NeoRouter http://www.neorouter.com/forum/ |
neorouter routed point to site nat gateway? http://www.neorouter.com/forum/viewtopic.php?f=4&t=5090 |
Author: | neurocis [ Sun Jun 17, 2012 12:57 am ] |
Post subject: | neorouter routed point to site nat gateway? |
I am trying to set up neorouter on a VPS as a (almost default) nat gateway to tunnel my internet traffic. I have connectivity between neorouter hosts, and have set up my iptables rules.

Gateway host (linux, 10.4.0.3):

Quote:
root@venture:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.4.0.0        *               255.255.0.0     U     0      0        0 nrtap
default         *               0.0.0.0         U     0      0        0 venet0

root@venture:~# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 31 packets, 1628 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 46 packets, 4741 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    venet0:0  anywhere             anywhere

Chain OUTPUT (policy ACCEPT 46 packets, 4741 bytes)
 pkts bytes target     prot opt in     out     source               destination

root@venture:~# iptables -L -v
Chain INPUT (policy ACCEPT 10086 packets, 1202K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  venet0:0 nrtap   anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  nrtap  venet0:0  anywhere             anywhere

Chain OUTPUT (policy ACCEPT 17273 packets, 5124K bytes)
 pkts bytes target     prot opt in     out     source               destination

root@venture:~# ping 10.4.0.2
PING 10.4.0.2 (10.4.0.2) 56(84) bytes of data.
64 bytes from 10.4.0.2: icmp_req=1 ttl=128 time=590 ms
64 bytes from 10.4.0.2: icmp_req=2 ttl=128 time=96.0 ms
64 bytes from 10.4.0.2: icmp_req=3 ttl=128 time=96.0 ms
64 bytes from 10.4.0.2: icmp_req=4 ttl=128 time=140 ms
64 bytes from 10.4.0.2: icmp_req=5 ttl=128 time=268 ms

--- 10.4.0.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 96.092/238.244/590.643/187.127 ms

Client host (windows, 10.4.0.2) has a test route added (74.0.0.0/8):

Quote:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.2    192.168.0.51    266
         10.4.0.0      255.255.0.0         On-link         10.4.0.2    276
         10.4.0.2  255.255.255.255         On-link         10.4.0.2    276
     10.4.255.255  255.255.255.255         On-link         10.4.0.2    276
         74.0.0.0        255.0.0.0        10.4.0.3         10.4.0.2     21
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link        127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link     192.168.0.51    266
     192.168.0.51  255.255.255.255         On-link     192.168.0.51    266
    192.168.0.255  255.255.255.255         On-link     192.168.0.51    266
     192.168.56.0    255.255.255.0         On-link     192.168.56.1    276
     192.168.56.1  255.255.255.255         On-link     192.168.56.1    276
   192.168.56.255  255.255.255.255         On-link     192.168.56.1    276
        224.0.0.0        240.0.0.0         On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.56.1    276
        224.0.0.0        240.0.0.0         On-link     192.168.0.51    266
        224.0.0.0        240.0.0.0         On-link         10.4.0.2    276
  255.255.255.255  255.255.255.255         On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.56.1    276
  255.255.255.255  255.255.255.255         On-link     192.168.0.51    266
  255.255.255.255  255.255.255.255         On-link         10.4.0.2    276
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      192.168.0.2  Default
===========================================================================

And can ping the gateway:

Quote:
C:\Windows\system32>ping 10.4.0.3

Pinging 10.4.0.3 with 32 bytes of data:
Reply from 10.4.0.3: bytes=32 time=162ms TTL=64
Reply from 10.4.0.3: bytes=32 time=66ms TTL=64
Reply from 10.4.0.3: bytes=32 time=66ms TTL=64
Reply from 10.4.0.3: bytes=32 time=66ms TTL=64

Ping statistics for 10.4.0.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 66ms, Maximum = 162ms, Average = 90ms

Wireshark (on client) shows traffic destined for 74.x.x.x going out the Neorouter TAP interface, as well as ping traffic going out for 10.4.0.3, and ARP requests, etc. TCPDump (on gateway) does not show traffic from 10.4.0.2 destined to 74.x.x.x but does show traffic from 10.4.0.2 destined to 10.4.0.3. I feel I am missing something in the configuration? Any thanks would be appreciated. |
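The gateway rules in the post above can be checked mechanically rather than by eye. The following is an added example (not code from the post or from NeoRouter): it parses `iptables -L -v` output into chains and rules, then audits the two things a VPN-to-Internet NAT gateway needs (a MASQUERADE on the egress interface and a stateful forward/return pair), flags a FORWARD policy of ACCEPT, which makes the explicit rules redundant and lets any forwarded traffic through, and reads the counters to localize the fault. The sample tables are the ones the post shows, copied as constructed input; the interface names `nrtap` and `venet0:0` come from the post, and the DROP-policy recommendation and finding codes are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed samples: the filter and nat tables as the gateway (10.4.0.3)
# printed them in the post above, with the shell prompts trimmed.
FILTER_TABLE = """\
Chain INPUT (policy ACCEPT 10086 packets, 1202K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  venet0:0 nrtap   anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  nrtap  venet0:0  anywhere             anywhere

Chain OUTPUT (policy ACCEPT 17273 packets, 5124K bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT 31 packets, 1628 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 46 packets, 4741 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    venet0:0  anywhere             anywhere

Chain OUTPUT (policy ACCEPT 46 packets, 4741 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

@dataclass
class Rule:
    pkts: int
    target: str
    in_if: str
    out_if: str
    extra: str  # match text after the destination column, e.g. "state RELATED,ESTABLISHED"

@dataclass
class Chain:
    name: str
    policy: str
    policy_pkts: int  # packets that fell through to the chain policy
    rules: list = field(default_factory=list)

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets")

def _count(tok):
    """iptables -v abbreviates large counters as 1202K, 5M, 2G."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(tok[:-1]) * mult[tok[-1]] if tok[-1] in mult else int(tok)

def parse_iptables(text):
    """Parse `iptables -L -v` output into {chain name: Chain}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2), int(m.group(3)))
            chains[current.name] = current
            continue
        cols = line.split()
        # -v column layout: pkts bytes target prot opt in out source destination [matches...]
        if current is None or len(cols) < 9 or not cols[0][0].isdigit():
            continue  # blank line or the column header
        current.rules.append(Rule(_count(cols[0]), cols[2], cols[5], cols[6], " ".join(cols[9:])))
    return chains

def audit_nat_gateway(filter_text, nat_text, vpn_if, egress_if):
    """Return a list of (code, message) findings for a VPN -> Internet NAT gateway."""
    chains, nat, findings = parse_iptables(filter_text), parse_iptables(nat_text), []

    post = nat.get("POSTROUTING")
    if not post or not any(r.target == "MASQUERADE" and r.out_if == egress_if for r in post.rules):
        findings.append(("NO_MASQUERADE", f"no MASQUERADE rule with out={egress_if} in nat POSTROUTING"))

    fwd = chains.get("FORWARD")
    if fwd is None:
        findings.append(("NO_FORWARD_CHAIN", "filter table has no FORWARD chain"))
        return findings

    accepts = [r for r in fwd.rules if r.target == "ACCEPT"]
    if not any(r.in_if == vpn_if and r.out_if == egress_if for r in accepts):
        findings.append(("NO_OUTBOUND_ACCEPT", f"no ACCEPT for {vpn_if} -> {egress_if}"))
    if not any(r.in_if == egress_if and r.out_if == vpn_if and "ESTABLISHED" in r.extra for r in accepts):
        findings.append(("NO_RETURN_ACCEPT", f"no RELATED,ESTABLISHED ACCEPT for {egress_if} -> {vpn_if}"))
    # An ACCEPT from the Internet side into the VPN without a state match admits unsolicited traffic.
    for r in accepts:
        if r.in_if == egress_if and r.out_if == vpn_if and "ESTABLISHED" not in r.extra:
            findings.append(("UNSOLICITED_INBOUND", f"stateless ACCEPT {egress_if} -> {vpn_if}: {r.extra or 'no match'}"))
    if fwd.policy != "DROP":
        findings.append(("FORWARD_POLICY", f"FORWARD policy is {fwd.policy}; with DROP only the explicit rules forward traffic"))
    # Counters say where to look: all zero means nothing has reached the forwarding path at all.
    if fwd.policy_pkts + sum(r.pkts for r in fwd.rules) == 0:
        findings.append(("NO_FORWARDED_TRAFFIC", f"FORWARD counters are all zero: packets are not arriving on {vpn_if}, so look at the VPN side, not at NAT"))
    return findings

if __name__ == "__main__":
    for code, msg in audit_nat_gateway(FILTER_TABLE, NAT_TABLE, "nrtap", "venet0:0"):
        print(f"{code}: {msg}")
```

Run against the posted tables, the audit finds nothing wrong with the NAT or forward rules themselves; it reports only the ACCEPT policy on FORWARD and the all-zero counters. The second finding is the diagnostic one: the gateway never forwarded a single packet, which agrees with tcpdump on the gateway not seeing 74.x.x.x traffic on nrtap, so the rules are not what is dropping it.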
Author: | kevinz [ Sun Jun 17, 2012 5:15 am ] |
Post subject: | Re: neorouter routed point to site nat gateway? |
Hi neurocis, For point-to-site VPN, the IP of the point computer must be in the same network as the site computers. And did you enable the bridge on the gateway machine? Please take a look at this: http://www.neorouter.com/wiki/index.php ... idge_1.png Thanks, KevinZ - NeoRouter team |
Author: | neurocis [ Sun Jun 17, 2012 5:21 pm ] |
Post subject: | Re: neorouter routed point to site nat gateway? |
Must the configuration be bridged? I was looking for routed, as the "Site" is more an SNAT gateway:

Client (10.4.0.2) <--> ( Gateway (10.4.0.3) <--> SNAT (206.x.x.x) ) <--> Internet

I can confirm IP forwarding is working; in fact I have OpenVPN running on this gateway as well and it is running fine, routed exactly as above but using subnet 10.8.0.0/16 instead of 1.4.0.0/16. From Wireshark and TCPDump data I see that packets initiated from a neorouter client that I wish to be SNAT'd and sent out the gateway are sent out the client's nrtap interface but are not arriving at the gateway's nrtap interface. What I am trying to accomplish is to be able to use my neorouter vpn (not having to use OpenVPN) while I am on the road to tunnel my internet traffic through if I am connected at, say, a cafe / public location. Thanks! |
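The client-side half of what the two posts describe (74.x.x.x leaving the TAP interface towards 10.4.0.3, while 10.4.0.3 itself is reached on-link) follows directly from longest-prefix matching over the Windows route table in the first post. The following added example (not from the post or from NeoRouter) implements that lookup over the posted "Active Routes" with Python's `ipaddress` module and classifies destinations by whether they go through the VPN gateway at all. The route lines are copied from the post as constructed input, with the multicast and broadcast entries left out; the `tunnelled_via` helper and the test destinations `74.1.2.3` and `8.8.8.8` are this example's own.

```python
import ipaddress

# Constructed sample: the client's (10.4.0.2) Active Routes as posted above,
# columns Destination / Netmask / Gateway / Interface / Metric, without the
# 224.0.0.0/4 and 255.255.255.255/32 entries.
CLIENT_ROUTES = """\
          0.0.0.0          0.0.0.0      192.168.0.2    192.168.0.51    266
         10.4.0.0      255.255.0.0         On-link         10.4.0.2    276
         10.4.0.2  255.255.255.255         On-link         10.4.0.2    276
     10.4.255.255  255.255.255.255         On-link         10.4.0.2    276
         74.0.0.0        255.0.0.0        10.4.0.3         10.4.0.2     21
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link        127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link     192.168.0.51    266
     192.168.0.51  255.255.255.255         On-link     192.168.0.51    266
    192.168.0.255  255.255.255.255         On-link     192.168.0.51    266
     192.168.56.0    255.255.255.0         On-link     192.168.56.1    276
     192.168.56.1  255.255.255.255         On-link     192.168.56.1    276
   192.168.56.255  255.255.255.255         On-link     192.168.56.1    276
"""

def parse_routes(text):
    """Turn `route print` style lines into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue  # header, separator or blank line
        dest, mask, gateway, iface, metric = cols
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes

def lookup(routes, destination):
    """Longest-prefix match; ties broken by the lower metric. Returns (gateway, interface)."""
    addr = ipaddress.IPv4Address(destination)
    best = None
    for net, gateway, iface, metric in routes:
        if addr not in net:
            continue
        if (best is None or net.prefixlen > best[0].prefixlen
                or (net.prefixlen == best[0].prefixlen and metric < best[3])):
            best = (net, gateway, iface, metric)
    if best is None:
        raise LookupError(f"no route to {destination}")
    return best[1], best[2]

def tunnelled_via(routes, destination, vpn_interface_ip):
    """True only when the packet leaves the VPN interface *towards a gateway* on the VPN,
    i.e. it is forwarded by the remote NAT host rather than delivered to a VPN peer or
    sent out the local LAN (the split-tunnel case the original poster wants to avoid)."""
    gateway, iface = lookup(routes, destination)
    return iface == vpn_interface_ip and gateway != "On-link"

if __name__ == "__main__":
    table = parse_routes(CLIENT_ROUTES)
    for dst in ("74.1.2.3", "10.4.0.3", "8.8.8.8"):
        print(dst, lookup(table, dst), "via VPN gateway" if tunnelled_via(table, dst, "10.4.0.2") else "direct")
```

With the posted table, only the 74.0.0.0/8 test route actually sends traffic to the gateway at 10.4.0.3 over the TAP interface; anything else that is not a VPN peer still follows the 0.0.0.0/0 route out the local LAN. That is the behaviour Wireshark on the client shows, and it is also why a one-prefix test route says nothing about the default route until it is pointed at the gateway as well.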
Author: | kevinz [ Tue Jun 19, 2012 7:44 am ] |
Post subject: | Re: neorouter routed point to site nat gateway? |
Hi neurocis, If you want to build a site-to-site VPN, please take a look at this: http://www.neorouter.com/wiki/index.php ... idge_2.png Since you have just set up one gateway, you may want to set the LANSegment in Feature.ini properly, so that the packages from the computers which are not in the VLAN can be released out from gateway/nrtap. Thanks, KevinZ - NeoRouter team |
All times are UTC - 5 hours |