Axisinc636 Posted November 9, 2008 (edited)

I got the connection established through my DynDNS and it retrieves an IP from my server, but I can't view my Windows shares. I'm almost positive it's a Shorewall config issue or a routing issue in general; I use Webmin to configure my Shorewall. How do I go about allowing traffic from my server through to the local network? My server is not my firewall, it is behind my firewall. Using Mandriva 2008.1 PPTP VPN.

See my network topology: http://axisinc636.dontexist.net/NetworkLayout.htm

Anyone, give me a hand please.

Edited November 10, 2008 by Axisinc636
Axisinc636 Posted November 12, 2008

Since it seems like this thread is going nowhere, should I ask if there is anyone that has gotten Windows network browsing (or at least been able to map network drives to the VPN server and/or a local LAN PC to the VPN server) to work over PPTP VPN using Windows XP as a client and Mandriva as the PPTP VPN server, but in my type of network configuration where the Mandriva box is just another node on my LAN, not my main firewall/router? Is it my network config making this connection difficult? Would making my Mandriva server my DMZ on my router solve half the problem? Please give me some insight as to how I need to make changes to make this work... I really don't want to use Winblows' wannabe VPN to solve this. Any help or direction in providing a solution is greatly appreciated.
ianw1974 Posted November 13, 2008

What IP gets assigned when you connect? What firewall rules do you have configured? If nothing for the VPN, then the firewall is the problem. Try disabling the firewall temporarily, and then test if you can gain access to the shares. If so, then it's definitely the firewall that's the problem. However, you don't necessarily have to disable the firewall to find this out. Simply, if you don't have a rule that shows for the source IP of your remotely connected VPN machine, then you won't get access to anything. The destination address could be the whole internal subnet or even just the Mandriva machine's single IP. How you do the destination stuff is up to you, depending on how many machines you have and how many rules you want to create.

Putting the Mandriva machine in the DMZ is OK providing that you have firewall rules for this zone also. Opening up the whole machine without any rules would be a bad idea, and so I wouldn't recommend putting it in the DMZ. Anyway, I doubt putting it there would solve the problem if you don't have firewall rules for the VPN to allow the traffic - which is what I think your problem is.
Axisinc636 Posted November 14, 2008 (edited)

The server IP is 192.168.1.2, client IP range is 192.168.50-60. I can only see myself in Network Neighborhood. If I ping axislap I get a reply from 192.168.1.100 (I think this is cached from when I was testing with XP's version of a VPN server). I can ping 192.168.1.50 and get a reply as well. I can't ping 192.168.1.2. Which ports are required: 1723 and 47, or the Samba ports 137-139 as well?

Updated ping log from axislap when connected via VPN to axisserver:

C:\Documents and Settings\Joe Mershon>ping 192.168.1.50

Pinging 192.168.1.50 with 32 bytes of data:

Reply from 192.168.1.50: bytes=32 time<1ms TTL=64
Reply from 192.168.1.50: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.1.50:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C

C:\Documents and Settings\Joe Mershon>ping axislap

Pinging axislap [192.168.5.112] with 32 bytes of data:

Reply from 192.168.5.112: bytes=32 time<1ms TTL=64
Reply from 192.168.5.112: bytes=32 time<1ms TTL=64
Reply from 192.168.5.112: bytes=32 time<1ms TTL=64
Reply from 192.168.5.112: bytes=32 time<1ms TTL=64

Edited November 14, 2008 by Axisinc636
ianw1974 Posted November 14, 2008

OK, I don't know what axislap is. Is that the Mandriva machine? If you want ports to access Samba it will be 137-139 and possibly even 445 as well, if I remember correctly. On the Mandriva machine, you can do a:

netstat -tunlp

to see all listening ports, and we can then use this particular list, based on the process for the listening port, to open up the ones you need to gain access to.
Axisinc636 Posted November 14, 2008 (edited)

Look at the hyperlink in my first post. Axislap is my client (my mobile PC or VPN client), although at some time I may add more than one VPN client. Axisserver has a static IP of 192.168.1.2 with one network interface and is also the master browser/WINS server for my network. Axismain is my main PC running XP; it is a DHCP client to my router (receives 192.168.1.100) and has my Windows shares that I want to access through my VPN. I could care less about any other PC on my network for now; usually getting the first one working correctly is the hardest part.

[root@AxisServer axis]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address        Foreign Address   State    PID/Program name
tcp        0      0 0.0.0.0:2049         0.0.0.0:*         LISTEN   -
tcp        0      0 0.0.0.0:2273         0.0.0.0:*         LISTEN   3589/mysqlmanager
tcp        0      0 0.0.0.0:51042        0.0.0.0:*         LISTEN   -
tcp        0      0 0.0.0.0:45155        0.0.0.0:*         LISTEN   4201/rpc.mountd
tcp        0      0 0.0.0.0:901          0.0.0.0:*         LISTEN   3378/xinetd
tcp        0      0 0.0.0.0:139          0.0.0.0:*         LISTEN   4876/smbd
tcp        0      0 0.0.0.0:5900         0.0.0.0:*         LISTEN   3378/xinetd
tcp        0      0 0.0.0.0:111          0.0.0.0:*         LISTEN   3343/portmap
tcp        0      0 0.0.0.0:10000        0.0.0.0:*         LISTEN   4998/perl
tcp        0      0 0.0.0.0:80           0.0.0.0:*         LISTEN   4936/httpd
tcp        0      0 0.0.0.0:48272        0.0.0.0:*         LISTEN   3395/rpc.statd
tcp        0      0 0.0.0.0:6000         0.0.0.0:*         LISTEN   3600/X
tcp        0      0 0.0.0.0:631          0.0.0.0:*         LISTEN   3594/cupsd
tcp        0      0 127.0.0.1:25         0.0.0.0:*         LISTEN   3915/master
tcp        0      0 0.0.0.0:443          0.0.0.0:*         LISTEN   4936/httpd
tcp        0      0 0.0.0.0:1723         0.0.0.0:*         LISTEN   3570/pptpd
tcp        0      0 0.0.0.0:445          0.0.0.0:*         LISTEN   4876/smbd
tcp        0      0 0.0.0.0:7741         0.0.0.0:*         LISTEN   4650/lisa
tcp        0      0 :::6000              :::*              LISTEN   3600/X
tcp        0      0 :::22                :::*              LISTEN   3453/sshd
tcp        0      0 :::631               :::*              LISTEN   3594/cupsd
udp        0      0 0.0.0.0:2049         0.0.0.0:*                  -
udp        0      0 0.0.0.0:52616        0.0.0.0:*                  3536/avahi-daemon:
udp        0      0 192.168.1.2:137      0.0.0.0:*                  4886/nmbd
udp        0      0 0.0.0.0:137          0.0.0.0:*                  4886/nmbd
udp        0      0 192.168.1.2:138      0.0.0.0:*                  4886/nmbd
udp        0      0 0.0.0.0:138          0.0.0.0:*                  4886/nmbd
udp        0      0 0.0.0.0:10000        0.0.0.0:*                  4998/perl
udp        0      0 0.0.0.0:7741         0.0.0.0:*                  4650/lisa
udp        0      0 0.0.0.0:49857        0.0.0.0:*                  4201/rpc.mountd
udp        0      0 0.0.0.0:36433        0.0.0.0:*                  -
udp        0      0 0.0.0.0:36948        0.0.0.0:*                  3395/rpc.statd
udp        0      0 0.0.0.0:603          0.0.0.0:*                  3395/rpc.statd
udp        0      0 0.0.0.0:5353         0.0.0.0:*                  3536/avahi-daemon:
udp        0      0 0.0.0.0:111          0.0.0.0:*                  3343/portmap
udp        0      0 0.0.0.0:631          0.0.0.0:*                  3594/cupsd
udp        0      0 :::177               :::*                       3465/kdm

Edited November 14, 2008 by Axisinc636
ianw1974 Posted November 14, 2008

Your ports to open in the firewall are as we mentioned, 137-139 and 445. Your link didn't show me anything, so I can't see your network diagram. However, all I'm interested in knowing about are the machine that is trying to connect, the firewall, and the destination machine, being the server you are trying to connect to. If the firewall is between your client machine and the server, then it's clear how it looks. However, I expect that your firewall is the problem. So, make a firewall rule that has the IP address of your client machine when it connects, the destination being the IP address of the server you want to connect to, and the ports that you want to access, or alternatively just allow all ports.
Axisinc636 Posted November 14, 2008

You need to see these pages, then you could understand my situation. I made images of the net layout and put them on my gallery; I can access it from any PC anywhere, so you should be able to as well. The first one is my router config port restrictions (it has built-in support for VPN). The second one is my network diagram.

http://axisinc636.dontexist.net/gallery2/m...?g2_itemId=5670
http://axisinc636.dontexist.net/gallery2/m...?g2_itemId=5666

Shorewall configs

######### Rules
Action   Source            Destination   Protocol   Source ports   Destination ports
INCLUDE  Zone rules.drakx  Zone Any
ACCEPT   Zone net          Firewall      Any

# rules.drakx
ACCEPT net fw udp 137,138,139,445,1024:1100
ACCEPT net fw tcp 80,443,22,137,138,139,445,1024:1100,5900,10000

######### Network interfaces
eth0   net   Automatic   None
ppp+   vpn   Automatic   None

######### VPN tunnels
VPN Type   Zone for interface   Remote gateway   Gateway zones
GRE        vpn

######### Default policy
Source zone   Destination zone   Policy   Syslog level   Traffic limit
Firewall      net                ACCEPT   None           None
net           Any                DROP     info           None
Any           Any                REJECT   info           None

And whatever else you may need to know, please let me know.
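Reading the configuration posted above against ianw1974's advice: the only ACCEPT rules are from zone net to the firewall, and the catch-all policy is Any -> Any REJECT. Traffic arriving on ppp+ is in zone vpn, so a VPN client's packets to the server itself hit that REJECT, which matches "I can't ping 192.168.1.2". The files below are an added example of what the missing piece looks like in plain Shorewall file syntax rather than the Webmin view; they are not the poster's config. Zone names (net, vpn, fw), the ppp+ interface, the 192.168.1.0/24 LAN and the Samba ports come from the thread; the file paths under /etc/shorewall and the use of the pptpserver tunnel type in place of the GRE entry are assumptions.

```shorewall
# /etc/shorewall/zones   (zone names follow the posted config: net, vpn, fw)
#ZONE   TYPE
fw      firewall
net     ipv4
vpn     ipv4

# /etc/shorewall/interfaces   (ppp+ matches every PPTP client session)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
vpn     ppp+        -

# /etc/shorewall/tunnels
# pptpserver admits TCP 1723 and GRE (IP protocol 47) from zone net to the
# firewall so the tunnel itself can come up; assumed replacement for "GRE vpn".
#TYPE        ZONE   GATEWAY
pptpserver   net    0.0.0.0/0

# /etc/shorewall/policy   (same default-deny posture as the posted policy)
#SOURCE   DEST   POLICY   LOG LEVEL
fw        net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
#ACTION   SOURCE   DEST                  PROTO   DEST PORT(S)
# the existing net -> fw rules from rules.drakx stay here unchanged

# added: what a connected VPN client (zone vpn) may reach on the server itself:
# nmbd on UDP 137/138, smbd on TCP 139/445 (as seen in the netstat output), plus ping
ACCEPT    vpn      fw                    udp     137,138
ACCEPT    vpn      fw                    tcp     139,445
ACCEPT    vpn      fw                    icmp    8

# added: the Windows shares on a LAN host behind the server (axismain is
# 192.168.1.100 in the thread); narrow the DEST to that one host if preferred
ACCEPT    vpn      net:192.168.1.0/24    udp     137,138
ACCEPT    vpn      net:192.168.1.0/24    tcp     139,445
```

The vpn -> net rules only take effect if the server actually forwards packets: IP_FORWARDING must be On in shorewall.conf. Because the client pool (192.168.1.50-60) sits inside the LAN subnet, LAN hosts such as axismain will ARP for the client address; pppd's proxyarp option (set in the pptpd ppp options file) makes the server answer those ARP requests so replies find their way back into the tunnel. After editing, run shorewall check before shorewall restart, and scope DEST to single hosts rather than the whole /24 once the first share works, as ianw1974 suggests.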
Axisinc636 Posted November 14, 2008

Unfortunately, as you can see in my router config, my forwarding list is full. Someday I'll be confident that I understand Shorewall enough to allow it to be my network's firewall, hopefully ASAP. But axisserver is my only Linux-based test machine and my personal server, so being able to master basic control in Shorewall before I DMZ axisserver is a priority, as I have security in mind as well.
ianw1974 Posted November 14, 2008

OK, when you're connected via your VPN, if your machine is running Linux, then make sure you have nmap installed and then use it as:

nmap ip_address

replacing ip_address with the address of the machine you are trying to connect to. If it's Windows, then install a freeware port scanner and use that to scan the IP address of the machine you want to connect to and see if the ports are open.

I don't know your router, so unless it has the ability to create rules for your VPN connection, it sounds to me that all ports are probably already open if it gave you an internal IP address on the same IP range as your server. At least that's what it did for me on my firewall when I connected via PPTP, although my new firewall has more features allowing me to block the ports. I don't know your router/firewall, so check this too. The nmap/port scanner will show if ports are being blocked or not. Your port forwarding is usually only used for external access without VPN.
Axisinc636 Posted November 14, 2008 (edited)

It's a Linksys WRT54GS. IP Tools from my main PC running XP puts out....

Address : 192.168.1.2
Name : AXISSERVER
Ping .... Ok, Time : 0
Port 22 ... Ok !
Port 80 ... Ok !
Port 111 ... Ok !
Port 139 ... Ok !
Port 443 ... Ok !
Port 445 ... Ok !
Port 631 ... Ok !
Port 1723 ... Ok !
Port 2049 ... Ok !
Port 2049 ... Ok !
Port 6000 ... Ok !
Port 10000 ... Ok !
12 (of 1491) open port(s) detected

Edited November 14, 2008 by Axisinc636
ianw1974 Posted November 14, 2008

OK, but I still don't know it - meaning I never used it, and so I can't help you with how to configure your VPN. As I said, if you don't see anything for creating rules for VPN traffic, then it is allowing all traffic. Run the nmap/port scanner and check if you can see the ports are open when you are connected via VPN.
Axisinc636 Posted November 14, 2008

I am connecting the tunnel from my laptop (the client) from multiple places (hotspots, free wireless), so restricting it to one IP isn't an option. Let me ask you this: how would I configure Shorewall to allow VPN connections from IPs that are connected via SSH? Because I'm usually connected via SSH to forward KDE over VNC; in that case, could I tunnel the VPN through the SSH connection? Would that be reliable and expandable for now until I solve the Shorewall issue?
ianw1974 Posted November 15, 2008

You are creating the rules for the internal IP address, not the external IP address, if you are creating rules for what VPN internal IP has access to what once it's connected. PPTP connections, from what I know, just give you access to the network, and as you just showed with your port scan, you can see the ports, so you must be able to access the machine. You may have to map a network drive by using the IP address rather than the name of the machine, though, as well as the share name.

I highly doubt that you can tunnel VPN through SSH - that's not what it is designed for.
Axisinc636 Posted November 15, 2008 (edited)

That was a port scan of the server from within the server's local network, not connected via VPN. I can't run this test now unless there's a way to test through a loopback; instead I will test this when I can remote in later and post results.

Edited November 15, 2008 by Axisinc636