NeoRouterWiki:NetworkBridge

From NeoRouterWiki


Revision as of 16:45, 17 January 2012

Network Bridge

Overview

NeoRouter (v0.9.9 or later) supports the Network Bridge feature, which uses two very different means for interconnecting networks: routing and bridging. Once the feature is enabled, the ACL feature is disabled automatically, because NeoRouter can no longer control the packets arriving from the external networks; this may cause security issues if the feature is not set up properly. It is therefore an advanced feature for users who know it very well.

  • Routing - refers to the interconnection of separate and independent "sub-networks" (subnets) which have non-overlapping ranges of IP addresses. Upon receiving a packet sent to it, a network "router" examines the destination IP address to determine which of several connected networks should receive it, after which that packet is forwarded to the proper network.
  • Bridging - by comparison, is much simpler. A network "bridge" is simply an electrical interconnection between separate physical networks that are all carrying the same ranges of IP addresses. Standard dumb network "hubs" and "switches" are examples of network bridges. With a hub, packets arriving at any port are "bridged" and sent out to every other port. A switch is a bit smarter, since it is able to adaptively learn which network interface cards (NICs) are attached to which ports. But a switch is still interconnecting network segments carrying the same ranges of IP addresses.

Routing vs. Bridging

Although "routed" connections are the most common and straightforward to configure, they suffer from significant operational limitations. By comparison, "bridged" connections are generally much trickier to configure, and are not even natively available under all operating systems, so they are not the default connection type. But when bridging is set up properly, it does everything that we want.

Bridging and routing are functionally very similar, with the major difference being that a routed VPN will not pass IP broadcasts while a bridged VPN will.

  • Routing advantages
    • Efficiency and scalability.
    • Allows better tuning of MTU for efficiency.
  • Routing disadvantages
    • Clients must use a WINS server (such as samba) to allow cross-VPN network browsing to work.
    • Routes must be set up linking each subnet.
    • Software that depends on broadcasts will not "see" machines on the other side of the VPN.
    • Works only with IPv4 in general, and IPv6 in cases where tun drivers on both ends of the connection support it explicitly.
  • Bridging advantages
    • Broadcasts traverse the VPN -- this allows software that depends on LAN broadcasts such as Windows NetBIOS file sharing and network neighborhood browsing to work.
    • No route statements to configure.
    • Works with any protocol that can function over Ethernet.
    • Relatively easy-to-configure solution for road warriors.
  • Bridging disadvantages
    • Less efficient than routing, and does not scale well.

Setup network bridge

With either bridging mode or routing mode, one can create a point-to-site VPN, a site-to-site VPN or even multiple site-to-site networks. Once a network structure is well designed, one can use the Feature.ini file to control the NeoRouter client service and implement it.

  • The file Feature.ini is located in the main configuration folder, which varies by OS:
On Windows XP:
X:\Documents and Settings\All Users\Application Data\ZebraNetworkSystems\NeoRouter

On Vista+:
X:\Users\All Users\ZebraNetworkSystems\NeoRouter

On Linux and Mac OS X:
/usr/local/ZebraNetworkSystems/NeoRouter

On in-a-box:
/jffs

If the file does not exist, please create it.

  • The only thing to do is define the parameters in the Feature.ini file.
    • NetworkBridge=1
    • LANSegment parameters - a set of parameters that map an external IP address or IP range to a virtual IP address (VIP), so that NeoRouter can route the packets to the proper tunnel. Each entry is defined in the following format:
LANSegment[index]=[IP|IP range|segment],VIP
[index] - a number starting from 1, for example: 1,2,3...
[IP] - a single valid external IP address, for example: 192.168.129.126
[IP range] - a set of external IP addresses in the format IP_BEGIN-IP_END, for example: 192.168.129.126-192.168.129.128
[segment] - a set of external IP addresses in the format SUBNETWORK/NETMASK, for example: 192.168.129.0/255.255.255.0
VIP - the virtual IP address of the NeoRouter node whose tunnel serves those external addresses

For example:

[Default]
NetworkBridge=1
LANSegment1=192.168.129.126-192.168.129.128,192.168.129.204
LANSegment2=192.168.129.120,192.168.129.205
LANSegment3=192.168.3.0/255.255.255.0,192.168.129.206

In the sample above, each LANSegment entry tells NeoRouter which virtual IP address, and therefore which tunnel, packets for those external addresses should be sent to.

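To show how the three address forms and the VIP mapping fit together, here is an added example parser for the LANSegment syntax; it is not NeoRouter's own code, and the Feature.ini text it reads is constructed from the sample above. It also flags overlapping entries, because a destination covered by two entries would map to two different tunnels and this page does not state which one NeoRouter prefers.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed Feature.ini text, mirroring the sample on this page (not a real deployment).
FEATURE_INI = """\
[Default]
NetworkBridge=1
LANSegment1=192.168.129.126-192.168.129.128,192.168.129.204
LANSegment2=192.168.129.120,192.168.129.205
LANSegment3=192.168.3.0/255.255.255.0,192.168.129.206
"""

@dataclass
class LanSegment:
    index: int
    first: ipaddress.IPv4Address  # lowest external address the entry covers
    last: ipaddress.IPv4Address   # highest external address the entry covers
    vip: ipaddress.IPv4Address    # virtual IP of the NeoRouter node whose tunnel serves them

    def covers(self, ip: ipaddress.IPv4Address) -> bool:
        return self.first <= ip <= self.last

_SEGMENT_KEY = re.compile(r"^LANSegment(\d+)$")

def parse_external(spec: str):
    """Turn the [IP|IP range|segment] part into an inclusive (first, last) pair."""
    spec = spec.strip()
    if "/" in spec:  # SUBNETWORK/NETMASK; ipaddress accepts a dotted netmask here
        net = ipaddress.IPv4Network(spec, strict=False)
        return net.network_address, net.broadcast_address
    if "-" in spec:  # IP_BEGIN-IP_END
        begin, end = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if end < begin:
            raise ValueError(f"range end precedes its start: {spec}")
        return begin, end
    ip = ipaddress.IPv4Address(spec)  # a single external address
    return ip, ip

def parse_feature_ini(text: str):
    """Return (network_bridge_enabled, LANSegment entries sorted by index)."""
    enabled = False
    segments = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "[;#":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "NetworkBridge":
            enabled = value == "1"
            continue
        m = _SEGMENT_KEY.match(key)
        if not m:
            continue  # other keys (CmdOn..., etc.) are not handled by this example
        external, sep, vip = value.rpartition(",")
        if not sep:
            raise ValueError(f"{key}: missing ',VIP' part in {value!r}")
        first, last = parse_external(external)
        segments.append(LanSegment(int(m.group(1)), first, last,
                                   ipaddress.IPv4Address(vip.strip())))
    segments.sort(key=lambda s: s.index)
    return enabled, segments

def overlapping_segments(segments):
    """Index pairs whose external ranges overlap: such a destination maps to two VIPs."""
    pairs = []
    for i, a in enumerate(segments):
        for b in segments[i + 1:]:
            if a.first <= b.last and b.first <= a.last:
                pairs.append((a.index, b.index))
    return pairs

def lookup_vip(segments, dst: str):
    """VIP that a packet for external address dst is sent to (first covering entry in
    index order), or None when no entry covers it and the packet stays off the VPN."""
    ip = ipaddress.IPv4Address(dst)
    for seg in segments:
        if seg.covers(ip):
            return str(seg.vip)
    return None

if __name__ == "__main__":
    enabled, segs = parse_feature_ini(FEATURE_INI)
    print("NetworkBridge enabled:", enabled)
    for dst in ("192.168.129.127", "192.168.129.120", "192.168.3.77", "192.168.129.5"):
        print(f"{dst:16} -> {lookup_vip(segs, dst)}")
    print("overlapping entries:", overlapping_segments(segs))
```

The lookup returns the first covering entry in index order; that is an assumption of this example, not documented NeoRouter behaviour, which is why overlapping_segments reports any ambiguous pairs so they can be fixed in the file rather than relied upon.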
Here are several common scenarios.

Bridging Setup – point to site VPN

  • Requirement: A company wants to create a point-to-site VPN, so that employees can remotely access the printers or computers in the office from home or from a customer site. Since the NeoRouter client cannot be installed on the printers, nor on some computers that run a Unix OS (HP-UX, Solaris or SCO Unix), the NeoRouter Network Bridge feature is the best choice.
  • Design:

Since we want to use the printer, it's better to use the bridging mode. Based on the requirements, we split the network into 3 groups:

1. 192.168.129.126 - 192.168.128.128, used for computers or printers

2. 192.168.129.200 - 192.168.129.254, used for NeoRouter DHCP

3. All other IP addresses; we don't want packets from these ranges to go over our VPN

  • Setup:

1. Set up the NeoRouter server and configure the DHCP address range to 192.168.129.200/255.255.255.0

2. Set up the gateway computer by creating a bridge that combines the NeoRouter virtual adapter and a local adapter.

 On Windows XP+ (except Windows XP x64), one can use the built-in Windows Network Bridge tool to create the bridge (check out MSDN for details).

 Since some adapters may not fully support promiscuous mode, one has to enable compatibility mode for them manually (check out http://support.microsoft.com/kb/302348). List the adapter IDs first, then enable forced compatibility mode for each bridged adapter (the original page abbreviates "adapter" and "forcecompatmode=enable" to "a" and "e", which netsh accepts):

 > netsh bridge show adapter
 > netsh bridge set adapter 1 forcecompatmode=enable
 > netsh bridge set adapter 2 forcecompatmode=enable

 On Linux, one can use the brctl command to create a bridge. Here $br is the bridge name and $eth_ip, $eth_netmask and $eth_broadcast are the LAN address settings previously held by eth0, which move onto the bridge:

 > brctl addbr $br
 > brctl addif $br eth0
 > brctl addif $br nrtap
 > ifconfig nrtap 0.0.0.0 promisc up
 > ifconfig eth0 0.0.0.0 promisc up
 > ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

 To remove the bridge again later:

 > ifconfig $br down
 > brctl delbr $br

3. Set up the Feature.ini file on each member of the NeoRouter network. The content of the file is:

[Default]
NetworkBridge=1
LANSegment1=192.168.129.126-192.168.129.128,192.168.129.204

After saving the file, restart the nrservice service or reboot the computer.

Routing Setup – site to site VPN

  • Requirement: A company wants to create a site-to-site VPN to link two offices located in different cities. They cannot install the NeoRouter client software on their computers running a Unix OS (HP-UX, Solaris or SCO Unix). The NeoRouter Network Bridge feature is the best choice.
  • Design:

To make the VPN fast, it's better to use the routing mode. From the requirements, we can see 3 networks:

1. 192.168.129.0/255.255.255.0 Office 1

2. 192.168.3.0/255.255.255.0 Office 2

3. 10.0.1.0/255.255.255.0 NeoRouter virtual network

  • Setup:

1. Set up the NeoRouter client on each gateway computer.

2. On each gateway computer, enable the OS feature that allows it to forward packets.

On Windows 2000+, create HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter as a string value equal to 1 in the registry. This will require a system reboot to take effect. To confirm it is enabled, run ipconfig /all from the command line; "IP Routing Enabled" should say Yes. If not, confirm your registry setting and reboot again. This setting is flaky in non-server versions of Windows.

Also refer to http://support.microsoft.com/kb/230082/en-us

On Linux:
 > echo 1 > /proc/sys/net/ipv4/ip_forward

On Mac OS X, either
  1) create or edit /etc/sysctl.conf and add net.inet.ip.forwarding=1 (the easy way, persistent across reboots), or
  2) > sysctl -w net.inet.ip.forwarding=1

3. Set up the route to the remote office on each gateway, pointing at the other gateway's NeoRouter virtual IP:

On the gateway of the 192.168.3.x network:

> route -p add 192.168.129.0 mask 255.255.255.0 10.0.1.103

On the gateway of the 192.168.129.x network:

> route -p add 192.168.3.0 mask 255.255.255.0 10.0.1.102

4. Set up the route table on the other machines. When using the routing method, you need to tell your other machines how to cross the VPN to reach computers on the opposite network. Either of the following options works.

Option 1:

This requires more work, but limits configuration changes to the computer level.

On each computer of the 192.168.3.x network:

> route -p add 192.168.129.0 mask 255.255.255.0 192.168.3.234

On each computer of the 192.168.129.x network:

> route -p add 192.168.3.0 mask 255.255.255.0 192.168.129.129

Option 2: (not all routers support this, but it is the minimal configuration method)

On the router acting as the default gateway for the 192.168.3.x network, add a static route that sends any traffic destined for the 192.168.129.0 network through 192.168.3.x (the IP address of the NeoRouter PC on the 192.168.3.x network).

On the router acting as the default gateway for the 192.168.129.x network, add a static route that sends any traffic destined for the 192.168.3.0 network through 192.168.129.x (the IP address of the NeoRouter PC on the 192.168.129.x network).
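As an added example (not NeoRouter's own code), the script below models the route tables that steps 3 and 4 (Option 1) produce and traces a packet hop by hop with a longest-prefix-match lookup, so you can see why both the gateway routes and the per-host routes are needed. The gateway addresses come from the commands above (Office 1 gateway 192.168.129.129 / VIP 10.0.1.103, Office 2 gateway 192.168.3.234 / VIP 10.0.1.102); the host addresses 192.168.3.10 and 192.168.129.50 and the office router 192.168.3.1 with its upstream 203.0.113.1 are constructed for the illustration. The same set of routes is what a CmdOnTapActive script (see "Run scripts" below) would install on a gateway once the tap is up.

```python
import copy
import ipaddress

def route_lookup(table, dst):
    """Longest-prefix match over a list of (prefix, next_hop). next_hop "direct" means the
    prefix is on a local interface. Returns None when no entry matches."""
    ip = ipaddress.IPv4Address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.IPv4Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]

# Constructed nodes for the scenario on this page:
# Office 1 = 192.168.129.0/24, Office 2 = 192.168.3.0/24, NeoRouter virtual net = 10.0.1.0/24.
# gw1 = Office 1 gateway (LAN 192.168.129.129, VIP 10.0.1.103),
# gw2 = Office 2 gateway (LAN 192.168.3.234, VIP 10.0.1.102).
# pc1/pc2 host addresses and the office router rtr2 are assumptions for the example.
NODES = {
    "pc2":  {"addrs": ["192.168.3.10"],
             "routes": [("192.168.3.0/24", "direct"),
                        ("192.168.129.0/24", "192.168.3.234"),   # step 4, option 1
                        ("0.0.0.0/0", "192.168.3.1")]},
    "rtr2": {"addrs": ["192.168.3.1"],
             "routes": [("192.168.3.0/24", "direct"),
                        ("0.0.0.0/0", "203.0.113.1")]},          # towards the ISP, not modelled
    "gw2":  {"addrs": ["192.168.3.234", "10.0.1.102"],
             "routes": [("192.168.3.0/24", "direct"),
                        ("10.0.1.0/24", "direct"),
                        ("192.168.129.0/24", "10.0.1.103")]},    # step 3
    "gw1":  {"addrs": ["192.168.129.129", "10.0.1.103"],
             "routes": [("192.168.129.0/24", "direct"),
                        ("10.0.1.0/24", "direct"),
                        ("192.168.3.0/24", "10.0.1.102")]},      # step 3
    "pc1":  {"addrs": ["192.168.129.50"],
             "routes": [("192.168.129.0/24", "direct"),
                        ("192.168.3.0/24", "192.168.129.129")]}, # step 4, option 1
}

def owner_of(nodes, addr):
    """Name of the node that holds address addr, or None if it is not modelled."""
    for name, node in nodes.items():
        if addr in node["addrs"]:
            return name
    return None

def trace(nodes, start, dst, max_hops=8):
    """Follow a packet for dst from node `start`. Returns (status, path of node names)."""
    path = [start]
    node = start
    for _ in range(max_hops):
        if dst in nodes[node]["addrs"]:
            return "delivered", path
        nh = route_lookup(nodes[node]["routes"], dst)
        if nh is None:
            return "no route", path
        if nh == "direct":
            target = owner_of(nodes, dst)
            if target is None:
                return "no host on the connected segment", path
            path.append(target)
            return "delivered", path
        target = owner_of(nodes, nh)
        if target is None:
            return f"next hop {nh} is outside the modelled network", path
        path.append(target)
        node = target
    return "hop limit exceeded (routing loop?)", path

def without_option1(nodes):
    """Copy of the nodes with the step-4 per-host routes removed, to show the failure mode:
    the hosts' default route sends cross-site traffic to the office router instead of the VPN."""
    out = copy.deepcopy(nodes)
    cross_site = ("192.168.129.0/24", "192.168.3.0/24")
    for pc in ("pc1", "pc2"):
        out[pc]["routes"] = [r for r in out[pc]["routes"]
                             if not (r[0] in cross_site and r[1] != "direct")]
    return out

if __name__ == "__main__":
    for nodes, label in ((NODES, "with option 1"), (without_option1(NODES), "without option 1")):
        print(label)
        print("  pc2 -> 192.168.129.50:", trace(nodes, "pc2", "192.168.129.50"))
        print("  pc1 -> 192.168.3.10  :", trace(nodes, "pc1", "192.168.3.10"))
```

With the Option 1 routes present the path is pc2, gw2, gw1, pc1 and the reply takes the mirror path; without them the packet follows the host's default route to the office router and leaves the site, which is exactly what Option 2 fixes by putting the same static route on that router instead.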

Bridging Setup – site to site VPN

With bridging mode, one can also create a site-to-site VPN.


Run scripts

When the Network Bridge feature is enabled, one can define commands that the NeoRouter client calls on the following events.

These commands should be defined in the Feature.ini file.

  • 1. When the tap device is initialized but not yet activated:

CmdOnTapInit=xxxxxxxxx

  • 2. When the tap device gets activated:

CmdOnTapActive=xxxxxxxxx

  • 3. When the tap device gets destroyed:

CmdOnTapUninit=xxxxxxxxx

These options are available on all platforms.

For example, one can define a script that sets up the static route table after the tap gets activated and has a virtual IP address assigned.

Feature.ini

....
CmdOnTapActive=/usr/bin/setroutetable.sh
....


Tips and troubleshooting

DO NOT USE THE NETWORK BRIDGE FEATURE UNLESS YOU UNDERSTAND THE DESCRIPTION ABOVE AND HAVE BASIC COMPUTER NETWORK KNOWLEDGE.

  • 1. When troubleshooting, it's a good idea to turn off the OS firewall on each computer to save time.
  • 2. After changing the IPEnableRouter parameter in the registry on a Windows XP machine, you may sometimes need to reboot twice to make it work properly.
  • 3. Wireshark and tcpdump are the best tools for troubleshooting. When troubleshooting a site-to-site VPN, you may want to add some extra routes to meet your specific requirements.
  • 4. If your application requires broadcast packets, you may want to choose the "bridging" approach instead of "routing", which does not pass broadcast packets.
  • 5. If you use NeoRouter Professional (v1.1.3+), it is always a good idea to use the "Packet Filter" feature, which can drop unnecessary packets.
  • 6. If you use NeoRouter Free, it is suggested that you run the gateway on a dedicated server, as there will be a heavy workload of broadcast packets through the gateway.