SAMBA over OpenVPN working partially
-
I'm on Win7 and the SAMBA hosts are just plain ol' Windows 7 computers with Shares.
OpenVPN settings are default, how do I dump them in plain text for an easy view instead of pasting the whole WebGUI config as an image?
Firewall rules are default too
WAN says
PASS | IPv4 UDP | * | * | WAN address | 1194 (OpenVPN) | * | none | (empty schedule) | OpenVPN FromWAN wizard
LAN has no rules that affect that (is mostly plain)
And in NAT Outbound I have disabled the default rules
WAN | 192.34.34.0/24 | * | * | 500 | WAN address | * | YES | Auto created rule for ISAKMP - LAN to WAN
WAN | 192.34.34.0/24 | * | * | * | WAN address | * | YES | Auto created rule for ISAKMP - LAN to WAN
WAN | 10.0.0.0/24 | * | * | 500 | WAN address | * | YES | Auto created rule for ISAKMP - OpenVPN server to WAN
WAN | 10.0.0.0/24 | * | * | * | WAN address | * | YES | Auto created rule for ISAKMP - OpenVPN server to WAN
The same rules are enabled for 127.0.0.0/8 and 192.168.1.0/24 (OPT1, WIFI-DMZ)
-
Have you disabled the Windows Firewall before testing?
-
Firewall rules are default too
WAN says
What does OpenVPN say - on both sides.
-
Windows Firewalls are all disabled.
Derelict and divsys. Please direct me to a "how to" on how to dump what you want. I'm new to pfsense and freebsd. I have made extreme efforts to deal with some stuff but it will take me another light year to get what you are asking for. OpenVPN on the client side easily shows the log, but how do I pick up the log on the server side?
How do I dump the OpenVPN config to show it to you?
Thanks for following up.
(PS: Please remember the same OpenVPN config works on Android)
-
The easiest way for me to post anything from a pfSense configuration (Server or Client) is to bring it up in my browser and then take a screenshot, save the shot to a file and attach the file to your message (Click on "Attachments and other options" at the bottom of the "Post reply" screen).
That way we can see what you see when you work through pfSense and /or the logs.
My instincts still say this is probably a Windows and not a pfSense problem.
Usually by the time I can ping and/or VNC, SSH across the tunnel, I can ignore the OpenVPN setup as operational and troubleshoot the various devices in the setup.
For me OpenVPN mostly just works with little fanfare. Eg.
-
This is the client text on OpenVPN
Mon Jun 01 13:33:54 2015 OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Mar 19 2015
Mon Jun 01 13:33:54 2015 library versions: OpenSSL 1.0.1m 19 Mar 2015, LZO 2.08
Mon Jun 01 13:34:02 2015 Control Channel Authentication: using '<mykey>' as a OpenVPN static key file
Mon Jun 01 13:34:02 2015 UDPv4 link local (bound): [undef]
Mon Jun 01 13:34:02 2015 UDPv4 link remote: [AF_INET]<myserverip>:1194
Mon Jun 01 13:34:02 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jun 01 13:34:05 2015 [<mycertificate>] Peer Connection Initiated with [AF_INET]<myserverip>:1194
Mon Jun 01 13:34:07 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Jun 01 13:34:07 2015 open_tun, tt->ipv6=0
Mon Jun 01 13:34:07 2015 TAP-WIN32 device [Local Area Connection 2] opened: \.\Global{92CE4D7B-0919-4F17-A03C-A81F063F41FC}.tap
Mon Jun 01 13:34:07 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.0.6/255.255.255.252 on interface {92CE4D7B-0919-4F17-A03C-A81F063F41FC} [DHCP-serv: 10.0.0.5, lease-time: 31536000]
Mon Jun 01 13:34:07 2015 Successful ARP Flush on interface [26] {92CE4D7B-0919-4F17-A03C-A81F063F41FC}
Mon Jun 01 13:34:12 2015 Initialization Sequence Completed
Attached is the OpenVPN config.
-
That looks like what I'd expect to see in general.
You blacked out the "IPv4 Local Networks" entry, normally this should be the internal LAN subnet. What are you using for your LAN Addresses?
As long as this is in the private address range (it'd better be!) it's internal to your network and no one can access it, there's no need to black out that info.
What do you have under Firewall->Rules for WAN, LAN, and OpenVPN?
-
LAN is 192.34.34.0/24
Rules:
No floating rules
WAN:
BLOCK Block private networks
BLOCK Block bogon networks
PASS IPv4 UDP * * WAN address <port_number> * none <empty> OpenVPN FromWAN wizard
LAN:
PASS * * * LAN Address 443 80 * * <empty> Anti-Lockout Rule
BLOCK IPv4+6 * * * WIFI net * * none <empty> Block LAN to WIFI
BLOCK IPv4 * Server * This Firewall * * none <empty> Block Server to Internet
PASS IPv4 * LAN net * * * * none <empty> Default allow LAN to any rule
WIFI (OPT1):
BLOCK IPv4+6 * * * LAN net * * none <empty>
PASS IPv4+6 * WIFI net * * * * none <empty>
OpenVPN:
PASS IPv4 * * * * * * none <empty> OpenVPN FromWAN wizard
NAT:
WAN 127.0.0.0/8 * * 500 WAN address * YES Autocreated rule for ISAKMP - localhost to WAN
WAN 127.0.0.0/8 * * * WAN address * NO Autocreated rule - localhost to WAN
WAN 192.168.2.0/24 * * 500 WAN address * YES Autocreated rule for ISAKMP - OPT1 to WAN
WAN 192.168.2.0/24 * * * WAN address * NO Autocreated rule - OPT1 to WAN
LAN 10.0.0.0/24 * * * LAN address * NO
I guess that's about it.
It was OK when I did VPN with Kerio VPN (and a Kerio Control instead of pfSense)
-
Ok, a couple of things:
LAN is 192.34.34.0/24
Really? Your LAN address is assigned as a public address for "Converged Technology Group Inc." Do you work for them?
If not (and even if so) DO NOT USE A PUBLIC ADDRESS FOR YOUR INTERNAL LAN. This won't end well, just ask around.
Most of your rules seem reasonable except for the ones that are (I hope) mistyped:
BLOCK IPv4 * Server * This Firewall * * none <empty> Block Server to Internet
"Block IPv4 protocol from any address to the port alias "Server" destined for any address with a port alias "This Firewall" any gateway any queue no schedule"
I'm guessing this is meant to block traffic from some server on your LAN to the WAN, but what you wrote doesn't do that.
Can you just post the applicable screen shots and save us all the grief of dealing with typos?
The other thing that looks odd is the NAT line for LAN to 10.0.0.0/24. Are you trying to forward OpenVPN traffic to LAN? You shouldn't, that's not needed for a properly configured OpenVPN setup.
Again, without a proper post of all the rules, it's pretty hard to tell.
PS. Your previous screenshots worked just fine, I suggest you repeat that method for the WAN/LAN/WIFI/OpenVPN and NAT rules.
-
Yes. The LAN is a legacy address. I'll change that.
The server to wan blocking rule is intentional and wasn't there before.
Even without that rule the samba does not work. It wasn't there when I started the thread.
The NAT line for 10.0.0.0/24 is a question from another post
My SIP does not work from OpenVPN if that rule is not there.
A change in the local address space to 10.34.34.0/24 instead of 192 would be correct?
-
Well thanks for the help.
Changing the local IP address to 10.x.x.x made it work for the remote computer to get to the sambas behind the firewall through OpenVPN.
Strange was that Android could. It seems it changes how each host resolves, and it seems that my home Windows host was resolving on its own to the real 192.34.34.x, while when I had Kerio the route was forced otherwise.
The SIP still does not work without a NAT rule though.
-
Glad you got it going.
10.34.34.0/24 is a great choice for the subnet.
I was going to wait till a little later to mention that 10.0.0.0/24 is technically correct for a tunnel subnet, but by best practices it's considered a poor choice.
192.168.0.0/24,192.168.1.0/24 and 10.0.0.0/24 are often "default" subnets that get (over)used and can lead to hidden problems later on (or now).
It helps to isolate out your problems using unique subnets, something like 10.43.0.0/24 for the OpenVPN tunnel would be a better choice.
I understand about stepping into "legacy" setups and trying to pick up the pieces.
When people ask questions on the Forum we invariably "ask for better/more information" not because we're trying to be picky or aggravating, but because we know that many (most) of the scenarios presented can be solved quite quickly with the right information.
It means that when you ask questions, you need to be prepared with a thick enough skin to handle the answer ;)
As to the SIP issue, start another thread and we can handle that - but I bet one of the first responses will be for a screen shot of your firewall/NAT rules :)
-
I can (and will) change the OpenVPN address following your recommendation. But what is so bad about 10.0.0.0?
-
10.0.0.0/24 is the first subnet and common to use. Same with 192.168.0 and 192.168.1; they are the most common ones used. What does every SOHO router default to for its LAN? What does pfSense, for example, default to for its LAN?
Using the common networks can lead to issues when you're trying to VPN from a network that has the same local network that you're trying to VPN to.
If you're 10.0.0.0/24 on your VPN server side and you happen to be in a location that uses 10.0.0.0/8, it's kind of hard to route down the VPN when your interface is locally in that network.
I rarely ever had any problems since I mostly just VPN in from work to home; my main LAN was 192.168.1.0/24 – but on the wifi network they were using this, so I changed my home LAN to be 192.168.9.0/24, which is less commonly used. So I have .2 and .3 and .4 and .5 along with my .9 segment; you don't see .2 and above all that often in the 192.168 space.
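An added illustration (not from anyone in this thread) of the two address-planning points raised above: the public 192.34.34.0/24 LAN flagged earlier, and the collision between an overused default tunnel subnet and the network a client happens to be sitting in. It uses only Python's standard `ipaddress` module; the subnets are the ones quoted in the thread plus a hypothetical visitor network of 10.0.0.0/8.

```python
import ipaddress

# Defaults shipped by many SOHO routers and by pfSense itself; picking one of
# these for a LAN or tunnel invites a clash when connecting from elsewhere.
OVERUSED_SUBNETS = [
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
]


def check_subnet(cidr):
    """Return the address-planning problems with using `cidr` for a LAN or tunnel."""
    net = ipaddress.ip_network(cidr, strict=False)
    problems = []
    if not net.is_private:
        # e.g. 192.34.34.0/24: routable space registered to someone else
        problems.append("public address space, not RFC 1918")
    for common in OVERUSED_SUBNETS:
        if net.overlaps(common):
            problems.append(f"overlaps overused default {common}")
    return problems


def shadowed_routes(client_local, tunnel, remote_lan):
    """Names of VPN destinations that overlap the client's own local network.

    When the local subnet and a VPN destination share addresses, the two routes
    compete for them; depending on prefix lengths either the local hosts or the
    remote ones become unreachable, so any overlap here is a planning error.
    """
    local = ipaddress.ip_network(client_local, strict=False)
    shadowed = []
    for name, cidr in (("tunnel", tunnel), ("remote_lan", remote_lan)):
        if local.overlaps(ipaddress.ip_network(cidr, strict=False)):
            shadowed.append(name)
    return shadowed


if __name__ == "__main__":
    # Subnets quoted in the thread, plus a hypothetical visitor network (10.0.0.0/8)
    for cidr in ("192.34.34.0/24", "10.0.0.0/24", "10.34.34.0/24", "10.43.0.0/24"):
        print(cidr, check_subnet(cidr) or ["ok"])
    print("from 10.0.0.0/8:", shadowed_routes("10.0.0.0/8", "10.0.0.0/24", "10.34.34.0/24"))
    print("from 192.168.1.0/24:", shadowed_routes("192.168.1.0/24", "10.43.0.0/24", "10.34.34.0/24"))
```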
-
Understood!!!
THANKS!