routes and more routes

Forum for all technical support and trouble shooting of the WinGate VPN.

Postby chespir » Oct 23 03 10:18 pm

hi all,

I'm going crazy with this VPN thing. One day it works perfectly, the next day it does not. One day it is publishing some routes, the next day it is publishing some others. Apps work one day over the VPN, the next day they do not, and so on...

I don't know why the VPN server changes routes by itself, disabling communication between server apps and their clients. I don't know either why sometimes I can see and ping every PC over the VPN and other times I can't.

What are the default routes Windows needs to "understand" to know which packets must be sent over the VPN? What exact routes must be published by the VPN server? Why are servers pingable but no connection can be made?

Versions are WinGate 5.0.10 plus VPN, and VPN 1.0.10 clients.

thanks a lot
chespir
 
Posts: 24
Joined: Oct 13 03 11:24 pm

Routes

Postby wingater » Oct 24 03 12:34 am

Hello,

1.) generally: don't publish the NIC IP from your Internet connection.

2.) The default gateway should be the WinGate PC for all clients behind the WinGate PC. Another way: set routes manually (command: route add).

e.g. if you want to connect from 192.168.0.1 and you didn't set a default gateway, type the following
(WinGate's IP is 192.168.0.5 MASK 255.255.255.0):

    route add 192.168.0.1 MASK 255.255.255.255 192.168.0.5


Settings in WinGate!

If you want to connect the whole network behind WinGate, you have to publish e.g. 192.168.0.0 MASK 255.255.255.0; that means your whole network.
If you only want to connect your WinGate PC, you have to publish e.g. 192.168.0.0 MASK 255.255.255.255

Which is your firewall configuration? What ports are opened?
Connection from Internet?
Connection to WinGate PC?
Connection to Internet?

regards
wingater
 
Posts: 14
Joined: Oct 23 03 12:15 am

same happens to me

Postby chespir » Oct 24 03 3:46 am

Thanks for answering, but the fact is that the behaviour of the routes published by WinGate is not the worst of my problems; the correct functioning of some apps is. Anyway, I'll try to explain the network tree I've got:

Road warriors and home workers: any kind of connection was working, via TCP/IP with DSL, regular modems, cable, etc. No problem until the last VPN standalone version (1.0.6).

Servers: WinGate on a PC, as a firewall, router and VPN server. 172.10.10.0/24 between the PC and the DSL router (security zone). 192.168.10.0/24 for the LAN, divided on two interfaces: 151 to serve WWW and FTP proxying and 2 to serve any other requests (mail and other software that needs direct connections to the Internet).

Firewalling is easy here: Internet-LAN connections are allowed only through port 809. All other connections are forbidden, even from the LAN to the Internet or to the WinGate PC, except for those allowed for a few services needed. The proxy takes care of WWW and FTP.

The problem is that I can establish the VPN and see the other PCs, but services (Lotus Notes, SAP...) won't even start. It looks like they don't find the servers, even if I can actually ping them through the VPN.

thanks in advance
chespir
 
Posts: 24
Joined: Oct 13 03 11:24 pm

Postby labull » Oct 24 03 6:39 am

Test opening the firewall for all connections from the LAN to the Internet.

I've found this is necessary for traffic to be able to return from the LAN computer to the Remote computer.

Let us know how it goes.

Larry
labull
WinGate Guru
 
Posts: 710
Joined: Sep 06 03 1:03 am
Location: Washington, DC - USA

ok

Postby chespir » Oct 24 03 7:26 pm

hi all,

I "allowed" the traffic LAN-Internet and it works, as expected. The problem is to check which ports your apps use in "answer". What I mean is, for example, why does the authentication answer from a server over the VPN go through the firewall and not through the established VPN to reach its destination? There must be some bad route somewhere...

If you open all your traffic LAN-Internet, you are going to miss, for example, the virus activity in your LAN, and many more things. When I started using a firewall a few months ago for my 150 users, that was a funny thing to see.

Again, excuse my English.

thanks all
chespir
 
Posts: 24
Joined: Oct 13 03 11:24 pm

Postby adrien » Oct 25 03 1:03 am

OK, looks like we need to reorder when we check firewall rules vs when we check if a packet is bound for the VPN.

At the moment, we check the firewall rules first. Since we don't NAT across the VPN, the packets coming in are OK, but going back out would be blocked if you have LAN->Internet disabled in the firewall.

You should be able to see these as hits in the firewall tab. The problem is that it is more than just a matter of opening up some ports as well, since the ports you need to open are the source ports of the client software on the other side of the VPN, and this will change all the time.

You could try opening ports 1024 - 4096... this will get most, yet still block much of your normal outbound NAT traffic as you probably wish.

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland
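Adrien's point about check ordering, modelled as an added example (not WinGate code and not from the thread): a toy packet path with constructed routes, a constructed LAN->outside firewall rule and sample packets. It shows why a LAN server's reply to a VPN peer is dropped when the firewall rule runs before the VPN check, why it passes when the order is swapped, and what the 1024-4096 workaround does and does not let through.

```python
from ipaddress import ip_address, ip_network

# Constructed topology following the thread: the WinGate LAN and the
# remote peer's network that the VPN publishes to us (assumed values).
LAN = ip_network("192.168.10.0/24")
VPN_ROUTES = [ip_network("192.168.0.0/24")]   # learned from the remote side

def bound_for_vpn(dst):
    """Would this destination be sent over the VPN tunnel?"""
    return any(ip_address(dst) in net for net in VPN_ROUTES)

def lan_outbound_allowed(pkt, lan_to_internet_open, open_ports=()):
    """Toy LAN->outside rule: blocked unless the admin opened LAN->Internet
    or the destination port is in an explicitly opened range."""
    if ip_address(pkt["src"]) not in LAN or ip_address(pkt["dst"]) in LAN:
        return True                      # not a LAN->outside packet
    return lan_to_internet_open or pkt["dport"] in open_ports

def forward(pkt, vpn_check_first, lan_to_internet_open=False, open_ports=()):
    """Return 'vpn', 'nat' or 'dropped' depending on which check runs first."""
    if not vpn_check_first:              # ordering Adrien says is used today
        if not lan_outbound_allowed(pkt, lan_to_internet_open, open_ports):
            return "dropped"
        return "vpn" if bound_for_vpn(pkt["dst"]) else "nat"
    if bound_for_vpn(pkt["dst"]):        # proposed reorder: VPN check first
        return "vpn"
    ok = lan_outbound_allowed(pkt, lan_to_internet_open, open_ports)
    return "nat" if ok else "dropped"

# Constructed sample packets: a LAN server's reply to a remote VPN client
# (the client's ephemeral source port becomes the reply's destination port)
# and two ordinary LAN->Internet packets.
REPLY_TO_VPN_CLIENT = {"src": "192.168.10.5", "dst": "192.168.0.20", "dport": 3105}
WEB_TO_INTERNET = {"src": "192.168.10.7", "dst": "203.0.113.9", "dport": 80}
HIGH_PORT_TO_INTERNET = {"src": "192.168.10.7", "dst": "203.0.113.9", "dport": 2000}

def demo():
    """Outcomes for each ordering, with and without the 1024-4096 workaround."""
    hp = range(1024, 4097)
    return {
        "reply, firewall first": forward(REPLY_TO_VPN_CLIENT, False),
        "reply, vpn first": forward(REPLY_TO_VPN_CLIENT, True),
        "reply, firewall first + 1024-4096": forward(REPLY_TO_VPN_CLIENT, False, open_ports=hp),
        "web, firewall first + 1024-4096": forward(WEB_TO_INTERNET, False, open_ports=hp),
        "high port, firewall first + 1024-4096": forward(HIGH_PORT_TO_INTERNET, False, open_ports=hp),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The last two cases show the trade-off Adrien mentions: the port range lets the VPN reply through, but it also admits any LAN->Internet packet whose destination port falls in that range while still blocking the rest.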

opening ports

Postby chespir » Oct 29 03 8:51 am

hi adrien,

I will try what you say, and it probably will work too. As I see it, the matter is the different ports that server apps use to "go back" to their client. On the other hand, I may miss a lot of unwanted LAN-Internet requests. I will try and post the results for future users.

Thanks again,

chespir
chespir
 
Posts: 24
Joined: Oct 13 03 11:24 pm
