Netgate Discussion Forum

Cannot get to shared folders

  • D
    dalicollins
    last edited by dalicollins Feb 8, 2023, 11:33 PM Feb 8, 2023, 11:29 PM

    I have been fighting with this for 2 days now. I am just not familiar enough with VPN setups. Using pfSense Plus. Please help.
    The goal is to use a remote Windows VPN Client to get to shared folders on a Windows server in the local subnet on pfSense.
    The server with the shared folders is at 192.168.100.26. I can get to these folders from any other computer on the same subnet.
    I set up an IPsec VPN following the Netgate tutorial. I can connect ok to the VPN on the remote computer, but I do not know how to get to the shared folders.
    So to simplify, I just need to get to these shared folders from a remote computer connecting via a Windows VPN client.

    • S
      SteveITS Galactic Empire @dalicollins
      last edited by SteveITS Feb 9, 2023, 5:20 PM Feb 9, 2023, 1:46 AM

      @dalicollins Browse to \\192.168.100.26\share [edited because the forum escapes two slashes]

      Did you set firewall rules?
      https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-mobile-ikev2-eap-mschapv2.html#firewall-rules

      Ensure the file server firewall is not blocking connections from outside its subnet.

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

      • D
        dalicollins
        last edited by Feb 9, 2023, 4:12 PM

        Thanks for your reply. This forum does not allow me to send pics of my settings, but I did follow the link you posted as best I could. I am sure this is a rules issue.

        • V
          viragomann @dalicollins
          last edited by Feb 9, 2023, 4:19 PM

          @dalicollins
          I suspect that the server blocks access from outside of its subnet.
          You might have to configure its firewall properly to allow this access.

          Allowing access from inside its own subnet, but blocking outside access is the default behavior of the Windows firewall.

          • D
            dalicollins
            last edited by Feb 9, 2023, 4:33 PM

            Let me try the images again. Maybe this will work in Chrome.
            VPN5.jpg
            VPN4.jpg
            VPN3.jpg
            VPN2.jpg
            VPN1.jpg

            • S
              SteveITS Galactic Empire @dalicollins
              last edited by Feb 9, 2023, 4:52 PM

              @dalicollins The IPsec rule is matching traffic (1 KiB). Did you look at the Windows Server Firewall?

              • V
                viragomann @dalicollins
                last edited by Feb 9, 2023, 4:53 PM

                @dalicollins
                There is no need to pass GRE or ESP packets to the server if you run the IPSec server on pfSense itself.

                Also, the rule on LAN might be useless, as I don't think that your server needs to access something included in the VPN port alias.
                And stating a source port is wrong in most cases.

                • D
                  dalicollins @viragomann
                  last edited by dalicollins Feb 9, 2023, 5:04 PM Feb 9, 2023, 5:00 PM

                  @viragomann
                  I disabled the ESP, GRE, and LAN rule. I can still connect, but not sure how to get access to the shares on IP 192.168.100.26. On another computer on the same subnet within pfSense, if I use \192.168.100.26, I have full access to the shared folders. What URL would I use on the remote computer? If I use \10.3.3.1, which is the IP of the remote VPN, it opens, but nothing is there.

                  • V
                    viragomann @dalicollins
                    last edited by viragomann Feb 9, 2023, 5:24 PM Feb 9, 2023, 5:13 PM

                    @dalicollins
                    There are no WAN rules necessary for accessing the server. You only need to allow IPSec to pfSense WAN address there. But this is obviously working already.

                    For passing traffic from the vpn client to the server the rules on the IPSec tab are relevant.

                    Use \\<IP>\<share> to access it. Same as from local devices.

                    Did you state the local subnet or at least the server's IP in the IPSec settings?

                    Did you already configure the server's firewall? Or disable it for testing.

                    • S
                      SteveITS Galactic Empire @dalicollins
                      last edited by Feb 9, 2023, 5:19 PM

                      @dalicollins I see the forum is escaping the double slash but to be clear it is

                      slash-slash-servername_or_ip

                      (as I noted above ;) )

                      If you've allowed IPv4 * you should also be able to ping the server, if you've allowed ICMP from the remote IP on the server's firewall

                      • D
                        dalicollins @viragomann
                        last edited by dalicollins Feb 9, 2023, 5:23 PM Feb 9, 2023, 5:20 PM

                        @viragomann
                        The Windows server firewall is disabled. You can see in the above pic the IPsec Rules. Is that correct? Using \192.168.100.26 returns 'Windows cannot access \192.168.100.26'.
                        Pinging that IP shows 'Request timed out'.
                        I greatly appreciate the help. Thank you.

                        • V
                          viragomann @SteveITS
                          last edited by Feb 9, 2023, 5:25 PM

                          @steveits
                          Nice. Need to double each backslash.

                          • D
                            dalicollins @viragomann
                            last edited by Feb 9, 2023, 5:26 PM

                            @viragomann
                            I do double the backslash. The forum removes one in the post.

                            • V
                              viragomann @dalicollins
                              last edited by Feb 9, 2023, 5:28 PM

                              @dalicollins
                              I meant, I need to write them double to get one.

                              • V
                                viragomann @dalicollins
                                last edited by Feb 9, 2023, 5:31 PM

                                @dalicollins
                                I forgot to ask one essential question: is pfSense the default gateway on the file server?

                                • D
                                  dalicollins @viragomann
                                  last edited by Feb 9, 2023, 5:32 PM

                                  @viragomann
                                  Lol. I think I am really close. Probably just missing a rule. Is the IPsec rule I show above correct?

                                  • V
                                    viragomann @dalicollins
                                    last edited by Feb 9, 2023, 5:34 PM

                                    @dalicollins said in Cannot get to shared folders:

                                    @viragomann
                                    lol. I think I am really close. probably just missing a rule. Is the IPsec rule I show above correct?

                                    Yes, it allows any protocol to the server. So access to the file share should be allowed.

                                    You can restrict it later if you want.

                                    • D
                                      dalicollins @viragomann
                                      last edited by dalicollins Feb 9, 2023, 5:37 PM Feb 9, 2023, 5:35 PM

                                      @viragomann
                                      Yes, there is only one default gateway and everything on pfSense uses it. All other functions of pfSense work great. But you brought up an interesting question. The server has two NICs, each connected to a different pfSense firewall. But the other computers on the same firewall can get to the shared folders.

                                      • S
                                        SteveITS Galactic Empire @dalicollins
                                        last edited by Feb 9, 2023, 5:36 PM

                                        @dalicollins Your IPsec rule allows all traffic and is matching packets so should be fine.

                                        [slash-slash-slash-text seems to work fine. It shows in the preview to the right while typing. ]

                                        • V
                                          viragomann @dalicollins
                                          last edited by Feb 9, 2023, 5:40 PM

                                          @dalicollins said in Cannot get to shared folders:

                                          Yes there is only one default gateway and everything on pfsense uses it.

                                          The question was if the server uses the pfSense running the IPSec server as default gateway.

                                          Run

                                          route print
                                          

                                          on the command line to show the default route.

                                          D 1 Reply Last reply Feb 9, 2023, 5:43 PM Reply Quote 0
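
One way to read the `route print` output for the default-gateway question asked above, as an added example that is not part of the original thread: it parses the IPv4 table and reports which gateway the server would use to answer a VPN client. The two gateway addresses (192.168.100.1 for the pfSense running IPsec, 192.168.200.1 for the other firewall), the second NIC's subnet and the metrics are assumptions.

```python
import ipaddress
import re

# Constructed sample of the IPv4 table from `route print` on a dual-homed server.
# Only 192.168.100.26 and 10.3.3.1 appear in the thread; both gateways, the
# second NIC's subnet and all metrics are assumptions made for illustration.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.200.1   192.168.200.26     25
          0.0.0.0          0.0.0.0    192.168.100.1   192.168.100.26     35
    192.168.100.0    255.255.255.0         On-link    192.168.100.26    291
    192.168.200.0    255.255.255.0         On-link    192.168.200.26    281
"""

ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)"
                 r"\s+(\d+(?:\.\d+){3})\s+(\d+)\s*$")

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each active IPv4 route."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, gw, iface, int(metric)))
    return routes

def reply_route(routes, peer):
    """Pick the route used to answer `peer`: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(peer)
    candidates = [r for r in routes if addr in r[0]]
    return min(candidates, key=lambda r: (-r[0].prefixlen, r[3]), default=None)

def check_return_path(text, peer, ipsec_gateway):
    """Say whether replies to `peer` go back through the IPsec firewall."""
    route = reply_route(parse_routes(text), peer)
    if route is None:
        return "no route"
    _, gw, iface, _ = route
    if gw == "On-link":
        return "on-link"
    if gw == ipsec_gateway:
        return "ok"
    return f"asymmetric: replies to {peer} leave via {gw} on {iface}"

if __name__ == "__main__":
    print(check_return_path(SAMPLE_ROUTE_PRINT, "10.3.3.1", "192.168.100.1"))
```

With this constructed table, a peer on the server's own subnet is answered on-link, while the reply to 10.3.3.1 follows the lower-metric default route out of the other NIC.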