.

That is all the configuration I have made. I haven't added any port forwarding or static routes on the router or the clients, nor on the firewall.
The problems are:
1. When the clients are connected to the VPN I can't access my local devices (for example my router or printer). But when I enable SecureNAT on the bridge I can access them, although the IP address I get is the ISP address.
2. When I enable the antivirus or firewall, pings and communication between the sites stop.
3. I can't access the printer or the DVR; the only device I can access is a laptop.

As I mentioned before, I haven't made any configuration on the router (port forwarding or static routes), on the firewall or on the clients.

I really need your help. I have spent a lot of time on this and I'm so close.

HERE ARE SOME PICTURES: https://imgur.com/a/tNYnsAk

REGARDS
ELHELO

solo
Posts: 1730
Joined: Sun Feb 14, 2021 10:31 am

Re: SITE 2 SITE L3

Post by solo » Tue Mar 02, 2021 9:52 am

"For the local bridge settings I added a USB network adapter and connected it to the Internet; the PC's integrated adapter is connected to a PoE switch, and from that switch to the clients."
Which is presumably pictured here (attachment: why.png).

This configuration is unusual. Why would you bridge the virtual hub with both the Internet USB WAN adapter and the integrated LAN adapter? It's got to hurt ;)

Remove the USB NIC from the bridge and check the VPN's stability now.

elheho
Posts: 23
Joined: Thu Jan 07, 2021 1:50 pm

Re: SITE 2 SITE L3

Post by elheho » Wed Mar 03, 2021 8:31 am

Hi solo,
Thank you, solo. I did that and it works fine: I get the server IPs, clients from the two sites can communicate, and the bandwidth is stable, with no packet drops. Now I have two problems that still confuse me:
1. I had to disable the firewall and antivirus in order to communicate. As soon as I enable the firewall and antivirus, the pings drop and nothing can communicate.

2. I can't access devices on the other site, like this:
On site 1, which is my local network, I can access the local devices (ROUTER, LAPTOPS, AP, PRINTER, DVR, IP PBX, ...), but on site 2, which is my remote network, I can only access LAPTOPS; that is the only device I can reach. I hope you'll understand me, and sorry for my bad English.

Thank you for the reply.

REGARDS
ELHEHO

cedar
Site Admin
Posts: 2305
Joined: Sat Mar 09, 2013 5:37 am

Re: SITE 2 SITE L3

Post by cedar » Wed Mar 03, 2021 10:26 am

Is there a DHCP server on your LAN?
How is the IP address assigned to existing devices?

solo
Posts: 1730
Joined: Sun Feb 14, 2021 10:31 am

Re: SITE 2 SITE L3

Post by solo » Wed Mar 03, 2021 10:52 am

Hello ELHEHO

#1 This is normal - no need to disable them. As you are using Layer 3, packets from the other site are non-local and the subnet should be accepted/allowed in the firewall and AV rules.

#2 you can access laptops on site 2 because they use DHCP and get your static routes for the L3 network. The inaccessible devices must be using static IPs or be on a different subnet, like the 192.168.1.0 which you are also using.

Finally, please don't use Virtual NAT in this particular configuration.
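
As an added illustration of solo's two points above (not code from the thread or from SoftEther), the script below models the original post's layout: two hubs with SecureNAT virtual DHCP pushing static routes in SoftEther's "network/mask/gateway" syntax, one Layer 3 switch interface per hub, and hosts that either took a lease from the virtual DHCP (and so received the pushed routes) or keep a static address with the ISP router as default gateway. It checks that every pushed route's gateway is actually an L3 switch interface on the same hub and that its destination is reachable through the L3 switch, then asks which hosts can send traffic to the other site. The Hub and Host classes, the function names and the hypothetical ISP router 192.168.1.1 are my assumptions; the subnet and route literals are the thread's own numbers.

```python
"""Consistency check for a SoftEther two-hub Layer 3 site-to-site layout.

Added example, not SoftEther's code. Topology numbers come from the thread;
the classes, function names and the ISP gateway 192.168.1.1 are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass
class Hub:
    name: str
    securenat_addr: str      # SecureNAT virtual host, e.g. "192.168.30.1/24"
    push_routes: List[str]   # SoftEther DHCP "net/mask/gateway" entries

    @property
    def subnet(self) -> IPv4Net:
        return ipaddress.IPv4Interface(self.securenat_addr).network


@dataclass
class Host:
    address: str
    default_gw: IPv4Addr
    routes: Dict[IPv4Net, IPv4Addr]   # routes learned from DHCP (empty if static)


def parse_push_route(entry: str) -> Tuple[IPv4Net, IPv4Addr]:
    """Parse one 'static routing table to push' entry; strict=True rejects
    a network whose host bits are set, which is itself a configuration error."""
    net, mask, gw = entry.split("/")
    return IPv4Net(f"{net}/{mask}", strict=True), IPv4Addr(gw)


def check_topology(hubs: List[Hub], l3_ifaces: Dict[str, str]) -> List[str]:
    """Return human-readable problems; an empty list means the layout is consistent.
    l3_ifaces maps hub name -> L3 switch virtual interface ("a.b.c.d/prefix")."""
    problems = []
    # Without routing-table entries the L3 switch only knows its interface networks.
    reachable = [ipaddress.IPv4Interface(a).network for a in l3_ifaces.values()]
    for h in hubs:
        if h.name not in l3_ifaces:
            problems.append(f"{h.name}: no L3 switch interface on this hub")
            continue
        iface = ipaddress.IPv4Interface(l3_ifaces[h.name])
        if iface.network != h.subnet:
            problems.append(f"{h.name}: L3 interface {iface} is not in {h.subnet}")
        for entry in h.push_routes:
            dst, gw = parse_push_route(entry)
            if gw not in h.subnet:
                problems.append(f"{h.name}: {entry}: gateway {gw} outside {h.subnet}; "
                                "DHCP clients cannot install this route")
            elif gw != iface.ip:
                problems.append(f"{h.name}: {entry}: nothing on this hub answers at {gw} "
                                f"(the L3 interface is {iface.ip})")
            if not any(dst.subnet_of(n) for n in reachable):
                problems.append(f"{h.name}: {entry}: destination {dst} is not covered by "
                                "any L3 switch interface or routing-table entry")
    return problems


def host_from_dhcp(hub: Hub, address: str) -> Host:
    """A laptop that took its lease from the hub's virtual DHCP: it received
    the pushed routes and uses the SecureNAT virtual host as default gateway."""
    routes = dict(parse_push_route(e) for e in hub.push_routes)
    return Host(address, ipaddress.IPv4Interface(hub.securenat_addr).ip, routes)


def host_static(address: str, isp_gateway: str) -> Host:
    """A printer/DVR with a hand-set address: no pushed routes, ISP router as gateway."""
    return Host(address, IPv4Addr(isp_gateway), {})


def next_hop(host: Host, dst: str) -> IPv4Addr:
    """Longest-prefix match over the host's routes, falling back to the default gateway."""
    d = IPv4Addr(dst)
    matches = [(net.prefixlen, gw) for net, gw in host.routes.items() if d in net]
    return max(matches)[1] if matches else host.default_gw


def can_reach_remote(host: Host, dst: str, l3_ifaces: Dict[str, str]) -> bool:
    """True only if the packet's first hop is an L3 switch interface, i.e. the VPN."""
    l3_ips = {ipaddress.IPv4Interface(a).ip for a in l3_ifaces.values()}
    return next_hop(host, dst) in l3_ips


# Thread's layout (constructed from the first post's numbers).
HUBS = [
    Hub("SITE1", "192.168.30.1/24", ["192.168.40.0/255.255.255.0/192.168.30.254"]),
    Hub("SITE2", "192.168.40.1/24", ["192.168.30.0/255.255.255.0/192.168.40.254",
                                     "198.168.1.0/255.255.255.0/192.168.40.253"]),
]
L3_IFACES = {"SITE1": "192.168.30.254/24", "SITE2": "192.168.40.254/24"}

if __name__ == "__main__":
    for p in check_topology(HUBS, L3_IFACES):
        print("PROBLEM:", p)
    laptop = host_from_dhcp(HUBS[1], "192.168.40.20")
    printer = host_static("192.168.40.200", "192.168.1.1")   # assumed ISP router
    print("site2 laptop -> site1:", can_reach_remote(laptop, "192.168.30.5", L3_IFACES))
    print("site2 printer -> site1:", can_reach_remote(printer, "192.168.30.5", L3_IFACES))
```

Run as-is, the checker flags only the second SITE2 entry (its gateway .253 is not the L3 interface, and 198.168.1.0/24 is covered by nothing the L3 switch knows), and the reachability test shows why a device with a static address fails even when that address is inside the hub's range: without the pushed route, its packets for the other site go to the ISP router, which has never heard of 192.168.30.0/24.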

elheho
Posts: 23
Joined: Thu Jan 07, 2021 1:50 pm

Re: SITE 2 SITE L3

Post by elheho » Wed Mar 03, 2021 11:27 am

hi cedar,

The only DHCP we are using is the one on the router, which assigns IPs for Internet access.

elheho
Posts: 23
Joined: Thu Jan 07, 2021 1:50 pm

Re: SITE 2 SITE L3

Post by elheho » Wed Mar 03, 2021 11:34 am

hello solo,

1. I had to disable them on the clients and on the bridge; if the firewall or antivirus is on, communication stops.

2. I tried that: I set the printer to a static IP from the virtual hub's address range and it doesn't work. I can access it locally but not remotely.

Should I disable it from the virtual hub on the SE side?

solo
Posts: 1730
Joined: Sun Feb 14, 2021 10:31 am

Re: SITE 2 SITE L3

Post by solo » Wed Mar 03, 2021 9:45 pm

"The only DHCP we are using is the one on the router, which assigns IPs for Internet access."
Have you forgotten about those two Virtual DHCP servers on your network?

Layer 3 isn't working out for you. Change it to Layer 2 and all your problems will go away. Here is a great tutorial.

elheho
Posts: 23
Joined: Thu Jan 07, 2021 1:50 pm

Re: SITE 2 SITE L3

Post by elheho » Thu Mar 04, 2021 10:03 am

hi solo,

Thank you for the reply, I appreciate it.

If we used L2 we would cascade all bridges to one virtual hub, wouldn't we? Because of that, as we add more sites and each site will have a router, AP, a couple of printers and PCs, POS, IP PBX, fingerprint attendance devices, and so on, we would like each site to have its own IP range.

We used Layer 2, but it doesn't seem to be what we want; that's why I'm trying to upgrade it to L3.

sky59
Posts: 477
Joined: Tue Sep 11, 2018 5:58 pm

Re: SITE 2 SITE L3

Post by sky59 » Mon Mar 08, 2021 3:04 pm

If you still have the problems with L3 it is time to read:

https://www.vpnusers.com/viewtopic.php?f=7&t=66579
