Routing Tables and some other questions ...
Sep 26 07 9:05 pm
hi.
We are having a "masternode" based network, and every clients may talk to any other client. All Clients are allways connected to MasterNode.
We are not using any Windows networking, only IP routing.
This is a great functionnality, but sometimes, some clients are unable to communicate to others. The only issue is to disconnect/connect one of them from masterNode and then everything goes fine.
As far as we are about de deploy about +100 clients all over the world (we are now having 20), this may become very injury.
It seems like the routing table of these clients have disapear somewhere. It makes the all system quite unstable.
Is there a way to show all routing tables of a Wingate Engine (without checking one by one with the treeview) ?
It could also be nice for each client to give a reachability report of each learnedVPN (by sending a test sequence in the crypted data chanel,or any other way ...) ( ... and send it to masternode ?!)
It could also be nice to have a command line facily like :
wingate -connect myVPN1
wingate -disconnect myVPN1
wingate -connect ALL
wingate -disconnect ALL
wingate -restart
...
Are you about to release a new version in the few day / month ?
Thanks and sorry for my poor english ...
Best regards
Jeff
We are having a "masternode" based network, and every clients may talk to any other client. All Clients are allways connected to MasterNode.
We are not using any Windows networking, only IP routing.
This is a great functionnality, but sometimes, some clients are unable to communicate to others. The only issue is to disconnect/connect one of them from masterNode and then everything goes fine.
As far as we are about de deploy about +100 clients all over the world (we are now having 20), this may become very injury.
It seems like the routing table of these clients have disapear somewhere. It makes the all system quite unstable.
Is there a way to show all routing tables of a Wingate Engine (without checking one by one with the treeview) ?
It could also be nice for each client to give a reachability report of each learnedVPN (by sending a test sequence in the crypted data chanel,or any other way ...) ( ... and send it to masternode ?!)
It could also be nice to have a command line facily like :
wingate -connect myVPN1
wingate -disconnect myVPN1
wingate -connect ALL
wingate -disconnect ALL
wingate -restart
...
Are you about to release a new version in the few day / month ?
Thanks and sorry for my poor english ...
Best regards
Jeff
Oct 27 07 12:32 pm
Hi Jeff
sorry this question has gone so long unanswered.
When you have a large VPN with many nodes, you will end up with many routes. especially when each node is able to communicate with all the others. This can slow down packet processing due to the route lookups.
I wonder whether it would be better in your case to have several master nodes, and interconnect them. Do all nodes really need to communicate with every single other one?
We've got a few large networks we know of out there (like one of 175 nodes), but they aren't using node-node communications, just all back to the central node.
I like your other ideas. We've played with the idea of training sequences before as well (to determine latency, MTU etc).
sorry this question has gone so long unanswered.
When you have a large VPN with many nodes, you will end up with many routes. especially when each node is able to communicate with all the others. This can slow down packet processing due to the route lookups.
I wonder whether it would be better in your case to have several master nodes, and interconnect them. Do all nodes really need to communicate with every single other one?
We've got a few large networks we know of out there (like one of 175 nodes), but they aren't using node-node communications, just all back to the central node.
I like your other ideas. We've played with the idea of training sequences before as well (to determine latency, MTU etc).
Nov 28 07 6:34 am
Thanks for your reply. (and sorry for my late answer !!!)
I'm also having some questions about the firewall and again routing.
(sorry, living with wingate vpn 24/7 !!)
I'm having this kind of network (nothing particular):
AS I would like to manage the CISCO router thru the VPN, I forced the publishing of the complete Wingate EXT LAN. (not published by default)
I add a static routes in the CISCO Router :
router management machine => Wingate EXT interface.
(router management Machine is reachable thru a VPN)
And then .... it works !!!! ;-))
without changing the wingate firewall settings !! (only UDP Data chanel Port allowed.). Router can also initiate trafic to management machine.
Then, as far as a telnet traffic comes from the "EXTERNAL" interface, the firewall doesn't seem, in this case, to stop this traffic. (telnet not allowed)
Is this because I forced ext LAN to be published ? (and so Wingate consider it's a trusted IP, and then bypass the Firewall ?).
