Can ping LAN hosts from VPN client, but cannot SMB browse?
-
I followed this guide to set up OpenVPN. Now, I can connect from the client and can ping our DNS servers and various LAN hosts. However, I cannot resolve hosts by DNS name, and I cannot access them via Windows Network share (\server\share).
I noticed the OpenVPN adapter does not assign a default gateway. Am I doing something wrong?
-
Well from that guide, your not handing out any dns - so how would your vpn clients be able to resolve anything?
And you have netbios mode set to none - so not going to broadcast, if for example you were in bridge mode? And you have netbios not even enabled.
So for example I am currently connected to my home network via openvpn roadwarrior setup. and I can resolve my fqdn of my hosts.
And know you wouldn't have default gateway on the vpn interface - here is mine
Ethernet adapter ovpn:
Connection-specific DNS Suffix . : local.lan
Description . . . . . . . . . . . : TAP-Win32 Adapter V9
Physical Address. . . . . . . . . : 00-FF-79-1A-85-63
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.0.200.6
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 10.0.200.5
DNS Servers . . . . . . . . . . . : 192.168.1.253
Lease Obtained. . . . . . . . . . : Tuesday, July 17, 2012 1:56:01 PM
Lease Expires . . . . . . . . . . : Wednesday, July 17, 2013 1:56:01 PMD:>ping i5-w7.local.lan
Pinging i5-w7.local.lan [192.168.1.100] with 32 bytes of data:
Reply from 192.168.1.100: bytes=32 time=147ms TTL=127And I can view it via \hostname once I auth for example
D:>net view \i5-w7
System error 5 has occurred.Access is denied.
D:>net use \i5-w7\ipc$ /u:budman
The password or user name is invalid for \i5-w7\ipc$.Enter the password for 'budman' to connect to 'i5-w7':
The command completed successfully.D:>net view \i5-w7
Shared resources at \i5-w7Share name Type Used as Comment
–----------------------------------------------------------------------------
Deskjet6500 Print HP Deskjet 6500 Series
test Disk
The command completed successfully.here is what I see different in my openvpn config.
-
Hi Johnpoz, thanks for the very helpful reply.
Using your suggestions, I made the following changes:
- Added our DNS servers to the configuration (in the PFSense GUI)
- Enabled NetBIOS support, h-node
This seemed to partially solve the problem. I can now ping LAN hosts by their hostnames. However, I still cannot browse to any SMB/Samba shares, and a few select hosts will not resolve.
C:\> ping BigServer Pinging BigServer.internal [172.16.1.5] with 32 bytes of data: Reply from 172.16.1.5: bytes=32 time=11ms TTL=63 Reply from 172.16.1.5: bytes=32 time=13ms TTL=63 Ping statistics for 172.16.1.5: Packets: Sent = 2, Received = 2, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 11ms, Maximum = 13ms, Average = 12ms Control-C C:\> net use \\BigServer\images System error 67 has occurred. The network name cannot be found.What am I missing here? The firewall is turned off on both BigServer and the Windows 7 client. Here is a screenshot of the config page:
-
This is just a self-answer in case anyone Google's this and has the same issue.
I can now access everything normally. It turns out one of our Linux servers had a rule in the /etc/samba/smb.conf file that was blocking access from the VPN subnet (172.16.3.x). After I added the exception everything started working fine.
Thanks again for your help.
-
Great - just so you know, does not have to be h-node, you could set that to meet your resolution needs. H is just hybrid will check wins first if one set, then broadcast.
If you don't have any plans for wins, etc then you could just set it to B-node for broadcast only, etc.