Topic: Remote Access from WAN

[ronaldson40]

I would like to know if this sort of a setup is possible....

I have a USR 9108  router which is also a gateway

http://www.usr-emea.com/products/p-broadband-product.asp?prod=bb-9108&loc=unkg



and my computers are connected this way


SME is one of the clients of the USR and is in server mode.

I am using No-Ip.com services which helps me by reporting my WAN Ip.

Presently when I enter my WAN IP in the IE, I get the USRs login page.
I am able to login and configure the settings of my USR. I am also able to SSH and telnet to the USR.

What I want to do is I want to be able to access the server manager of SME server and possibly SSH to the SME from any computer in the world...i.e from WAN....

My LAN Ip addresses are of the range 192.168.1.x/255.255.255.0
and 192.168.1.1 is my USR address.

The SME has an ip 192.168.1.2.

How should I proceed so that I am able to access the SME server from WAN since I travel a lot...

I am aware of something called Port Forwarding which is achieved through Virtual Server concept in USRs.

How should I proceed if possible?

[Stefano]

How should I proceed if possible?

reading user's manual of your router.. I'm sure you'll find everything you are looking for

Ciao

Stefano

[imcintyre]

I have a similar set up and do this all the time. A solution is to set up VPN access through your router, VPN into your network and then connect. There may be other solutions but I am not an expert.

I am not certain if this is the most secure method either but I think any exposing of your server or network has issues. You might want to give this some thought.

I don't know anything about us robotics routers so I can't advise you on "how to", but as previously noted it is probably in the manual.

[ronaldson40]

I tried it by setting up a virtual server in USR

Server       IP ADDRESS         External Port      Internal Port
SME           192.168.1.2          1022                         22
I soft booted the USR and went to Putty entered my WAN IP and port as 1022... I even tried switching on the DMZ to 192.168.1.2
However no luck..

I checked if my port was open.... I verified using the Shields-up page
https://www.grc.com/x/ne.dll?bh0bkyd2

It reported that the port was open.

[imcintyre]

<~~ not an expert but, a reminder that telnet is not secure, you want to disable telnet at least from the outside world.

comment re vpn deleted

Ronaldson; never mind my comments re vpn, I see that the device supports vpn passthrough not offering vpn

[OzMoosis]

I tried it by setting up a virtual server in USR

Server       IP ADDRESS         External Port      Internal Port
SME           192.168.1.2          1022                         22
I soft booted the USR and went to Putty entered my WAN IP and port as 1022... I even tried switching on the DMZ to 192.168.1.2
However no luck..

I checked if my port was open.... I verified using the Shields-up page
https://www.grc.com/x/ne.dll?bh0bkyd2

It reported that the port was open.

It looks to me like you're using the correct method for forwarding the ports. Are you testing the access to your server-manager / SSH from inside your own LAN? Maybe that's why you're having problems. I know that I can't access my S-M from inside my own LAN either if I use my WAN IP-address.

Also, (silly question, maybe...) have you configured your SME-server to allow remote secure-shell access from the internet?

Oz

[ronaldson40]

Yes..

[Brave Dave]

That isn't how I would do it;

Set the Server to Server-Gateway, connect the router to the public network card, allow PPTP connections and pass the pptp port through to the public side of the server

then just vpn in

This is the standard setup, you are asking advice for setup that is against the design principals

[ronaldson40]

Do I need to install anything on the sme for vpn?

How should I do the vpn part? I will be using xp laptop to access sme from WAN?

[Brave Dave]

You probably should start here - the PPTP part
http://wiki.contribs.org/SME_Server:Documentation:Administration_Manual:Chapter11

[ronaldson40]

Thanks for your reply...

In the Manual, it has been said that use the SME instead of your router.
This is my PC config
3.2 Dual Core
1GB RAM
2 NIC
1 DLINK PCI MODEM
1320 GB HDD

=======
So should I use DMZ on the USR to the SME for this? or should I connect the ISP telephone line connected to the USR ADSL to the fax modem??
My ISP uses PPPoA

[socate]

I think you SME is define as a standalone server and not as a gateway, so I think you will have only one NIC with local IP 192.168.1.2. So, if you want to access your WEB UI from internet forward necessary ports (443, 80, 81) to 192.168.1.2 and access from Internet with https://your_public_ip/server-manager

or, you can redirect some ports (for example port 12345) to 443 to "complicate" the access!

[ronaldson40]

I tried this... not workin....

I put a fwd rule i.e port 80,81,443 to 192.168.1.2. This gave me a msg saying that the router 80 has been moved to 8080, restarted my router, and checked the Shields up site, said the port 80 was open...

so I used http://myWANIP/server-manager

I am getting IE cannot find the page...

What I am thinking is to connect my CPU directly to the ISP line and removing the USR which I have seen on other boards has a lot of complaints regd its rigid firewall and stuff...

If SME server handled my router's activities I would have fine-grained control, plus I could run a fax server also.

I have heard of something called smoothwall, but it allows you to use your comp only for firewalling, nothin else can be run. SME is better that way... u cud have a firewall, a webserver, fax server,etc....

Is there a HOW-to to convert a CPU to a router... I could implement the same thing using the SME.

Initially I used to use a Linksys router WAG54Gv2 which easily allowed me to setup these services.. USR is a failure at this....

