Netgate Discussion Forum

    Having trouble accessing NAS through VPN server

    25 Posts 5 Posters 447 Views 4 Watching
    • azdeltawye @the other

      @the-other
      I’m on travel for the week so I’ll post the firewall rules when I get home.

      As for my internet, I have Comcast Xfinity with a publicly routable address. Comcast offers IPv6 support but I only have IPv4 enabled. I use a DDNS service for remote access because my IP changes from time to time.
      I cannot ping my IP when I am remote. I don’t recall if I have an ICMP block rule on my WAN. I’ll check that as well when I get home.

      Thanks for the suggestions.

      • azdeltawye @pwood999

        @pwood999
        No static routes are in place, just the default settings in pfsense.

        • the other @azdeltawye

          @azdeltawye yeah, but can you ping your dyndns address? That should also give you your actual public IP...can you ping that one?

          the other

          pure amateur home user, no business or professional background
          please excuse poor english skills and typpoz :)

          • azdeltawye @the other

            @the-other
            No, I cannot ping my ddns url. It resolves my WAN IP but times out on the ping attempt.

            • SteveITS Galactic Empire @azdeltawye

              @azdeltawye do you have a firewall rule on WAN allowing ICMP?

              Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
              Upvote 👍 helpful posts!

              • azdeltawye @SteveITS

                @SteveITS
                I do not have a rule to pass ICMP traffic in the WAN interface.

                I’ll have to wait until I get home before I add a rule. Editing firewall rules via remote iPhone connection is sketchy at best…

                • azdeltawye @SteveITS

                  @SteveITS
                  OK, added an Echo Request rule on the WAN to allow ICMP traffic. I can now ping my IP directly and the DDNS URL. However, I still cannot access the NAS with File Explorer.

                  Here are my WAN pass rules:
                  65cbb4aa-a23a-4014-8d0d-76065b86d987-image.png

                  • azdeltawye @the other

                    @the-other
                    Here are all the active OpenVPN interface rules:
                    ff7983f8-8553-4f2f-a978-078412e0b475-image.png
                    The VPN Servers Alias is this:
                    4f0ab459-827e-4fe2-86f9-8a9afec24c39-image.png

                    • Gertjan @azdeltawye

                      @azdeltawye

                      What is your pfSense LAN IP, and network ?
                      Like 192.168.1.1 and 255.255.255.0 or /24 ?

                      Your NAS IP, network, gateway and DNS ?
                      Like 192.168.1.x, 255.255.255.0/24 or /24, 192.168.1.1 (gateway !) and 192.168.1.1 (DNS) ?

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      • azdeltawye @Gertjan

                        @Gertjan
                        My pfSense IP is 192.168.125.1 on a /24 network
                        My NAS IP is 192.168.200.4 on a /24 network, the GW and DNS are 192.168.200.1
                        My OpenVPN server tunnel networks are 10.0.10.0/24 & 10.0.20.0/24

                        Like I mentioned in the first post in this thread, this used to work. I think it was around 2 years ago, I could access my NAS via the File Explorer app on my iPhone while logged into my OpenVPN server over a remote connection. So I'm not sure exactly when it broke. Since then, there have been several iOS updates, FE app updates, DSM updates and OpenVPN updates. My pfSense configuration, for the most part, has not changed.

                        BTW, I disabled the allow ping rule on my WAN after getting spammed by ping bots...

                        • Gertjan @azdeltawye

                          @azdeltawye

                          Your NAS will send reply traffic to its gateway : 192.168.200.1
                          Or, its local network segment gateway is 192.168.125.1/24
                          Afaik, this can't work.

                          See it like this : traffic arrives from the "10.0.10.0/24 or 10.0.20.0/24" network and has to go to the 192.168.125.1/24 network to reach the NAS.
                          Only 192.168.200.0/24 is known to pfSense .... that's like the post office receiving a letter mentioning a road that doesn't exist in its city.

                          • azdeltawye @Gertjan

                            @Gertjan
                            I hear what you're saying but I don't think that is correct in this situation. I thought PfSense automatically adds VLAN subnets to its routing table when the VLANs are created. And since I have the 'allow all' rule on my VPN server interface, I can ping and access all my VLAN gateways, including the 200 VLAN gateway which is where the NAS lives, when I tunnel into my VPN server.

                            Anecdotally, I have a security camera NVR on my 175 VLAN (192.168.175.0/24) which I have no problem accessing when I tunnel into my VPN server from a remote location. No special entries in the routing table to allow this connection, it just works.

                            And like I mentioned before, this did actually work some years ago. I was able to access the NAS with the FE application from my iOS device over the VPN. Something changed, other than my pfSense configuration that is preventing access now...

                            • Gertjan @azdeltawye

                              @azdeltawye said in Having trouble accessing NAS through VPN server:

                              I thought PfSense automatically adds VLAN subnets

                              Where did VLANs come from ?
                              So you do have a 192.168.200.1/24 interface ? (LAN, or VLAN doesn't matter, as long as it is set up correctly).

                              VLANs need a setup on the pfSense side, and on the smart 'VLAN capable' switch side.

                              • azdeltawye @Gertjan

                                @Gertjan said in Having trouble accessing NAS through VPN server:

                                Where did VLANs come from ?

                                huh??
                                I configured them when I designed the network years ago... You can see the different interfaces of my network from the screenshot on post #16. Here is a summary of how the network segments are defined:

                                8e26d849-2d6d-405f-9e9b-a3257f1a5682-image.png

                                Yes, all the layer 2 switches and APs are capable of VLAN tagging...

                                So when I log into my VPN server with my iPhone from a remote location, I am able to ping random devices on every VLAN listed above in my network. However, I cannot ping the Synology NAS (192.168.200.4). But, I am able to ping my backup 'NAS' (192.168.200.5). My backup 'NAS' is just an old Asus RT-AC86 router with a Samba SSD plugged into the USB port. I cannot access either NAS from the File Explorer app on my iPhone.

                                Now when I am at home and my iPhone is on the 200 VLAN network, I can ping and access both NAS devices with the File Explorer app.

                                • Gertjan @azdeltawye

                                  @azdeltawye said in Having trouble accessing NAS through VPN server:

                                  huh??

                                  Don't worry. I thought you had a single pfSense LAN, 192.168.125.0/24 and a NAS using 192.168.200.4 on that LAN.
                                  That will fail of course.
                                  But solved now : you have more than one LAN ^^ Your NAS lives on the LAN called 'HOME' :

                                  481daab1-1e43-419d-9e7e-99026aea453d-image.png

                                  Check that :

                                  99b220ee-00af-42ab-b2bb-7db05055f0e4-image.png

                                  has been set to /24.

                                  Check that your OpenVPN interface firewall says :

                                  9752f332-864b-4fe2-978d-4be4171e900b-image.png

                                  Btw : You've two of them : 10.0.20.0/24 and 10.0.10.0/24.

                                  About :

                                  1aacbf53-f23b-47aa-829b-1c6cbb5d62f6-image.png

                                  I would presume that your iPad would have a 10.0.10.0/24 or 10.0.20.0/24 IP when connected to the VPN, not this 10.208.190.248 IP (where did that come from?)

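The reply-path reasoning from the posts above, as an added example that is not part of the thread: it uses Python's `ipaddress` module with the addresses the posters gave to show which way the NAS's replies go for each kind of peer. The names `reply_path`, `ROUTER_NETS`, `TUNNEL_NETS` and `SINGLE_LAN` are made up for illustration, and the peer addresses marked "constructed" are assumptions.

```python
import ipaddress

# Networks pfSense is attached to, as named in the posts above: LAN, the 175
# and 200 VLANs, and both OpenVPN tunnel networks (other VLANs omitted).
TUNNEL_NETS = [ipaddress.ip_network(n) for n in ("10.0.10.0/24", "10.0.20.0/24")]
ROUTER_NETS = [ipaddress.ip_network(n) for n in (
    "192.168.125.0/24", "192.168.175.0/24", "192.168.200.0/24")] + TUNNEL_NETS
# The single-LAN layout Gertjan first assumed (no 200 network on the router).
SINGLE_LAN = [ipaddress.ip_network("192.168.125.0/24")] + TUNNEL_NETS

def reply_path(host_cidr, gateway, peer, router_nets=ROUTER_NETS):
    """Classify how a host's reply to `peer` leaves its subnet: (verdict, why)."""
    host = ipaddress.ip_interface(host_cidr)
    gw = ipaddress.ip_address(gateway)
    peer = ipaddress.ip_address(peer)
    if peer in host.network:
        return "on-link", "sent straight to the peer, the router is not involved"
    if gw not in host.network:
        return "broken", f"gateway {gw} is outside {host.network}"
    if host.network not in router_nets:
        return "broken", f"router has no interface in {host.network}"
    for net in router_nets:
        if peer in net:
            return "routed", f"via {gw}; router is attached to {net}"
    return "default-route", f"via {gw}; router knows {peer} only by its default route"

if __name__ == "__main__":
    nas, gw = "192.168.200.4/24", "192.168.200.1"
    for label, peer, nets in [
        ("phone at home on the 200 VLAN (constructed address)", "192.168.200.50", ROUTER_NETS),
        ("VPN client (constructed tunnel address)", "10.0.10.2", ROUTER_NETS),
        ("address the phone displayed", "10.208.190.248", ROUTER_NETS),
        ("VPN client, single-LAN layout", "10.0.10.2", SINGLE_LAN),
    ]:
        print(f"{label}: {reply_path(nas, gw, peer, nets)}")
```

The model covers addressing only; it says nothing about firewall rules on pfSense or any filtering done by the NAS itself.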
                                  • azdeltawye @Gertjan

                                    @Gertjan
                                    Actually, the NASes live on the USER .200 network.
                                    7a8e6a4a-bd88-4746-b972-590669a71219-image.png
                                    Yes, it is a /24.

                                    dc59d4ee-7b17-45d3-adad-6b33724c9f4d-image.png
                                    4f971d77-9f42-4fa1-8a2d-ad35737c6473-image.png
                                    Yeah, I have the OpenVPN server subnets rule to allow all traffic.

                                    What advanced settings do you have in your VPN interface rule? I see a gear symbol next to the pass check mark. Is that something that may help?

                                    That private address assigned to my iPhone (10.208.190.248) is puzzling. It appears to be a Verizon thing. If I go to Starbucks and jump on their WiFi, or work, it shows the same address. Just for kicks, I put that IP in the VPN interface rule shown above but that had no effect. My iPad does not have any of that since it has no SIM card.

                                    • Gertjan @azdeltawye

                                      @azdeltawye said in Having trouble accessing NAS through VPN server:

                                      What advanced settings do you have in your VPN interface rule?

                                      Just the "Allow IP options" set :

                                      725c4fc0-313e-450b-86c5-e3df884e2000-image.png

                                      Probably not needed.

                                      Btw : my OpenVPN interface firewall rule set is empty :

                                      8104d901-73f3-4a8c-98d8-9e18c0621c08-image.png

                                      as I've created a "VPNS" for my OpenVPN server :

                                      c402e9c4-c11c-4bac-9f85-c0a7070d4b20-image.png

                                      so it has its own dedicated interface with rule set :

                                      9ba3fc32-ded8-4746-82c6-e93e22a2ef8c-image.png

                                      This is also most probably a way of doing things, and not important.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.