
A setup for VPN, VLAN and NAT


14 posts in this topic

Posted

Just to share a setup using an M4100 series switch as another solution to this:
http://www.neowin.net/forum/topic/1210869-vpn-something-xp-can-do-that-7-cant/

The reason Mirror Interface is used in this setup, and not Redirect Interface, which would ideally be the right type to use, is that the switch thinks it can't forward to a non-existing MAC, whereas Mirror Interface does not care. Something I might let Netgear know.

So here's what happens in this VPN server setup for Windows 7.

The client connects and sends internet traffic down which needs to be NAT'd, but this is sent out on the VPN server's WAN side with the VPN client's IP as source, 192.168.137.4. This is where Mirror Interface comes in. The Mirror Interface takes the VPN client's traffic and sends it to the ICS or NAT LAN side to then go out to the internet. On the way back, ARP is done for 192.168.137.4 on the ICS or NAT side; that is to the VPN server, which takes the traffic and sends it down the VPN to the client.

[image: VPN NAT VLAN.png]


Posted

Your drawing is missing..

see

[image: VPN NAT VLAN.png]


Posted

I've tested this page using morphium and it loads fine. :ninja:
http://morphium.info/webproxy/


Posted

You're hosting your image here:

src="http://dnsip.no-ip.org/VPN%20NAT%20VLAN.png"

Sorry, it's not loading, because my work proxy blocks personal IP space like that. Why don't you just attach it to your post like a normal person?

[image: post-14624-0-61287200-1399668979.png]

So now let's take a look and see what you're trying to do.


Posted

Ok, what are you actually trying to accomplish with this bowl of spaghetti?

U and T, are you marking tagged and untagged? Also, is this a work setup or your home? Why would anyone be using ICS for NAT? Really?

Where is the VPN client? From the internet? And you give him a 192.168.137 IP? And he is trying to talk to what on your 192.168.137 network?

Why do you think this traffic should, and how exactly is it supposed to, get back to the VPN box? This is NOT how you do VPN. It's a MESS!! You could solve all of these problems by actually running a VPN server vs. trying to mirror ports on switches, giving your VPNs the same IP as your local network and using ICS for the NAT?


Posted

From the other thread, I am still wondering why you are assigning VPN clients addresses in your inside address range? Do it properly: give them their own subnet and ROUTE them internally.

 

VLAN 900 - ISP WAN

VLAN 100 - 192.168.137.0/24 Internal 

VLAN 101 - 192.168.138.0/24 VPN Clients

 

Personally, I would get a Cisco ASA; it would do your VPN termination, inter-VLAN routing and NAT, all without that ICS garbage.

Port mirroring is normally used for IDS or packet capture for diagnostics. Why you would use it to get behind the inside NAT interface I have no idea.


Posted

I am really confused by this. I want to post the pic of Jackie Chan but I want to refrain from being insulting. Either this is far beyond what I can understand or it makes no sense.


Posted

EH? It looks like you are trying to bodge something because you don't have the correct equipment. You appear to be attempting to make an L2 switch behave like a router? Also, from that picture there is no firewall in this either. ICS is for home use where there is no router, and even then I wouldn't use it. Port Mirroring is something I've only really used as a diagnostic aid, with Wireshark normally. Your VPN client should be on a separate subnet from your destination LAN and then routed. Set up the VLANs if required on the device as well and use it for L3 before passing the traffic down to the switch. Cisco ASA / Zyxel USG are good choices.


Posted

Also, wth is up with ports 8 and 9 on your diagram? Let me see if I can decipher what you have there:

 

Port 6 - Trunk (vlan 7 tagged), native vlan 9 untagged

Port 7 - Trunk (vlan 8 tagged), native vlan 9 untagged

Port 8 - Trunk (vlan 9 tagged), native vlan 7 (and 8??? ) untagged

Port 9 - native vlan 200 untagged

 

And you have ports 8 and 9 physically connected... That would mean VLANs 7, 8 and 200 are all untagged on that port... which means those VLANs aren't segregated at all. wth?

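The segregation failure described in this post (port 8 carrying VLANs 7 and 8 untagged, cabled to port 9 carrying VLAN 200 untagged) can be checked mechanically rather than by eye. The Python below is an added example, not from the thread or from any Netgear tool: it models each port's 802.1Q membership and computes which VLANs a cable between two ports would collapse into one broadcast domain, for any port pair, not just 8 and 9. The PVID of 7 for port 8 is an assumption, since the diagram is ambiguous there.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    """802.1Q membership of one switch port, as listed in the post above."""
    name: str
    tagged: frozenset    # VLANs sent and accepted with a tag
    untagged: frozenset  # VLANs sent without a tag
    pvid: int            # VLAN an untagged ingress frame is classified into

def _find(parent, v):
    # Path-halving union-find lookup
    while parent[v] != v:
        parent[v] = parent[parent[v]]
        v = parent[v]
    return v

def bridged_vlans(a: Port, b: Port) -> list:
    """VLAN groups that collapse into one broadcast domain if a and b are cabled together.

    An untagged frame leaving one port is reclassified into the far port's PVID,
    so every untagged VLAN on each side merges with the other side's PVID.
    A tagged frame keeps its VLAN id if the far side carries that tag and is
    dropped otherwise, so tagged membership never merges distinct VLANs.
    """
    vlans = a.tagged | a.untagged | b.tagged | b.untagged | {a.pvid, b.pvid}
    parent = {v: v for v in vlans}
    for src, dst in ((a, b), (b, a)):
        for v in src.untagged:
            ra, rb = _find(parent, v), _find(parent, dst.pvid)
            if ra != rb:
                parent[ra] = rb
    groups = {}
    for v in vlans:
        groups.setdefault(_find(parent, v), set()).add(v)
    # Only groups of two or more VLANs indicate broken segregation
    return sorted((frozenset(g) for g in groups.values() if len(g) > 1), key=min)

# Ports as transcribed in the post; pvid=7 for port 8 is an assumption.
PORT6 = Port("6", tagged=frozenset({7}), untagged=frozenset({9}), pvid=9)
PORT7 = Port("7", tagged=frozenset({8}), untagged=frozenset({9}), pvid=9)
PORT8 = Port("8", tagged=frozenset({9}), untagged=frozenset({7, 8}), pvid=7)
PORT9 = Port("9", tagged=frozenset(), untagged=frozenset({200}), pvid=200)

def thread_example() -> list:
    """The port 8 <-> port 9 cable from the diagram."""
    return bridged_vlans(PORT8, PORT9)

if __name__ == "__main__":
    for group in thread_example():
        print("segregation broken: VLANs", sorted(group), "share one broadcast domain")
```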

Posted

An example of the core of my home network shows how the ASA can do everything you are trying to piece together in a much more straightforward manner...

 

[image: homelan_core2014.jpg]


Posted

> An example of the core of my home network shows how the ASA can do everything you are trying to piece together in a much more straightforward manner...
>
> [image: homelan_core2014.jpg]

That's your home network? Jeezus.

Are you doing it like this because you want a business network environment feel? Or are you doing something out of the ordinary which requires all of this?

Seems like a cannon being used on a fly.

Understand, I am not saying anything is wrong, and I am not saying it's not needed; just wondering why, that's all.


Posted

> So now let's take a look and see what you're trying to do.

Not trying; it's done and works.

> Where is the VPN client? From the internet?

Yes, or LAN.

If everybody is having a hard time working out how it works, setting it up with an M4100 series switch is the only way to know why it works.

> Also, from that picture there is no firewall in this either.

There is a firewall on both WANs.

> Port Mirroring is something I've only really used as a diagnostic aid, with Wireshark normally.

This is not Port Mirroring; this is Mirror Interface, an option in the ACL in the M4100 series switch. As said, I would like to have used Redirect Interface but it doesn


Posted

trek, why would you trunk your internet traffic through your whole network like that? The firewall should be at the edge of your network. The way I see it, that internet traffic traverses your physical wiring twice?

Your layer 1 seems a bit odd. You're going to be sending traffic in and out the same interfaces a few times because the SVIs are at the ASA? So a wireless client, say on treklab, wants to talk to homelan: you're going over the same physical connection between your server cab switch to get to the ASA, and then back out the same trunk to get to your ESXi setup?

This cuts your available bandwidth in half.

I don't see where all your other devices are, but this physical wiring seems a bit off? Also, is your modem doing NAT? The 3825 is a wireless gateway device, so did you just bridge it, or is it NATting?


Posted

> trek, why would you trunk your internet traffic through your whole network like that? The firewall should be at the edge of your network. The way I see it, that internet traffic traverses your physical wiring twice?
>
> Your layer 1 seems a bit odd. You're going to be sending traffic in and out the same interfaces a few times because the SVIs are at the ASA? So a wireless client, say on treklab, wants to talk to homelan: you're going over the same physical connection between your server cab switch to get to the ASA, and then back out the same trunk to get to your ESXi setup?
>
> This cuts your available bandwidth in half.
>
> I don't see where all your other devices are, but this physical wiring seems a bit off? Also, is your modem doing NAT? The 3825 is a wireless gateway device, so did you just bridge it, or is it NATting?

The way the house is laid out, unfortunately I have to trunk the outside WAN all the way to the basement, but it's only 50Mbps max on a gig pipe between the switches, so it's pretty inconsequential. Not in the diagram, but the trunk to the ASA carries only VLANs 10 and 20. VLAN 999 has a dedicated port. Also, 999 only appears on the trunk between the switches.

Lab traffic between VLAN 10 and 20 is minimal, say a couple of SIP sessions or RDP. I use it to keep my playing around isolated from the rest of the family. But yes, the hairpinning would decrease the available bandwidth if I needed it.

ISP modem is bridged. NAT is done by the ASA for all subnets.
