advice re: bridging subnets?

cdatgnp

New Member
I want to bridge subnets from remote locations over the Internet, so that network devices in those separate subnets virtually reside in the same subnet. Communication over the Internet needs to be encrypted and secure.

The crux is that these subnets are behind dynamic IP addresses, so I would need a reliable way to create the connection, say through a server with a FQDN. Best would be if the FQDN server could establish a connection between the other subnets and allow the bridged clients to transfer data directly between each other without using the server's bandwidth, like peer-to-peer.

Can anyone suggest a way to go about this? FYI I'm not an IT pro but I like to learn, muddle around with scripting and programming now and then, and am recently getting my feet wet in Linux.
 

Cromewell

Administrator
Staff member
I'm trying to understand exactly what you're asking for. Do you have remote sites you need to tunnel to a central location? And your remote sites have dynamic IPs? The IP issue is relatively simple to work around.

Realistically, if you need the remote sites to talk directly to each other, have them communicate with your server to obtain the current IP address (say daily or whatever your DHCP lease is for) and update the IP they need to talk to in whatever application you are running. Since all the sites sound like they are visible to the internet you don't need to worry about updating routing tables or anything like that.

To encrypt the traffic, just use VPN.
 

cdatgnp

New Member
Cromewell and beers, thanks for the feedback! I'm not sure that either site is visible from the Internet, as they're both behind routers.

Our situation: A workstation at headquarters will run software that monitors a programmable logic controller (PLC). The workstation is connected through a dynamic IP address and behind a couple routers. The PLC is located at a remote site, also through a dynamic IP address and behind a couple routers. The monitoring software will automatically recognize and connect to a PLC on the same subnet, and I believe this is the only way to connect.

We have a couple VPN-capable routers, and we also have desktop computers on both subnets. Is it possible for me to set up a VPN node on a shared web host or something, and have both VPN routers connect to that node?

-Chris
 

Geoff

VIP Member
Sounds like you just need a VPN to connect the multiple sites together. Set up a VPN on both routers, or between a router and client if it's just one user. Having both the HQ and remote sites on the same subnet will cause major issues with DHCP, etc.
 

Cromewell

Administrator
Staff member
Yeah. A VPN definitely sounds like all you need.

Presumably your HQ has a static public IP address; the easiest way is to set up the VPN connections from the dynamic remote sites to a server in HQ.
 

Geoff

VIP Member
Using a VPN with a dynamic IP isn't a huge deal, just get a DDNS service and use a hostname instead of an IP to resolve the remote sites with dynamic IPs.
 

cdatgnp

New Member
It sounds like a VPN is the way to go. Thanks for the help, guys.

One thing that's bugging me is that I can't control the routing between HQ and the Internet, nor that between the site and Internet. So I am thinking of trying to run a VPN server on a shared web host or maybe a VPS. Any advice before I get going?
 

Geoff

VIP Member
It sounds like a VPN is the way to go. Thanks for the help, guys.

One thing that's bugging me is that I can't control the routing between HQ and the Internet, nor that between the site and Internet. So I am thinking of trying to run a VPN server on a shared web host or maybe a VPS. Any advice before I get going?
A VPN is a solution to the problem of not being able to control the environment between two or more remote sites. With a VPN it doesn't matter what is between the sites, what the ISP is doing for their routing, etc.; it will create a virtual network through the mess otherwise known as the internet, so that the two remote sites can operate just like they are on the same LAN.

I really don't see why you need to have a server involved.
 

cdatgnp

New Member
Our setup would look like this:
[our office computer] - [our VPN-capable office router] - [other co's router] - [other co's modem] - [Internet] - [another co's modem] - [another co's router] - [our VPN-capable on-site router] - [our PLC]

I want to be able to move or create new VPN connections without requiring anything from the "other co" or the "another co," and I don't know how you could make a connection between the VPN-capable routers without having the "other co" forward a port to our office router.

That's where I'm coming up with the idea of a separate VPN server behind a static IP. Is there a better way to go about this? Maybe I should just try it with the VPN routers where they are (*) and see if it works?

* In case this matters: for testing, I have the "on-site router" set up at my home, behind another router.
 

Geoff

VIP Member
Do you know for sure that this "other co" is blocking ports necessary for a VPN? If not, then there is no problem running a VPN behind another router as long as traffic can get to and from it; this would be the ideal solution. I don't have any experience using a server in the middle, so I'm no help there.
 

Cromewell

Administrator
Staff member
Presumably the server is the thing hosting the software that talks to the PLCs.

Even if this other company is blocking the normal ports, just tunnel it through a port that isn't blocked and you'll be fine.
 

cdatgnp

New Member
How would the VPNs be able to "find" each other without a node somewhere on a static IP address? I could point the routers to a FQDN that points to our office WAN IP address with FreeDNS Update; but I'm not sure how the other company's router would know to pass the message along to ours, so to speak.
 

Cromewell

Administrator
Staff member
This other company likely isn't blocking your VPN ports. If they are, as I said earlier, you can just set up tunnels (http://en.wikipedia.org/wiki/Tunneling_protocol).

Your offices have routes to the internet, correct? FreeDNS or whatever should be able to talk just fine over any number of routers; it does already when you browse the internet.
 

Geoff

VIP Member
How would the VPNs be able to "find" each other without a node somewhere on a static IP address? I could point the routers to a FQDN that points to our office WAN IP address with FreeDNS Update; but I'm not sure how the other company's router would know to pass the message along to ours, so to speak.
Each VPN would be set up with an IP, and updated using a DDNS updater so server1.yourhost.com would resolve to your dynamic IP. When you connect to server1.yourhost.com it resolves to your current IP, and it will communicate back to the address the request came from. The only requirement is that the port you're using on your VPN server can be accessed from the outside.
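The DDNS lookup Geoff describes, and the upstream-NAT check that decides whether two routers can tunnel directly or need a host in the middle, as an added example (not code from the thread or from any router vendor). Resolution is injected as a function so the script runs offline; the hostnames, addresses and sites below are constructed sample data, with TEST-NET ranges standing in for public addresses.

```python
"""Added example: resolve a peer's DDNS name at connect time, detect whether a
router sits behind another NAT (the situation the original poster is in), and
decide whether a direct site-to-site tunnel is possible.
Hostnames and addresses are constructed; TEST-NET ranges play public IPs."""
import ipaddress
from typing import Callable, Optional, Tuple

Resolver = Callable[[str], Optional[str]]

# Ranges a router may hold on its WAN side that the Internet cannot route to:
# RFC 1918, carrier-grade NAT (100.64/10), loopback and link-local. A WAN
# address in one of these means another NAT sits upstream of the router.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]


def is_routable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def peer_endpoint(hostname: str, port: int, resolve: Resolver) -> Tuple[str, int]:
    """What a router does with a DDNS name: resolve it when connecting and use
    whatever address it currently holds. A missing or LAN-side record is
    rejected instead of being dialled silently."""
    ip = resolve(hostname)
    if ip is None:
        raise LookupError(f"{hostname} does not resolve: DDNS record missing")
    if not is_routable(ip):
        raise ValueError(f"{hostname} -> {ip} is not reachable from the Internet")
    return ip, port


def behind_upstream_nat(router_wan_ip: str, observed_public_ip: str) -> bool:
    """Double NAT: the router's WAN address is non-routable, or differs from the
    address an outside host sees for this site. A VPN listener on the router
    is then unreachable unless the upstream device forwards the port."""
    return (not is_routable(router_wan_ip)
            or ipaddress.ip_address(router_wan_ip) != ipaddress.ip_address(observed_public_ip))


def plan_tunnel(site_a: dict, site_b: dict) -> Tuple[str, Optional[str]]:
    """Returns ("direct", initiator) when at least one side is reachable from
    the Internet (the NATed side dials it), or ("rendezvous", None) when both
    sides are behind an upstream NAT and each must dial out to a host with a
    public address, which is the VPS role discussed later in the thread."""
    a_nat = behind_upstream_nat(site_a["wan_ip"], site_a["public_ip"])
    b_nat = behind_upstream_nat(site_b["wan_ip"], site_b["public_ip"])
    if a_nat and b_nat:
        return "rendezvous", None
    # The NATed side must initiate; if neither is NATed, site_a initiates.
    initiator = site_b["name"] if (b_nat and not a_nat) else site_a["name"]
    return "direct", initiator


# Constructed sample data: the office router sits behind "other co's" router
# (private WAN address); the remote site's router faces the Internet directly.
DNS_TABLE = {
    "office.ddns.example": "203.0.113.5",
    "site.ddns.example": "198.51.100.20",
    "home.ddns.example": "192.168.0.7",   # updater pushed a LAN address by mistake
}
OFFICE = {"name": "office", "wan_ip": "192.168.1.10", "public_ip": "203.0.113.5"}
SITE = {"name": "site", "wan_ip": "198.51.100.20", "public_ip": "198.51.100.20"}
HOME = {"name": "home-test", "wan_ip": "192.168.0.7", "public_ip": "192.0.2.44"}


def lookup(hostname: str) -> Optional[str]:
    """Stand-in resolver; a real script would query DNS."""
    return DNS_TABLE.get(hostname)


if __name__ == "__main__":
    print(peer_endpoint("site.ddns.example", 500, lookup))
    print(plan_tunnel(OFFICE, SITE))   # office dials the site's DDNS name
    print(plan_tunnel(OFFICE, HOME))   # both NATed: a rendezvous host is needed
```

The WAN-address comparison is the quick way to confirm the thread's suspicion before any port testing: if the address on the router's WAN interface is not the one the outside world sees, port-forwarding on that router alone cannot expose its VPN listener.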
 

cdatgnp

New Member
Ok, I think you guys have really cleared up my confusion. I'm going to turn off my targeting computer and give it a shot.
 

cdatgnp

New Member
I set up the VPN but am getting no connectivity. I used the open port check tool at yougetsignal to test 50, 51, 500, and 4500 on our IP, and they are all closed by the other company. I have the "Tunnel" mode set - is that what is meant by setting up tunnels?

Edit: the site router is set up at my home with identical settings, except the FQDNs and subnet IPs are switched around.
Here are screenshots of the office router's IPsec policy settings:
20140624gnpvpnsettings.png
 

Geoff

VIP Member
Tunnel mode in the VPN config just means that all traffic will be routed over the VPN, so if the end user is working on documents from your office's server and is also surfing the web, that web traffic is going over the VPN. Generally you don't need or want a tunneled VPN unless you want all traffic to be secure between the sites. Otherwise normal internet traffic is just tying up bandwidth on both ends needlessly.

If the ports are closed, that is your issue. Cromewell was referring to using open ports for the VPN.
 

cdatgnp

New Member
Looks like I accidentally disabled my notifications for this thread, sorry guys. Since my last post, I have made some progress and come up with more troubles. I am setting up a VPS to act as a visible VPN node for the office and site to establish connection to. I've chronicled my troubles in this new thread, since it's much more specific to the software I'm trying to use now.

Cromewell, I think I understand what you mean by tunneling now. Unfortunately, the NAT routers on both ends seem to have all ports closed.

WRXGuy, thanks for clearing me up on the tunneling vs "tunnel" mode. P.S. I think tunnel mode should be OK for us; the VPN routers on the site and office ends have only the PLC and monitoring workstation in their respective subnets, so all the other traffic from the office is external.
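The hub-and-spoke layout this post settles on (a VPS that both NATed sites dial out to), expressed as a small configuration generator. This is an added example, not the poster's setup or any project's code: WireGuard is assumed as the VPN software since the thread does not name one, and the hostnames, subnets, port and placeholder keys are constructed.

```python
"""Added example: generate hub and spoke configs for a VPS-based VPN node.
WireGuard is an assumption; endpoint, subnets and <KEY> placeholders are
constructed sample data, not values from the thread."""
import ipaddress

TUNNEL_NET = ipaddress.ip_network("10.9.0.0/24")   # addresses inside the tunnel
HUB = {"endpoint": "vpn.example-vps.net:51820", "tunnel_ip": "10.9.0.1",
       "pubkey": "<HUB_PUBLIC_KEY>", "privkey": "<HUB_PRIVATE_KEY>"}
SPOKES = [
    {"name": "office", "tunnel_ip": "10.9.0.2", "lan": "192.168.10.0/24",
     "pubkey": "<OFFICE_PUBLIC_KEY>", "privkey": "<OFFICE_PRIVATE_KEY>"},
    {"name": "site", "tunnel_ip": "10.9.0.3", "lan": "192.168.20.0/24",
     "pubkey": "<SITE_PUBLIC_KEY>", "privkey": "<SITE_PRIVATE_KEY>"},
]


def hub_config(hub: dict, spokes: list) -> str:
    """The hub is the only listener, on one UDP port of the VPS. Each spoke's
    AllowedIPs is its tunnel address plus its LAN: that is both the route to
    the site and the cryptokey-routing rule, so a spoke sending packets with
    another site's source range has them dropped."""
    lines = ["[Interface]",
             f"Address = {hub['tunnel_ip']}/{TUNNEL_NET.prefixlen}",
             f"ListenPort = {hub['endpoint'].rsplit(':', 1)[1]}",
             f"PrivateKey = {hub['privkey']}",
             "# IP forwarding must be enabled on the hub to relay between sites."]
    for s in spokes:
        lines += ["", "[Peer]", f"# {s['name']}", f"PublicKey = {s['pubkey']}",
                  f"AllowedIPs = {s['tunnel_ip']}/32, {s['lan']}"]
    return "\n".join(lines) + "\n"


def spoke_config(spoke: dict, hub: dict, spokes: list) -> str:
    """A spoke has one peer, the hub, and sends the tunnel range plus every
    other site's LAN through it. The spoke initiates, so no inbound port is
    needed at the site; PersistentKeepalive refreshes the outbound NAT mapping
    so the hub can still reach a spoke that has been idle."""
    other_lans = [s["lan"] for s in spokes if s["name"] != spoke["name"]]
    allowed = ", ".join([str(TUNNEL_NET)] + other_lans)
    return "\n".join([
        "[Interface]",
        f"Address = {spoke['tunnel_ip']}/{TUNNEL_NET.prefixlen}",
        f"PrivateKey = {spoke['privkey']}",
        "",
        "[Peer]",
        f"PublicKey = {hub['pubkey']}",
        f"Endpoint = {hub['endpoint']}",
        f"AllowedIPs = {allowed}",
        "PersistentKeepalive = 25",
    ]) + "\n"


def route_for(dst_ip: str, spokes: list):
    """Which spoke's [Peer] on the hub carries a destination; None means the
    hub holds no route for it and the packet is dropped."""
    addr = ipaddress.ip_address(dst_ip)
    for s in spokes:
        if addr in ipaddress.ip_network(s["lan"]) or addr == ipaddress.ip_address(s["tunnel_ip"]):
            return s["name"]
    return None


if __name__ == "__main__":
    print(hub_config(HUB, SPOKES))
    for spoke in SPOKES:
        print(f"--- {spoke['name']} ---")
        print(spoke_config(spoke, HUB, SPOKES))
    print(route_for("192.168.20.15", SPOKES))   # site
```

Two consequences of this layout are worth keeping in mind. The hub decrypts each packet from one spoke and re-encrypts it for the other, so it sees the PLC traffic in the clear and has to be treated as part of the trusted network, not as a neutral relay; this is also why it is not the peer-to-peer arrangement the opening post hoped for. And because each site's LAN is routed, not bridged, the two subnets stay distinct, which sidesteps the DHCP problem Geoff raised but means the monitoring software's same-subnet discovery has to be checked against a routed path.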
 