Vista client: can ping, can connect web admin, but can't access SMB shares
I managed on a V2.0.1 pfSense to enable OpenVPN server by going through the wizard. I can ping my local network (e.g. 192.168.0.100) and also connect remotely to the pfSense Admin Interface - but there is no way to e.g. access network shares on my SMB server under 192.168.0.100 (connection timeout). I tried up and down with local routing, playing around with the NetBIOS settings on server side, with client DNS and without but nothing led to success.
My server settings are:
<openvpn>
  <openvpn-server>
    <vpnid>1</vpnid>
    <mode>server_tls_user</mode>
    <authmode>Local Database</authmode>
    <protocol>UDP</protocol>
    <dev_mode>tun</dev_mode>
    <ipaddr></ipaddr>
    <interface>wan</interface>
    <local_port>1194</local_port>
    <custom_options>
      <tls>XXXXXXXX</tls>
      <caref>XXXXXXXXX</caref>
      <certref>XXXXXXXXXX</certref>
      <dh_length>1024</dh_length>
      <cert_depth>1</cert_depth>
      <crypto>AES-128-CBC</crypto>
      <engine>none</engine>
      <tunnel_network>192.168.200.0/24</tunnel_network>
      <remote_network>
        <local_network>192.168.0.0/24</local_network>
        <maxclients>3</maxclients>
        <compression>yes</compression>
        <passtos></passtos>
        <dynamic_ip>yes</dynamic_ip>
        <pool_enable>yes</pool_enable>
        <netbios_enable>yes</netbios_enable>
        <netbios_ntype>0</netbios_ntype>
      </remote_network>
    </custom_options>
  </openvpn-server>
</openvpn>
I also tried several OpenVPN clients on my Vista notebook, whereas finally V2.3-alpha remains. No matter, with all of them I managed to connect to my pfSense (started as Administrator), ping the local network, access pfSense Admin etc., but have no access to shared drives.
My client settings:
dev tun
persist-tun
persist-key
proto udp
cipher AES-128-CBC
tls-client
client
route-method exe
route-delay 2
remote some.domain 1194
tls-remote The server
auth-user-pass
pkcs12 myvpn-udp-1194.p12
tls-auth myvpn-udp-1194-tls.key 1
comp-lzo
What is my mistake?
Many thanks in advance for any hint.
STUPID ME!! ::)
One desperate smoke later I remembered having whitelisted my file server for connections from the 192.168.0.0 subnet only.
Unless any of you guys could advise me how to mask incoming connections from 192.168.200.6 (client IP) to the 192.168.0.0 subnet, my problem is solved once I can physically get hold of the file server to extend the whitelist…
You might be able to NAT the subnet to the other subnet, although I'd suggest changing the whitelist.
You're going to have to allow access from the real subnet. With most services you can NAT and get away with it, but NAT of any type breaks SMB.
Thanks for answering guys.
The issue is that the whitelist is stored on the fileserver and I need to get hold of it physically to make a change. As this will take another week and I desperately need some files, I would like to get temporary remote access to change the whitelist.
When NATing from OpenVPN to the LAN subnet, the fileserver obviously recognizes that the request comes from a NOT LAN subnet address and therefore, due to the whitelist rule, denies access. That's why my final question is whether it is possible to use pfSense to mask my OpenVPN client address to a LAN address to mock the fileserver.
Thanks & regards
Finally I found an answer for my issue in the following article, which explains how to set up OpenVPN in bridged mode:
Unfortunately it is not possible to do that remotely as the new configuration kicks off my current client connection. But that's a different issue.