
File Sharing through VPN

Spudstah
Goal: Opening ports for File, printer, device sharing on a VPN with multiple subnets.

I am trying to work through a vpn.  The vpn tunnel [router controlled] is
established and functioning.  I can access the printers & scanners with my
computer that are on the other computer.  Teamview runs fine through
the tunnel.  

PROBLEM: Windows explorer can't access the drives/folders/files
through the tunnel.  (Win7 to Win7,  also Win7 to XP)

If I turn OFF the Firewall on the other computer then I can go through, so
I am assuming I have a firewall issue.  All the computers have firewall port
exceptions for tcp/udp on ports 137, 138, 139, 445, 1023.  I have tried the
exceptions for "all" computers and  "customized" to my computer IP.  The
results are the same  
( Firewalll up = Win-Explorer blind,  Firewall down =  Win-Explorer happy )

When Win-explorer can not see the other computer it offers to run the
Network Diagnostics which shows;

    Windows Network Diagnostics
    Problems found
    file and print sharing resource (xxx.xxx.xxx.xxx) is online but isn't
    responding to connection attempts                                  Detected

    The remote computer isn't responding to connections on port 445, possibly due
    to firewall or security policy settings, or because it might be temporarily
    unavailable. Windows couldn't find any problems with the firewall on your
    computer.

Conclusion:  I  think I need a small tweak somewhere but I'm not sure where.
Here's very likely what you need to do:

First, is the return path routed in the internet gateway?  It needs to be unless you are going to add a route to the remote site to *each* computer.

Second, since the return path via the internet gateway is in the local LAN, is stateful packet inspection stopping the return packets?  If so, turn it off.

Third, for File and Printer Sharing in the computer firewalls, have you set the scope to include the other subnet(s)?
e.g.
TCP 139 Scope: Custom List includes local and remote subnets.
TCP 445 Scope: Custom List includes local and remote subnets.
UDP 137 Scope: Custom List includes local and remote subnets.
UDP 138 Scope: Custom List includes local and remote subnets.

Author

Commented:
Sorry I don't understand
"First, is the return path routed in the internet gateway?"
OK.  Sorry if too quick.

When a packet leaves one site, it hits the VPN device at the other end and, since it's destined for an address on that remote LAN, it's dumped onto the wire there and gets to the destination address.

Then, when the target device responds, it generally sends the packet, destined for the originating LAN device, to its local gateway because the remote LAN isn't in its own subnet.
The local gateway is usually the internet gateway / firewall /router, etc.
So, that device needs a route that says something like this:

Assume remote LAN subnet is 192.168.2.0/24
Assume local LAN subnet is 192.168.1.0/24
Assume local LAN gateway is 192.168.1.1
So packets destined from anywhere on the local LAN for 192.168.2.xxx will be sent to the gateway because they aren't in 192.168.1.0/24 subnet.  The gateway is the default address in situations like this.
Assume the local VPN device is 192.168.1.2 (not the gateway).
So, the gateway needs to forward those packets to the VPN device with a route that's been added.
If the gateway *is* the VPN device then this should not be an issue because the gateway device will know to put the packets into the tunnel.
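A way to see this from the local PC's side, added here as an example (not code from the thread or from the expert). It assumes the subnets the expert used above (local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24, local VPN device 192.168.1.2); the function names ConvertTo-IPv4UInt32 and Get-RouteFor are invented for this example.

```powershell
# Added example, not code from the thread. Assumes local LAN 192.168.1.0/24,
# remote LAN 192.168.2.0/24 and a VPN device at 192.168.1.2 that is not the gateway.
# Function names are invented here.

function ConvertTo-IPv4UInt32 ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                       # network byte order -> host order
    return [BitConverter]::ToUInt32($b, 0)
}

# Longest-prefix match over the local routing table (the same data "route print"
# shows): tells you where this PC will actually hand a packet for the remote subnet.
function Get-RouteFor ([string]$Target) {
    $t = ConvertTo-IPv4UInt32 $Target
    Get-WmiObject Win32_IP4RouteTable |
        Where-Object { ($t -band (ConvertTo-IPv4UInt32 $_.Mask)) -eq (ConvertTo-IPv4UInt32 $_.Destination) } |
        Sort-Object { ConvertTo-IPv4UInt32 $_.Mask } -Descending |
        Select-Object -First 1 Destination, Mask, NextHop, Metric1
}

Get-RouteFor '192.168.2.50'   # 192.168.2.50 is a placeholder remote host

# If NextHop is the default gateway (192.168.1.1), that gateway must carry a route
# for 192.168.2.0/24 pointing at the VPN device. If it cannot, the per-computer
# fallback the expert mentions is a persistent route (run as Administrator):
#   route -p add 192.168.2.0 mask 255.255.255.0 192.168.1.2
# Undo it with:
#   route delete 192.168.2.0
```

If the VPN router is itself the default gateway, Get-RouteFor will simply show the default route with NextHop 192.168.1.1 and nothing further is needed on the PCs, which is the case the expert describes in the last line above.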

Author

Commented:
Ok....you were throwing me with "internet gateway".

I am running Linksys routers at both ends. They are both vpn capable.  The vpn tunnel is actually established by the routers.  In the routers' ROM the tunnel's definition is stored, including "IPs" and tunnel security info, as I suspect you are aware.

Since the tunnel is established and running and
   1) I can access his printer through the tunnel.
   2) I can access his scanner through the tunnel.
   3) Teamview works as a lan connection which means it is going through the tunnel
        and not through the internet.
   4) When I turn off his firewall, Win explorer can access his system.
I am under the impression (although I could be wrong) that the vpn tunnel is
ok and both ends know where to throw their data.  Windows Firewall seems to be the source of the problem.

It's when his Windows Firewall is "on" that Win Explorer loses the ability to see his puter.
Note:  The firewall is not stopping printer, scanner, or Teamview access.
But you didn't mention the scope setting in the firewall for File and Printer Sharing.  Have the scopes been expanded to include the other subnet?

Author

Commented:
fmarshall,

   When I look at the firewall exceptions settings in XP there's no problem --- everything seems simple and pretty well straight forward.  Then there's Win7. Screen-after-screen, lots of nonsense, and I'm not finding any scope adjustment.

Can you steer me in the right direction?

Thanks
But you didn't mention the scope setting in the firewall for File and Printer Sharing.  Have the scopes been expanded to include the other subnet?

Here's how:

For Windows 7 see the attached.
For Windows XP do this:
Control Panel / Firewall / Exceptions
Highlight File and Printer Sharing
Click Edit
Highlight each port one at a time and do this to each one:
Change scope
Custom list
Add both subnets as:
192.168.1.0/255.255.255.0,192.168.2.0/255.255.255.0
(whatever represents your subnets here)
OK, OK,OK
Windows-7-File-and-Printer-Shari.pdf
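The same scope change done from the command line on Windows 7, added as an example that is neither the attached PDF's steps nor code from the thread. Run it in an elevated PowerShell prompt on the computer whose files are being shared. It assumes the subnets used earlier in the thread (192.168.1.0/24 local, 192.168.2.0/24 remote); the rule names beginning "VPN-FPS-", the function Test-TcpPort and the remote address 192.168.2.50 are invented placeholders.

```powershell
# Added example, not from the thread or the PDF. Elevated prompt required.
# Assumes 192.168.1.0/24 (local) and 192.168.2.0/24 (remote); rule names and
# the Test-TcpPort function are invented here.

$Scope = '192.168.1.0/24,192.168.2.0/24'    # both subnets, comma separated

# The four ports File and Printer Sharing needs: NetBIOS name (137/udp),
# datagram (138/udp), session (139/tcp) and SMB direct (445/tcp).
$Rules = @(
    @{ Name = 'VPN-FPS-NB-Name';     Protocol = 'UDP'; Port = 137 },
    @{ Name = 'VPN-FPS-NB-Datagram'; Protocol = 'UDP'; Port = 138 },
    @{ Name = 'VPN-FPS-NB-Session';  Protocol = 'TCP'; Port = 139 },
    @{ Name = 'VPN-FPS-SMB';         Protocol = 'TCP'; Port = 445 }
)

foreach ($r in $Rules) {
    # delete any earlier copy so the script can be re-run without duplicating rules
    netsh advfirewall firewall delete rule "name=$($r.Name)" | Out-Null
    # remoteip= is the command-line equivalent of the GUI "Scope" custom list:
    # only these two subnets may reach the port, not "any computer"
    netsh advfirewall firewall add rule "name=$($r.Name)" dir=in action=allow `
        "protocol=$($r.Protocol)" "localport=$($r.Port)" "remoteip=$Scope" profile=any
}

# Alternative that keeps Windows' built-in rules and only widens their scope:
#   netsh advfirewall firewall set rule group="File and Printer Sharing" new remoteip=192.168.1.0/24,192.168.2.0/24

# Show what was applied, including the RemoteIP scope
netsh advfirewall firewall show rule name=VPN-FPS-SMB verbose

# Check from the *other* side of the tunnel. TcpClient works on Windows 7's
# PowerShell 2.0, which has no Test-NetConnection; this is the same port 445
# connection Windows Network Diagnostics reported as not answering.
function Test-TcpPort ([string]$ComputerName, [int]$Port = 445, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

Test-TcpPort -ComputerName '192.168.2.50' -Port 445   # placeholder remote PC
```

Scoping the rules to the two subnets rather than "any" is what keeps the share reachable across the tunnel without opening SMB to everything the firewall profile can see; port 1023 from the original exception list is not needed for file sharing and is left out.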

Author

Commented:
I'm hoping to be able to access the other system later today. I apologize for the delay.

Author

Commented:
Good news......following the pdf you directed me to allowed me to get
the access I need for the most part.

Some questions please to clarify my understanding.....

If I used the address 192.168.1.199, it would refer to a specific address (computer).
If I used the address 192.168.1.0, would it refer to all addresses in 192.168.1.x?
If I used the address 192.168.0.0, would it refer to all addresses attached to 192.168.x.x?

At this point I believe you've earned my thanks and the 500 points.  I'll accept your
solution after you've had a chance to respond to this message.....

The reason I said "for the most part" is that I needed to connect to the files and
to a device [DVD drive].  While I can now access the files there is one type that
is not functioning.  If I put an audio disk in my DVD drive I get a track list. Click on a
track and Windows Media plays it.  If I put it in another computer on a different
LAN that I can VPN to, I can now see the track list. When I click on a track, Windows
Media Player opens but it doesn't connect with the other puter's music.

All I'm asking is a simple yes or no answer. If you think you might have a solution
for this I'll post it as another question so that you can get another 500 points.

In any case, many, many thanks.
I'm not sure why it would work one way or another.  No quick answer.

In the devices and firewalls you can state either a single address, a range of addresses, or a subnet (which is a type of range):

Single addresses are usually like:    192.168.1.22 / 255.255.255.255 or /32

Address ranges might be: 192.168.1.22 - 192.168.1.29

Subnets might be: 192.168.1.0 / 255.255.255.0  or /24.

192.168.1.0 means "the network address is 192.168.1.0"
255.255.255.0 or /24 means "there are 8 address bits" [32 - 24 = 8]
8 bits can represent 256 addresses.
The first address is the "network address" e.g. 192.168.1.0
The last address is the broadcast address e.g. 192.168.1.255
All the rest 192.168.1.1 - 192.168.1.254 are available for "hosts" i.e. devices.

192.168.0.0 means  "the network address is 192.168.0.0"
BUT .. now it's the subnet mask that determines how many addresses:
So 255.255.0.0 or /16 means over 64,000 addresses.
and 255.255.255.0 as above means 254 usable addresses just like above.

So, it's not only the network address that tells you.  
192.168.0.0 is common for both /24 and /16.

If you had 192.168.1.22 / 255.255.255.0 then you could use an IP calculator to find the network address of 192.168.1.0.  But, without the subnet mask AND the address both, you can't do that.
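A small calculator that does the arithmetic the expert describes, added as an example (not code from the thread). Get-SubnetInfo is an invented name; it takes the mask either as dotted decimal ("255.255.255.0") or as a prefix length ("24") and runs on Windows 7's PowerShell 2.0. The last lines work through the three addresses asked about and the 192.168.1.22 case.

```powershell
# Added example, not from the thread. Get-SubnetInfo is an invented name.
# Mask may be dotted ("255.255.255.0") or a prefix length ("24").
function Get-SubnetInfo ([string]$Address, [string]$Mask) {
    $addr = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()

    if ($Mask -match '^\d{1,2}$') {
        # prefix length -> four mask bytes, e.g. 24 -> 255.255.255.0
        $prefix = [int]$Mask
        $mask = New-Object byte[] 4
        for ($i = 0; $i -lt 4; $i++) {
            $bits = [Math]::Max(0, [Math]::Min(8, $prefix - 8 * $i))
            $mask[$i] = [byte](256 - [Math]::Pow(2, 8 - $bits))
        }
    } else {
        # dotted mask -> count the one bits to get the prefix length
        $mask = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
        $prefix = 0
        foreach ($b in $mask) { $prefix += ([Convert]::ToString($b, 2) -replace '0', '').Length }
    }

    $net = New-Object byte[] 4
    $bcast = New-Object byte[] 4
    for ($i = 0; $i -lt 4; $i++) {
        $net[$i]   = $addr[$i] -band $mask[$i]               # keep only the network bits
        $bcast[$i] = $net[$i] -bor (255 -bxor $mask[$i])     # set every host bit
    }

    $total = [Math]::Pow(2, 32 - $prefix)
    # /31 and /32 have no separate network and broadcast address; all others lose two
    $usable = if ($prefix -ge 31) { $total } else { $total - 2 }

    New-Object PSObject -Property @{
        Input     = "$Address/$prefix"
        Network   = ($net -join '.')
        Mask      = ($mask -join '.')
        Broadcast = ($bcast -join '.')
        Usable    = $usable
    }
}

# The three cases asked about, plus the "address without mask" point:
Get-SubnetInfo 192.168.1.199 255.255.255.255   # a single host
Get-SubnetInfo 192.168.1.0   255.255.255.0     # every 192.168.1.x host
Get-SubnetInfo 192.168.0.0   16                # every 192.168.x.x host
Get-SubnetInfo 192.168.0.0   24                # same network address, only 192.168.0.x
Get-SubnetInfo 192.168.1.22  255.255.255.0     # the network address falls out of the mask
```

Running the last two lines side by side shows the expert's point: 192.168.0.0 with /16 and with /24 print the same Network field but very different Broadcast and Usable values, so the mask is what actually decides how wide a firewall scope entry is.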