VPN network behind different PROVIDER modems

Dear community,

I’m looking for suggestions for solving the following problem with a net-to-net VPN connection:

Two locations, each with a provider modem that has a fixed external public IP.
Behind each modem is an IPFire: red at 192.168.xxx.yyy, green at 192.168.aaa.bbb.

I’m only being assigned the 192.168 addresses (static/dynamic) from both modems and only a few settings are possible on the two provider modems. :unamused_face:

How do I establish a net-to-net connection with this configuration?

Can I somehow forward the two public IP addresses of the modems to IPFIRE (red) so that the two networks can see each other and be reached?

Hello @shvll

Welcome to the IPFire community.

Your net to net vpn will not go directly between the two green subnets.

It will go from your green subnet on IPFire 1, through IPFire 1, through provider A’s modem, through provider A to the internet, then to provider B, through provider B’s modem, through IPFire 2 and then to the green subnet on IPFire 2.

You need to change the green subnet you have on IPFire 1 or IPFire 2 as they need to be different subnets at the two ends of the net-to-net VPN tunnel.

To make the connection possible, either you need to be able to put the Provider A and Provider B modems into bridge mode so they just pass everything directly through, including the public IP, or you need to be able to access the setup menu of those Provider modems to turn on Port Forwarding on each of them. The simplest in this second case is to allow all ports and all IPs to be forwarded. If the modem does not allow that, then you will need to forward the appropriate port and IP/DDNS FQDN that is at the other end of the tunnel.

The simplest setup is if you can put each modem into Bridge mode. Alternatively, if the modems are not cable modems but use an Ethernet connection to the internet, then you could also replace the modems with your IPFire machines, i.e. have each IPFire connect to the ISP provider at their end.

What modems have your Providers supplied you with?


I’ve already used bridge mode at other locations, and it works perfectly with IPFIRE!

Unfortunately, bridge mode isn’t available at these locations.
One modem is a (TV) cable modem, the other is a 5G WEB Cube with a LAN connection.
Both devices, however, have a fixed IP address from the provider.
Green networks can be configured as desired.

No, this is not necessary. It’s called netmapping. I did that for my first employer about 10 years ago for our solar farms, which all had the same network structure. But we had a VPN gateway.

Interesting. New to me.

You could be of help to the poster if the subnets that are currently used have to stay as they are.

Would that mean declaring both (internal) IPs of the RED IPFIRE Computer-NIC as DMZ on each provider modem?

> The simplest in this second case is to allow all ports and all IPs to be forwarded.

Then in that case you need to be able to access the config system of those two modems to set up Port Forwarding on them.

If you can do that on the modems, then yes that is the simplest to do.

I will try it :upside_down_face:


Sorry, no. I haven’t worked there for many years. It was part of the old forum, so I think it’s lost. We used it with an insys VPN gateway service, but I guess any VPN gateway can do that.

So it was done via an external VPN gateway service.

Does that mean it can’t be done via two IPFire VPNs connected together in a N2N configuration?

I don’t know, but in theory it was an easy mechanism: you define virtual networks for every station (those are virtual VPN networks), for example:

Station 1: green 172.24.0.0/24; ovpn 10.0.1.0/24
Station 2: green 172.24.0.0/24; ovpn 10.0.2.0/24

Station 1 wants to access Station 2 target 172.24.0.20 → you access 10.0.2.20. Station 2 gets the incoming connection and translates 10.0.2.20 to 172.24.0.20. It maps the net 10.0.2.0/24 to 127.24.0.0/24.

I think you don’t need a VPN gateway for this. We used to have it because of Dual-Stack Lite and non-public IP addresses from the ISP.
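The netmapping described in the post above, as an added worked example (not code from the thread or from IPFire): a 1:1 network mapping keeps the host bits of an address and swaps the network bits, which is what the iptables NETMAP target does. The functions translate between Station 2’s virtual 10.0.2.0/24 and its real green 172.24.0.0/24 in both directions, and the rule strings show what such a mapping looks like on a Linux firewall; the tunnel interface name tun0 is an assumption.

```python
import ipaddress

# Constructed addressing following the post's scheme: both stations keep the
# same green subnet, and each is reached through its own virtual network.
STATION2_GREEN = ipaddress.ip_network("172.24.0.0/24")
STATION2_VIRTUAL = ipaddress.ip_network("10.0.2.0/24")


def netmap(addr, src_net, dst_net):
    """1:1 mapping: keep the host part of addr, replace the network part.

    Mirrors what iptables NETMAP does. Rejects addresses outside src_net and
    prefix sizes that differ, since then no host-preserving mapping exists.
    """
    ip = ipaddress.ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("NETMAP needs equal prefix lengths")
    if ip not in src_net:
        raise ValueError(f"{ip} is not inside {src_net}")
    host_bits = int(ip) - int(src_net.network_address)
    return str(dst_net.network_address + host_bits)


def inbound(addr):
    """Packet arriving from the tunnel, destined to the virtual net (DNAT side)."""
    return netmap(addr, STATION2_VIRTUAL, STATION2_GREEN)


def outbound(addr):
    """Reply leaving towards the tunnel, source rewritten back (SNAT side)."""
    return netmap(addr, STATION2_GREEN, STATION2_VIRTUAL)


def iptables_rules(virtual, green, tunnel_if="tun0"):
    """Render the pair of NETMAP rules for the mapping (tunnel_if is assumed)."""
    return [
        f"iptables -t nat -A PREROUTING -i {tunnel_if} -d {virtual} -j NETMAP --to {green}",
        f"iptables -t nat -A POSTROUTING -o {tunnel_if} -s {green} -j NETMAP --to {virtual}",
    ]


if __name__ == "__main__":
    print("Station 1 sends to 10.0.2.20 -> Station 2 delivers to", inbound("10.0.2.20"))
    print("Station 2 replies from 172.24.0.20 -> seen as", outbound("172.24.0.20"))
    print("\n".join(iptables_rules(STATION2_VIRTUAL, STATION2_GREEN)))
```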

If the static IP is on a modem/router (such as supplied by Comcast), drop your IPFire box in a DMZ on the router. Site to Site and OpenVPN will both work.