Netgate Discussion Forum

    Configuring VPN win7 clients with pfsense

OpenVPN
    61 Posts 5 Posters 19.4k Views
LeCygne

Hi… I could ping only Linux machines (from my house) but I couldn't see them (I mean: Start logo, Computer, Network; there is no device there at all, no printer, no server, etc., only my machine).

And (from my office) I could ping that machine on my network (my house) only from Linux machines.

And please take a look below:

From my house, the output of the route print command:

      
      Interface List
       25...00 ff 49 eb 71 95 ......TAP-Win32 Adapter V9
       23...00 ff a6 3a 86 34 ......Anchorfree HSS VPN Adapter
       10...00 1e 90 c6 30 64 ......VIA Rhine II Compatible Fast Ethernet Adapter
        1...........................Software Loopback Interface 1
       21...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
       26...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
       14...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #4
       11...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
       12...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #2
       13...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #3
       15...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #5
       24...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
       16...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter #6
       20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
      ===========================================================================
      
      IPv4 Route Table
      ===========================================================================
      Active Routes:
      Network Destination        Netmask          Gateway       Interface  Metric
                0.0.0.0          0.0.0.0     192.168.10.1     192.168.10.6     20
              127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
              127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
        127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
            192.168.1.0    255.255.255.0    192.168.200.5    192.168.200.6     30
           192.168.10.0    255.255.255.0         On-link      192.168.10.6    276
           192.168.10.6  255.255.255.255         On-link      192.168.10.6    276
         192.168.10.255  255.255.255.255         On-link      192.168.10.6    276
          192.168.200.1  255.255.255.255    192.168.200.5    192.168.200.6     30
          192.168.200.4  255.255.255.252         On-link     192.168.200.6    286
          192.168.200.6  255.255.255.255         On-link     192.168.200.6    286
          192.168.200.7  255.255.255.255         On-link     192.168.200.6    286
              224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
              224.0.0.0        240.0.0.0         On-link      192.168.10.6    276
              224.0.0.0        240.0.0.0         On-link     192.168.200.6    286
        255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        255.255.255.255  255.255.255.255         On-link      192.168.10.6    276
        255.255.255.255  255.255.255.255         On-link     192.168.200.6    286
      ===========================================================================
      Persistent Routes:
        None
      
      IPv6 Route Table
      ===========================================================================
      Active Routes:
       If Metric Network Destination      Gateway
       21     58 ::/0                     On-link
        1    306 ::1/128                  On-link
       21     58 2001::/32                On-link
       21    306 2001:0:9d38:6ab8:8:296d:3f57:f5f9/128
                                          On-link
       10    276 fe80::/64                On-link
       25    286 fe80::/64                On-link
       21    306 fe80::/64                On-link
       21    306 fe80::8:296d:3f57:f5f9/128
                                          On-link
       10    276 fe80::1c4a:a172:f43c:76d0/128
                                          On-link
       25    286 fe80::f4a3:af91:392b:4309/128
                                          On-link
        1    306 ff00::/8                 On-link
       21    306 ff00::/8                 On-link
       10    276 ff00::/8                 On-link
       25    286 ff00::/8                 On-link
      ===========================================================================
      Persistent Routes:
        None
      
      

The output of the tracert command (also from my house):

      
      Tracing route to RAAFAT-780 [192.168.1.30]
      over a maximum of 30 hops:
      
        1    54 ms    55 ms    54 ms  192.168.200.1
        2    56 ms    56 ms    54 ms  RAAFAT-780 [192.168.1.30]
      
      Trace complete.
      

Please note my machine (my house) could resolve the name of my (Linux) machine (my office), RAAFAT-780.

Finally, the log of OpenVPN:

      
      Fri Feb 22 15:07:05 2013 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul  1 2011
      Fri Feb 22 15:07:12 2013 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
      Fri Feb 22 15:07:12 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
      Fri Feb 22 15:07:12 2013 Control Channel Authentication: using 'pfsense-udp-1195-internal-ca-tls.key' as a OpenVPN static key file
      Fri Feb 22 15:07:12 2013 LZO compression initialized
      Fri Feb 22 15:07:12 2013 UDPv4 link local (bound): [undef]:1194
      Fri Feb 22 15:07:12 2013 UDPv4 link remote: 37.x.x.x:1195
      Fri Feb 22 15:07:12 2013 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
      Fri Feb 22 15:07:14 2013 [internal-ca] Peer Connection Initiated with 37.x.x.x:1195
      Fri Feb 22 15:07:16 2013 TAP-WIN32 device [Local Area Connection 4] opened: \\.\Global\{49EB7195-A813-4005-B4D6-943F98EA8734}.tap
      Fri Feb 22 15:07:16 2013 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.200.6/255.255.255.252 on interface {49EB7195-A813-4005-B4D6-943F98EA8734} [DHCP-serv: 192.168.200.5, lease-time: 31536000]
      Fri Feb 22 15:07:16 2013 Successful ARP Flush on interface [25] {49EB7195-A813-4005-B4D6-943F98EA8734}
      Fri Feb 22 15:07:21 2013 Initialization Sequence Completed
      
      

Thank you.

johnpoz (LAYER 8 Global Moderator)

"but I couldn't see them"

And when do you think Linux machines are going to show up in a Windows browse list? Are they running Samba and participating in that nonsense?

If you can ping 1 machine on your work network from your VPN client, then you have access to the network. Other machines not resolving or not answering ping is unlikely to have anything to do with the VPN connection. More like a firewall blocking it at the host, or maybe it's OFF? ;) As to resolving via host name only, you're not pointing at pfSense for DNS, so what does the IP you're pointing to for DNS run? Query it directly for the hosts you want resolved. Do they resolve?

If you want boxes to show up in the Windows browse list across segments then you're going to have to run WINS! And even if on the same network, it can take 45 minutes for a browse list to populate.

I would suggest you read up on how Windows browse lists work, and again they have NOTHING to do with network access, file sharing or name resolution. NOTHING! It's a BS little list that is not real time, is not very stable and does not work across network segments, etc. etc.

        https://www.microsoft.com/en-us/download/details.aspx?id=5590
        Windows Computer Browsing for SOHO Networks with Microsoft Windows

        https://www.microsoft.com/en-us/download/details.aspx?id=21205
        Troubleshooting Computer Browsing on SOHO Networks with Microsoft Windows

pfSense and OpenVPN have nothing to do with this, and you're not pointing to pfSense for name resolution for your VPN clients, so it has nothing to do with that.

You can ping a machine across your VPN connection, therefore your VPN is UP!! There is NO point to the browse list in the first place; use name resolution to resolve your computer names, be it DNS, WINS or broadcast (which is not going to work in your current setup). You don't know the names of the machines you need to access? Then what the hell are you accessing the network for in the first place?

But sure, if you want to get the browse list to work across segments then you're going to have to run WINS, and understand how it works. Good luck, it's a pointless endeavor ;)

If you wanted the network browse list to work, you would have to create a bridged VPN where your road warrior got an IP on your LAN, and then the browse list would work. But it would most likely take at minimum 15 minutes to start to show anything, upwards of 45 minutes. I would assume your box thinks it's the master browser for the segment it came up on, and for whatever your workgroup name is.

Why do you think you need or even want a browse list? Now what you can do is query your work network's browse master for a list.

So for example using browstat; I don't believe it will work on 7x64. You can do a browstat dumpnet and get your transports, one of which would be your VPN device, then you use that to query the browse list on your work network...

D:\Dropbox\tools>browstat dumpnet

List of transports currently bound to the browser

  1 \Device\NetBT_Tcpip_{46B7FF42-B5F2-44F2-9EAE-1F0BAF7B4932}
  2 \Device\NetBT_Tcpip_{791A8563-34BD-4681-A0F6-281494D295C8}

You can see which one it would be by MAC; I have highlighted the MAC portions.

Ethernet adapter ovpn:

   Connection-specific DNS Suffix  . : local.lan
   Description . . . . . . . . . . . : TAP-Win32 Adapter V9
   Physical Address. . . . . . . . . : 00-FF-79-1A-85-63

        D:\Dropbox\tools>browstat view 2 \storage
        Remoting NetServerEnum to \storage on transport \Device\NetBT_Tcpip_{791A8563-34BD-4681-A0F6-281494D295C8} with flags ffffffff
        4 entries returned.  4 total. 4094 milliseconds

        \I5-W7             NT   06.01 (W,S,PQ,NT)
        \KIM-PC            NT   06.01 (W,S,NT)
        \STORAGE           NT   06.01 (W,S,NT,SS,PBR,BBR,MBR)    My storage server
        \W7X64-VM          NT   06.01 (W,S,NT)

Those are the 4 boxes on my home network that are participating in the browse list. No, it's not listing my Linux boxes; they don't have Samba installed. No, it's not listing pfSense, etc. etc.

I know that \storage is my browse master, since I have set up my network that way. Not really a fan of the browse list; I just don't see the point of it. But there is always a way to skin the cat. Just not seeing why it matters if you can browse your remote network?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

LeCygne

But why can't I ping any Windows machine? (Only Linux machines.)

LeCygne

Also I can't ping my printers, only Linux machines.

johnpoz (LAYER 8 Global Moderator)

Do your printers have a gateway set? Most likely not would be my bet. The Windows 7 firewall by default blocks ping would be my bet as well. Kind of hard to answer a ping that is from a different network without a gateway.

If you can ping 1 box on your network, then clearly your VPN is up. What settings do you have on your Windows firewall? Can you ping your Windows 7 boxes from other machines on the local network? If so, check that their firewalls allow ping from networks other than the local one.


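The two checks the thread keeps coming back to are (1) does the client's routing table actually send traffic for the office LAN into the tunnel, and (2) can the target host route a reply back and does its host firewall accept an echo request from an off-subnet source. The script below is an added example, not code from the thread or from pfSense/OpenVPN: it parses a Windows `route print` IPv4 table (the sample is a constructed subset of the OP's own output), does the same longest-prefix lookup Windows performs, and models the return-path failure modes johnpoz describes. The host addresses and the simplified firewall scopes (`any`, `localsubnet`, `none`) for the office machines are my assumptions for illustration.

```python
"""Route-table lookup and return-path model for VPN ping troubleshooting.

Added example; not from the forum thread. ROUTE_PRINT is a constructed
subset of the OP's `route print` output; the office hosts at the bottom
are invented to illustrate the gateway / host-firewall reasoning.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: subset of the OP's IPv4 route table.
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1     192.168.10.6     20
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0    192.168.200.5    192.168.200.6     30
     192.168.10.0    255.255.255.0         On-link      192.168.10.6    276
    192.168.200.1  255.255.255.255    192.168.200.5    192.168.200.6     30
    192.168.200.4  255.255.255.252         On-link     192.168.200.6    286
        224.0.0.0        240.0.0.0         On-link      192.168.10.6    276
  255.255.255.255  255.255.255.255         On-link      192.168.10.6    276
===========================================================================
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One "Active Routes" row: destination, netmask, gateway|On-link, interface, metric.
ROUTE_LINE = re.compile(
    rf"^\s*({IPV4})\s+({IPV4})\s+(On-link|{IPV4})\s+({IPV4})\s+(\d+)\s*$"
)


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str      # "On-link" or the next-hop address
    interface: str    # address of the local interface the route uses
    metric: int


def parse_route_print(text: str) -> list[Route]:
    """Extract IPv4 route rows; headers, separators and IPv6 rows do not match."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append(Route(net, gw, iface, int(metric)))
    return routes


def lookup(routes: list[Route], dest: str) -> Optional[Route]:
    """Longest-prefix match, ties broken by lowest metric (Windows semantics)."""
    addr = ipaddress.IPv4Address(dest)
    hits = [r for r in routes if addr in r.network]
    if not hits:
        return None
    return min(hits, key=lambda r: (-r.network.prefixlen, r.metric))


def reply_reachable(host_ip: str, host_mask: str, host_gateway: Optional[str],
                    icmp_scope: str, probe_src: str) -> tuple[bool, str]:
    """Model whether a LAN host can answer an echo request from probe_src.

    icmp_scope is a simplified host-firewall scope (assumption for this
    example): 'any', 'localsubnet' (only same-subnet sources) or 'none'.
    """
    net = ipaddress.IPv4Network(f"{host_ip}/{host_mask}", strict=False)
    same_subnet = ipaddress.IPv4Address(probe_src) in net
    if icmp_scope == "none" or (icmp_scope == "localsubnet" and not same_subnet):
        return False, "host firewall drops echo request from that source"
    if not same_subnet and host_gateway is None:
        return False, "no default gateway: reply to off-subnet source is undeliverable"
    return True, "reply can be delivered"


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT)
    for dest in ("192.168.1.30", "192.168.200.1", "8.8.8.8"):
        r = lookup(table, dest)
        print(f"{dest:15} -> {r.network} via {r.gateway} on {r.interface}")
    # Constructed office hosts, pinged from the client's tunnel address.
    hosts = {
        "linux box": ("192.168.1.30", "255.255.255.0", "192.168.1.1", "any"),
        "printer":   ("192.168.1.40", "255.255.255.0", None, "any"),
        "win7 box":  ("192.168.1.50", "255.255.255.0", "192.168.1.1", "localsubnet"),
    }
    for name, args in hosts.items():
        ok, why = reply_reachable(*args, probe_src="192.168.200.6")
        print(f"{name:10} answers={ok} ({why})")
```

Run as a script it shows that only 192.168.1.0/24 is sent via the tunnel gateway 192.168.200.5 (8.8.8.8 still leaves through the home router, so this is a split tunnel), and that the printer with no gateway and the Windows box whose ICMP rule is scoped to the local subnet both fail to answer even though the tunnel itself is fine.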
LeCygne

@johnpoz:

Do your printers have a gateway set? Most likely not would be my bet. The Windows 7 firewall by default blocks ping would be my bet as well. Kind of hard to answer a ping that is from a different network without a gateway.

If you can ping 1 box on your network, then clearly your VPN is up. What settings do you have on your Windows firewall? Can you ping your Windows 7 boxes from other machines on the local network? If so, check that their firewalls allow ping from networks other than the local one.

Look, my machine's firewall is disabled, but there is a Kaspersky program.

Yes, I can ping Windows machines from other machines.

johnpoz (LAYER 8 Global Moderator)

Well, check it for a firewall. What part do you not understand that your tunnel is up? Why would pfSense allow traffic from Linux boxes but not Windows boxes?

So if you can ping 1 box inside your network, and others don't respond, then it's something on those machines.


LeCygne

@johnpoz:

Well, check it for a firewall. What part do you not understand that your tunnel is up? Why would pfSense allow traffic from Linux boxes but not Windows boxes?

So if you can ping 1 box inside your network, and others don't respond, then it's something on those machines.

Yes, I know my VPN is up, but how can I solve that problem with Windows machines?

Until now nothing has changed with the Windows machines.

Also I disabled the Windows firewall, but still no luck.

johnpoz (LAYER 8 Global Moderator)

Set their firewalls to allow whatever traffic you want to use from your tunnel network.

Disable whatever firewall you're running on those boxes.


LeCygne

@johnpoz:

Set their firewalls to allow whatever traffic you want to use from your tunnel network.

Disable whatever firewall you're running on those boxes.

I will remove Kaspersky… is that helpful?

johnpoz (LAYER 8 Global Moderator)

I don't know. Is it? Is that what is firewalling your traffic?

I am not sure why the thread is still open. You have verified your tunnel is working. So now your issue is with clients; that has nothing to do with pfSense.


LeCygne

@johnpoz:

I don't know. Is it? Is that what is firewalling your traffic?

I am not sure why the thread is still open. You have verified your tunnel is working. So now your issue is with clients; that has nothing to do with pfSense.

Look man, this is the last step of my story… don't tell me to close this thread, right? I'm still looking for a solution to my problem; your solution is not complete...

Thank you.

johnpoz (LAYER 8 Global Moderator)

I cannot help you without info!! Did you uninstall your firewall software on the client? Did you configure said software to allow the traffic you want to allow (ICMP, file sharing) from IPs other than your local network?

Do these clients use pfSense as their gateway?

You clearly have a working VPN tunnel if you can access Linux boxes behind your pfSense. So my point is this is no longer a VPN issue but a client configuration issue. This board is more for helping users with pfSense related issues; your issue is client related.

While I don't mind helping you, there's not much I can do further. Do I need to step you through verifying that the packets are getting to your client by sniffing the traffic?

Tell you what: if you provide me VPN access to your network and a login to the pfSense box, and then out-of-band access to a Windows client, I will fix the problem for you. TeamViewer works nicely as an out-of-band solution. I will document what the issue was and show you the fix, etc. That would be much faster than us going round and round in this thread, not getting anywhere. If there is some other issue at play, I should be able to identify the problem within a few minutes.

But since you can access Linux based boxes on that side of the tunnel, it really, really points to a problem on the client box on your pfSense side of the network.


LeCygne

@johnpoz:

Set their firewalls to allow whatever traffic you want to use from your tunnel network.

Disable whatever firewall you're running on those boxes.

That's the end of my story.

johnpoz (LAYER 8 Global Moderator)

So you're fully working and functional now, even to your Windows boxes, which I take it were running firewalls blocking the traffic you wanted to allow.

So did you get your browse list working, or live without that MS nonsense ;)


LeCygne

@johnpoz:

So you're fully working and functional now, even to your Windows boxes, which I take it were running firewalls blocking the traffic you wanted to allow.

So did you get your browse list working, or live without that MS nonsense ;)

As you said (without that MS nonsense)… thank you man, you're a hero.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.