EFW Support

Support => VPN Support => Topic started by: dammit on Friday 12 March 2010, 12:05:28 am



Title: Can't access server from outside (internet-red)
Post by: dammit on Friday 12 March 2010, 12:05:28 am
Hello,

I need to set up an OpenVPN server on Endian, but I'm having a problem: from the internet (i.e. outside of my corporate LAN and firewall) I can't even ping my company's IP or hostname (it's like the server doesn't respond to any requests from outside).

Aside from that, everything is working fine. All computers on LAN are able to access the red internet connection, from inside I can ping any IP, etc.

How do I solve this? My company really needs a VPN server.

EDIT: forgot to say, Endian's running on an ESXi server


Title: Re: Can't access server from outside (internet-red)
Post by: dammit on Saturday 13 March 2010, 01:39:20 am
I just used this to test my OpenVPN port (1194) and it says it's blocked:  dyndns.com/support/tools/openport.html

Also tried ports 80 and 443 (HTTP and HTTPS are working fine for all users accessing the internet from our LAN) and it's saying they're all blocked.
I've already tried disabling all firewall and proxy options in Endian, but it didn't work either...


Title: Re: Can't access server from outside (internet-red)
Post by: mzainal on Saturday 13 March 2010, 04:11:40 am
Hi,

Can you show your network diagram so we can assist you?


Title: Re: Can't access server from outside (internet-red)
Post by: dammit on Saturday 13 March 2010, 05:08:22 am
My network is something like in the attachment.

We have one physical server, with ESXi installed, and two virtual servers:
-File-server: only has access to the physical Ethernet port which connects to the LAN
-Firewall: one virtual NIC is configured for the WAN connection (the one that the ADSL modem is connected to) and the other is configured for the LAN Ethernet port (the same as the file-server)

The file-server is on the green zone, not on the DMZ, as I only want PCs on the LAN to be able to connect to it.


Title: Re: Can't access server from outside (internet-red)
Post by: mrkroket on Tuesday 16 March 2010, 05:01:40 pm
Ping reply from RED, open port 80?
What do you expect from a hardened Firewall?

By default efw doesn't reply to any communication from the outside.

If you want EFW to reply on some ports from outside, you must create rules to do so.
The exception is the VPN servers: EFW will create the appropriate rules automatically.
About OpenVPN, don't do a port scan. Just try to connect with an OpenVPN client to test if it works. If something fails, check the logs.
For ping replies, I think you must create a rule on Firewall->System Access.

Some questions are not about EFW but about any firewall in the world. Recheck your needs: it's very different for your computers to use ports 80 & 443 (outgoing HTTP requests) than for someone on the internet to use your ports 80 & 443 (incoming HTTP requests). Are you trying to open a web server to the internet? Create the correct rules on Port Forwarding (i.e., forward incoming requests from ports 80 & 443 to the appropriate internal server).


Title: Re: Can't access server from outside (internet-red)
Post by: dammit on Wednesday 17 March 2010, 12:15:54 am
> Ping reply from RED, open port 80?
> What do you expect from a hardened Firewall?
>
> By default efw doesn't reply to any communication from the outside.
>
> If you want EFW to reply on some ports from outside, you must create rules to do so.
> The exception is the VPN servers: EFW will create the appropriate rules automatically.
> About OpenVPN, don't do a port scan. Just try to connect with an OpenVPN client to test if it works. If something fails, check the logs.
> For ping replies, I think you must create a rule on Firewall->System Access.
>
> Some questions are not about EFW but about any firewall in the world. Recheck your needs: it's very different for your computers to use ports 80 & 443 (outgoing HTTP requests) than for someone on the internet to use your ports 80 & 443 (incoming HTTP requests). Are you trying to open a web server to the internet? Create the correct rules on Port Forwarding (i.e., forward incoming requests from ports 80 & 443 to the appropriate internal server).

I was having problems even when trying to connect to the OpenVPN port... It looked like Endian didn't create the rules needed.
Now I added the port to System Access, and it's able to communicate.
However, I'm getting this error on the client when trying to connect to the VPN:

"Tue Mar 16 10:13:00 2010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Mar 16 10:13:00 2010 TLS Error: TLS handshake failed
Tue Mar 16 10:13:00 2010 TCP/UDP: Closing socket
Tue Mar 16 10:13:00 2010 SIGUSR1[soft,tls-error] received, process restarting"


Title: Re: Can't access server from outside (internet-red)
Post by: mrkroket on Wednesday 17 March 2010, 04:21:12 am
Can you write down your OpenVPN client config here (just remove the IP)?


Title: Re: Can't access server from outside (internet-red)
Post by: dammit on Wednesday 17 March 2010, 04:30:06 am
Sure, here it is:

client
dev tap
proto udp
nobind
persist-key
persist-tun
auth-user-pass
resolv-retry infinite
ca cacert.cer
verb 3
comp-lzo

#Specify the IP address of the VPN server
remote ***.***.***.*** 1194


Title: Re: Can't access server from outside (internet-red)
Post by: mrkroket on Thursday 18 March 2010, 04:00:54 am
Seems fine to me.
Check these steps:

1- On your client just check that the file cacert.cer is the one you downloaded from your Endian firewall.
2- Check that your OpenVPN server is enabled: VPN->OpenVPN Server->Enabled. Also check that the IP pool falls inside your GREEN subnet.
3- On VPN->OpenVPN Server->Advanced check that the port is 1194 and the protocol is UDP. Authentication type must be PSK (username/password).
4- On Firewall->VPN Traffic, create a rule to allow any traffic, and enable logging.
5- On Firewall->System Access, create a rule to allow ping from outside: Source Interface: RED, Protocol: ICMP, Ports: 8 and 30. Do not create a System Access rule for OpenVPN (1194). It should be created automatically!!!
6- Try to ping your EFW firewall from outside (RED); it should reply correctly. If not, your problem isn't the OpenVPN settings but the Ethernet one.
7- Now go to Logs->Live Logs and show the logs from OpenVPN.
8- Try to connect and check the server logs for any problem.

If it doesn't work please put the OpenVPN logs here. Just remove the sensitive info (public IPs).


Title: Re: Can't access server from outside (internet-red)
Post by: dammit on Friday 19 March 2010, 12:04:24 am
Thank you, mrkroket!
It's working now!


Title: Re: Can't access server from outside (internet-red)
Post by: mrkroket on Friday 19 March 2010, 07:18:33 am
If you don't need ping reply from RED, you can remove the rule created in 5. The less open ports to the internet, the better.


Title: Re: Can't access server from outside (internet-red)
Post by: dammit on Monday 22 March 2010, 10:01:01 am
Now another problem arose: from my home PC (running Windows 7), I'm connecting to OpenVPN normally, but I can't see the PCs behind Endian on the LAN. Trying to ping them gets me this:

Pinging 192.168.100.101 with 32 bytes of data:
Reply from 192.168.100.72: Destination host unreachable.
Request timed out.
Request timed out.
Request timed out.

where 192.168.100.72 is the IP assigned to my TAP connection, and 192.168.100.101 is one of the LAN's computers...


Title: Re: Can't access server from outside (internet-red)
Post by: martec on Tuesday 23 March 2010, 03:02:30 am
Hi,

Take a look in VPN --> Open VPN server --> [Tab] Advanced

the options:

  • block dhcp reply from tunnel (more or less... my english it'orrible...)
  • don't block traffic between clients

or check if in your test you had added some "wrong" rule ...


Title: Re: Can't access server from outside (internet-red)
Post by: dammit on Friday 26 March 2010, 12:22:56 am
I checked both... still nothing...
Made a rule on the VPN firewall to allow all ports, to all connections.
Also made a rule for source NAT, allowing any VPN user to access green.
Still no good...

I'm able to connect to the OpenVPN server (Endian) only. Every other PC on the LAN is inaccessible...


Title: Re: Can't access server from outside (internet-red)
Post by: dammit on Tuesday 30 March 2010, 03:15:01 am
I just discovered that if I assign IP, mask and gateway on the client TAP device, I'm able to access some of the LAN services (seems like it's not getting the correct gateway IP by itself). However, I'm still not able to access a file-server, for example (the list of PCs doesn't show IP, and even if I type a machine IP, it doesn't respond).


Title: Re: Can't access server from outside (internet-red)
Post by: koukobin on Sunday 04 April 2010, 04:00:51 am
Do you have the IPS enabled? I had the same problem (I was able to ping all the systems, I was able to access web servers, but Windows file sharing was not working).

Finally I had to disable some rules in the IPS and everything was fine after that.

The strange thing was that the IPS log was clear. IPS was blocking the file sharing but didn't log this action.

If your IPS is enabled, try to disable it and try again.


Title: Re: Can't access server from outside (internet-red)
Post by: dammit on Wednesday 07 April 2010, 09:05:37 pm
It's already disabled...

I've looked at the logs:

Apr 6 14:50:43     local      OpenVPN 2.1_rc15 i586-pc-linux [SSL] [LZO2] [EPOLL] built on Aug 11 2009
Apr 6 14:50:43    local    NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Apr 6 14:50:43    local    NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 6 14:50:43    local    NOTE: --script-security method='system' is deprecated due to the fact that passed parameters will be subject to shell expansion
Apr 6 14:50:43    local    WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Apr 6 14:50:43    local    TUN/TAP device tap0 opened
Apr 6 14:50:43    local    GID set to openvpn
Apr 6 14:50:43    local    UID set to openvpn
Apr 6 14:50:43    local    UDPv4 link local (bound): [undef]:1194
Apr 6 14:50:43    local    UDPv4 link remote: [undef]
Apr 6 14:50:43    local    Initialization Sequence Completed
Apr 6 14:50:59    local    event_wait : Interrupted system call (code=4)
Apr 6 14:50:59    local    OpenVPN CLIENT LIST
Apr 6 14:50:59    local    Updated,Tue Apr 6 14:50:59 2010
Apr 6 14:50:59    local    Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
Apr 6 14:50:59    local    ROUTING TABLE
Apr 6 14:50:59    local    Virtual Address,Common Name,Real Address,Last Ref
Apr 6 14:50:59    local    GLOBAL STATS
Apr 6 14:50:59    local    Max bcast/mcast queue length,0
Apr 6 14:50:59    local    END

The only thing wrong that I found is that in bold, although I couldn't find anything about it...


Title: Re: Can't access server from outside (internet-red)
Post by: mrkroket on Sunday 11 April 2010, 03:43:39 am
The basic steps on testing an OpenVPN connection:

1- Check the server is running
2- On Server: Check that VPN Firewall is correctly setup.
3- Check if client connects. With OpenVPN Client on Windows you'll see a green icon on taskbar.
4- On Client: Check that your TUN/TAP interface has a correct IP from your EFW Green Network.
5- On Client: Traceroute to EFW Firewall. As it seems you are able to get that.
6- On Server: Check that you are pushing your networks. It's on VPN->OpenVPN Server->Push these networks: 192.168.100.0/24. Restart.
7- On Client: Try a traceroute to another PC on GREEN. It should reach it in one step; if more than one hop appears in the tracert, the traffic probably isn't going inside the VPN tunnel. Post the results of tracert 192.168.100.101 here. Ping is useful, but very broad. Tracert gives you better info about what's going on with your traffic.


Title: Re: Can't access server from outside (internet-red)
Post by: dammit on Tuesday 13 April 2010, 01:04:43 pm
I did that... results are:

tracert to endian (192.168.100.3)
Code:
Tracing route to 192.168.100.3 over a maximum of 30 hops

  1    71 ms    73 ms    73 ms  192.168.100.3

Trace complete.

tracert to one lan pc (192.168.100.102)
Code:
Tracing route to 192.168.100.102 over a maximum of 30 hops

  1  My-PC [192.168.100.160]  reports: Destination host unreachable.

Trace complete.

The IP 192.168.100.160 is the IP assigned by Endian to the TAP client...



ipconfig from client:
Code:
Windows IP Configuration

   Host Name . . . . . . . . . . . . : PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Win32 Adapter V8
   Physical Address. . . . . . . . . : 00-FF-E8-D7-A2-5D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::a567:185c:d8f4:d48d%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.100.160(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : monday, 12 april 2010 23:47:57
   Lease Expires . . . . . . . . . . : tuesday, 12 april 2011 23:47:58

   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 192.168.100.0
   DHCPv6 IAID . . . . . . . . . . . : 402718696
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-0D-FD-70-00-1E-8C-77-F0-D4

   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Atheros L1 Gigabit Ethernet 10/100/1000Base-T Controller
   Physical Address. . . . . . . . . : 00-1E-8C-77-F0-D4
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::b96d:df92:cacc:3ae7%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.182(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : monday, 12 april 2010 23:36:25
   Lease Expires . . . . . . . . . . : monday, 19 april 2010 23:36:25
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 234888844
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-0D-FD-70-00-1E-8C-77-F0-D4

   DNS Servers . . . . . . . . . . . : 200.204.0.10
                                       192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{B2AFE3A9-E0E3-46E9-BDD2-CA0E6423F648}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:8d5:24e1:36f2:58a1(Preferred)
   Link-local IPv6 Address . . . . . : fe80::8d5:24e1:36f2:58a1%12(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{E8D7A25D-9E50-4200-BAD5-6F51AAB215B7}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes


Log from client:
Code:
Mon Apr 12 23:47:47 2010 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
Mon Apr 12 23:47:55 2010 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Apr 12 23:47:55 2010 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Apr 12 23:47:55 2010 LZO compression initialized
Mon Apr 12 23:47:55 2010 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Apr 12 23:47:55 2010 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Apr 12 23:47:55 2010 Local Options hash (VER=V4): 'd79ca330'
Mon Apr 12 23:47:55 2010 Expected Remote Options hash (VER=V4): 'f7df56b8'
Mon Apr 12 23:47:55 2010 UDPv4 link local: [undef]
Mon Apr 12 23:47:55 2010 UDPv4 link remote: ***.**.204.225:1194
Mon Apr 12 23:47:55 2010 TLS: Initial packet from ***.**.204.225:1194, sid=2205ae16 b111ef91
Mon Apr 12 23:47:56 2010 VERIFY OK: depth=1, /C=IT/O=efw/CN=efw_CA
Mon Apr 12 23:47:56 2010 VERIFY OK: depth=0, /C=IT/O=efw/CN=127.0.0.1
Mon Apr 12 23:47:56 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Apr 12 23:47:56 2010 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 12 23:47:56 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Apr 12 23:47:56 2010 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 12 23:47:56 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Apr 12 23:47:56 2010 [127.0.0.1] Peer Connection Initiated with  ***.**.204.225:1194
Mon Apr 12 23:47:57 2010 SENT CONTROL [127.0.0.1]: 'PUSH_REQUEST' (status=1)
Mon Apr 12 23:47:57 2010 PUSH: Received control message: 'PUSH_REPLY,ifconfig 192.168.100.160 255.255.255.0,route 192.168.100.0 255.255.255.0,ping-restart 30,ping 8,route-gateway 192.168.100.3,route 192.168.100.0 255.255.255.0,route-gateway 192.168.100.3'
Mon Apr 12 23:47:57 2010 OPTIONS IMPORT: timers and/or timeouts modified
Mon Apr 12 23:47:57 2010 OPTIONS IMPORT: --ifconfig/up options modified
Mon Apr 12 23:47:57 2010 OPTIONS IMPORT: route options modified
Mon Apr 12 23:47:57 2010 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{E8D7A25D-9E50-4200-BAD5-6F51AAB215B7}.tap
Mon Apr 12 23:47:57 2010 TAP-Win32 Driver Version 8.4
Mon Apr 12 23:47:57 2010 TAP-Win32 MTU=1500
Mon Apr 12 23:47:57 2010 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.100.160/255.255.255.0 on interface {E8D7A25D-9E50-4200-BAD5-6F51AAB215B7} [DHCP-serv: 192.168.100.0, lease-time: 31536000]
Mon Apr 12 23:47:57 2010 Successful ARP Flush on interface [13] {E8D7A25D-9E50-4200-BAD5-6F51AAB215B7}
Mon Apr 12 23:47:59 2010 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Mon Apr 12 23:47:59 2010 route ADD 192.168.100.0 MASK 255.255.255.0 192.168.100.3
 OK!
Mon Apr 12 23:47:59 2010 route ADD 192.168.100.0 MASK 255.255.255.0 192.168.100.3
The route addition failed: The object already exists.
Mon Apr 12 23:47:59 2010 Initialization Sequence Completed

Log from Endian:
Code:
Apr 12 23:41:31  local  ***.**.173.172:61205 Re-using SSL/TLS context
Apr 12 23:41:31 local ***.**.173.172:61205 LZO compression initialized
Apr 12 23:41:32 local ***.**.173.172:61205 [teste] Peer Connection Initiated with  ***.**.173.172:61205 (via  ***.**.204.225)
Apr 12 23:47:54 local ***.**.173.172:62059 Re-using SSL/TLS context
Apr 12 23:47:54 local ***.**.173.172:62059 LZO compression initialized
Apr 12 23:47:55 local ***.**.173.172:62059 [teste] Peer Connection Initiated with  ***.**.173.172:62059 (via  ***.**.204.225)


I noticed that on TAP client, the gateway is not assigned, so I tried to manually configure it rather than obtaining it from DHCP, but the results were:
Code:
Tracing route to 192.168.100.102 over a maximum of 30 h

  1    74 ms    71 ms    73 ms  192.168.100.3
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.

Trace complete.
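
An added example, not part of the thread: a small Python check that scans OpenVPN log lines like the ones posted above for the security-relevant notices they contain (no server-certificate verification, password-only clients, shell-expanded scripts, 64-bit block ciphers, short RSA keys). The log lines are copied from the posts above; the finding names and the 2048-bit threshold are choices made for this example.

```python
import re

# (id, pattern, optional predicate on the match, risk, suggested change)
# Finding ids and the 2048-bit RSA threshold are choices made for this example.
CHECKS = [
    ("no-server-cert-check",
     re.compile(r"No server certificate verification method"), None,
     "any certificate issued by the same CA can pose as the VPN server",
     "client: remote-cert-tls server (OpenVPN 2.1+; the server certificate "
     "needs the TLS server key usage)"),
    ("password-only-clients",
     re.compile(r"--client-cert-not-required"), None,
     "clients are authenticated by username/password alone",
     "server: issue per-client certificates and drop the option"),
    ("script-shell-expansion",
     re.compile(r"--script-security method='system'"), None,
     "parameters passed to scripts go through shell expansion",
     "server: run scripts with the default execve method"),
    ("64-bit-block-cipher",
     re.compile(r"Cipher '(BF|CAST5|DES|DES-EDE3)-CBC'"), None,
     "64-bit block ciphers are weak for long-lived, high-volume tunnels",
     "both sides: set the same stronger cipher, e.g. cipher AES-256-CBC"),
    ("short-rsa-key",
     re.compile(r"(\d+) bit RSA"), lambda m: int(m.group(1)) < 2048,
     "RSA keys below 2048 bits are considered too short",
     "reissue the CA and server keys with at least 2048 bits"),
]

def audit(lines):
    """Return {finding id: details}, keeping the first line each one appears on."""
    findings = {}
    for number, line in enumerate(lines, 1):
        for cid, pattern, predicate, risk, fix in CHECKS:
            match = pattern.search(line)
            if not match or cid in findings:
                continue
            if predicate is None or predicate(match):
                findings[cid] = {"line": number, "risk": risk, "fix": fix}
    return findings

# Lines copied from the client log posted above.
CLIENT_LOG = [
    "Mon Apr 12 23:47:55 2010 WARNING: No server certificate verification "
    "method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.",
    "Mon Apr 12 23:47:56 2010 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key",
    "Mon Apr 12 23:47:56 2010 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key",
    "Mon Apr 12 23:47:56 2010 Control Channel: TLSv1, cipher TLSv1/SSLv3 "
    "DHE-RSA-AES256-SHA, 1024 bit RSA",
    "Mon Apr 12 23:47:57 2010 TAP-Win32 MTU=1500",
]

# Lines copied from the Endian (server) log posted earlier in the thread.
SERVER_LOG = [
    "Apr 6 14:50:43    local    NOTE: --script-security method='system' is deprecated "
    "due to the fact that passed parameters will be subject to shell expansion",
    "Apr 6 14:50:43    local    WARNING: POTENTIALLY DANGEROUS OPTION "
    "--client-cert-not-required may accept clients which do not present a certificate",
    "Apr 6 14:50:43    local    TUN/TAP device tap0 opened",
]

if __name__ == "__main__":
    for name, log in (("client", CLIENT_LOG), ("server", SERVER_LOG)):
        for cid, info in audit(log).items():
            print(f"{name} line {info['line']}: {cid}: {info['risk']} -> {info['fix']}")
```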


Title: Re: Can't access server from outside (internet-red)
Post by: dammit on Tuesday 13 April 2010, 01:20:02 pm
Also, there are a lot of pages like this in Endian's firewall log:


Title: Re: Can't access server from outside (internet-red)
Post by: mrkroket on Wednesday 14 April 2010, 01:59:08 am
Good and bad news:

Good News: Your traffic is being routed OK, so your VPN in fact is OK
Bad News: You still can connect to your PC.

You don't need a gateway on the TAP interface; in fact it is better not to have one, since subnet 192.168.100.0 is local to you.

Just to check:
1- Ensure both PCs can reply to ping. Double check that it isn't a Windows Firewall problem. It happens to me a lot of times that the problem lies in something totally different. Try to ping from your Endian Firewall console to 192.168.100.102. If that doesn't work, you have blocked the ping reply on the .102 PC. See http://www.sysprobs.com/enable-ping-reply-windows-7 and on Control Panel->Firewall->Advanced->ICMP->Allow incoming echo request. Disable Windows Firewall on both machines.
2- Try the reverse ping/traceroute, from .102 to .160.
3- On your last log I don't see any ICMP traffic. On VPN Firewall disable all logs, and create first-position rules to accept and log traffic from protocol ICMP in both directions, the first rule from Any VPN User to GREEN and the second rule vice versa.
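
An added example, not part of the thread: the PUSH_REPLY from the client log above, parsed in Python to show why no gateway is needed on the TAP interface. Every GREEN host is on-link for the client, so a host that stays unreachable points at layer 2 (the bridge or a virtual switch) rather than at routing. The function names are hypothetical, and the routed sample in the comments is constructed.

```python
import ipaddress

# PUSH_REPLY copied from the client log posted earlier in the thread.
PUSH_REPLY = ("PUSH_REPLY,ifconfig 192.168.100.160 255.255.255.0,"
              "route 192.168.100.0 255.255.255.0,ping-restart 30,ping 8,"
              "route-gateway 192.168.100.3,route 192.168.100.0 255.255.255.0,"
              "route-gateway 192.168.100.3")

def parse_push_reply(msg):
    """Return (TAP interface address, pushed route networks, route gateway)."""
    iface, routes, gateway = None, [], None
    for option in msg.split(",")[1:]:
        words = option.split()
        if not words:
            continue
        if words[0] == "ifconfig":
            iface = ipaddress.ip_interface(f"{words[1]}/{words[2]}")
        elif words[0] == "route":
            routes.append(ipaddress.ip_network(f"{words[1]}/{words[2]}"))
        elif words[0] == "route-gateway":
            gateway = ipaddress.ip_address(words[1])
    return iface, routes, gateway

def review(msg):
    """List pushed routes that add nothing on a bridged (dev tap) client."""
    iface, routes, _ = parse_push_reply(msg)
    notes, seen = [], set()
    for net in routes:
        if net in seen:
            # Matches "The route addition failed: The object already exists."
            notes.append(f"duplicate route {net}")
        elif net == iface.network:
            notes.append(f"redundant route {net}: it is the TAP subnet itself")
        seen.add(net)
    return notes

def next_hop(msg, target):
    """How the client reaches target: directly (ARP), via the gateway, or not via the VPN."""
    iface, routes, gateway = parse_push_reply(msg)
    address = ipaddress.ip_address(target)
    if address in iface.network:
        # The client resolves the target's MAC itself, so Ethernet frames
        # must cross the server's bridge in both directions.
        return "on-link"
    if any(address in net for net in routes):
        return f"via {gateway}"
    return "outside tunnel"

if __name__ == "__main__":
    for host in ("192.168.100.3", "192.168.100.102"):
        print(host, "->", next_hop(PUSH_REPLY, host))
    for note in review(PUSH_REPLY):
        print(note)
    # Constructed contrast: a routed setup, where the gateway does matter.
    routed = ("PUSH_REPLY,ifconfig 10.8.0.6 255.255.255.0,"
              "route 192.168.100.0 255.255.255.0,route-gateway 10.8.0.1")
    print("routed setup:", next_hop(routed, "192.168.100.102"))
```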


Title: Re: Can't access server from outside (internet-red)
Post by: dammit on Thursday 15 April 2010, 01:46:21 am
I just found the problem: promiscuous mode was rejected on the VMware vSwitches! I allowed it and now VPN clients are able to see and access all LAN PCs.

Thanks to mrkroket and everyone else who helped here in this topic!  ;D


Title: Re: Can't access server from outside (internet-red)
Post by: raneesh on Saturday 17 April 2010, 08:17:40 pm
Which version of Endian are you using?


Title: Re: Can't access server from outside (internet-red)
Post by: mrkroket on Saturday 24 April 2010, 04:02:52 pm
> I just found the problem: promiscuous mode was rejected on the VMware vSwitches! I allowed it and now VPN clients are able to see and access all LAN PCs.
>
> Thanks to mrkroket and everyone else who helped here in this topic!  ;D

Hmmm, you never mentioned you have a virtualization layer.
That complicates the whole thing, adding more test points.

Well, whatever, grats on resolving it by yourself.  :D