maniscalco

join:2013-02-07

server to client connection through lan

I need to let clients and servers communicate in a point-to-point server, ideally according to the attached scheme:

As you can see, I maintain a complex network where the people who set up the LAN made, for various reasons, some virtual LANs; each LAN has some servers, and now I have to let those servers communicate through a point-to-point link to a remote LAN which I can't manage.

The remote LAN guys will assign me an IP, and the remote clients (which need my servers) have to communicate only through that IP. But my local servers belong to other IP ranges (as they are in VLANs). Moreover, the remote clients have to establish a 1-to-1 communication with my servers. So I have to recognize which client makes the request and forward it to my server according to the IP.

What's the exact solution?


cablegeek01

join:2003-05-13
USA
kudos:1

My exact solution would be to change that layout completely. The local router is more likely than not going to have fits trying to have 4 interfaces with the same network address on each interface. Then there's the issue of using a /16 for a point to point link (/31 or /30 is preferred).
Without knowing what servers/VLANs/ports are involved, static routes and/or NAPT configurations are impossible to guess at for the remote access portion.



clarknova

join:2010-02-23
Grande Prairie, AB
kudos:7
Reviews:
·TekSavvy DSL
reply to maniscalco

First, are you aware that the subnets in vlans 1 and 3, as well as the PtP subnet are publicly routable, and therefore your right to use them is regulated by IANA? Further, if those addresses don't belong to you, then your ability to reach those addresses (the real owners of those addresses), is impeded due to the fact that your routers think that those addresses are local.

That aside, the proper solution (based on the information provided) is that each router needs a route to the remote (V)LANs. So your router should have a static route to 10.0.0.0/8 via 192.100.0.2. The remote router should have static routes to 192.167.1.0/24, 192.168.1.0/24 and 192.169.1.0/24 via 192.100.0.1.

Note that no NAT should be occurring between any of the hosts in your diagram.
--
db



cablegeek01

join:2003-05-13
USA
kudos:1

I need to get my eyes checked. I looked at that diagram 3 times, and saw 192.168 for all 3 vlans....bleh.



DigitalXeron
There is a lack of sanity

join:2003-12-17
Hamilton, ON
reply to maniscalco

The following needs to be corrected:

- All 3 VLANs on "Company 1" need to be on different subnets, for instance
vlan1 192.168.1.0/24 with 192.168.1.1 default gw
vlan2 192.168.2.0/24 with 192.168.2.1 default gw
vlan3 192.168.3.0/24 with 192.168.3.1 default gw

- The router itself as a whole doesn't hold a single address; interfaces are individually assigned addresses, which must be unique per interface unless you're doing load balancing.

- On the "remote LAN 1", the internal default gw for 10.0.0.0/8 needs to be on the same subnet, it can't be 192.100.0.2 unless that's referring to the public-facing interface.

As far as achieving client access to the server(s), I would advise having VPN tunnelling going on between the sites if the external interface of "Company 1" only has one public address.
--
--Kradorex Xeron


maniscalco

join:2013-02-07
reply to maniscalco

Thanks. I corrected the schema according to the private addresses obligation. To be honest, I never asked myself why the network at the moment is incorrect and has public addresses, nor can I investigate it, as I can't communicate with the old system admin.

Apart from that, I think I explained myself incorrectly.
I can use only 1 IP address to communicate with the external network, which according to my new scheme (the real address is different, but we don't care about real numbers) is 192.168.140.100. And the external router which communicates with it is 192.168.140.20, so ideally they belong to the same subnet.

The remote firm can't see my servers' local IP addresses, and so the clients can use just my router address. But I know their private addresses (which could be 10.100.10.1, 10.100.10.4 and so on), so I want my router to receive the request and, knowing the IP, forward it to specific servers (which will be paired to the client, so 1 server can handle only 1 client until I change the route).

Basically, I need to handle external local IP addresses in a way that they always ask me for a server using the same IP, and I recognize the request based on their IP, then serve them using my VLAN servers.

PS: I don't know the remote hardware, but I suppose they forward requests from the 10.0.0.0/8 LAN to a router which has my subnet LAN address.


clarknova

join:2010-02-23
Grande Prairie, AB
kudos:7
Reviews:
·TekSavvy DSL

1 recommendation

said by maniscalco:

I can use only 1 ip address to communicate with the external network

So your router is doing NAT on the PtP interface then. This complicates the scenario. Are you sure you can't turn off NAT for that interface?

If not, then you have to configure port forwarding (incoming NAT) rules to select destination IP based on source IP. The question of how to do this depends on the router you are using.

It does appear that your router can see the source IP of the initiating client, so the remote router is not doing NAT on the PtP interface, which is good.
--
db


DigitalXeron
There is a lack of sanity

join:2003-12-17
Hamilton, ON

1 edit
reply to maniscalco

said by maniscalco:

Apart from that, I think I explained myself incorrectly.
I can use only 1 IP address to communicate with the external network, which according to my new scheme (the real address is different, but we don't care about real numbers) is 192.168.140.100. And the external router which communicates with it is 192.168.140.20, so ideally they belong to the same subnet.

The key here to understand is that each interface on the routers has a separate, unique IP address. For instance, if the PtP link interface has 192.168.140.100, the internal network of "Company 1" behind it (with each VLAN) MUST use a different subnet and different gateway. The same with 192.168.140.20 and "Company 2". For instance, you have on your diagram each router having only one IP address; assuming this is assigned to every interface on the router, the router will be unable to route packets correctly.

Though, the PtP link should use the same subnet since it is the same network, but it must be unique from "Company 1" and "Company 2" networks.

For instance, on "Company 2":

...===PtP link==[IF1:192.168.140.20 Router IF2:10.0.0.1]==internal network...

said by maniscalco:

The remote firm can't see my servers' local IP addresses, and so the clients can use just my router address. But I know their private addresses (which could be 10.100.10.1, 10.100.10.4 and so on), so I want my router to receive the request and, knowing the IP, forward it to specific servers (which will be paired to the client, so 1 server can handle only 1 client until I change the route).

Ideally, you need to disable NAT masquerading on the PtP link and have both networks aware of each other's subnets. How NAT works is that when traffic is crossing the routers, the actual source IP on the packets is altered to the router's PtP link IP address (e.g. 192.168.140.x on your diagram) and the routers simply keep a session table of what incoming traffic is solicited and what system has what connections open. That incoming traffic is then re-translated BACK to the original IP address of the system that solicited the traffic. Everything that is not on that table or port forwarding is refused or discarded.

Port forwarding/DNAT is a feature used to statically map port numbers on a "Public" interface (in this case the PtP link, for instance) to particular internal systems. Since it sounds like you have multiple servers wanting to run services on the same ports, there is no way, with NAT enabled on everything in your setup, for a client to be directed internally as you desire.

A solution is that the "Company 2" network needs NAT disabled on the PtP interface for the "Company 1" network router to be aware of the incoming "Company 2" client IP. From there, THEN the "Company 1" router can have multiple routing tables and appropriate routing policies to specify which source IPs use which routing tables (each client having a separate routing table). Likewise, "Company 1" would have to have its router know to route 10.0.0.0/8 to 192.168.140.20 for the response traffic to make it back to the client (this would be specified on all client routing tables).
--
--Kradorex Xeron

maniscalco

join:2013-02-07
reply to maniscalco

I have to say that the diagram is what I want to obtain.
I still haven't reached this solution and my router is not doing that work.

At the moment I'm using some static IP addresses which directly connect to the remote gateway/router and serve the clients.

I want to switch this and discard all my expensive ip addresses, keeping just one.

I can't manage the remote gateway/router. The only thing I know is that, to my knowledge, they are not doing any NAT; as I said, I can see my clients' IP addresses.



Jahntassa
What, I can have feathers
Premium
join:2006-04-14
Conway, SC
kudos:4

Unless your router (in your diagram as 192.168.140.100) can explicitly see your client's internal IPs (10.0.0.1/8), there is no way you can get this scenario to work without some sort of creative port forwarding or VPN connection.

It's late, I may not be understanding something, but best I can tell there's no EoIP tunnel between the two routers, it's not necessarily a Point to Point so much as two routers on the internet.


Bink
Villains... knock off all that evil

join:2006-05-14
Castle Rock, CO
kudos:4
Reviews:
·VOIPO
reply to maniscalco

If this is really a P2P link, your options are a bit limited, but this is doable. I don't know what magic IP Company 2 is going to assign you, but without a fully routed infrastructure or changes to the remote router, the only usable IP in this case is 192.168.140.100 and you'll need to use NAT, preferably some kind of conditional NAT. For example, if remote client 10.0.0.1 connects to 192.168.140.100:80, the local router would have a conditional NAT entry that would redirect this to 192.168.30.1:80.


maniscalco

join:2013-02-07

Bink, this is exactly what I had in mind. :- )

I confirm to the previous poster Jahntassa that I can explicitly see my clients' IPs, so I suppose there's no NAT over there.
And yes, it's PtP; the companies are about 10 miles from each other. There's nothing Internet-related, no VPN, just PtP.

So, do I have to study NAT, and precisely conditional NAT? Would you be so kind as to point me to some guide?



DigitalXeron
There is a lack of sanity

join:2003-12-17
Hamilton, ON

said by maniscalco:

Bink, this is exactly what I had in mind. :- )

I confirm to the previous poster Jahntassa that I can explicitly see my clients' IPs, so I suppose there's no NAT over there.
And yes, it's PtP; the companies are about 10 miles from each other. There's nothing Internet-related, no VPN, just PtP.

So, do I have to study NAT, and precisely conditional NAT? Would you be so kind as to point me to some guide?

This is very dependent upon the "Company 1" router make and model, as not every guide or manual will work with every router, so if you could provide details on that, it would be helpful.

For instance, if this router offers netfilter/iptables (e.g. if it runs Linux), you would want to look at the 'nat' table, especially the target option 'DNAT', for instance at the router's CLI:

iptables -t nat -A PREROUTING -s <CLIENT_IP>/32 -d <ROUTER PtP LINK IP>/32 -p tcp -m tcp --dport <DESTPORT> -j DNAT --to-destination <SERVER>:<PORT>

replacing the <OPTION> sections as appropriate.

Then use iptables-save or another similar mechanism to save the rules to the router's bootup iptables file.

But again, this is very dependent on the make/model of the router. If you do not have CLI (console) access on the router, it may complicate matters if the web interface isn't extensive, so you may want to look into this if you haven't already.
--
--Kradorex Xeron
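An added example, my own script and not from any poster in this thread: it generates the per-client conditional DNAT rules sketched above, one pairing per remote client, together with the 10.0.0.0/8 return route via the remote PtP router that clarknova and DigitalXeron mention. The PtP addresses are the thread's sample numbers; the client-to-server pairing table and the server addresses (in the example VLAN subnets suggested earlier) are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): render the per-client DNAT rules and the
# return route for the Company 1 router. Only prints commands; nothing is applied.
PTP_IP="192.168.140.100"      # Company 1 router, PtP-facing interface (from thread)
REMOTE_GW="192.168.140.20"    # Company 2 router on the PtP link (from thread)
REMOTE_NET="10.0.0.0/8"       # Company 2 client subnet, reachable via REMOTE_GW

# One line per pairing: <client IP> <internal server IP> <tcp port>
# Constructed sample data; the /32 on the client keeps each rule strictly 1-to-1.
PAIRINGS="10.100.10.1 192.168.1.10 80
10.100.10.4 192.168.2.10 80"

# Print the iptables commands for one pairing. Only packets from that exact
# client, addressed to the PtP IP, are rewritten to its paired server.
dnat_rule() {
    client="$1"; server="$2"; port="$3"
    printf 'iptables -t nat -A PREROUTING -s %s/32 -d %s/32 -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$client" "$PTP_IP" "$port" "$server" "$port"
    # FORWARD sees the already-translated destination, so match on the server.
    # Conntrack de-translates the replies, so no policy routing is needed.
    printf 'iptables -A FORWARD -s %s/32 -d %s/32 -p tcp --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' \
        "$client" "$server" "$port"
}

# Render the whole rule set: the return route first, then one block per pairing.
render_rules() {
    printf 'ip route replace %s via %s\n' "$REMOTE_NET" "$REMOTE_GW"
    printf '%s\n' "$PAIRINGS" | while read -r client server port; do
        [ -n "$client" ] && dnat_rule "$client" "$server" "$port"
    done
}

# Number of DNAT rules that would be installed (one per pairing).
count_dnat_rules() {
    render_rules | grep -c -- '-j DNAT'
}

render_rules
```

Review the printed commands, then apply them at the router CLI and persist with iptables-save as the post above describes.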

maniscalco

join:2013-02-07
reply to maniscalco

I want to use a zeroshell server, but I'm beginning to study it. Is it doable?



clarknova

join:2010-02-23
Grande Prairie, AB
kudos:7

zeroshell is Linux-based, so it should work fine. I don't know if the GUI will do this for you or if you will have to resort to iptables.

m0n0wall is another option if you like a clean usable web UI.
--
db