Notes on Service Tunnels
Advanced concepts including Operational CIDR ranges, and more
- Updated on Jun 01, 2023
- 7 minutes to read
-
Contributors
This article details a few advanced concepts related to securing service tunnels.
Interfaces and IP Address Management
When Banyan’s service tunnel capability is enabled, a dedicated private network is created for your organization. A new network interface is created on every device (that could be running either Banyan’s Client Components or Banyan’s Server Components) to enable network connectivity - this network interface is assigned an IP address from a pool of Tunnel CIDR ranges.
IP addresses are assigned to a device from 4 ranges:
| # | Range Name | Banyan Component | Network Interface | Purpose |
|---|---|---|---|---|
| 1 | access_tier_satellite |
Access Tier | wg1 |
Connector-Access Tier tunnels |
| 2 | satellite |
Connector | wg0 |
Connector-Access Tier tunnels |
| 3 | access_tier_enduser_device |
Access Tier | wg0 |
EndUser-Access Tier tunnels |
| 4 | enduser_device |
App | Windows - wg0, Linux - wg0, MacOS - utun11 |
EndUser-Access Tier tunnels |
Tunnel CIDR Ranges
By default, Banyan assigns IP address from CIDR ranges in the CG-NAT address space, so they will not interfere with other address spaces that could be available in a customer environment. To see the CIDR ranges used by Banyan, navigate to Settings > Network Settings > Service Tunnel. You will see the four CIDR ranges on this page, as follows:
| # | Range Name | CIDR Range | IPs | Total Addresses |
|---|---|---|---|---|
| 1 | access_tier_satellite |
100.120.0.0/16 |
100.120.0.0 - 100.120.255.255 | 65,536 |
| 2 | satellite |
100.100.0.0/16 |
100.100.0.0 - 100.100.255.255 | 65,536 |
| 3 | access_tier_enduser_device |
100.110.0.0/16 |
100.110.0.0 - 100.110.255.255 | 65,536 |
| 4 | enduser_device |
100.64.0.0/11 |
100.64.0.0 - 100.95.255.255 | 2,097,152 |
If your organization requires changes to these CIDR ranges, please contact support.
Network Address Translation (NAT)
Banyan utilizes Source Network Address Translation (SNAT) so the source IP address of traffic egressing a Banyan Server Component (Access Tier or Connector) will the host’s IP address. In some scenarios you may want the source IP address of the traffic to be the actual client’s IP address instead of the NAT-ed address.
Banyan provides the ability to disable SNAT for your environment. If you disable SNAT, you need to ensure that your private network is configured to route traffic correctly back to the client.
If your organization needs to disable SNAT, please contact support.
Can’t find what you’re looking for?
We’re happy to help. Contact our team.