Computer networking help needed
Topic author - Site Admin
- Posts in topic: 9
- Posts: 17787
- Joined: Wed Dec 22, 2004 9:31 pm
- Location: Friendswood, TX
Computer networking help needed
I knew this project was above my pay grade when I started. I just didn't know how far over my head. I learned enough Linux to get by; learned how to set up a VPS, register clients, etc., but now the repeaters/computers can't find each other on the VPN. It must be the way I'm setting up the IP addresses on the smart routers.
If there's a networking guru that would be willing to help this over-worked novice I'd really like to pick your brain!
Thanks,
Chas.
- Moderator
- Posts in topic: 2
- Posts: 5404
- Joined: Sun Jan 08, 2006 10:27 am
- Location: DFW
Re: Computer networking help needed
If you are using IPv6 addressing, try disabling it, and use IPv4.
Re: Computer networking help needed
Are you using static or dynamic IPs at the router?
Topic author - Site Admin
Re: Computer networking help needed
They are GL.iNet smart routers that automatically log into my VPS when turned on and create a tunnel. They have static LAN IP addresses that are assigned by the VPS.
Chas.
Topic author - Site Admin
Re: Computer networking help needed
I'm using IPv4 static LAN addresses.
Chas.
Moderator
Re: Computer networking help needed
That was my best shot. Good luck to you!
Re: Computer networking help needed
Charles L. Cotton wrote: ↑Sun Sep 13, 2020 11:29 am
They are GL.iNet smart routers that automatically log into my VPS when turned on and create a tunnel. They have static LAN IP addresses that are assigned by the VPS.
Chas.
Got it. Are you running this on Linux or Windows? May also try changing your home network to a different subnet (192.168.10.x).
- Senior Member
- Posts in topic: 5
- Posts: 490
- Joined: Mon Feb 25, 2008 2:58 pm
- Location: Friendswood, TX
Re: Computer networking help needed
I have set up a number of VPNs, although not with Linux. My experience is with Check Point. That said, the principles are the same.
You have two devices (gateways) connected to the Internet at different locations, each with its own static IP address. I am going to make some assumptions at this point.
You have a private network behind each device with the public static IP address. You wish to route traffic from the private network behind one gateway to a destination inside the private network behind the other gateway. The gateways have the VPN feature built in.
First some concepts. Private IP addresses (192.168.x.x and others - see RFC1918) cannot be routed through the Internet. If you try, your ISP will drop the packets. In order to access the Internet from a private IP address, your gateway performs Network Address Translation (NAT) to substitute its own public IP address (either static or dynamic) for your private IP address.
A VPN must be able to route your private IP address from one private network to another private network. It does so by setting up a "tunnel" between the two gateways. It routes packets using its own public IP address in such a way that the remote gateway can disassemble the packet and route the packets internally.
The gateways must also know which private IP addresses belong to which gateway, so it knows where to route private traffic. It does this by use of an encryption domain and VPN routing. Each gateway must have its own unique encryption domain (i.e., set of private IP addresses).
Beyond that the two gateways must have a mutually agreed upon method of creating the tunnel. There is a lot that goes into tunnel creation that I cannot comment on without knowing more about the specific gateways. Things to look for are shared secret, data integrity, encryption method, etc.
The gateways might make tunnel creation transparent. It might be that you just need to address the encryption domains and the NAT. The first thing I would look at is to make sure you are not using the same private IP addresses behind the two gateways. The next thing I would dig into is the NAT configuration. It must be disabled within the VPN tunnel, then VPN routing.
That is a lot to digest. I hope it helps.
Revolver - An elegant weapon... for a more civilized age.
NRA Endowment Life Member
TSRA Life Member
Re: Computer networking help needed
dhoobler wrote: ↑Sun Sep 13, 2020 3:28 pm
I have set up a number of VPNs, although not with Linux. My experience is with Check Point. That said, the principles are the same. [...]
^^^ THIS ^^^
I'm so rusty that I hate to venture an opinion, but Windows, Linux, OS X, Aldebaran binary ???. I don't think any computer OS has much to do with routing. What happens to the packets after they get there, oh yeah. I ran the Windows, Mac, and Linux servers to handle the data that came in over the VPNs. I relied on the Cisco pros at my place of business to get the VPN working, so never had my limits pushed. (Or likely reached my potential.) I just called in the experts. They solved every problem with the Cisco command line.
dhoobler sounds to me like he knows his stuff.
Topic author - Site Admin
Re: Computer networking help needed
dhoobler wrote: ↑Sun Sep 13, 2020 3:28 pm
I have set up a number of VPNs, although not with Linux. My experience is with Check Point. That said, the principles are the same. [...]
Thanks for the very detailed explanation and I do understand it.
I suspect the private IP addresses are the problem. The VPS is Linux and I executed several scripts to set it up. One of those scripts set up variables including the IPv4 IP range. I used 192.168.73.0 -- 255.255.255.0. Another script assigns static private IP addresses to the database for each client. Yet another script creates what I call certificates for each client that is imported into the GL.iNet routers. When I check the VPN settings in the routers, it shows the static IP addresses I assigned to that client on the VPS. It also shows a small amount of traffic between the router and the server.
The first two repeaters were assigned 192.168.73.2 and 192.168.73.3. Based upon your explanation, I suspect this is the problem, but I don't know how to fix that. The only IPv4 range I set up on the VPS was 192.168.73.0. (The set-up instructions only required creating one IP range for IPv4.) If I understand correctly, one router needs to be assigned 192.168.73.0 and the other must have 192.168.x.0. Both should have 255.255.255.0 as the subnet mask.
Another issue is getting from the router with its static private IP address to the connected repeater. Each repeater has a private IP address that was initially assigned by DHCP, but I made that a static LAN IP address. I then opened two ports and forwarded them to the appropriate repeater IP address. (The ports opened and forwarded were the default for VPNs and a specific port used by the Yaesu software for its repeaters.) Is this part of the process correct?
(Only one static WAN IP address was assigned with the VPN subscription.)
Thanks again,
Chas.
Senior Member
Re: Computer networking help needed
I do not know about your repeaters. I cannot comment on whether or not they are interfering with the VPN function. I can offer an explanation about IP addresses.
The relationship between IP address and subnet mask can be confusing. An IP address is a string of 32 bits. The dots are for human consumption. Your computer does not see them.
The 32 bits of the IP address is split between a network part and a host part. The split between the two is determined by the subnet mask.
There are three standard subnet masks, 255.0.0.0 (class A), 255.255.0.0 (class B) and 255.255.255.0 (class C). The bits in the subnet mask that are 1 indicate that the corresponding bit in the IP address is the network part of the IP address. The zeros indicate the host part. As an example, your IP address, 192.168.73.2 with subnet mask 255.255.255.0 looks like this: 11000000101010000100100100000010. The network part is 110000001010100001001001. The host part is 00000010. If the subnet mask had been 255.255.255.128, the network part would be 1100000010101000010010010 and the host part would be 0000010. The subnet mask must be a contiguous string of 1's followed by a contiguous string of 0's. 255.0.255.255 would be an illegal subnet mask.
There is no rule that says that the subnet mask must be standard, Class A, B or C. A subnet mask of 255.255.255.128 is perfectly legal. It would split a class C network into two subnets, each of which had 128 IP addresses.
The first IP address of a subnet is used for routing. It cannot be assigned to a host. The last IP address of the subnet is the broadcast address. It cannot be assigned to a host. In your example, 192.168.73.0 with subnet mask 255.255.255.0, the broadcast address is 192.168.73.255. If you made the subnet mask 255.255.255.128, the broadcast would be 192.168.73.127. You would be limited to addresses in the range of 192.168.73.1-126.
A host directly communicates only with other devices within its own subnet. It actually uses a MAC address, not IP address to communicate. Your computer maintains an ARP table (Address Resolution Protocol) to translate between IP address and MAC address. If you are sending to an IP address outside of your own subnet, your computer either sends to a dedicated route or (more likely) to the default gateway. If you want to see your computer's default gateway, open a CMD window and enter ipconfig /all. While you are there, you can view your ARP table by entering arp -a.
You might be able to change your subnet mask to 255.255.255.128 and use 192.168.73.x behind both gateways. You would use 192.168.73.1-126 behind one and 192.168.73.129-254 behind the other. 192.168.73.0, 192.168.73.127, 192.168.73.128 and 192.168.73.255 would not be usable because they are network addresses and broadcast addresses. I don't know how you would accomplish this, given your configuration was done by script.
Senior Member
Re: Computer networking help needed
Another thing to think about. Do you have VLANs configured? Improperly configured VLANs can be difficult to troubleshoot.
Topic author - Site Admin
Re: Computer networking help needed
dhoobler wrote: ↑Sun Sep 13, 2020 5:30 pm
I do not know about your repeaters. I cannot comment on whether or not they are interfering with the VPN function. I can offer an explanation about IP addresses. [...]
I was able to edit the file and changed the subnet mask to 255.255.255.255 since I only need one IP address for the router. However, I think the new IP address I assigned to each router may be a problem. I used 192.168.73.200 for one and 73.250 for the other.
Also, can the fact that the GL.iNet router is behind my Tenda home router cause a problem? I opened the required ports on the Tenda router as well.
Chas.
Re: Computer networking help needed
Charles, I don’t think 255.255.255.255 will work since nothing else can exist, only one host. You need at least /30 (255.255.255.252) and that will give you two hosts. More common is /24 (255.255.255.0) with host range 192.168.73.1 - 192.168.73.254.
Are you able to see them with ARP scan (arp-scan -l)? You can install ARP scan package with sudo apt install arp-scan on Ubuntu.
Without seeing the actual configs it’s hard to tell, but maybe adding 10.8.0.0/24 to the route table will work (sudo ip route add 10.8.0.0/24 via “whatever your default gateway IP is”).
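A worked version of the subnet arithmetic dhoobler lays out above (mask bits, network and broadcast addresses, usable host range, splitting a /24 into two /25s), which also covers his earlier point that the private range behind each gateway must not overlap the other, and parabelum's note that a 255.255.255.255 mask leaves no room for hosts while /30 leaves two. This is an added example, not code posted by anyone in the thread: the addresses are the 192.168.73.x ones quoted above, the function names are my own, and it uses only the Python standard library ipaddress module.

```python
import ipaddress


def mask_is_contiguous(mask: str) -> bool:
    """A valid IPv4 mask is a run of 1-bits followed by a run of 0-bits.

    255.0.255.255 fails this test; 255.255.255.128 passes.
    """
    bits = int(ipaddress.IPv4Address(mask))
    inverted = (~bits) & 0xFFFFFFFF
    # For a contiguous mask the inverted value is 2**n - 1, so inverted & (inverted + 1) == 0.
    return (inverted & (inverted + 1)) == 0


def mask_to_prefix(mask: str) -> int:
    """Dotted-quad mask -> prefix length (255.255.255.0 -> 24). Rejects non-contiguous masks."""
    if not mask_is_contiguous(mask):
        raise ValueError(f"{mask} is not a valid subnet mask")
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def to_bits(ip: str, prefix: int) -> tuple:
    """Split the 32-bit address into (network part, host part) as bit strings."""
    bits = format(int(ipaddress.IPv4Address(ip)), "032b")
    return bits[:prefix], bits[prefix:]


def describe(ip: str, mask: str) -> dict:
    """Network, broadcast and usable host range for ip/mask.

    Uses the classic rule from the thread: the first address (network) and the last
    (broadcast) are not assignable, so a /32 yields zero usable hosts and a /30 two.
    """
    prefix = mask_to_prefix(mask)
    net = ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False)
    usable = max(net.num_addresses - 2, 0)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefix": prefix,
        "first_host": str(net.network_address + 1) if usable else None,
        "last_host": str(net.broadcast_address - 1) if usable else None,
        "usable_hosts": usable,
    }


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """True if the two hosts would talk directly (via ARP); False if traffic must go to a gateway."""
    prefix = mask_to_prefix(mask)
    net_a = ipaddress.IPv4Network(f"{ip_a}/{prefix}", strict=False)
    net_b = ipaddress.IPv4Network(f"{ip_b}/{prefix}", strict=False)
    return net_a == net_b


def split(network: str, new_prefix: int) -> list:
    """Carve a network into equal subnets, e.g. 192.168.73.0/24 -> two /25s."""
    return [str(s) for s in ipaddress.IPv4Network(network).subnets(new_prefix=new_prefix)]


def overlapping_domains(ranges: list) -> list:
    """Return every pair of encryption domains (CIDR strings) that overlap.

    Two gateways advertising the same private range is the first thing dhoobler says
    to rule out; an empty result means the routing decision is unambiguous.
    """
    nets = [ipaddress.IPv4Network(r) for r in ranges]
    clashes = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i].overlaps(nets[j]):
                clashes.append((str(nets[i]), str(nets[j])))
    return clashes


if __name__ == "__main__":
    # Constructed inputs: the addresses and masks discussed in the thread.
    for ip, mask in [
        ("192.168.73.2", "255.255.255.0"),
        ("192.168.73.2", "255.255.255.128"),
        ("192.168.73.200", "255.255.255.255"),
        ("192.168.73.200", "255.255.255.252"),
    ]:
        print(ip, mask, describe(ip, mask))
    print("192.168.73.2 /24 bits:", to_bits("192.168.73.2", 24))
    print("split /24 ->", split("192.168.73.0/24", 25))
    print("clash when both sides use the same range:",
          overlapping_domains(["192.168.73.0/24", "192.168.73.0/24"]))
    print("no clash with the two /25 halves:",
          overlapping_domains(["192.168.73.0/25", "192.168.73.128/25"]))
```

Running it shows the two halves dhoobler proposes (192.168.73.0/25 with hosts .1-.126 and 192.168.73.128/25 with hosts .129-.254), flags the same /24 on both sides as a clash, and reports zero usable hosts for the 255.255.255.255 mask Charles tried, which is parabelum's objection in numbers.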
Senior Member
Re: Computer networking help needed
I concur with parabelum that you cannot use a subnet mask of 255.255.255.255. If you could post a sketch of the network with IP addresses, I might get a better handle on your configuration.