I'm also having some questions about the firewall and again routing.
(sorry, living with wingate vpn 24/7 !!)
I'm having this kind of network (nothing particular):
AS I would like to manage the CISCO router thru the VPN, I forced the publishing of the complete Wingate EXT LAN. (not published by default)
I add a static routes in the CISCO Router :
router management machine => Wingate EXT interface.
(router management Machine is reachable thru a VPN)
And then .... it works !!!! ;-))
without changing the wingate firewall settings !! (only UDP Data chanel Port allowed.). Router can also initiate trafic to management machine.
Then, as far as a telnet traffic comes from the "EXTERNAL" interface, the firewall doesn't seem, in this case, to stop this traffic. (telnet not allowed)
Is this because I forced ext LAN to be published ? (and so Wingate consider it's a trusted IP, and then bypass the Firewall ?).
Nov 29 07 12:04 pm
And as far as I'm reporting some bugs I just found a new one.
I'm using scheduler functionnality.
I can launch some apps, or send a reboot command using the remote controle service (by-the-way command shell functionnality is great !)
When adding an 'execute commandline' action , I fill the command line I need, then I save. All is OK. But when I re-open schedule event properties, the action is still there, but when I want to see wich command line I entered (double-clic) It says the action is "Reminder" !!!
It seems the problem is on every actions from "execute commandline" and above. A double click doesn't fill the "Action" Combo properly. (There is a 2 combo 'listindex' mistake).
Having the same problem with the connect VPN / Disconnect VPN action.
As far as clicking another time on the "OK" button changes the original action !!
another question : when launching a command line , it seems that the task is launched as the SYSTEM 'user'. isn't it ?
I'm using scheduler functionnality.
I can launch some apps, or send a reboot command using the remote controle service (by-the-way command shell functionnality is great !)
When adding an 'execute commandline' action , I fill the command line I need, then I save. All is OK. But when I re-open schedule event properties, the action is still there, but when I want to see wich command line I entered (double-clic) It says the action is "Reminder" !!!
It seems the problem is on every actions from "execute commandline" and above. A double click doesn't fill the "Action" Combo properly. (There is a 2 combo 'listindex' mistake).
Having the same problem with the connect VPN / Disconnect VPN action.
As far as clicking another time on the "OK" button changes the original action !!
another question : when launching a command line , it seems that the task is launched as the SYSTEM 'user'. isn't it ?
Nov 29 07 1:08 pm
I just found some kind of issue for my 'router' management problem.
As I do not want to publish the entire EXT lan thru the VPNs, I just add a persistent routing rule in the WinGate host machine :
Something like :
C:\>route ADD 192.168.11.1 MASK 255.255.255.255 192.16.11.1 -p (Wingate EXT IP : 192.168.11.2 & Router LAN IP : 192.168.11.1)
Usually, this kind of routing is quite stupid, but in this case, and as wingate is looking to local machine routing rules, I can force publishing the .1 address only from the EXT LAN thru the VPNs ....
I just added many ACLs and route-maps in the CISCO router to improve security (=> prevent anyone spoofing the .1 trusted IP)
Only this address is considered as 'trusted' (I think so, because still no FireWall drops). Any other IP from the EXT Lan may be then considered as "Dangerous".
As I do not want to publish the entire EXT lan thru the VPNs, I just add a persistent routing rule in the WinGate host machine :
Something like :
C:\>route ADD 192.168.11.1 MASK 255.255.255.255 192.16.11.1 -p (Wingate EXT IP : 192.168.11.2 & Router LAN IP : 192.168.11.1)
Usually, this kind of routing is quite stupid, but in this case, and as wingate is looking to local machine routing rules, I can force publishing the .1 address only from the EXT LAN thru the VPNs ....
I just added many ACLs and route-maps in the CISCO router to improve security (=> prevent anyone spoofing the .1 trusted IP)
Only this address is considered as 'trusted' (I think so, because still no FireWall drops). Any other IP from the EXT Lan may be then considered as "Dangerous".