Post subject: neorouter routed point to site nat gateway?
Posted: Sun Jun 17, 2012 12:57 am

I am trying to set up NeoRouter on a VPS as an (almost default) NAT gateway to tunnel my internet traffic. I have connectivity between NeoRouter hosts and have set up my iptables rules.

Gateway host (Linux, 10.4.0.3):
Quote:
root@venture:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.4.0.0        *               255.255.0.0     U     0      0        0 nrtap
default         *               0.0.0.0         U     0      0        0 venet0
root@venture:~# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 31 packets, 1628 bytes)
 pkts bytes target     prot opt in     out      source               destination

Chain POSTROUTING (policy ACCEPT 46 packets, 4741 bytes)
 pkts bytes target     prot opt in     out      source               destination
    0     0 MASQUERADE all  --  any    venet0:0 anywhere             anywhere

Chain OUTPUT (policy ACCEPT 46 packets, 4741 bytes)
 pkts bytes target     prot opt in     out      source               destination
root@venture:~# iptables -L -v
Chain INPUT (policy ACCEPT 10086 packets, 1202K bytes)
 pkts bytes target     prot opt in       out      source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in       out      source               destination
    0     0 ACCEPT     all  --  venet0:0 nrtap    anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  nrtap    venet0:0 anywhere             anywhere

Chain OUTPUT (policy ACCEPT 17273 packets, 5124K bytes)
 pkts bytes target     prot opt in       out      source               destination
root@venture:~# ping 10.4.0.2
PING 10.4.0.2 (10.4.0.2) 56(84) bytes of data.
64 bytes from 10.4.0.2: icmp_req=1 ttl=128 time=590 ms
64 bytes from 10.4.0.2: icmp_req=2 ttl=128 time=96.0 ms
64 bytes from 10.4.0.2: icmp_req=3 ttl=128 time=96.0 ms
64 bytes from 10.4.0.2: icmp_req=4 ttl=128 time=140 ms
64 bytes from 10.4.0.2: icmp_req=5 ttl=128 time=268 ms

--- 10.4.0.2 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 96.092/238.244/590.643/187.127 ms


Client host (Windows, 10.4.0.2) has a test route added (74.0.0.0/8):
Quote:
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.2    192.168.0.51    266
         10.4.0.0      255.255.0.0         On-link         10.4.0.2    276
         10.4.0.2  255.255.255.255         On-link         10.4.0.2    276
     10.4.255.255  255.255.255.255         On-link         10.4.0.2    276
         74.0.0.0        255.0.0.0        10.4.0.3         10.4.0.2     21
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link        127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link     192.168.0.51    266
     192.168.0.51  255.255.255.255         On-link     192.168.0.51    266
    192.168.0.255  255.255.255.255         On-link     192.168.0.51    266
     192.168.56.0    255.255.255.0         On-link     192.168.56.1    276
     192.168.56.1  255.255.255.255         On-link     192.168.56.1    276
   192.168.56.255  255.255.255.255         On-link     192.168.56.1    276
        224.0.0.0        240.0.0.0         On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.56.1    276
        224.0.0.0        240.0.0.0         On-link     192.168.0.51    266
        224.0.0.0        240.0.0.0         On-link         10.4.0.2    276
  255.255.255.255  255.255.255.255         On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.56.1    276
  255.255.255.255  255.255.255.255         On-link     192.168.0.51    266
  255.255.255.255  255.255.255.255         On-link         10.4.0.2    276
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      192.168.0.2  Default
===========================================================================


And can ping the gateway:
Quote:
C:\Windows\system32>ping 10.4.0.3

Pinging 10.4.0.3 with 32 bytes of data:
Reply from 10.4.0.3: bytes=32 time=162ms TTL=64
Reply from 10.4.0.3: bytes=32 time=66ms TTL=64
Reply from 10.4.0.3: bytes=32 time=66ms TTL=64
Reply from 10.4.0.3: bytes=32 time=66ms TTL=64

Ping statistics for 10.4.0.3:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 66ms, Maximum = 162ms, Average = 90ms


Wireshark (on the client) shows traffic destined for 74.x.x.x going out the NeoRouter TAP interface, as well as ping traffic going out to 10.4.0.3, ARP requests, etc.

tcpdump (on the gateway) does not show traffic from 10.4.0.2 destined to 74.x.x.x, but does show traffic from 10.4.0.2 destined to 10.4.0.3.

I feel I am missing something in the configuration.

Any help would be appreciated.


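For comparison with the rule set quoted in the post above, here is an added example of how a practitioner would script the NAT-gateway side of a routed point-to-site setup on a Linux VPS. It is not code from the original post or from NeoRouter; the interface names (venet0, nrtap) and the VPN subnet (10.4.0.0/16) are taken from the thread, everything else is assumed. Two checks are built in that the quoted output makes worth having: iptables matches on kernel device names, and an IP alias label such as "venet0:0" is not a device, so rules written against it never match (the script refuses such names); and MASQUERADE is scoped to the VPN source subnet with a DROP policy on FORWARD, so the VPS only relays traffic for VPN clients rather than for anything that reaches it.

```shell
#!/bin/sh
# Added example (not from the original post or NeoRouter): NAT gateway
# rules for a TAP-based VPN on a Linux VPS.
# Assumed defaults: WAN device venet0, VPN device nrtap, VPN subnet 10.4.0.0/16.
# Commands are printed unless APPLY=1 is set, so the script is safe to preview.

WAN_IF="${WAN_IF:-venet0}"
VPN_IF="${VPN_IF:-nrtap}"
VPN_NET="${VPN_NET:-10.4.0.0/16}"

# Execute a command when APPLY=1, otherwise print it (dry run).
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# netfilter matches the real device name; "eth0:0"-style alias labels are
# IP aliases, not devices, so a rule with -o venet0:0 never sees a packet.
# Returns 0 if the name is usable in -i/-o, 1 otherwise.
check_ifname() {
    case "$1" in
        "")  return 1 ;;
        *:*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Returns 0 when the kernel currently forwards IPv4 (readable unprivileged).
forwarding_enabled() {
    [ -r /proc/sys/net/ipv4/ip_forward ] || return 1
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = "1" ]
}

# apply_rules WAN_IF VPN_IF VPN_NET
# Enables forwarding, restricts FORWARD to VPN->WAN plus return traffic,
# and SNATs only packets sourced from the VPN subnet.
apply_rules() {
    wan="$1"; vpn="$2"; net="$3"
    check_ifname "$wan" || { echo "unusable WAN interface name: $wan" >&2; return 1; }
    check_ifname "$vpn" || { echo "unusable VPN interface name: $vpn" >&2; return 1; }

    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$vpn" -o "$wan" -s "$net" -j ACCEPT
    run iptables -A FORWARD -i "$wan" -o "$vpn" -d "$net" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$net" -o "$wan" -j MASQUERADE
}

apply_rules "$WAN_IF" "$VPN_IF" "$VPN_NET"
```

Run it once without APPLY to read the commands it would issue, then `APPLY=1 sh gw-nat.sh` as root. After applying, `iptables -L FORWARD -v` and `iptables -t nat -L POSTROUTING -v` should show non-zero packet counters once a client sends traffic through the tunnel; counters that stay at zero while tcpdump on the VPN device sees the packets point at an interface-name mismatch in the rules.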
Post subject: Re: neorouter routed point to site nat gateway?
Posted: Sun Jun 17, 2012 5:15 am

Hi neurocis,

For a point-to-site VPN, the IP of the point computer must be in the same network as the site computers. And did you enable the bridge on the gateway machine?

Please take a look at this: http://www.neorouter.com/wiki/index.php ... idge_1.png

Thanks,
KevinZ - NeoRouter team


Post subject: Re: neorouter routed point to site nat gateway?
Posted: Sun Jun 17, 2012 5:21 pm

Must the configuration be bridged? I was looking for routed, as the "Site" is more of an SNAT gateway:

Client (10.4.0.2) <--> ( Gateway (10.4.0.3) <--> SNAT (206.x.x.x) ) <--> Internet

I can confirm IP forwarding is working; in fact I have OpenVPN running on this gateway as well and it is running fine, routed exactly as above but using subnet 10.8.0.0/16 instead of 1.4.0.0/16.

From the Wireshark and tcpdump data I see that packets initiated from a NeoRouter client that I wish to be SNAT'd and sent out the gateway are sent out the client's nrtap interface but are not arriving at the gateway's nrtap interface.

What I am trying to accomplish is to be able to use my NeoRouter VPN (not having to use OpenVPN) while I am on the road, to tunnel my internet traffic through it if I am connected at, say, a cafe or other public location.

Thanks!


Post subject: Re: neorouter routed point to site nat gateway?
Posted: Tue Jun 19, 2012 7:44 am

Hi neurocis,

If you want to build a site-to-site VPN, please take a look at this:
http://www.neorouter.com/wiki/index.php ... idge_2.png

Since you have just set up one gateway, you may want to set the LANSegment in Feature.ini properly, so that the packets from the computers which are not in the VLAN can be released out from the gateway/nrtap.

Thanks,
KevinZ - NeoRouter team

