Network Resource Access Across Subnets


Hello all.

 

I have been trying to set up access to my network resources, shares and printers, when I am running a VPN connection. I have been posting on the PFSense forums, I am using OpenVPN on PFSense, and have been told that it isn't an OpenVPN or PFSense issue.

 

I have been told that it is a Windows problem related to network discovery across subnets.

 

I am after some advice about where I should be looking for information about being able to access my resources whilst VPNd.

 

I am running Unraid Ver 10.1.1.40.

 

How do I make resources, shares particularly, available to the client I am connecting via a VPN?

Link to comment

I am running Unraid Ver 10.1.1.40.

 

Dude, you've got a seriously early pre-alpha release of unRAID running there... v10.x? I just got updated to what I thought was the latest v6.2.1. I'm really behind the times!

 

:)

 

Sorry, I couldn't resist. I'm assuming that's the version of PFSense or OpenVPN?

Link to comment

After I VPN into my router I can connect fine; however, when I enter my unRaid IP address (\\10.1.1.40) into File Explorer I get a Windows security popup asking for my network credentials. However, in red is written "Access is denied". I am presuming this is something at the unRaid end of the connection.

 

As previously mentioned people on the PFSense forums indicated this may be an issue with network discovery across subnets.

 

My home LAN subnet is 10.1.0.0/255.255.0.0

 

My VPN tunnel network is 172.22.203.0/24

 

My network shares are on 10.1.1.40

 

How do I make my unRaid shares on 10.1.1.40 accessible to my VPN clients on 172.22.203.0?

Link to comment

I have been able to get network discovery to work across networks. Not only name resolution but also windows browsing.

 

I'm not using pfSense -- Sophos but should be similar

 

Sophos sets up the site to site VPN

 

On one end I have a Linux VM running in unRaid that acts as a WINS server. On the other end I have an old computer running Linux that acts as the local master.

 

I needed to add a rule to Sophos's firewall to allow NetBIOS traffic between these two machines.

 

I also added a Masquerading rule at each end from the remote network to the local network.

 

All the computers have the same workgroup.

 

Works perfectly.

 

Currently I'm testing using unRaid to act as the WINS server. So far I have name resolution but no browsing -- that can sometimes take time but if I don't have browsing by tonight I'll revert back to my original setup.

Link to comment

I have my local network as 192.168.1.x I made my OpenVPN hand out 192.168.2.x and haven't had any issues with unRAID access.

 

I had similar, my LAN was 10.1.1.X and my tunnel network was 10.1.2.x, however people on the PFSense forums said that this was a bad idea. That the tunnel network needed to be significantly different.

Link to comment


How do you get UnRaid to act as a WINS server?

 

It's quite ironic: one of the reasons I came to unRaid was that people said it was easy to configure. Getting shares accessible over the VPN connection has been an ongoing problem for 10 months now and I am no closer to having it work than I was before I started.

Link to comment

You can configure unRaid's SAMBA settings using Samba extra configuration (Go to Settings --> SMB and you'll see a huge text box).

 

I'm actually in the process of moving WINS off unRaid and back to the machines that were running it before. Using two unRaid machines I was able to set up WINS to get cross-subnet name resolution but no browsing. I don't know if I did something wrong or not but I don't think I did. I've spent a couple of hours on it and since name resolution works I have to assume everything is set up correctly, but browsing doesn't work and it was working before using a VM and an old Linux computer, so I'm going back to that.

Link to comment


Yes it is. Enable samba is set to 'Yes(workgroup)'. Workgroup setting Local Master is set to 'Yes'.

 

I can ping all the local clients from my VPN client by IP Address but not by name.

Link to comment

Is your local DNS server included as a DHCP Push Option in your VPN setup?

 

I don't know what you mean sorry.

 

My IPv4 tunnel network is set to 172.22.203.0/24.

 

DNS Server is set to my local LAN DNS (10.1.1.1)

 

Enable NetBIOS over TCP/IP is enabled.

 

Node type set to 'b-node' (broadcasts)

 

I have not enabled 'Provide a WINS server list to clients' as I don't know what to enter into the WINS Server 1 field.

 

I don't have any custom options set, I don't know what to enter here either.

 

 

Link to comment

My understanding is that Broadcasts won't be sent over a VPN.

 

This is my setup.

 

192.168.2.0/24  Office

 

10.1.1.0/24 Home

 

I have a computer at each location running Sophos which establish a site to site VPN using IPsec

 

I then have a masquerading rule for traffic from the remote network to the local interface at each end.

 

This alone gets you to being able to access any computer on either subnet using IP

 

To get name resolution (and hopefully browsing) you need to then use WINS.

 

At the office I have a Ubuntu server VM that I use for the internal web server so I designated it the WINS server for both networks.

 

At home I set a Ubuntu computer to act as local master.

 

These two machines then replicate and broadcast their computers to each other.

 

The DHCP server at each end pushes out the WINS server and sets the node type to H.

 

The last step is to allow NetBIOS traffic through your firewall. You just need to make a rule allowing the WINS server and the Local Master to pass NetBIOS back and forth and you're done.

Link to comment


Ok. I am using OpenVPN for my connection. The OpenVPN server is on PFSense at home and my travelling laptop is using the OpenVPN client.

 

I don't know what Sophos is, presuming a VPN server/client setup.

 

I have a Firewall rule setup on my PFsense box allowing all OpenVPN traffic to pass. I am presuming it is working as I can ping local IP addresses over the VPN. I am not sure what else I need to do to actually map SMB shares.

 

I don't have 'WINS server enable' set to provide WINS server list to clients. If I enable it it asks for a WINS Server. I don't know if I have one and if I do where I get that information from.

 

 

Link to comment

Sophos is just a PFSense alternative.

 

Ok so I misunderstood. I thought you had a site to site VPN that was on 24/7 and you were trying to browse across subnets. Your situation is quite different.

 

I've setup my laptop to access the network remotely but that was all automatic and I've never tested if name resolution works.

Link to comment


Well, I thought I was browsing across subnets. My LAN is 10.1.1.1/255.255.0.0 and my VPN Tunnel network is 172.22.203.0/24. The people on the PFSense forums were saying that I am trying to browse across subnets.

 

To be honest I am not really concerned with getting my config to work, I just want any config to work!! I am the only one using the system; I just want to be able to access network shares when I am not at home. I am surprised that no one knows how to get it to work.

Link to comment


can't you access the share via \\server.ip\sharename ?

 

Link to comment


No I cannot. I get a Windows Security popup on my laptop asking me to enter my credentials for 10.1.1.40 (my unRaid box).

 

Beneath the password field appears in red text 'Access is denied', that's even before I put my password in. If I put my password in and hit enter it just shows the same message.

 

I am presuming there is a setting somewhere on unRaid that is blocking access to the shares from a VPN connection.

 

I can ping the UnRaid box fine, same with the Router.

Link to comment

I am presuming there is a setting somewhere on unRaid that is blocking access to the shares from a VPN connection.

 

I don't think that is the case.

 

I maintain two unRAID systems on two different networks, I'll call them "home" and "remote".  The home server is running unRAID 6.3.0 rc1 and the remote one is on unRAID 6.2.1.  There is a router-based (Asus Merlin OpenVPN) site-to-site VPN connection between the home and remote locations.  I am able to access SMB shares on the remote server from Win 10 machines on my home network without any problems.

 

To test your use case, I went to Starbucks this morning and vpn'd to the remote router directly from my Win 10 laptop, and was still able to access SMB shares on the remote unRAID system.

 

So I'm not sure why it isn't working for you, but I really don't think unRAID is doing anything to block your VPN / other subnet connections.

 

 

A couple of other points:

  • I have had problems with name resolution in the past, so I manually added both unRAID systems to my Windows hosts and lmhosts files (in c:\windows\system32\drivers\etc) and that solved the problem.
  • My work laptop is part of a domain for work, and not my local workgroup.  This complicates authentication, but can be solved by going to the Windows Credential Manager and adding a "Windows Credential" for each unRAID server.

Hope it helps!

Link to comment

I have deleted the VPN server/client a number of times and set it back up however, I still have the same problem; unable to access SMB shares over the VPN. I also cannot see any computers on the network either.

 

I don't know what you mean by adding my unRaid system to Windows hosts either.

 

I will try and set up an Ubuntu VM tonight and see if I can connect that way. If it works then I will know that it is a Windows problem.

Link to comment

Just to check: in pfSense under Services > VPN > Servers > *Your VPN Server*, find the section called "IPv4 Local network(s)" and make sure your normal network subnet is there. I'm not sure what the CIDR notation is for your particular setup. Also, make sure to provide the normal DNS server to the VPN client; typically it will be the Local Network's DNS server (that interface's IP).

Link to comment


Hello there.

 

There is no Services > VPN > Servers > *Your VPN Server*; I am presuming you mean VPN > OpenVPN > Servers > *Your VPN Server*. If so, there is also no section called "IPv4 Local network(s)".

 

My LAN DNS server is listed correctly.

Link to comment


What version of pfSense are you on? I pulled that from my 2.3.2 box, and you are correct about the Services bit... The "IPv4 Local Network(s)" is under "Tunnel Settings"

 

Edited for clarity and missing words.

Link to comment
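The thread keeps circling three things: the tunnel network versus the LAN it reaches, whether the share host is covered by the "IPv4 Local network(s)" route pushed to the client, and b-node (broadcast) NetBIOS resolution that never crosses a routed tunnel. As an added example, not code from any poster here, the checker below encodes those points as longest-prefix-match reasoning over the thread's own numbers (LAN 10.1.0.0/16, tunnel 172.22.203.0/24, share host 10.1.1.40); the function name and the "client LAN" argument (the subnet the laptop sits on while away) are assumptions.

```python
# Added example, not code from this thread: sanity-check a road-warrior VPN
# profile for the routing and name-resolution problems discussed above.
from ipaddress import ip_address, ip_network


def check_vpn_profile(lan, tunnel, target, pushed_routes, client_lan,
                      node_type="b-node", wins_server=None):
    """Return a list of findings (an empty list means nothing obviously wrong).

    lan: home subnet behind the VPN server; tunnel: OpenVPN tunnel network;
    target: SMB host on the LAN; pushed_routes: the 'IPv4 Local network(s)'
    pushed to the client; client_lan: the subnet the laptop is on while remote.
    """
    lan, tunnel, client_lan = map(ip_network, (lan, tunnel, client_lan))
    target = ip_address(target)
    routes = [ip_network(r) for r in pushed_routes]
    findings = []

    # 1. Tunnel pool and LAN must not overlap, or the client holds two routes
    #    claiming the same addresses and SMB packets go to the wrong one.
    if tunnel.overlaps(lan):
        findings.append(f"tunnel {tunnel} overlaps LAN {lan}")

    # 2. The share host must be covered by a route the server pushes; without
    #    it the client sends traffic for it out its default gateway, not the tunnel.
    covering = [r for r in routes if target in r]
    if not covering:
        findings.append(f"no pushed route covers {target}; add {lan} to IPv4 Local network(s)")
    else:
        # 3. Longest prefix wins: if the cafe/hotel LAN also contains the target
        #    and is at least as specific as the pushed route, the directly
        #    connected route wins and the traffic never enters the tunnel.
        best = max(covering, key=lambda r: r.prefixlen)
        if target in client_lan and client_lan.prefixlen >= best.prefixlen:
            findings.append(f"client LAN {client_lan} shadows pushed route {best} for {target}")

    # 4. b-node resolves NetBIOS names only by broadcast, and broadcasts do not
    #    cross a routed tunnel, so names fail while the raw IP still works.
    if node_type == "b-node" and not wins_server:
        findings.append("b-node without WINS: use \\\\ip\\share or push a WINS/DNS server")
    return findings


if __name__ == "__main__":
    # Constructed from the numbers quoted in the thread; the client LAN is a guess.
    for line in check_vpn_profile("10.1.0.0/16", "172.22.203.0/24", "10.1.1.40",
                                  ["10.1.0.0/16"], "10.1.1.0/24"):
        print(line)
```

A /16 home LAN swallows many common 10.1.x.x guest networks, so finding 3 is worth ruling out with `route print` on the laptop before touching Samba.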
