Author Topic: Possible little firewall problem over shares in VPN \\10.9.0.1\shares  (Read 1282 times)

ATT1

Hello,
I installed Zentyal 4.1 a long time ago and it still works, and no, I _don't_ want to upgrade under any circumstances; however, I have to fix a tiny problem.
When I am in the internal 192.168.x.x network, I can reach the Zentyal shares fine using \\server01\shares on Windows 7 clients.
HOWEVER, the same machine has a 10.8.0.100 VPN IP address, and trying to reach that from a VPN-connected Windows client won't work.

I assume it is the firewall, because:

Starting Nmap 6.40 ( http://nmap.org ) at 2019-01-28 15:25 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000040s latency).
Other addresses for localhost (not scanned): 127.0.0.1
rDNS record for 127.0.0.1: localhost.localdomain
Not shown: 975 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
110/tcp   open  pop3
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
143/tcp   open  imap
389/tcp   open  ldap
443/tcp   open  https
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
465/tcp   open  smtps
587/tcp   open  submission
636/tcp   open  ldapssl
993/tcp   open  imaps
995/tcp   open  pop3s
1024/tcp  open  kdm
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3306/tcp  open  mysql
5000/tcp  open  upnp
8443/tcp  open  https-alt
20000/tcp open  dnp

Nmap done: 1 IP address (1 host up) scanned in 1.68 seconds
root@srv01:~# nmap 10.9.0.101

Starting Nmap 6.40 ( http://nmap.org ) at 2019-01-28 15:26 CET
Nmap scan report for 10.9.0.101
Host is up (0.000023s latency).
Not shown: 987 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
110/tcp   open  pop3
143/tcp   open  imap
443/tcp   open  https
465/tcp   open  smtps
587/tcp   open  submission
993/tcp   open  imaps
995/tcp   open  pop3s
8443/tcp  open  https-alt
20000/tcp open  dnp

Nmap done: 1 IP address (1 host up) scanned in 2.48 seconds

So you can see that the firewall won't allow (?) port 135 and port 139 on the VPN-IP.

How can I fix that? Any advice appreciated.


ATT1

Re: Possible little firewall problem over shares in VPN \\10.9.0.1\shares
« Reply #1 on: January 31, 2019, 12:41:47 pm »
I can 100% confirm the same bug on Zentyal 6, latest development version: the firewall does not forward some ports to the VPN IP (10.9.0.1 for example).
NMAP shows different results for "localhost" and for "VPN-IP".
These ports are filtered when using the VPN-IP:
88, 135, 139, 389, 445, 464, 636, 953.... WHY ????   :-[ :-[ :-[ :-[

I want to get \\vpn-server\shares to work for any windows client having any VPN-IP !!   :'( :'( :'(

Edit: Addendum: Even when I totally switched off the firewall, the strange behaviour remained that some ports are not open when nmap-checking the VPN IP (10.9.0.101) of the Zentyal server. An Nmap check of the local eth0 IP address of the Zentyal server (192.168.0.100) reveals that all necessary ports are open.
I have read all sorts of VPN and Samba docs/forums/hints but I am still not getting this issue fixed. Any help greatly appreciated.


« Last Edit: January 31, 2019, 05:53:16 pm by ATT1 »

ATT1

Re: Possible little firewall problem over shares in VPN \\10.9.0.1\shares
« Reply #2 on: January 31, 2019, 06:46:32 pm »
I just found it myself.

In /etc/samba/smb.conf you need the option:

bind interfaces only=no   !!!!

Then it works.

So you first do "service samba-ad-dc stop", edit the file, start the service again, and presto, it worked.
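
The behaviour found in this thread, as an added example that is not part of the original posts: a simplified model of how `interfaces` and `bind interfaces only` in the `[global]` section decide which local addresses smbd accepts connections on. The smb.conf excerpt is constructed, and `tun0` is an assumed name for the VPN interface; the addresses are the ones quoted above.

```python
import fnmatch
import ipaddress

# Constructed smb.conf excerpt that reproduces the symptom (assumed values,
# not the poster's actual file).
SAMPLE_CONF = """\
[global]
    interfaces = lo eth0
    bind interfaces only = yes
"""
# Constructed interface table: tun0 is an assumed name for the VPN interface;
# the addresses are the ones quoted in the thread.
HOST_IFACES = {"lo": "127.0.0.1", "eth0": "192.168.0.100", "tun0": "10.9.0.101"}
TRUE_VALUES = {"yes", "true", "on", "1"}


def read_global(conf_text):
    """Return [global] parameters; Samba ignores case and spaces in names."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip()
    return params


def token_matches(token, name, addr):
    """True if one `interfaces` entry selects this interface (simplified)."""
    if fnmatch.fnmatch(name, token) or token.split("/")[0] == addr:
        return True  # interface name / wildcard, or the interface's own IP
    if "/" in token:  # IP/mask form: accept interfaces inside that subnet
        return ipaddress.ip_address(addr) in ipaddress.ip_network(token, strict=False)
    return False


def smb_listen_addresses(conf_text, host_ifaces):
    """Addresses smbd would accept connections on under this configuration."""
    params = read_global(conf_text)
    if params.get("bindinterfacesonly", "no").lower() not in TRUE_VALUES:
        return set(host_ifaces.values())  # wildcard bind: every local address
    if "interfaces" not in params:
        raise ValueError("model only covers an explicit `interfaces` list")
    tokens = params["interfaces"].split()
    return {a for n, a in host_ifaces.items()
            if any(token_matches(t, n, a) for t in tokens)}
```

With `bind interfaces only = no` the service listens on every local address and exposure is left to the firewall; adding the VPN interface to `interfaces` and keeping `bind interfaces only = yes` reaches the VPN clients while keeping the listener scoped.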