Koozali.org formerly Contribs.org

access from external av server to clients in different locations

Hi,

I'd like to enable our "external" anti virus and deployment servers to access clients connected to SME servers in different locations.

The SME servers' internal IPs are 192.168.1.1 at location 1, 192.168.2.1 at location 2 and so on.
The clients (between two and a dozen) have IPs 192.168.1.x, 192.168.2.x and so on.

The anti-virus server is on the network that is external as seen from the SME servers (i.e. 10.1.x.x) - it is still internal within another LAN, connecting SMEs ("external") and other machines.

How can I let the anti virus server and deployment servers get in contact to the clients in the different locations?
The clients can connect to the av and to the deployment machine.

I've already looked through different approaches, but to my understanding they seem not to fit, i.e. the chapter "remote access" is rather for accessing the server itself or a single client via a single port.

Remote Access: http://www.sme-server.de/doku/6.01/chpt-11.1.html

Thanks for saving me from even more headache.
« Last Edit: May 08, 2020, 06:15:02 AM by drestof »

Offline mmccarn

Re: access from external av server to clients in different locations
« Reply #1 on: May 08, 2020, 01:23:23 PM »
If your network looks like the diagram below, and if you want to solve the problem using network routing, you need:

- a 'local network' definition on SME1 for 192.168.2.x with gateway 10.1.c.d
- a 'local network' definition on SME2 for 192.168.1.x with gateway 10.1.a.b
- routes either in "Router" or "antivirus server"
  - 192.168.1.x -> 10.1.a.b
  - 192.168.2.x -> 10.1.c.d

...plus extra firewall rules if you want to restrict access from the 10.1.x.x network to the two client networks.

Code:
     Internet
        |
     Router [LAN 10.1.x.x]
        |
        |-----[antivirus server 10.1.x.x]
       / \
      /   \
   SME1  SME2 [WAN IP 10.1.c.d]
    |         [LAN 192.168.2.x]
    |
    [WAN IP 10.1.a.b]
    [LAN 192.168.1.x]


Alternatively, you might be able to make changes to [antivirus server] to get what you need:
- Add virtual or physical network interfaces and connect them to the 192.168.1.x and 192.168.2.x networks
- Create VPNs on [antivirus server] connecting to SME1 and SME2

Finally, if your antivirus server supports client-initiated connections you might not need any of this.

[edit]swapped SME1, SME2 wanIPs
« Last Edit: May 08, 2020, 01:25:23 PM by mmccarn »

Offline ReetP

Re: access from external av server to clients in different locations
« Reply #2 on: May 08, 2020, 05:14:43 PM »
As suggested, add local network is probably the way to go.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Re: access from external av server to clients in different locations
« Reply #3 on: May 10, 2020, 09:04:47 AM »
Big thanks to you, I will go with this.

The Antivirus indeed should work this way (client initiated connection), but doesn't seem to work too reliably this way.
Clients sometimes take hours to appear in the Antivir Server Console to be registered there, or they don't appear at all on another system. I'd not like this to happen in the next system as well.
« Last Edit: May 10, 2020, 09:09:53 AM by drestof »

Re: access from external av server to clients in different locations
« Reply #4 on: May 28, 2020, 03:14:12 PM »
The SMEs, service servers (antivirus, deployment, more to come) are placed on different remote edu locations.
So a further LAN interface is not practicable. Also all the SMEs and the "service servers" can be found within the same subnet.

It is as more like this:

Code:
     Internet
        |
     Router & Firewall [LAN 10.1.x.x]
        |
        |-----[antivirus server 10.1.1.50]
        |-----[deployment server 10.1.1.51]
       / \
      /   \
     /     \
    |        SME2 [WAN IP 10.1.1.2]
    |                 [LAN 192.168.2.x]
    | SME1
    [WAN IP 10.1.1.1]
    [LAN 192.168.1.x]

Since each client behind SME1, SME2... does have a unique(!) IP, depending on the SME server's IP (SME3 would have 10.1.1.3 and its clients 192.168.3.x), I can tell the service servers behind which SME what client can be found.

Now (sadly still) I'd like to enable the service servers to (initially) access the clients behind SME1, SME2, SME3...
Since I spent some time figuring out what the iptables clockwork is doing, my respect is growing...

Before I even can think about using SME's methods as listed in:
https://wiki.contribs.org/Firewall#Open_Ports_in_Private_Server.2FGateway_Mode

I have questions about how to enable the communication from the service servers:

1. iptables -I INPUT 2 -i eth1 -s 10.1.1.50 -j ACCEPT
2. how to forward this to the clients?
3. does there have to be a NAT thing?
4. and how to properly return answers i.e. a ping from 10.1.1.50 to client 192.168.1.10 behind SME 10.1.1.1?

If I at least could do so, in the next step I could worry about how to realize this without the thought of misusing init.d or cronjobs to get this behaviour into iptables.

p.s.: Tried adding a local network via the server-manager, but (I shouldn't wonder, should I?) I haven't been able to add the server's external IP range as an internal network, since the "service servers" are right within this range. I got something like (translated) "Error: the Router-Address can not be accessed from the internal network."

p.p.s. Would a VPN make any of this more simple? I rather see a solution in the iptables configuration.

Offline ReetP

Re: access from external av server to clients in different locations
« Reply #5 on: May 29, 2020, 12:33:54 AM »
I think you just need to get your Local Networks setup correctly.

That should automagically fix your iptables.

However, I think your issue might be that your basic network layout is flakey.

The WAN IP addresses of SME 1 & 2 should be on different subnets eg

SME 1
10.1.1.0 -> 10.1.1.1/32 gateway ip 10.1.x.x

SME 2
10.1.2.0 -> 10.1.2.1/32 gateway ip 10.1.x.x

You can then set the local networks like:

192.168.1.x/24 gateway/router 10.1.2.1
192.168.2.x/24 gateway/router 10.1.1.1


Offline mmccarn

Re: access from external av server to clients in different locations
« Reply #6 on: May 29, 2020, 01:08:30 PM »
Code:
     Internet
        |
     Router & Firewall [LAN 10.1.x.x]
        |
        |-----[antivirus server 10.1.1.50]
        |-----[deployment server 10.1.1.51]
       / \
      /   \
     /     \
    |        SME2 [WAN IP 10.1.1.2]
    |                 [LAN 192.168.2.x]
    | SME1
    [WAN IP 10.1.1.1]
    [LAN 192.168.1.x]

It looks from your diagram like you have other 10.1.x.x networks (other than 10.1.1.x with the two AV servers).

1) Routing on SME1 & SME2
You need to open the firewalls and disable masquerading between 192.168.1.x, 192.168.2.x and 10.1.1.50 and 10.1.1.51.  The easiest way to do this is in SME to create a "Local Network".

I don't know for sure that this will work, but if you can create local networks for each single IP you'll have less firewall cleanup to deal with:
So:
Create two local networks on each SME:
a) 10.1.1.50 / 255.255.255.255 / gw: 10.1.1.50
b) 10.1.1.51 / 255.255.255.255 / gw 10.1.1.51

Technically, if the WAN IP for SME[12] is 10.1.x.x/255.255.0.0, you should create a 'local network' for this entire network, with the gateway pointing to your router.  However, this opens all systems behind your SME servers to any traffic from any system on any of your 10.1.x.x networks - which might not be what you want...

2) Routing on 10.1.1.x
Make sure that 10.1.1.50 and 10.1.1.51 can reach 192.168.[12].x
You can do this in either of these two ways:
a) Add local routes to each antivirus server
b) Add local routes on the router (but if you do this you may need another 'local network' on each SME to allow traffic from the router/firewall...)
Either way, both antivirus systems need to know that if they want to reach 192.168.1.x, they need to send their packets to 10.1.1.1, and if they want to reach 192.168.2.x the packets need to go to 10.1.1.2

3) Firewalls on the antivirus servers
Your antivirus servers need to be told to allow traffic from 192.168.[12].x, but their default settings may be blocking this traffic

4) Firewalls on LAN workstations
The workstations on 192.168.[12].x may be blocking traffic from outside their local network, and may need to be adjusted.

If the antivirus servers only need to protect the workstations behind the SME servers, your configuration gets much simpler if you move both of them behind one of the SMEs.

For example - if you move the antivirus servers behind SME1 with IPs 192.168.1.50, 192.168.1.51, then you only need to tell the two SME servers to route traffic back and forth (create a local network on SME1 for 192.168.2.x / 255.255.255.0 / gw 10.1.1.2, then create a local network on SME2 for 192.168.1.x / 255.255.255.0 / gw 10.1.1.1).  However, this also removes any isolation between 192.168.1.x and 192.168.2.x...

Yet another solution -
I've solved similar issues in the past by putting a cheap router in the middle with the router WAN interface on the SME LAN:

192.168.1.x router:
- LAN DHCP Disabled
- WAN IP 192.168.1.50, connected to SME1 LAN
- LAN IP 10.1.1.x
- Antivirus traffic directed to 10.1.1.50
- Deployment traffic directed to 10.1.1.51
- Routes on 10.1.1.50 and 10.1.1.51 directing traffic for 192.168.1.x to the LAN ip of the router

192.168.2.x router:
- same as above

And finally - give us the specific antivirus and deployment server info and we'll check for other options...
« Last Edit: May 29, 2020, 01:12:57 PM by mmccarn »

Offline ReetP

Re: access from external av server to clients in different locations
« Reply #7 on: May 29, 2020, 04:05:01 PM »
Quote
However, this opens all systems behind your SME servers to any traffic from any system on any of your 10.1.x.x networks - which might not be what you want...

That's essentially why I would probably break it up and separate SME 1 and SME 2 onto different subnets.

Easier to control.

Even maybe leave the AV and deployment boxes on 10.1.1.x, put SME 1 on 10.1.2.x and SME 2 on 10.1.3.x

They can both use 10.1.1.x as their gateway with the correct gateway subnet mask, and route their own internal networks to each other via Local Networks.

There may be a thousand reasons why this is not a good idea :-)

Re: access from external av server to clients in different locations
« Reply #8 on: June 02, 2020, 04:47:44 AM »
Thanks to you for your quick and comprehensive answers.

Trying to tell long things short:

I didn't transfer the representation of the IPs properly before: indeed each location differs in the third octet.
A slight exception in the layout is, call it Location3, where in addition to the SME3 server the "service machines" (AV, PDQdeploy deployment and a yet to come...) are located. By now not behind SME3. And the additional SME Test server uses differing IPs external and internal.

Root of my main problem has been not to understand the way the "add network" is meant to be used.
Docu feels a little bit thin in relation to my knowledge foundation.

Trying to add the deployment server 10.1.3.51 to the "add network" definition to SME 9.2 Test Server:

network address 10.1.3.0
Subnet-Mask 255.255.255.255
Router description 10.1.3.51   (translated straight back from german)

is not accepted ("router address can not be accessed from internal network - network not created"), so to my understanding an internally attached router is required as the third parameter?

This input is accepted:

network address 10.1.3.0
Subnet-Mask 255.255.255.255
Router description 192.168.99.1   (translated straight back from german)

Actually I believe attaching a properly configured router/switch to each SME's internal network might be the only way of using "add network". Sadly, since this would mean having to get and configure more than two dozen routers for the locations' SMEs. Yet a solution.


Code:
    Internet
         |
     Router & Firewall [LAN 10.1.x.x]
         |
        /\\
       /  \ \
      /    \  \
     /      \   Location3 (where the service servers are found)
    /        \      |--[antivirus server 10.1.3.50], [linux AD Server]
   /          \     |--[deployment server 10.1.3.51]
  |            \    |--[SME 9.2 Test server [WAN IP 10.1.3.99]
  |             |   |                                  [LAN 192.168.99.1]
  |             |   | SME3 [WAN IP 10.1.3.1]
  |             |             [LAN 192.168.3.x]
  |             |
  |             Location2
  |             SME2 [WAN IP 10.1.2.1]
  |                      [LAN 192.168.2.x]
  Location1
  SME1
  [WAN IP 10.1.1.1]
  [LAN 192.168.1.x]

The clients behind the SMEs of the locations already can access the "Service Servers" found on "Location 3".
Challenge, as told, is the opposite.

Via route ADD 192.168.3.0 MASK 255.255.255.0 10.1.3.99 I tell the deployment server (a Windows 10 machine) to find a bunch of clients (192.168.99.x) behind the SME 9.2 Test Server's WAN 10.1.3.99

And yes, thank you for pointing out to make servers and clients on each side of the SMEs reachable by ping, reetp.

Offline mmccarn

Re: access from external av server to clients in different locations
« Reply #9 on: June 02, 2020, 01:27:24 PM »
Remote IP & Netmask
With a netmask of 255.255.255.255 you need to specify the individual IP, not a network address.

Instead of 10.1.3.0/255.255.255.255, create two rules - one for 10.1.3.50/255.255.255.255 and another for 10.1.3.51/255.255.255.255.

Otherwise, use a netmask of "255.255.255.0" to allow "local" access from the SME to everything from 10.1.3.1 - 10.1.3.254

As specified in your last post, you are creating a route that only affects the single computer with IP address 10.1.3.0.


gateway
The gateway needs to have an IP that can already be reached by the SME server.

The device with the specified 'gateway' IP must know how to reach the IP or network specified in the 'local network' definition.

In your case the gateway IP for each 'local network' should be on the SME WAN interface, but it could also be on the SME LAN interface.

routes are bidirectional
Don't forget that you cannot possibly solve this with changes made only on the sme server.  If you create a custom route on the SME server to get to a device, then you need a corresponding route on the device to get the return traffic back to the correct SME server.

Otherwise - if you only create a route on a SME server -  the SME lan traffic will get to the AV server, but the AV server's reply will go to its own default gateway instead of back to the desired SME WAN port.

Masquerading solves this by making all the traffic from the SME LAN look like it's coming from the WAN - so the return traffic goes back to the WAN.  This is great for client-initiated traffic, but does not work when traffic needs to be initiated from the device on the WAN side, or if the WAN-connected device (the AV servers) need to differentiate between different LAN IPs.  From the AV server's perspective, all of the LAN systems have the same IP.


Another option
If Router & Firewall [LAN 10.1.x.x] has (or can be configured with) the routes needed for your SME LANs, then you can use the default router as the gateway for all of the 'local network' definitions.

That is, if the routing table on Router & Firewall [LAN 10.1.x.x] looks like this:
Default -> Internet
LAN -> 10.1.x.x
192.168.1.0/255.255.255.0 ->10.1.1.1
192.168.2.0/255.255.255.0 -> 10.1.2.1
192.168.3.0/255.255.255.0 -> 10.1.3.1

Then the 'local network' definitions on SME1 and SME2 would look the same:
SME1, SME2 'local network'
  10.1.3.50/255.255.255.255 -> 10.1.x.x (the actual LAN IP of Router & Firewall [LAN 10.1.x.x])
  10.1.3.51/255.255.255.255 -> 10.1.x.x (the actual LAN IP of Router & Firewall [LAN 10.1.x.x])
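To make the "routes are bidirectional" and masquerading points above concrete, here is an added Python simulation (not from this thread, and not SME Server code) that routes a ping request and its reply through the thread's SME1 / router / AV-server layout under the configurations discussed. The router's LAN IP 10.1.0.1 on a 10.1.0.0/16, the client 192.168.1.10 and 203.0.113.0/24 as the Internet side are assumed; the SME behaviour modelled is the one described above: LAN traffic is masqueraded behind the WAN IP, and unsolicited WAN-to-LAN traffic is only accepted from a 'local network'.

```python
import ipaddress


class Host:
    """A device: interfaces, static routes, default gateway; SME gateways also carry lan/wan and 'local networks'."""

    def __init__(self, name, addrs, default=None, routes=None,
                 lan=None, wan=None, local_networks=()):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(a) for a in addrs]
        self.default = ipaddress.ip_address(default) if default else None
        self.routes = {ipaddress.ip_network(n): ipaddress.ip_address(g)
                       for n, g in (routes or {}).items()}
        self.lan = ipaddress.ip_network(lan) if lan else None
        self.wan = ipaddress.ip_address(wan) if wan else None
        self.local_networks = [ipaddress.ip_network(n) for n in local_networks]

    def owns(self, ip):
        return any(ip == i.ip for i in self.ifaces)

    def is_local(self, ip):
        return any(ip in n for n in self.local_networks)

    def next_hop(self, dst):
        """Directly connected, else longest-prefix static route, else default gateway (may be None)."""
        if any(dst in i.network for i in self.ifaces):
            return dst
        matches = [(n.prefixlen, gw) for n, gw in self.routes.items() if dst in n]
        return max(matches)[1] if matches else self.default


def trace(hosts, src, dst):
    """Forward one packet hop by hop: (delivered, path, source address as seen by dst)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    cur = next(h for h in hosts if h.owns(src))
    path = [cur.name]
    for _ in range(8):                                  # loop guard
        if cur.owns(dst):
            return True, path, src
        if cur.lan is not None:                         # SME gateway behaviour
            if dst in cur.lan and src not in cur.lan and not cur.is_local(src):
                path.append("dropped by %s firewall" % cur.name)  # unsolicited WAN->LAN
                return False, path, src
            if src in cur.lan and dst not in cur.lan and not cur.is_local(dst):
                src = cur.wan                           # masquerade LAN source behind WAN IP
        nh = cur.next_hop(dst)
        nxt = next((h for h in hosts if h.owns(nh)), None) if nh is not None else None
        if nxt is None:                                 # no route, or handed off to the Internet
            path.append("lost after %s" % cur.name)
            return False, path, src
        cur = nxt
        path.append(cur.name)
    return False, path, src


def ping(hosts, src, dst):
    """Request plus reply. A masqueraded request is answered to the SME WAN IP; the SME de-NATs it onto its LAN."""
    ok, there, seen_src = trace(hosts, src, dst)
    if not ok:
        return False, there
    ok, back, _ = trace(hosts, dst, seen_src)
    return ok, there + back[1:]


def build(sme_local_networks=(), av_routes=None, router_routes=None):
    """Constructed topology from the thread. Assumed: router LAN IP 10.1.0.1 on
    10.1.0.0/16, LAN client 192.168.1.10, 203.0.113.0/24 as the Internet side."""
    return [
        Host("router", ["10.1.0.1/16", "203.0.113.1/24"], default="203.0.113.254",
             routes=router_routes),
        Host("av", ["10.1.3.50/16"], default="10.1.0.1", routes=av_routes),
        Host("sme1", ["10.1.1.1/16", "192.168.1.1/24"], default="10.1.0.1",
             lan="192.168.1.0/24", wan="10.1.1.1", local_networks=sme_local_networks),
        Host("client", ["192.168.1.10/24"], default="192.168.1.1"),
    ]


TO_SME1_LAN = {"192.168.1.0/24": "10.1.1.1"}
SCENARIOS = {
    "nothing configured": build(),
    "route on AV server only": build(av_routes=TO_SME1_LAN),
    "local network on SME1 only": build(["10.1.3.50/32"]),
    "local network on SME1 + route on AV": build(["10.1.3.50/32"], av_routes=TO_SME1_LAN),
    "local network on SME1 + route on router": build(["10.1.3.50/32"], router_routes=TO_SME1_LAN),
}


def results():
    """Per scenario: (AV server can ping the client?, client can ping the AV server?)."""
    return {n: (ping(h, "10.1.3.50", "192.168.1.10")[0], ping(h, "192.168.1.10", "10.1.3.50")[0])
            for n, h in SCENARIOS.items()}


if __name__ == "__main__":
    print(results())
```

Note that the "local network on SME1 only" case breaks even the client-initiated ping: the SME stops masquerading towards the local network, so the AV server's reply to 192.168.1.10 goes to its default gateway and is lost.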

Offline ReetP

Re: access from external av server to clients in different locations
« Reply #10 on: June 02, 2020, 03:42:00 PM »
Quote
Actually I believe attaching a properly configured router/switch to each SME's internal network might be the only way of using "add network". Sadly, since this would mean having to get and configure more than two dozen routers for the locations' SMEs

Absolutely not. You just need to understand your networking and how SME 'Local Networks' work. SME is perfectly capable of doing this without the need for more equipment which will just confuse things.

Local networks are for when you are trying to route from one local network to another local network via 'somewhere'.

It isn't well documented because there are a huge amount of possibilities and it isn't easy to document them all, though I would agree it could have a basic example. You have two different examples here already.


So you want to make 192.168.1.0 visible to 192.168.2.0 and vice versa

192.168.1.0 <-> 10.0.1.1 <- This could be via a local network, Internet or whatever -> 10.0.2.1 <-> 192.168.2.0


Local network - as per Mikes comment on routing

On 10.0.1.1 we need to tell it where to find the other networks.

Lan 192.168.2.0 << this is the Lan we want to access
Subnet mask 255.255.255.0 << This is the subnet mask of the Lan you want to access
Router 10.0.2.1 (effectively via this gateway - it has to know where 192.168.2.0 is)

Lan 192.168.3.0 << this is the Lan we want to access
Subnet mask 255.255.255.0 << This is the subnet mask of the Lan you want to access
Router 10.0.3.1 (effectively via this gateway - it has to know where 192.168.3.0 is)


On 10.0.2.1 we need to tell it where to find the other networks.

Lan 192.168.1.0 << this is the Lan we want to access
Subnet mask 255.255.255.0 << This is the subnet mask of the Lan you want to access
Router 10.0.1.1 (effectively via this gateway - it has to know where 192.168.1.0 is)

Lan 192.168.3.0 << this is the Lan we want to access
Subnet mask 255.255.255.0 << This is the subnet mask of the Lan you want to access
Router 10.0.3.1 (effectively via this gateway - it has to know where 192.168.3.0 is)


On 10.0.3.1 we need to tell it where to find the other networks.

Lan 192.168.1.0 << this is the Lan we want to access
Subnet mask 255.255.255.0 << This is the subnet mask of the Lan you want to access
Router 10.0.1.1 (effectively via this gateway - it has to know where 192.168.1.0 is)

Lan 192.168.2.0 << this is the Lan we want to access
Subnet mask 255.255.255.0 << This is the subnet mask of the Lan you want to access
Router 10.0.2.1 (effectively via this gateway - it has to know where 192.168.2.0 is)

Access to the AV server - if we do this as a local lan then it is required on all 3 SMEs. It does not have a 'local network' behind it. So we can add it like this:

Lan 10.1.3.50
Subnet mask 255.255.255.255
Router 10.0.3.50

(The AV server may require reverse routes to all 3 local networks.)

However, as Mike said, this is probably not necessary as you can create routes on your Router & Firewall [LAN 10.1.x.x] for this.

So any machines on the 192.168.x.x looking for the AV server query their own gateway, that then queries the main gateway that then tells it where the AV server is.

Re: access from external av server to clients in different locations
« Reply #11 on: June 05, 2020, 08:25:14 AM »
Hello,

still odd: entering an external address as router under add network is plainly rejected.

I get: "Error: Cannot access Router Address from internal Network. Network not created."
(german: "FEHLER: Auf die Router-Adresse kann nicht vom internen Netz zugegriffen werden. Netzwerk wurde nicht erstellt.")

Telling SME3 (WAN 10.1.3.1, LAN 192.168.3.1) to use the PDQdeploy machine by add network
10.1.3.99 / 255.255.255.255 / 10.1.3.99 fails.
Same with adding a SME with their local network (192.168.x.x) in the same external 10.1.x.x is rejected.

The machines externally can ping (and literally see) each other.

In the router field exclusively IPs matching the SME's internal range (192......) are accepted (as you see, I only use 192.x.x.x and 10.x.x.x and therefore did not test other IP ranges).

Irritatingly the third field of Add Network in german is translated to "Router description" (instead of router address).

I cannot add IPs in the range of the SME's own external interface like 10.1.x.x.
So neither another SME nor the Service Servers can be added (AV, Deployment, Printer User Manager, NAS Check).

Next try seems to be using hardware on each internal network as a bypass; I will be trying whether the parameters in the input mask are in the wrong order and I can make this work by filling them in in reversed order.


The third octet differs from location to location. For testing I stay in location 3.

Internet
         |
Router & Firewall [LAN 10.1.x.x]
         |__
        /\    \
       /  \    \
      /    \    \
     /      \    \__Location3 (where the service servers are found)
    /        \       |--antivirus server [10.1.3.50 and more]
   /          \      |--deployment server[10.1.3.51]
  |            \     |--SME 9.2 Test server [WAN IP 10.1.3.99]
  |             |    |                  [LAN 192.168.99.1]
  |             |    |--SME3   [WAN IP 10.1.3.1]
  |             |            [LAN 192.168.3.x]
  |             |
  |             Location2
  |             SME2 [WAN IP 10.1.2.1]
  |                  [LAN 192.168.2.x]
  Location1
  SME1 [WAN IP 10.1.1.1]
  [LAN 192.168.1.x]

Offline ReetP

Re: access from external av server to clients in different locations
« Reply #12 on: June 05, 2020, 09:47:39 AM »
Don't do it with hardware. It will just complicate things and become an xy problem.

http://xyproblem.info/

Solve the issue.

I'll look a bit more later.


Offline ReetP

Re: access from external av server to clients in different locations
« Reply #13 on: June 05, 2020, 02:18:08 PM »
still odd: entering an external address as router under add network is plainly rejected.

I get: "Error: Cannot access Router Address from internal Network. Network not created."
(german: "FEHLER: Auf die Router-Adresse kann nicht vom internen Netz zugegriffen werden. Netzwerk wurde nicht erstellt.")

OK, it is telling you that your local network does not know how to find the router address.

Quote
Telling SME3 (WAN 10.1.3.1, LAN 192.168.3.1) to use the PDQdeploy machine by add network
10.1.3.99 / 255.255.255.255 / 10.1.3.99 fails.
Same with adding a SME with their local network (192.168.x.x) in the same external 10.1.x.x is rejected.

Yes I can see that now. Mea culpa. Too many things spinning in my head.  :oops: :oops:

Quote
The machines externally can ping (and literally see) each other.

Yup you would expect that.

Quote
In the field router exclusively IPs matching to SMEs internal range (192......) are accepted (as you see I only use 192.x.x.x and 10.x.x.x and therefore did not test other IP ranges).

Yes that figures. See below.

Quote
Irritatingly the third field of Add Network in german is translated to "Router description" (instead of router address).

You can modify this in Pootle. Please ask and we can give you details on how to do that.....

Quote
I cannot add IPs in the range of the SMEs own external interface like 10.1.x.x).
So neither another SME nor the Service Servers can be added (AV, Deployment, Printer User Manager, NAS Check).

Actually my bad I think.

Quote
Next try seems to use hardware to each internal network as a bypass will be trying if the parameters in the input mask are in false order and I can make this work by filling in reversed order.

Please don't - it will probably cure nothing and just make it a lot worse.

Quote
Internet
         |
Router & Firewall [LAN 10.1.x.x]
         |


Your map keeps changing slightly....


OK,

Network address - is the remote network
Subnet mask is the mask for the remote network
Router "should be the IP address of the router on your local network via which the additional network is reached"

Location1
  SME1 [WAN IP 10.1.1.1]
  [LAN 192.168.1.x] << Is the local server IP 192.168.1.1 ?? I presume so.

If your server at Location one is set like this then the IP address of the Router for your 'local network' is 192.168.1.1 because the server is in servergateway mode and is therefore routing traffic.

So if we set this:

Network Address 192.168.2.0
Subnet Mask 255.255.255.0
Router 192.168.1.1

Any traffic for the 192.168.2.x network from the 192.168.1.x network will get passed to 192.168.1.1

In turn that IP (192.168.1.1 - the server) should then pass it to the WAN side and then that should then know where other networks live.

As Mike correctly pointed out earlier that upstream gateway/router has to know where to find 192.168.2.x

Quote
Either way, both antivirus systems need to know that if they want to reach 192.168.1.x, they need to send their packets to 10.1.1.1, and if they want to reach 192.168.2.x the packets need to go to 10.1.1.2

That is where you need to look I think - the routing on the 10.x.x.x network


Re: access from external av server to clients in different locations
« Reply #14 on: June 08, 2020, 01:16:32 AM »
Hello,

feels like being out of options - so I created a simplified new test setup.
I don't see a working way nor an alternative to get the PDQdeploy server to connect to clients of the SME server (creating more than 200 VPNs for each server like PDQdeploy to each of the real client machines doesn't count as a solution to me).

So the Windows 10 PDQ client behind SME can reach the PDQdeploy server by ping until I "add network" to SME 9.2:
  Network   10.0.0.71
  Mask 255.255.255.255
  Router  192.168.85.1
 
Thereafter neither the PDQ client (LAN 192.168.85.69) behind SME can ping PDQdeploy server (WAN 10.0.0.71), nor (this would be the goal) can the PDQ deploy server (WAN 10.0.0.71) ping the client behind SME 9.2.


   Internet
         |               ["real WAN" x.x.x.x]
     Router FritzBox 7590 [it's internal IP is the other machines WAN 10.0.0.1]
         |
        /\
       /  \
      /    \
     /      \
    /        \
   /          \
  |            \
  |             Windows 10 PDQdeploy (about-to-be a PDQdeploy and other services "server")
  |             [WAN IP 10.0.0.71]
  |         
  SME 9.2 server
  [WAN IP 10.0.0.5]
  [LAN 192.168.85.1]
  |
  Windows 10 PDQ Client
  [LAN 192.168.85.69]

Situation before add network (as mentioned above):

- Windows 10 PDQdeploy (WAN 10.0.0.71) can ping SME 9.2 server (WAN 10.0.0.5)
- Windows 10 PDQdeploy (WAN 10.0.0.71) can not ping - PDQ client (LAN 192.168.85.69)
- SME 9.2 server can ping PDQdeploy (WAN 10.0.0.71)
- SME 9.2 server can ping PDQ client (LAN 192.168.85.69)
- PDQ client (LAN 192.168.85.69) can ping PDQdeploy (WAN 10.0.0.71)

Change after add network:

- Windows 10 PDQdeploy (WAN 10.0.0.71) can ping SME 9.2 server (WAN 10.0.0.5)
- making this work is the goal: Windows 10 PDQdeploy (LAN 10.0.0.71) can not ping - PDQ client (WAN 192.168.85.69)
- other than expected now the PDQ client (LAN 192.168.85.69) can no more ping PDQdeploy (WAN 10.0.0.71) (opposite of goal)

By now I suppose if I tell the PDQdeploy server (Windows 10,WAN 10.0.0.71 ) via
Code:
route ADD 192.168.85.0 MASK 255.255.255.0 10.0.0.5
it should be able to find the way to the client(s) (LAN 192.168.85.x) behind the SME server (WAN 10.0.0.5).
This should do the routing?
I am aware this setting just sticks until the next reboot.

What am I missing?
 
I already tried using two SME servers enabling each other's clients to be accessed, so should the Windows 10 PDQdeploy be behind another SME server? Although I already tried this as well.
« Last Edit: June 08, 2020, 08:49:57 AM by drestof »