Thinkdiff
Premium,MVM
join:2001-08-07
Bronx, NY
kudos:11

Issues with Bridged VPN

Having issues with my bridged VPN setup yet again.

Here's the basic setup:

Site A:
- 192.168.1.0/24 network
- Running openvpn/tap on Linux
- tap0 is bridged with eth0. br0 has an IP in the 192.168.1.0/24 network
- Main router has a static route to 192.168.2.0/24 via 192.168.1.135

Site B:
- pfSense (FreeBSD)
- 192.168.2.0/24 network on physical interface 1
- 192.168.1.160/28 network on physical interface 2
- interface 3 is openvpn/tap0 with IP address 192.168.1.135
- I have a bridge interface setup which bridges interface 2 and interface 3. The bridge interface has no IP address set

While on physical interface 2, I'd like to have the option of connecting to the 192.168.1.160/28 network via static IP or the 192.168.1.0/24 network via DHCP.

So far all of that is working. The problem is when I'm on Site B, interface 2 with DHCP, transfer speeds to the internet are abysmal.

If I download a file from a server at Site A, I get full speed (1MB/sec). If I download a file from a server on the internet, I get 1KB/sec or less and passive packet loss.

I tried to run Wireshark while downloading and I see a large number of TCP Retransmission packets, TCP segments, and TCP Window updates.

Does anybody see an obvious problem here that I may be overlooking? Any ideas on troubleshooting this setup?

Thanks!
--
University of Southern California - Fight On!

bdnhsv

join:2012-01-20
Huntsville, AL
Your IP addressing probably needs some closer inspection. You have 192.168.1.0/24 defined on Site A and 192.168.1.160/28 defined on Site B. If these 2 sites weren't connected that would be fine, but since you are using a VPN this may represent an overlap - depending on which pool of addresses you have reserved for remote use to your VPN server. Your static route on Site A probably should be via the IP you have on br0 on that device.

It might help if you could diagram your setup and show the IP assignments for the various physical and virtual interfaces.


Thinkdiff
Premium,MVM
join:2001-08-07
Bronx, NY
kudos:11
reply to Thinkdiff
Here's a diagram - hopefully it's clear enough.

So the issue is when connecting devices to vlan4 at Site B. Ideally, I'd like to have the option of setting a static IP in the 192.168.1.160/28 space and having all internet traffic be routed by Router B.

If you use DHCP on vlan4, it should (and does) grab an IP address from Router A's space through the br0 and bridge0 combination. Then all internet traffic from the device will be routed by Router A using its own public IP. While in this configuration, if I download a file from the Linux Server at Site A, I get full speed - no packet loss. If I download a file from any internet site, it's less than 1KB/sec and massive packet loss.

Bink
Villains... knock off all that evil

join:2006-05-14
Castle Rock, CO
kudos:4
reply to Thinkdiff
Sorry to say, but this looks like quite the mess to me. I imagine you have a very good reason for having hosts on VLAN4 using both siteA’s and B’s Internet bandwidth (as opposed to just B’s) when doing anything online, but this network is really screaming for proper subnets—and doing this will likely make your issues vanish. That said, I’ve never been a fan of bridging LANs over VPNs over the Internet.


Thinkdiff
Premium,MVM
join:2001-08-07
Bronx, NY
kudos:11
How would you recommend I set it up then?

Running multiple networks on VLAN4 was for an old situation that came up a few months ago. I technically don't need to keep the 192.168.1.160/28 network, so I was thinking about removing it. However, I'm not sure how that would be affecting throughput to Router A.

I've had a bridged LAN setup via openvpn for quite a while now. I can't live without it!

Bink
Villains... knock off all that evil

join:2006-05-14
Castle Rock, CO
kudos:4
The usual way—each LAN/VLAN has its own subnet and you route between them. The way you have it now, for every file downloaded from the Internet from VLAN4, the packets are downloaded to siteA, uploaded from siteA to siteB and, subsequently, downloaded to siteB—talk about inefficient! While that doesn’t explain your 1KBps, you’re likely hitting some bug somewhere due to this non-standard “routing” and I’d probably blame the Belkin first.

Routing across the VPN—as opposed to bridging—will likely address the nonsense above and will also keep broadcast traffic off the VPN/Internet connection (and likely make a little more bandwidth available as a result). What is it that is forcing you to have layer 2 going over the VPN versus the standard layer 3?
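For anyone wanting to see what the "usual way" Bink describes looks like in OpenVPN terms, here is an added example (not from this thread and not anyone's actual config) of a routed (tun) site-to-site layout between the two sites. The addresses come from the thread: Site A LAN 192.168.1.0/24 with the Linux OpenVPN box at 192.168.1.135, Site B LAN 192.168.2.0/24. The tunnel subnet 10.8.0.0/24, the client CN "siteB", the hostname siteA.example.org and the certificate file names are all assumptions. The function writes the files into a directory you pass in (rather than /etc/openvpn) so they can be inspected before use; pfSense generates its client config from the GUI, but the directives map one to one.

```shell
#!/bin/sh
# Added example: routed (tun) OpenVPN site-to-site configs for the layout in
# the thread. Assumed values: tunnel subnet 10.8.0.0/24, client CN "siteB",
# server hostname siteA.example.org, certificate/key file names.
# Usage: write_routed_configs /some/dir

write_routed_configs() {
    dir="$1"
    mkdir -p "$dir/ccd"

    # Site A (Linux, OpenVPN server). "dev tun" means only IP packets cross
    # the tunnel; LAN broadcasts stay on their own side.
    cat > "$dir/siteA-server.conf" <<'EOF'
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
topology subnet
ca ca.crt
cert siteA.crt
key siteA.key
dh dh.pem
tls-auth ta.key 0
# kernel route on the Linux box: Site B's LAN lives behind the tunnel
route 192.168.2.0 255.255.255.0
# per-client files so OpenVPN knows which client owns 192.168.2.0/24
client-config-dir ccd
# tell the Site B side how to reach Site A's LAN
push "route 192.168.1.0 255.255.255.0"
keepalive 10 60
persist-key
persist-tun
EOF

    # ccd entry: iroute binds the Site B subnet to the client whose CN is "siteB"
    cat > "$dir/ccd/siteB" <<'EOF'
iroute 192.168.2.0 255.255.255.0
EOF

    # Site B (pfSense or any other OpenVPN client)
    cat > "$dir/siteB-client.conf" <<'EOF'
client
dev tun
proto udp
remote siteA.example.org 1194
nobind
ca ca.crt
cert siteB.crt
key siteB.key
tls-auth ta.key 1
remote-cert-tls server
persist-key
persist-tun
EOF
}

# Still needed outside OpenVPN (shown as comments, not run here):
#   Site A main router: static route 192.168.2.0/24 via 192.168.1.135
#                       (already in the thread)
#   Site A Linux box:   sysctl -w net.ipv4.ip_forward=1
#   Site B:             route to 192.168.1.0/24 via tun, pushed by the server

# small helper used to check the generated files for a whole-line directive
has_directive() { grep -qx "$2" "$1"; }
```

With this layout a VLAN4 host at Site B has a 192.168.2.x address, reaches Site A's LAN through the tunnel, and still uses Router B's default route for the internet, which is the path Bink is pointing at. The one thing it does not give you is the "same as plugging in at Site A" behaviour the bridge provides for broadcast-dependent devices.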


Thinkdiff
Premium,MVM
join:2001-08-07
Bronx, NY
kudos:11
said by Bink:

Routing across the VPN—as opposed to bridging—will likely address the nonsense above and will also keep broadcast traffic off the VPN/Internet connection (and likely make a little more bandwidth available as a result). What is it that is forcing you to have layer 2 going over the VPN versus the standard layer 3?

Exactly the "Con" that you stated. I want all traffic to go over the tunnel. My goal for VLAN4 was to be able to plug in an ethernet cable or join vlan4's wireless network and have everything function exactly the same as if I plugged in at Site A. I have a number of devices/applications that rely on broadcast messages and devices being on the same subnet for everything to work. I was under the impression if I did routed subnets between Site A and Site B, much of this stuff would break. There's also a few times per month where I need to use Site A's public IP address rather than Site B's - all I have to do currently is switch ethernet ports/wireless networks.

For the time being, I wiped out all my firewall rules, got rid of the 192.168.1.160/28 network (figured out a workaround), and rebuilt it all from scratch. I'm getting full speeds now and things seem pretty stable so far. But I'm still interested if there's a better way to set this up, so any suggestions are appreciated.

bdnhsv

join:2012-01-20
Huntsville, AL
reply to Thinkdiff
Are the 2 static routes actually defined as they are shown in the diagram? (192.168.2.0/24 and 192.168.1.0/24) If so, have you ever tried defining them as the actual IPs of the 2 routers? (i.e. 192.168.1.1 and 192.168.2.1)

You've also mentioned some speed issues/questions. You'll be limited by the slowest portion of your 2 internet connections - which will be upload speed on one of the connections if you have ADSL or Cable. If you need more info about that then let us know.


Thinkdiff
Premium,MVM
join:2001-08-07
Bronx, NY
kudos:11
Not sure your first point works. Wouldn't that only forward packets destined for that single IP address across the VPN? How would devices connected to 192.168.2.0/24 know how to reach 192.168.1.11 if the network was not defined in Router B's routing table?

For the second point, of course. site A is a fiber connection with plenty of bandwidth. Site B is 12/1 DSL. I was getting downloads stuck at 1KB/sec.

bdnhsv

join:2012-01-20
Huntsville, AL
Yeah, you're right. Momentary senior moment on my part, I guess.