Notes on Service Tunnels

Advanced concepts including Operational CIDR ranges, and more

  • Updated on Jun 01, 2023
  • 7 minutes to read
  • Contributors

This article details a few advanced concepts related to securing service tunnels.

Interfaces and IP Address Management

When Banyan’s service tunnel capability is enabled, a dedicated private network is created for your organization. A new network interface is created on every device (that could be running either Banyan’s Client Components or Banyan’s Server Components) to enable network connectivity - this network interface is assigned an IP address from a pool of Tunnel CIDR ranges.

IP addresses are assigned to a device from 4 ranges:

# Range Name Banyan Component Network Interface Purpose
1 access_tier_satellite Access Tier wg1 Connector-Access Tier tunnels
2 satellite Connector wg0 Connector-Access Tier tunnels
3 access_tier_enduser_device Access Tier wg0 EndUser-Access Tier tunnels
4 enduser_device App Windows - wg0, Linux - wg0, MacOS - utun11 EndUser-Access Tier tunnels

Tunnel CIDR Ranges

By default, Banyan assigns IP address from CIDR ranges in the CG-NAT address space, so they will not interfere with other address spaces that could be available in a customer environment. To see the CIDR ranges used by Banyan, navigate to Settings > Network Settings > Service Tunnel. You will see the four CIDR ranges on this page, as follows:

# Range Name CIDR Range IPs Total Addresses
1 access_tier_satellite - 65,536
2 satellite - 65,536
3 access_tier_enduser_device - 65,536
4 enduser_device - 2,097,152

If your organization requires changes to these CIDR ranges, please contact support.

Network Address Translation (NAT)

Banyan utilizes Source Network Address Translation (SNAT) so the source IP address of traffic egressing a Banyan Server Component (Access Tier or Connector) will the host’s IP address. In some scenarios you may want the source IP address of the traffic to be the actual client’s IP address instead of the NAT-ed address.

Banyan provides the ability to disable SNAT for your environment. If you disable SNAT, you need to ensure that your private network is configured to route traffic correctly back to the client.

If your organization needs to disable SNAT, please contact support.

Can’t find what you’re looking for?

We’re happy to help. Contact our team.