
Author Topic: Vista client: can ping, can connect web admin, but can't access SMB shares  (Read 1124 times)


Offline droehn

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Hi there,

I managed to enable the OpenVPN server on a V2.0.1 pfSense by going through the wizard. I can ping my local network (e.g. 192.168.0.100) and also connect remotely to the pfSense admin interface, but there is no way to e.g. access network shares on my SMB server at 192.168.0.100 (connection timeout). I tried up and down with local routing, playing around with the NetBIOS settings on the server side, with client DNS and without, but nothing led to success.

My server settings are:
Code:
<openvpn>
<openvpn-server>
<vpnid>1</vpnid>
<mode>server_tls_user</mode>
<authmode>Local Database</authmode>
<protocol>UDP</protocol>
<dev_mode>tun</dev_mode>
<ipaddr></ipaddr>
<interface>wan</interface>
<local_port>1194</local_port>
<description><![CDATA[Privater VPN]]></description>
<custom_options/>
<tls>XXXXXXXX</tls>
<caref>XXXXXXXXX</caref>
<crlref></crlref>
<certref>XXXXXXXXXX</certref>
<dh_length>1024</dh_length>
<cert_depth>1</cert_depth>
<strictusercn></strictusercn>
<crypto>AES-128-CBC</crypto>
<engine>none</engine>
<tunnel_network>192.168.200.0/24</tunnel_network>
<remote_network/>
<gwredir></gwredir>
<local_network>192.168.0.0/24</local_network>
<maxclients>3</maxclients>
<compression>yes</compression>
<passtos></passtos>
<client2client></client2client>
<dynamic_ip>yes</dynamic_ip>
<pool_enable>yes</pool_enable>
<netbios_enable>yes</netbios_enable>
<netbios_ntype>0</netbios_ntype>
<netbios_scope/>
</openvpn-server>
</openvpn>

I also tried several OpenVPN clients on my Vista notebook; finally V2.3-alpha remains. No matter which, with all of them I managed to connect to my pfSense (started as Administrator), ping the local network, access the pfSense admin etc., but have no access to shared drives.

My client settings:
Code:
dev tun
persist-tun
persist-key
proto udp
cipher AES-128-CBC
tls-client
client
route-method exe
route-delay 2
remote some.domain 1194
tls-remote The server
auth-user-pass
pkcs12 myvpn-udp-1194.p12
tls-auth myvpn-udp-1194-tls.key 1
comp-lzo

What is my mistake?
Many thanks in advance for any hint.

brgds
David
« Last Edit: April 10, 2012, 02:36:12 pm by droehn »

Offline droehn

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
STUPID ME!!  ::)

One desperate smoke later I remember having whitelisted my file server for connections from the 192.168.0.0 subnet only.
Unless any of you guys could advise me how to mask incoming connections from 192.168.200.6 (client IP) to the 192.168.0.0 subnet, my problem is solved once I can physically get hold of the file server to extend the whitelist...

best regards
David
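The diagnosis in the post above comes down to two subnets: the client gets an address from the OpenVPN tunnel network (192.168.200.0/24) and the LAN route is pushed so it can reach 192.168.0.0/24, but the file server's whitelist only accepts sources inside 192.168.0.0/24. The following script is an added example, not from the thread or from pfSense; it parses the relevant fields of the `<openvpn-server>` block posted earlier and applies the whitelist check to the client address, optionally to a hypothetical NAT-substituted LAN address (192.168.0.1 is an assumption; the thread names no such address). The NAT result only answers the source-address question, not whether SMB would work through NAT.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the fields that matter for reachability, taken from the
# <openvpn-server> block posted in the thread (certificate references omitted).
SERVER_XML = """<openvpn>
<openvpn-server>
<vpnid>1</vpnid>
<mode>server_tls_user</mode>
<dev_mode>tun</dev_mode>
<tunnel_network>192.168.200.0/24</tunnel_network>
<remote_network/>
<local_network>192.168.0.0/24</local_network>
<netbios_enable>yes</netbios_enable>
</openvpn-server>
</openvpn>"""


def parse_server(xml_text):
    """Extract the tunnel network (addresses handed to VPN clients) and the
    local network (the LAN route pushed to clients) from a pfSense config."""
    srv = ET.fromstring(xml_text).find("openvpn-server")
    tunnel = ipaddress.ip_network(srv.findtext("tunnel_network").strip())
    local_text = (srv.findtext("local_network") or "").strip()
    local = ipaddress.ip_network(local_text) if local_text else None
    return tunnel, local


def source_allowed(source_ip, whitelist):
    """Source-address whitelist as the poster describes it on the file server:
    a connection is accepted only if it originates inside a listed subnet."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in whitelist)


def diagnose(xml_text, client_ip, nat_source=None):
    """Work out why a client can reach the LAN yet fails the share's whitelist.

    client_ip:  address OpenVPN assigned to the client (192.168.200.6 here).
    nat_source: the LAN-side address an outbound NAT rule would substitute
                (hypothetical; the thread names no such address).
    """
    tunnel, local = parse_server(xml_text)
    whitelist = [local] if local else []
    result = {
        "client_in_tunnel_network": ipaddress.ip_address(client_ip) in tunnel,
        "lan_route_pushed": local is not None,
        "passes_whitelist": source_allowed(client_ip, whitelist),
    }
    if nat_source is not None:
        # Only answers the address check; whether SMB itself survives NAT is a
        # separate question, so a True here does not mean the share would work.
        result["passes_whitelist_after_nat"] = source_allowed(nat_source, whitelist)
    return result


if __name__ == "__main__":
    for key, value in diagnose(SERVER_XML, "192.168.200.6", "192.168.0.1").items():
        print(f"{key}: {value}")
```

Run as-is to see that the client sits inside the tunnel network and has the LAN route, yet fails the whitelist; the same `diagnose` call with a different config or client address shows where a reachability problem actually lies before touching NAT or the whitelist.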

Offline heper

  • Hero Member
  • *****
  • Posts: 674
  • Karma: +0/-0
    • View Profile
You might be able to NAT the subnet to the other subnet, although I'd suggest changing the whitelist.

Offline cmb (Administrator)
You're going to have to allow access from the real subnet. With most services you can NAT and get away with it, but NAT of any type breaks SMB.

Offline droehn

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Thanks for answering guys.

The issue is that the whitelist is stored on the file server and I need to get hold of it physically to make a change. As this will take another week and I desperately need some files, I would like to get temporary remote access to change the whitelist.

When NATing from the OpenVPN to the LAN subnet, the file server obviously recognizes that the request comes from a non-LAN subnet address and therefore, due to the whitelist rule, denies access. That's why my final question is whether it is possible to use pfSense to mask my OpenVPN client address as a LAN address to mock the file server.

Thanks & regards
David

Offline droehn

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Finally I found an answer to my issue in the following article, which explains how to set up OpenVPN in bridged mode:

http://hardforum.com/showthread.php?t=1663797

Unfortunately it is not possible to do that remotely, as the new configuration kicks off my current client connection. But that's a different issue.

brgds
David