Netgate Discussion Forum
    IPSec, mobile client, windows file sharing WITH local firewall [Success]

    IPsec
    • franken

      Hi,

      Had some big problems with the mobile VPN and Windows file sharing to a local LAN computer. The ping didn't work, and the file sharing didn't work either. F*CK! However, I could ping the mobile client's IPsec IP from the LAN, but not vice-versa. I could though connect to remote desktop from the mobile client to the LAN client.

      Okay, this is my setup and this is how I solved it with the local firewall on. You will learn some "netsh"-Windows-command-prompt-hacking too. :)

      For how to set up the IPsec tunnel there are several guides helping you. They work!  ;D

      I have a mobile client behind a NAT, the IPsec IP is 172.16.1.1/24.
      On my LAN the IP network is 192.168.100.0/24, the LAN PC is 192.168.100.99.
      I can ping from 192.168.100.99 => 172.16.1.1 but not vice-versa.
      I can connect to an SMB share from 192.168.100.99 => 172.16.1.1 but not vice-versa.
      I can connect to remote desktop from both sides…

      The problem is the Windows firewall, which even in "private" mode does not permit ping or SMB access from other than the subnet it is on. A solution is of course to turn off the Windows firewall on the local PC, but I believe that is bad and a local firewall is the best thing you could have. Remember, a lot of employees bring their USB 3G modems.

      netsh is a very good command to change your firewall rules if you don't have a Windows server and Active Directory to manage your computers. I have not yet made a script for this, to remotely edit this from one PC. This is not hard though, and I hope to complete this mini-guide/mini-howto with that in the future.

      On the LAN PC, hit the "Windows" button (between Ctrl and Alt), write netsh. DON'T hit Enter, right-click and "Run as Administrator"!!
      Then in the terminal window write "advfirewall firewall" and hit Enter. Now right-click the window title bar and open Properties; make sure "QuickEdit Mode" is checked.

      Just copy the following lines one by one, and paste (you paste in cmd with left mouse button):
      set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" dir=in profile=private new RemoteIp=any
      set rule name="File and Printer Sharing (LLMNR-UDP-In)" dir=in profile=private new RemoteIp=any
      set rule name="File and Printer Sharing (NB-Datagram-In)" dir=in profile=private new RemoteIp=any
      set rule name="File and Printer Sharing (NB-Name-In)" dir=in profile=private new RemoteIp=any
      set rule name="File and Printer Sharing (NB-Session-In)" dir=in profile=private new RemoteIp=any
      set rule name="File and Printer Sharing (SMB-In)" dir=in profile=private new RemoteIp=any
      set rule name="File and Printer Sharing (Spooler Service - RPC)" dir=in profile=private new RemoteIp=any
      set rule name="File and Printer Sharing (Spooler Service - RPC-EPMAP)" dir=in profile=private new RemoteIp=any

      If you like to tighten up your security a bit you could create new rules for the subnet you are using as the IPsec network.
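      As an added example (not part of the original post), this PowerShell script applies the tightening suggested above: it updates the same eight built-in rules, but scopes RemoteIp to the LAN subnet plus the IPsec mobile-client subnet instead of "any", then shows the resulting scope for each rule. It assumes the subnets from the post (192.168.100.0/24 and 172.16.1.0/24), an elevated PowerShell prompt, and an English-language Windows (the rule names and the "RemoteIP:" label in netsh output are localized).

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Scope the "File and Printer Sharing" inbound rules (Private profile) to the LAN
# and the IPsec client subnet, so SMB/ICMP stay closed to any other network the
# PC might be attached to (e.g. via a USB 3G modem).
$LanSubnet     = '192.168.100.0/24'   # LAN network from the post
$IpsecSubnet   = '172.16.1.0/24'      # IPsec mobile-client network from the post
$AllowedRemote = "$LanSubnet,$IpsecSubnet"

# Same built-in rule names as the post (English Windows).
$RuleNames = @(
    'File and Printer Sharing (Echo Request - ICMPv4-In)',
    'File and Printer Sharing (LLMNR-UDP-In)',
    'File and Printer Sharing (NB-Datagram-In)',
    'File and Printer Sharing (NB-Name-In)',
    'File and Printer Sharing (NB-Session-In)',
    'File and Printer Sharing (SMB-In)',
    'File and Printer Sharing (Spooler Service - RPC)',
    'File and Printer Sharing (Spooler Service - RPC-EPMAP)'
)

foreach ($name in $RuleNames) {
    # Same netsh syntax as in the post, but with a scoped remoteip instead of "any".
    netsh advfirewall firewall set rule name="$name" dir=in profile=private new remoteip="$AllowedRemote" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Failed to update rule: $name"
    }
}

# Verify: print rule name, profile and the RemoteIP scope now in force.
foreach ($name in $RuleNames) {
    netsh advfirewall firewall show rule name="$name" profile=private |
        Select-String '^(Rule Name|Profiles|RemoteIP):' |
        ForEach-Object { $_.Line.Trim() }
    ''
}
```

      If the verification step still prints "RemoteIP: Any" for a rule, the set command did not match it (check the rule name and profile with "netsh advfirewall firewall show rule name=all profile=private").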

      Good luck and God save the spelling errors  :)

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.