A setup for VPN, VLAN and NAT
Just to share a setup using an M4100 series switch as another solution to this:
https://www.neowin.net/forum/topic/1210869-vpn-something-xp-can-do-that-7-cant/

The reason Mirror Interface is used in this setup, and not Redirect Interface (which would ideally be the right type to use), is that the switch thinks it can't forward to a non-existing MAC, whereas Mirror Interface does not care; something I might let Netgear know.

So here's what happens in this VPN server setup for Windows 7.

The client connects and sends internet traffic down, which needs to be NATed, but this is sent out on the VPN server's WAN side with the VPN client's IP as source, 192.168.137.4. This is where Mirror Interface comes in. The Mirror Interface takes the VPN client's traffic and sends it to the ICS or NAT LAN side, to then go out to the internet. On the way back, ARP is done for 192.168.137.4 on the ICS or NAT side; that goes to the VPN server, which takes the traffic and sends it down the VPN to the client.

[Image: VPN NAT VLAN.png]

Ok, what are you actually trying to accomplish with this bowl of spaghetti?

U and T, are you marking tagged and untagged? Also, is this a work setup or your home? Why would anyone be using ICS for NAT? Really?

Where is the VPN client? From the internet? And you give him a 192.168.137 IP? And he is trying to talk to what on your 192.168.137 network?

Why do you think this traffic should, and how exactly is it supposed to, get back to the VPN box? This is NOT how you do VPN. It's a MESS!! You could solve all of these problems by actually running a VPN server vs trying to mirror ports on switches, giving your VPNs the same IP as your local network and using ICS for the NAT.

From the other thread, I am still wondering why you are assigning VPN clients addresses in your inside address range? Do it properly, give them their own subnet and ROUTE them internally.

VLAN 900 - ISP WAN

VLAN 100 - 192.168.137.0/24 Internal

VLAN 101 - 192.168.138.0/24 VPN Clients

Personally I would get a Cisco ASA; it would do your VPN termination, inter-VLAN routing and NAT, all without that ICS garbage.

Port mirroring is normally used for IDS or packet capture for diagnostics. Why you would use it to get behind the inside NAT interface I have no idea.

I am really confused by this. I want to post the pic of Jackie Chan but I want to refrain from being insulting. Either this is far beyond what I can understand or it makes no sense.


EH?

It looks like you are trying to bodge something because you don't have the correct equipment.

You appear to be attempting to make an L2 switch behave like a router?

Also, from that picture there is no firewall in this either.

ICS is for home use where there is no router, and even then I wouldn't use it.

Port mirroring is something I've only really used as a diagnostic aid, with Wireshark normally.

Your VPN client should be on a separate subnet from your destination LAN and then routed.

Set up the VLANs if required on the device as well and use it for L3 before passing the traffic down to the switch.

Cisco ASA / Zyxel USG are good choices.

Also, wth is up with ports 8 and 9 on your diagram? Let me see if I can decipher what you have there:

Port 6 - Trunk (vlan 7 tagged), native vlan 9 untagged

Port 7 - Trunk (vlan 8 tagged), native vlan 9 untagged

Port 8 - Trunk (vlan 9 tagged), native vlan 7 (and 8???) untagged

Port 9 - native vlan 200 untagged

And you have ports 8 and 9 physically connected... That would mean VLANs 7, 8 and 200 are all untagged on that port... which means those VLANs aren't segregated at all, wth?
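The two design problems raised in this thread, a patch cable between two untagged ports merging VLANs 7, 8 and 200 into one broadcast domain, and VPN clients being handed addresses out of the internal 192.168.137.0/24 range instead of their own routed subnet (the earlier post's VLAN 100 / VLAN 101 suggestion), can both be checked mechanically. The following is an added example written for this page, not code from the thread, Netgear or Cisco. The port table is constructed from the port list quoted above; the VPN server LAN address 192.168.137.10 is an assumed value.

```python
import ipaddress

# Constructed from the port list quoted in the thread (switch ports 6 to 9).
# Each port has a set of tagged (trunked) VLANs and a set of untagged VLANs.
PORTS = {
    6: {"tagged": {7}, "untagged": {9}},
    7: {"tagged": {8}, "untagged": {9}},
    8: {"tagged": {9}, "untagged": {7, 8}},  # two untagged VLANs, as read from the diagram
    9: {"tagged": set(), "untagged": {200}},
}

# Physical patch cables between ports of the same switch (port 8 looped to port 9).
PATCH_CABLES = [(8, 9)]


def ports_with_multiple_untagged(ports):
    """802.1Q gives a port exactly one native (PVID) VLAN for untagged frames.
    A port listed with more than one untagged VLAN cannot classify ingress
    frames unambiguously, so flag it."""
    return sorted(p for p, m in ports.items() if len(m["untagged"]) > 1)


def merged_vlans(ports, cables):
    """An untagged frame leaving port A enters port B untagged and is placed in
    B's native VLAN, and vice versa. Every VLAN untagged on either end of a
    patch cable therefore shares one broadcast domain. Return those VLAN sets
    (one frozenset per cable) whenever more than one VLAN is involved."""
    merged = []
    for a, b in cables:
        domain = ports[a]["untagged"] | ports[b]["untagged"]
        if len(domain) > 1:
            merged.append(frozenset(domain))
    return sorted(merged, key=sorted)


def vpn_pool_is_routable(lan_cidr, vpn_pool_cidr):
    """The thread's advice: VPN clients get their own subnet that is routed to
    the LAN, never addresses carved out of the LAN range. True when the pool
    and the LAN do not overlap."""
    lan = ipaddress.ip_network(lan_cidr)
    pool = ipaddress.ip_network(vpn_pool_cidr)
    return not lan.overlaps(pool)


def static_route_for_pool(vpn_pool_cidr, vpn_server_lan_ip):
    """Return (destination, next_hop): the static route the LAN gateway needs so
    return traffic for the VPN pool is forwarded to the VPN server's LAN address."""
    pool = ipaddress.ip_network(vpn_pool_cidr)
    return (str(pool), str(ipaddress.ip_address(vpn_server_lan_ip)))


if __name__ == "__main__":
    print("ports with more than one untagged VLAN:", ports_with_multiple_untagged(PORTS))
    print("VLANs merged by patch cables:",
          [sorted(s) for s in merged_vlans(PORTS, PATCH_CABLES)])
    # Pool carved out of the LAN (the setup in this thread) vs. a separate routed pool.
    print("pool inside LAN routable?",
          vpn_pool_is_routable("192.168.137.0/24", "192.168.137.0/24"))
    print("separate pool routable?",
          vpn_pool_is_routable("192.168.137.0/24", "192.168.138.0/24"))
    # 192.168.137.10 is an assumed VPN server LAN address, not one from the thread.
    print("route on the LAN gateway:", static_route_for_pool("192.168.138.0/24", "192.168.137.10"))
```

Run as-is, the script reports port 8 as carrying two untagged VLANs and the 8-to-9 patch cable as collapsing VLANs 7, 8 and 200 into one domain; with the VPN pool moved to 192.168.138.0/24 the overlap check passes and the only extra configuration needed is one static route on the LAN gateway pointing that pool at the VPN server.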


An example of the core of my home network shows how the ASA can do everything you are trying to piece together in a much more straightforward manner...

[Image: homelan_core2014.jpg]

That's your home network? Jeezus.

Are you doing it like this because you are wanting to get a business network enviro feel? Or are you doing something out of the ordinary which requires all of this?

Seems like a cannon being used on a fly.

Understand, I am not saying anything is wrong, and I am not saying it's not needed; just wondering why, that's all.

So now let's take a look and see what you're trying to do.

Not trying, it's done and works.

Where is the VPN client? From the internet?

Yes, or LAN.

If everybody is having a hard time working out how it works, setting it up with an M4100 series switch is the only way you'll know why it works.

Also, from that picture there is no firewall in this either.

There is a firewall on both WANs.

Port mirroring is something I've only really used as a diagnostic aid, with Wireshark normally.

This is not Port Mirroring, this is Mirror Interface, an option in ACL in the M4100 series switch. As I said, I would like to have used Redirect Interface but it doesn't work.

Also, wth is up with ports 8 and 9 on your diagram? Let me see if I can decipher what you have there:

Port 6 - Trunk (vlan 7 tagged), native vlan 9 untagged

Port 7 - Trunk (vlan 8 tagged), native vlan 9 untagged

Port 8 - Trunk (vlan 9 tagged), native vlan 7 (and 8???) untagged

Port 9 - native vlan 200 untagged

And you have ports 8 and 9 physically connected... That would mean VLANs 7, 8 and 200 are all untagged on that port... which means those VLANs aren't segregated at all, wth?

I have a Cisco SG300-10 and I can't get its VLANs to do what Netgear switches can do, so I guess that's why you're having a hard time working out how to do it in a Cisco switch. You don't have to have VLAN 200; you can connect port 8 to the gateway. It's just there so you can deny 192.168.137.4 on port 9 after you permit the mirror to port 2 on port 6. It's also a cool trick to get more ACL rules in.

And it's:

Port 8 - Trunk (vlan 9 tagged), native vlan 7 and 6 untagged

From the other thread, I am still wondering why you are assigning VPN clients addresses in your inside address range? Do it properly, give them their own subnet and ROUTE them internally.

It can't be done properly, because if you have a VPN server giving out LAN IPs and the client wants internet access, the VPN server in Windows 7 sends that traffic out to the WAN where nothing will happen. Whereas in XP you can have ICS and a VPN server on one PC and it NATs the clients wanting internet access; Windows 7 does not do this, so there is no proper way of doing it unless you have many WAN IPs that you use for the VPN server to hand out, and even then the IPs have to be in the same subnet.

EH? It looks like you are trying to bodge something because you don't have the correct equipment. You appear to be attempting to make an L2 switch behave like a router?

There are ways and then there are ways, and either way it works if you understand and know what you are doing; you might not know something I know.

Trek, why would you trunk your internet traffic through your whole network like that? The firewall should be at the edge of your network. The way I see it, that internet traffic traverses your physical wiring twice?

Your layer 1 seems a bit odd. You're going to be sending traffic in and out the same interfaces a few times because the SVIs are at the ASA? So a wireless client, say on treklab, wants to talk to homelan: you're going over the same physical connection between your server cab switch to get to the ASA, and then back out the same trunk to get to your ESXi setup?

This cuts your available bandwidth /2.

I don't see where all your other devices are, but this physical wiring seems a bit off? Also, is your modem doing NAT? The 3825 is a wireless gateway device, so did you just bridge it, or is it NATting?

The way the house is laid out, unfortunately I have to trunk the outside WAN all the way to the basement, but it's only 50Mbps max on a gig pipe between the switches, so it's pretty inconsequential. Not in the diagram, but the trunk to the ASA carries only VLANs 10 and 20. VLAN 999 has a dedicated port. Also, 999 only appears on the trunk between the switches.

Lab traffic between VLAN 10 and 20 is minimal. Say a couple of SIP sessions or RDP. I use it to keep my playing around isolated from the rest of the family. But yes, the hairpinning would decrease the available bw if I needed it.

ISP modem is bridged. NAT is done by the ASA for all subnets.