ShellfireBox LAN - Can't read rest of network

Here you can get answers to your questions about VPN hosting from Shellfire

Moderators: Florian, Matze, Max, Lui

peterk
Posts: 2
Joined: 12 Sep 2015 17:27

ShellfireBox LAN - Can't read rest of network

Post by peterk » 12 Sep 2015 17:55

Hi there,

I'm hoping this is just a setup issue but when I plug my laptop or NAS device into the LAN port of the Shellfire Box, I can no longer see or browse to files on that laptop or NAS device from the rest of the network.

Basically, I just want one device to connect via the Shellfire box - and I need it to connect via the LAN port on the Shellfire box - all my other devices are connected to the main router via LAN cables.

On this device, I want all communication with the internet to go through the Shellfire box but just for this one device, however I also need to be able to read the content of the device with my normal local area network router, which the Shellfire box is also plugged into via its WAN port. See if this diagram makes sense...




|---Shellfire Box---------Computer 1 with VPN requirement
|
| |---Computer 2
| |
| | |---Computer 3
| | |
| | | |---Computer 4
| | | |
|-|-|-|---Router (All computers need to be available on the Local Area Network)




I hope this makes sense. Can anybody help?

Florian
Site Admin
Posts: 465
Joined: 29 Jun 2003 17:53

Post by Florian » 03 Oct 2015 11:27

Hi Peter,

we are aware of this issue - actually we thought we had fixed it during the initial development, however that has not worked.

The workaround for now is to disable the VPN using the web interface http://sf.box

Let me know if this works for you.

- Florian

peterk
Posts: 2
Joined: 12 Sep 2015 17:27

Post by peterk » 04 Oct 2015 11:02

Hi Florian,

Thanks for your reply. Unfortunately, I need the VPN up and running or it's not worth plugging the box in, so your workaround may allow LAN functions to work normally but so would not having the box plugged in at all.

Hopefully you can fix the issue soon so that I can actually use your amazing tech. :D

Cheers
Pete

Florian
Site Admin
Posts: 465
Joined: 29 Jun 2003 17:53

Post by Florian » 06 Oct 2015 10:38

Will keep you posted about the update :)

DerSkuggan
Posts: 2
Joined: 08 Nov 2015 19:30

Post by DerSkuggan » 08 Nov 2015 19:43

Hi Peter,

I have a very similar network here. Why not connect the router with the ShellfireBox and add an extra router to the network?

+--- new Router --- ShellfireBox --- Internet Router with modem from provider
|
| Your LAN with all PCs

Other option might be a second network card in the PC which requires the VPN. This works fine for me here.

sandals
Posts: 3
Joined: 23 Dec 2015 11:32

Post by sandals » 23 Dec 2015 11:39

Hi PeterK

You can get around this issue by placing both the LAN and WAN interfaces of the shellfire box on the same subnet; it can loop in and out the same router if you don't have another switch. There is no risk of a layer2 loop as the Shellfire box interfaces are Layer3. This way you have 2 default gateways on your LAN segment, the shellfire box, and your internet router.

Disable the DHCP service on the shellfire box and statically assign IP addresses to the machines that require the VPN service. The default gateways for these machines must point to the shellfire LAN address.

All other machines still receive their IP addresses from your internet router and continue as normal. This way the traffic between all the machines on your network happens at Layer2 (switched) and not routed through shellfire VPN box unnecessarily.

I have created a simple diagram to illustrate how I have done this.

http://imgur.com/BIyMcwY

Florian
Site Admin
Posts: 465
Joined: 29 Jun 2003 17:53

Post by Florian » 25 Dec 2015 09:25

Hi,

please let me clarify a few things here:

1) Normally, when the vpn connection is active, all IP addresses that are defined as local (https://en.wikipedia.org/wiki/Private_network) are exempted from the routes of the vpn connection.

2) So if you are connected to the Shellfire Box, and the Shellfire Box is connected to vpn and you are trying to reach a local ip address like 192.168.... this will work out of the box without any issues

3) What might not work is local dns resolution like http://fritz.box or http:/synolo.gy http://you-nas-here because these lookups are controlled from your main router, which we proactively hide from your connection to avoid dns leaks.

Sandals: Thanks very much for the solution proposed - I believe it will work very well but it is something that is very hard to configure for many non tech savvy folks.

I also have a question regarding your diagram - in my case, I personally do not have an extra switch beside my router - will I still need that extra switch? In my opinion it is not needed, is it?


Thanks,
Florian
Florian Gattung
Shellfire Gattung & Behr GbR

sandals
Posts: 3
Joined: 23 Dec 2015 11:32

Post by sandals » 25 Dec 2015 20:59

Hi Florian,

Thanks for clarifying those points. From Peter's post it seemed that the shellfire box was not forwarding any traffic to the network while connected to the VPN. I think Peter would be OK if he tried to access his devices via the IP address and not the hostname in that case, or another workaround would be to create local hostfile entries. I didn't even try as I configured the network like I described as soon as I received the box after reading this post.

In my case that would still not work properly as I need some of my devices on the same LAN segment to discover each other. For example I have an Amazon Fire TV and use an application on my phone as the remote control; if my phone is on a different subnet to the Fire TV I am unable to control it. I have installed a shortcut to the shellfire box web interface on my phone so I can access it like a webapp. Works great for easily changing VPN servers without having my phone going through the VPN.

I am sure it also helps saving processing resource if you are not using the shellfire box to route between LAN segments when you don't need to. Also the shellfire box has 100mb interfaces so can have 1Gbps between devices if you keep them communicating at Layer2 if you have a 1G switch/router of course.

Yes it will definitely work fine if you only have an internet router with no switch. The LAN and WAN interfaces of the shellfire box can connect to the router as well as any other wired or wireless devices. Keep them all on the same subnet and all will work fine. Statically assign IPs and point the gateways to the Shellfire LAN IP if they need VPN access.

This works great for me and very happy with this solution so far. My friend is now also buying a shellfire box after seeing my setup.

Thank you shellfire team!
Sandals

sandals
Posts: 3
Joined: 23 Dec 2015 11:32

Post by sandals » 25 Dec 2015 22:52

I just had another thought and I can't see how it would work out the box as you stated.

Say for example we plug a machine directly into the shellfire LAN port or connect any device to the built in wireless of the Shellfire box then have the WAN plugged into the network like how the box is intended to be used.

You say that the shellfire box will not tunnel private ranges and forward them to the network. The box may do this but the problem here is the return traffic from the devices on the network. When they are communicating back to the devices behind the shellfire box they will need a route to get there. Either a static route configured on each machine pointing to the WAN of the shellfire box, or their default gateway (typically the internet router) will need a route to route the traffic back.

If the Shellfire box is doing NAT for traffic it is not tunneling, then it will work but only flow one direction.

PC1 -> LAN-Shellfirebox-WAN -> Network -> PC2 - Connections initiated from the LAN side of the shellfire box to devices on the WAN side will work

PC2 -> Network -> WAN-Shellfirebox-LAN -> PC1 - Connections initiated from the WAN side of the shellfire box to devices on the LAN side will not work

Sandals
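
A small route-lookup model of the return-path problem described in the post above and of the same-subnet layout from sandals' earlier post, added here as an illustration and not part of the original thread. The subnets 192.168.1.0/24 (home LAN) and 192.168.2.0/24 (box LAN), the host addresses and the node names are assumptions; the model only follows next hops and does not simulate NAT state or firewall rules.

```python
import ipaddress

net = ipaddress.ip_network
# Assumed addressing, not taken from the thread.
HOME, BOX_LAN, ANY = net("192.168.1.0/24"), net("192.168.2.0/24"), net("0.0.0.0/0")

def lookup(table, dst):
    """Longest-prefix match over (network, next_hop) entries."""
    hits = [(n, hop) for n, hop in table if dst in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def trace(tables, start, dst):
    """Follow next hops from `start` until the packet is on-link or leaves the LAN."""
    dst, node, path = ipaddress.ip_address(dst), start, [start]
    for _ in range(8):  # hop limit, guards against routing loops
        hop = lookup(tables[node], dst)
        path.append("delivered" if hop == "direct" else hop)
        if hop not in tables:  # on-link, or handed to internet/vpn
            break
        node = hop
    return path

def routed_setup(static_route=False):
    """Box used as intended: WAN port in the home LAN, own subnet on the LAN port."""
    router = [(HOME, "direct"), (ANY, "internet")]
    if static_route:  # the extra route on the default gateway mentioned in the post
        router.append((BOX_LAN, "box"))
    return {
        "pc2": [(HOME, "direct"), (ANY, "router")],
        "router": router,
        "box": [(HOME, "direct"), (BOX_LAN, "direct"), (ANY, "vpn")],
    }

def flat_setup():
    """Same-subnet layout: box LAN and WAN in the home LAN, PC1 statically uses the box as gateway."""
    return {
        "pc1": [(HOME, "direct"), (ANY, "box")],
        "pc2": [(HOME, "direct"), (ANY, "router")],
        "router": [(HOME, "direct"), (ANY, "internet")],
        "box": [(HOME, "direct"), (ANY, "vpn")],
    }

if __name__ == "__main__":
    print(trace(routed_setup(), "pc2", "192.168.2.10"))      # PC2 -> PC1, no return route
    print(trace(routed_setup(True), "pc2", "192.168.2.10"))  # with static route on the router
    print(trace(routed_setup(), "pc2", "192.168.1.50"))      # reply to the box's NATed WAN address
    print(trace(flat_setup(), "pc2", "192.168.1.10"))        # same subnet, switched at Layer 2
    print(trace(flat_setup(), "pc1", "203.0.113.7"))         # only PC1's internet traffic uses the VPN
```
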

Florian
Site Admin
Posts: 465
Joined: 29 Jun 2003 17:53

Post by Florian » 27 Dec 2015 21:32

Sandals,

your findings are spot on and definitely worthwhile inspecting for advanced users.

The whole deal with setting up static ip addresses, assigning static routes for devices in a home network is something many normal users are easily overwhelmed with, so for folks who are not so advanced in their tech skills, we will simply continue recommending to "just change the wifi to the one of your router" - but again, for more sophisticated setups combined with the techiness, your advice will work out great!

Many thanks,
Florian
Florian Gattung

Shellfire Gattung & Behr GbR

