VPN LAN-to-LAN and IP Masquerading


This topic contains 7 replies, has 0 voices, and was last updated by DarknessBBB 3 years, 10 months ago.

    #44208

    DarknessBBB
    Member

    Hello,
    I’ve got a problem configuring our LAN-to-LAN VPNs.

    I have a server in a LAN with subnet 10.0.0.0/24.
    I have some clients in a LAN with subnet 10.0.2.0/24.
    These two LANs are connected via VPN by two Zeroshells, with IPs 10.0.0.1 and 10.0.2.1.

    Well, all connections that the server receives from the other LAN have their source IP masqueraded as 10.0.0.1.

    I tried every combination of settings in the NAT section of the web interface; am I missing something?
    Thank you very much!

    #53712

    redfive
    Participant

    Simple setup
    SiteA
    lan 10.0.0.0/24
    VPN00 10.0.3.1/30
    static route 10.0.2.0/24 via 10.0.3.2
    no nat on VPN00

    SiteB
    lan 10.0.2.0/24
    VPN00 10.0.3.2/30
    static route 10.0.0.0/24 via 10.0.3.1
    no nat on VPN00

    Those hosts that have ZS as default gateway (that is, at least the hosts which belong to the 10.0.0.0/24 and 10.0.2.0/24 networks) should be able to communicate with each other via the VPN transparently (L3) without needing any NAT.
    If instead you are trying to ‘bridge’ the LAN with the VPN, then some more info on your goals is needed…
    Regards

    #53713

    DarknessBBB
    Member

    First of all, thank you for answering.

    Site A
    subnet 10.0.0.0/24
    Zeroshell IP: 10.0.0.1
    Default Gateway for clients 10.0.0.1
    No NAT on VPN01


    Site B
    subnet 10.0.2.0/24
    Zeroshell IP: 10.0.2.1
    Default Gateway for clients 10.0.2.1
    No NAT on VPN00

    As you can see, it is a very simple configuration.

    #53714

    DarknessBBB
    Member

    First of all, thank you for answering.

    Site A
    subnet 10.0.0.0/24
    Zeroshell IP: 10.0.0.1
    Default Gateway for clients 10.0.0.1
    No NAT on VPN01
    VPN:

    Routing:

    Site B
    subnet 10.0.2.0/24
    Zeroshell IP: 10.0.2.1
    Default Gateway for clients 10.0.2.1
    No NAT on VPN00
    VPN:

    Routing:

    As you can see, it is a very simple configuration.

    #53715

    redfive
    Participant

    Could you post the output of route -n (or via GUI: Network, Router, Routing table) and iptables -t nat -L (or via GUI: Network, Router, NAT, View)… maybe after having hidden your public IP addresses.
    Regards

    #53716

    DarknessBBB
    Member

    Thank you again.

    Site A
    Routing Table

    Chain PREROUTING (policy ACCEPT 32606 packets, 2691K bytes)
    pkts bytes target prot opt in out source destination
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4125 to:10.0.0.2:4125
    11 899 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.0.0.2:80
    696 43472 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:10.0.0.2:443
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:12489 to:10.0.0.2:12489
    0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:12489 to:10.0.0.2:12489
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:161 to:10.0.0.2:161
    0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:161 to:10.0.0.2:161
    124 7132 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 to:10.0.0.2:25
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:38667 to:10.0.0.45:38667
    0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:38667 to:10.0.0.45:38667
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3391 to:10.0.0.18:3389
    98 4684 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306 to:10.0.0.45:3306
    2 100 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 to:10.0.0.45:21
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8081 to:10.0.0.45:8081
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:81 to:10.0.0.45:80
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3393 to:10.0.0.27:3389
    0 0 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4125 to:10.0.0.2:4125
    2 100 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.0.0.2:80
    1 48 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:10.0.0.2:443
    0 0 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:12489 to:10.0.0.2:12489
    0 0 DNAT udp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 udp dpt:12489 to:10.0.0.2:12489
    0 0 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:161 to:10.0.0.2:161
    0 0 DNAT udp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 udp dpt:161 to:10.0.0.2:161
    0 0 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 to:10.0.0.2:25
    0 0 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:38667 to:10.0.0.45:38667
    0 0 DNAT udp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 udp dpt:38667 to:10.0.0.45:38667
    0 0 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3391 to:10.0.0.18:3389
    1 40 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306 to:10.0.0.45:3306
    0 0 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 to:10.0.0.45:21
    0 0 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8081 to:10.0.0.45:8081
    0 0 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:81 to:10.0.0.45:80
    0 0 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3393 to:10.0.0.27:3389
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:34711 to:10.0.0.39:34711
    0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:34711 to:10.0.0.39:34711
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3394 to:10.0.0.75:3389
    0 0 DNAT tcp -- ETH02 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3394 to:10.0.0.75:3389
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3392 to:10.0.0.76:3389
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:60885 to:10.0.0.23:60885
    0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:60885 to:10.0.0.23:60885
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3399 to:10.0.0.2:3389
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3395 to:10.0.0.47:3389
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8082 to:10.0.0.8:80
    4 240 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:10.0.0.5:80
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3397 to:10.0.2.100:3389
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3398 to:10.0.0.96:3389
    0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:3398 to:10.0.0.96:3389
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:9025:9040 to:10.0.0.10:9025-9040
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:5002:5004 to:10.0.0.10:5002-5004
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5001 to:10.0.0.10:5001
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5000 to:10.0.0.10:5000
    0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5000 to:10.0.0.10:5000
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4569 to:10.0.0.3:4569
    0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:4569 to:10.0.0.3:4569
    19 1008 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:16881 to:10.0.0.10:16881
    11 705 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:16881 to:10.0.0.10:16881
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6881 to:10.0.0.10:6881
    1536 202K DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:6881 to:10.0.0.10:6881
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3396 to:10.0.0.77:3389
    0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:3396 to:10.0.0.77:3389
    0 0 DNAT tcp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3400 to:10.0.0.64:3389
    0 0 DNAT udp -- ETH01 * 0.0.0.0/0 0.0.0.0/0 udp dpt:3400 to:10.0.0.64:3389

    Chain POSTROUTING (policy ACCEPT 8291 packets, 570K bytes)
    pkts bytes target prot opt in out source destination
    32055 2479K SNATVS all -- * * 0.0.0.0/0 0.0.0.0/0
    9167 821K MASQUERADE all -- * ETH00 0.0.0.0/0 0.0.0.0/0
    11190 854K MASQUERADE all -- * ETH01 0.0.0.0/0 0.0.0.0/0
    173 9268 MASQUERADE all -- * ETH02 0.0.0.0/0 0.0.0.0/0
    0 0 MASQUERADE all -- * ETH03 0.0.0.0/0 0.0.0.0/0
    525 33405 MASQUERADE all -- * VPN00 0.0.0.0/0 0.0.0.0/0
    173 8298 MASQUERADE all -- * VPN03 0.0.0.0/0 0.0.0.0/0
    2549 185K MASQUERADE all -- * VPN04 0.0.0.0/0 0.0.0.0/0
    1 42 MASQUERADE all -- * VPN05 0.0.0.0/0 0.0.0.0/0
    1 42 MASQUERADE all -- * VPN06 0.0.0.0/0 0.0.0.0/0
    8232 565K OpenVPN all -- * * 0.0.0.0/0 0.0.0.0/0

    Chain SNATVS (1 references)
    pkts bytes target prot opt in out source destination

    Site B

    Chain PREROUTING (policy ACCEPT 6166K packets, 492M bytes)
    pkts bytes target prot opt in out source destination
    0 0 DNAT tcp -- ETH00 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4569 to:10.0.2.2:4569
    0 0 DNAT udp -- ETH00 * 0.0.0.0/0 0.0.0.0/0 udp dpt:4569 to:10.0.2.2:4569
    1275K 64M DNAT tcp -- ETH00 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389 to:10.0.2.3:3389
    0 0 DNAT udp -- ETH00 * 0.0.0.0/0 0.0.0.0/0 udp dpt:3389 to:10.0.2.3:3389
    6450 330K DNAT tcp -- ETH00 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3390 to:10.0.2.100:3389
    0 0 DNAT udp -- ETH00 * 0.0.0.0/0 0.0.0.0/0 udp dpt:3390 to:10.0.2.100:3389
    174K 8438K Proxy tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

    Chain POSTROUTING (policy ACCEPT 4509K packets, 289M bytes)
    pkts bytes target prot opt in out source destination
    12M 790M SNATVS all -- * * 0.0.0.0/0 0.0.0.0/0
    3514K 235M MASQUERADE all -- * ETH00 0.0.0.0/0 0.0.0.0/0
    4079K 266M MASQUERADE all -- * ETH01 0.0.0.0/0 0.0.0.0/0

    Chain SNATVS (1 references)
    pkts bytes target prot opt in out source destination

    #53717

    redfive
    Participant

    On both sites, unless you need some kind of ‘hairpin NAT’, remove your internal interface (ETH00) from NAT; in Site A it is the 2nd entry visible in POSTROUTING:

    9167  821K MASQUERADE  all  --  *      ETH00   0.0.0.0/0            0.0.0.0/0

    and the 2nd entry in Site B as well:

    3514K  235M MASQUERADE  all  --  *      ETH00   0.0.0.0/0            0.0.0.0/0

    These entries translate the source IP addresses of outgoing packets into the IP addresses of these interfaces.
    Also, if you need your link to be Layer 3 transparent, remove VPN00 from the NAT-enabled interfaces in Site A as well.
    Regards

    #53718

    DarknessBBB
    Member

    If by “hairpin NAT” you mean this:
    http://wiki.mikrotik.com/wiki/Hairpin_NAT
    it’s exactly our configuration: our servers have only private addresses and only certain ports are forwarded to the servers inside the LAN.

    In Site A the VPN we are talking about is VPN01, and there is no NAT for that 🙁

    #53719

    redfive
    Participant

    OK, I wrote about removing the NAT just to keep the L3 transparency across the VPN link. Anyway… assuming that your internal servers are on the same broadcast domain as your internal LAN (the 10.0.0.0/24 network, and not on a dedicated DMZ), try this: remove ETH00 from the NAT-enabled interfaces, and in System, Setup, Scripts/Cron, NAT and Virtual Servers, add this line and then enable the script:

    iptables -t nat -I POSTROUTING -o ETH00 -s 10.0.0.0/24 -d 10.0.0.0/24 -j MASQUERADE

    This will do NAT only for packets coming from the LAN and destined to the LAN as well (when you try to reach one of your servers via FQDN from a PC which is in the same LAN)…
    If it works (and it should), then you can play with some ‘fine tuning’ of your rules…
    Regards
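As an added illustration of the two replies above (posts #53717 and #53719), here is a small Python model of how the nat POSTROUTING chain is walked, first match wins, as netfilter does. It is not Zeroshell's code and not code from either poster. It parses listings in the `iptables -t nat -L -v -n` format quoted in this thread, is fed with the Site A POSTROUTING chain as posted, and with a constructed listing of the same chain after ETH00 is removed from NAT and the suggested hairpin rule is inserted. Assumptions: the SNATVS and OpenVPN user chains do no translation (SNATVS is shown empty in the thread; the contents of OpenVPN are not on the page), the ETH00 address is 10.0.0.1 as the poster states, and every other interface address is a placeholder.

```python
import ipaddress
import re
from dataclasses import dataclass

# Site A POSTROUTING chain, copied from the listing posted in the thread
# (only the rules; the DNAT PREROUTING entries are not needed here).
SITE_A_ORIGINAL = """\
Chain POSTROUTING (policy ACCEPT 8291 packets, 570K bytes)
pkts bytes target prot opt in out source destination
32055 2479K SNATVS all -- * * 0.0.0.0/0 0.0.0.0/0
9167 821K MASQUERADE all -- * ETH00 0.0.0.0/0 0.0.0.0/0
11190 854K MASQUERADE all -- * ETH01 0.0.0.0/0 0.0.0.0/0
173 9268 MASQUERADE all -- * ETH02 0.0.0.0/0 0.0.0.0/0
525 33405 MASQUERADE all -- * VPN00 0.0.0.0/0 0.0.0.0/0
8232 565K OpenVPN all -- * * 0.0.0.0/0 0.0.0.0/0
"""

# Constructed: the same chain after ETH00 is removed from the NAT-enabled
# interfaces and the hairpin rule from the thread is inserted at the top
# (iptables -t nat -I POSTROUTING -o ETH00 -s 10.0.0.0/24 -d 10.0.0.0/24 -j MASQUERADE).
SITE_A_FIXED = """\
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * ETH00 10.0.0.0/24 10.0.0.0/24
32055 2479K SNATVS all -- * * 0.0.0.0/0 0.0.0.0/0
11190 854K MASQUERADE all -- * ETH01 0.0.0.0/0 0.0.0.0/0
173 9268 MASQUERADE all -- * ETH02 0.0.0.0/0 0.0.0.0/0
525 33405 MASQUERADE all -- * VPN00 0.0.0.0/0 0.0.0.0/0
8232 565K OpenVPN all -- * * 0.0.0.0/0 0.0.0.0/0
"""

# Address MASQUERADE substitutes per outgoing interface. Only ETH00 is known
# from the thread (Zeroshell IP 10.0.0.1 at Site A); others get a placeholder.
IFACE_ADDR = {"ETH00": "10.0.0.1"}


@dataclass(frozen=True)
class NatRule:
    target: str
    out_if: str                 # "*" matches any outgoing interface
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src, dst, out_if):
        return self.out_if in ("*", out_if) and src in self.src and dst in self.dst


# pkts bytes target prot opt in out source destination
RULE_RE = re.compile(
    r"^\s*\S+\s+\S+\s+(?P<target>\S+)\s+\S+\s+\S+\s+\S+\s+(?P<out>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)"
)


def parse_postrouting(listing):
    """Turn an `iptables -t nat -L POSTROUTING -v -n` listing into rules, in order."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue                      # chain banner or blank line
        try:
            src = ipaddress.ip_network(m["src"])
            dst = ipaddress.ip_network(m["dst"])
        except ValueError:
            continue                      # the column header line
        rules.append(NatRule(m["target"], m["out"], src, dst))
    return rules


def source_after_nat(rules, src, dst, out_if, iface_addr):
    """Source address a packet leaves with after walking POSTROUTING.

    Only MASQUERADE is modelled as a translation (source becomes the outgoing
    interface address). Jumps to user chains (SNATVS, OpenVPN) are assumed to
    be no-ops, which the thread confirms for SNATVS.
    """
    src_a, dst_a = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.target == "MASQUERADE" and rule.matches(src_a, dst_a, out_if):
            return iface_addr.get(out_if, f"<address of {out_if}>")
    return src


if __name__ == "__main__":
    original = parse_postrouting(SITE_A_ORIGINAL)
    fixed = parse_postrouting(SITE_A_FIXED)
    # Site B client (constructed 10.0.2.50) reaching the Site A server 10.0.0.2,
    # packet enters on the VPN interface and leaves the router via ETH00.
    print("original, VPN client -> server:",
          source_after_nat(original, "10.0.2.50", "10.0.0.2", "ETH00", IFACE_ADDR))
    print("fixed,    VPN client -> server:",
          source_after_nat(fixed, "10.0.2.50", "10.0.0.2", "ETH00", IFACE_ADDR))
    # Hairpin case: a Site A PC (constructed 10.0.0.20) reaching the server via
    # its public FQDN, so the DNATed packet goes back out ETH00.
    print("fixed,    LAN PC -> server (hairpin):",
          source_after_nat(fixed, "10.0.0.20", "10.0.0.2", "ETH00", IFACE_ADDR))
```

Running it shows the reported symptom directly: with the original chain a packet from a Site B client that leaves the Site A router via ETH00 hits the catch-all ETH00 MASQUERADE rule and reaches the server with source 10.0.0.1, which is what the first post describes. With that rule replaced by the 10.0.0.0/24-to-10.0.0.0/24 hairpin rule, VPN traffic keeps its real source address while LAN-to-LAN hairpin traffic is still masqueraded, and the chain also shows why a MASQUERADE entry on a VPN interface removes Layer 3 transparency on that link.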
