Allow UrBackup to "see" systems on different subnets

We are currently using UrBackup as a solution for backing up computers outside of our network due to the increased telework situation. As things sort of return to normalcy, we have users entering our offices and their laptops are being onboarded to a secure local network space. Is it possible for UrBackup server to see clients on a different subnet as the server is on an infrastructure network space? We cannot allow clients onto the infrastructure space and naturally want to keep a server off the client network space.

I understand the server sends a broadcast looking for clients and we need to get that broadcast to traverse subnets and open the port for backup traffic. I understand the clients could continue to use the web method, but that can be so terribly slow.

Unfortunately, broadcast messages aren’t routable.
Internet mode actually seems to work quite well if the traffic is only local though, at least I can’t say I noticed much difference when I shifted wireless to a different subnet & put wireless clients on internet mode.

It can see the systems on the other network. It just won’t automatically invite them to perform a backup.

I back up servers in one of my customer environments over a VPN, using only the internal addresses, where some of the servers being backed up are on a remote subnet from the server.

Depending on how many clients you’re managing, you might be able to add the server key to the clients manually…

-ASB

Could the server have a range scanning feature added where it scans for new clients every hour or something to solve this? Sort of an extension to the current manual hostname/IP hints, but automated for a whole subnet.

OK, I am curious how you have it working over the VPN?

My server is in a DMZ. I have manually added a client on the internal network to the server and installed the appropriate client. I have opened the firewall ports 35621-35623 inbound to the server from the internal network. Do these ports need to have bidirectional traffic from the server to the internal network, as the client does not report in to the server?

Each of the offices has a site-to-site (IPSec) VPN tunnel set up between them, and they are running on separate subnets. All ports are opened up between the offices. Each office has a backup server that is backing up a data server on its subnet, and one on a remote subnet.

As an example:
BACKUPSVR_A1, 10.10.1.100
DATASVR_A1, 10.10.1.101

BACKUPSVR_B1, 10.10.2.100
DATASVR_B1, 10.10.2.101

The A servers can see each other without issue, and the B servers can see each other without help.

Because each data server is getting backed up to both backup servers, I needed to manually add the backup server key to the data server, as per: UrBackup - Server administration manual

See the info on server_ident.key

Hello,

I am following up on this, as I am also interested in being able to back up clients that are on a different subnetwork than the UrBackup server. I have attempted to add the server_ident.key to the urbackup folder on my client PC, but it still does seem to be able to find the UrBackup server, just showing IDLE status. On the other hand, the UrBackup server is showing the client online under the discovery hints section, but when I try to initiate a backup, it fails.

Any assistance is appreciated.

Hi,

Apologies, am being slightly lazy in not responding directly to any particular message (been on the voddie, but still compos mentis) and want to drag this back to the fundamentals…

From what has been said in the initial explanation, backups are/were working when the computers were outside of the network…right…?

Based on this working with “outside in” basics, then the simple/st solution is to have loopback set up and use the public DNS entry to route the traffic…so, for example, if the UrBackup host is accessible using a DNS record of UrBackup.company.net [and presuming you don’t use company.net internally] you can use the public DNS resolution to point to the main site’s WAN link, and enable the loopback so that clients within the infrastructure can be routed to the server…

This will work regardless of whether the remote site has a VPN to the main site, or if the machine is actually remote, as the traffic will egress the site’s firewall (even if at the main site) and be routed to the main site’s connection…then the existing firewall and NAT rules for outside-in routing will punt the traffic to the server…

As long as the loopback is configured correctly on the main site’s firewall, this will “just work” and you will wonder why it seemed to be full of the confustication…

Let me know if I’ve missed anything, or if you want/need any clarification…

Can you please clarify what you mean by this statement? What were the exact steps you used to perform this?

Was this based on the info in the admin guide?

https://www.urbackup.org/administration_manual.html#x1-230004.3

Correct, I followed the steps in guide:
“If you want to manually add a server to ’server_idents.txt’ you need to remove the preceding ’#I’ and ’#’ at the end of the contents of ’server_ident.key’. After installation the ’server_idents.txt’ does not exist and the client core process accepts(and adds) the first server it sees (with the public key of the server). After that no other servers with different credentials are accepted and you need to add their credentials either manually, or via clicking on the popup box, once the client has detected the new server. This prevents others from accessing files you want to be backed up in public places.”

I ran a pcap on both of the VLANs and I am not seeing the UrBackup server sending any UDP discovery packets to the client hints specified on the UrBackup server.
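The conversion quoted from the manual above, as an added example (not code from this thread or from the UrBackup project): it strips the '#I' prefix and '#' suffix from the contents of server_ident.key and appends the identity to the client's server_idents.txt while keeping servers that are already trusted, which is the case for a data server backed up by both BACKUPSVR_A1 and BACKUPSVR_B1. Both file paths are passed as arguments; the one-identity-per-line layout and the handling of text after a '#' on existing lines are assumptions.

```python
import sys
from pathlib import Path


def ident_from_key(key_text: str) -> str:
    """Return the identity with the leading '#I' and trailing '#' removed."""
    raw = key_text.strip()
    if len(raw) < 4 or not raw.startswith("#I") or not raw.endswith("#"):
        raise ValueError("expected contents of the form '#I<identity>#'")
    ident = raw[2:-1]
    if any(ch.isspace() for ch in ident):
        raise ValueError("identity contains whitespace; wrong file?")
    return ident


def trust_server(key_text: str, idents_file: Path) -> bool:
    """Add the server identity to idents_file. Returns True if it was added."""
    ident = ident_from_key(key_text)
    lines = []
    if idents_file.exists():
        lines = idents_file.read_text(encoding="utf-8").splitlines()
    # Assumption: one identity per line, and anything after a '#' on an
    # existing line is extra data rather than part of the identity.
    known = {ln.split("#", 1)[0].strip() for ln in lines if ln.strip()}
    if ident in known:
        return False  # already trusted, leave the file untouched
    lines.append(ident)  # keep earlier servers: a client may trust several
    idents_file.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return True


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: trust_server.py <server_ident.key> <server_idents.txt>")
    key = Path(sys.argv[1]).read_text(encoding="utf-8")
    added = trust_server(key, Path(sys.argv[2]))
    print("identity added" if added else "identity already trusted")
```

Because the client only accepts servers listed in this file once it exists, copy server_ident.key from the server you administer over a trusted channel before running this.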

I was able to get this resolved. There were two things that I found needed to be done for my clients to communicate to the urbackup server located on a different vlan of my home network.

  1. First, set up the discovery hints in the web GUI.
  2. Second, in the UrBackup client settings, under the Internet tab, I had to add the UrBackup server IP address for the Internet Server Name/IP (did not have to enable backup via internet, so not sure why this helps, but it was the only way I got it running).

Thank you @BrainWaveCC for your help.

You’re very welcome, @AM1

And thanks for following up with the resolution.