[socate]

I tried this... not workin....


so I used http://myWANIP/server-manager

Try https and not http

[bpivk]

I tried this... not workin....


so I used http://myWANIP/server-manager

Try https and not http

It won't make a difference. And wan doesn't work if you're on the same line with SME. You'll have to test wan access from a different internet line.

[ronaldson40]

bpivk you were right.....

I can remote SSH and get my html page in Primary>html ibay....
when i enter http://wanip:11280/

I am using port 11280 for the port 80 forward.

However I tried http://wanip:11280/server-manager/
and even http://wanip:11280/server-manager/

I could not open the server-manager

[ronaldson40]

Hi I tried using pptpd, set max connections to 10.
Set up a vpn connection in Windows xp
Whenever I connect I am gettting this error

Code: [Select]

Error:691 - Username/PAssword invalid

Here is the log of the SME

Code: [Select]


Jul  6 17:22:21 datahub pptpd[21598]: GRE: read(fd=6,buffer=804ebe0,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
Jul  6 17:22:21 datahub pptpd[21598]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Jul  6 17:22:21 datahub pptpd[21598]: CTRL: Reaping child PPP[21599]
Jul  6 17:22:21 datahub pptpd[21598]: CTRL: Client 86.96.88.60 control connection finished
Jul  6 17:22:40 datahub pptpd[21632]: CTRL: Client 86.96.88.60 control connection started
Jul  6 17:22:40 datahub pptpd[21632]: CTRL: Starting call (launching pppd, opening GRE)
Jul  6 17:22:40 datahub pppd[21633]: Plugin radius.so loaded.
Jul  6 17:22:40 datahub pppd[21633]: RADIUS plugin initialized.
Jul  6 17:22:40 datahub pppd[21633]: pppd 2.4.4 started by root, uid 0
Jul  6 17:22:40 datahub kernel: divert: not allocating divert_blk for non-ethernet device ppp0
Jul  6 17:22:40 datahub pppd[21633]: Using interface ppp0
Jul  6 17:22:40 datahub pppd[21633]: Connect: ppp0 <--> /dev/pts/1
Jul  6 17:22:40 datahub pptpd[21632]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Jul  6 17:22:50 datahub pppd[21633]: Peer root failed CHAP authentication
Jul  6 17:22:51 datahub pppd[21633]: Connection terminated.
Jul  6 17:22:51 datahub kernel: divert: no divert_blk to free, ppp0 not ethernet
Jul  6 17:22:51 datahub pppd[21633]: Exit


[Stefano]

bpivk you were right.....

I can remote SSH and get my html page in Primary>html ibay....
when i enter http://wanip:11280/

I am using port 11280 for the port 80 forward.

However I tried http://wanip:11280/server-manager/
and even http://wanip:11280/server-manager/

I could not open the server-manager

server-manager is not available from outside lan

you can always do a vpn or a ssh tunnel

HTH

Ciao

Stefano

[bpivk]

Did you forward/open port 443 on your router? Can you try a different port (eg.112443) Does shields up show the port as open?

[ronaldson40]

YES port 12443 is open
This is what shields up reports
Initially I tried this
http://WANIP:12443
http://WANIP:12443/server-manager

Got Blank pages in IE in both cases
Then I tried this
https://WANIP:12443/server-manager
I get an accept  certificate. I click yes.
I get the following in IE

Code: [Select]



 You are not authorized to view this page
You might not have permission to view this directory or page using the credentials you supplied.

--------------------------------------------------------------------------------

If you believe you should be able to view this directory or page, please try to contact the Web site by using any e-mail address or phone number that may be listed on the WANIP:12443 home page.

You can click  Search to look for information on the Internet.




HTTP Error 403 - Forbidden
Internet Explorer  




Do I have to add something under Remote Access>Remote Management to get access?

[bpivk]

Do I have to add something under Remote Access>Remote Management to get access?

Run ipconfig on your computer (start/run/cmd and type ipconfig/all) and then enter your ip in remote management.

Or use any ip (1.1.1.1) and enter a 0.0.0.0 subnet but remember to delete this if you'll use this.

Then check if it works.

[ronaldson40]

ipconfig will just give me my LAN ip...
But when I remotely connect to the SME isn't it the Wan Ip that is taken into account....

Now my WANIP is dynamic... so i am using dynamic dns...

So what should I enter under remote management... the LAN ip of the remote computer or the WAN IP of the remote computer...

[bpivk]

ipconfig will just give me my LAN ip...

Yes that's why i said that you should enter ipconfig/all

Run ipconfig on your computer (start/run/cmd and type ipconfig/all)

You should enter wan ip.

[ronaldson40]

I get this from my friend's system

Code: [Select]


C:\Documents and Settings\Koshy>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : COMP
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Mixed
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/Wireless 2200BG Network
 Connection
        Physical Address. . . . . . . . . : 00-11-13-2B-33-1A
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1

[ronaldson40]

I will try this site for the WAN IP...
www.whatismyipaddress.com

I will enter it in the Remote Management but what about the subnet...should I leave that empty...?

[bpivk]

Sorry i forgot that you're using a router.  
www.ipchicken.com will tell you your ip.

[ronaldson40]

I am still getting the same...
You are not authorised to view this page...

I put  my WAN IP and
255.255.255.0 as the subnet

[mmccarn]

If you want to run server-manager from off-site, do this:

• download putty.exe from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html and save it in your windows directory (c:\windows)
• click 'start', 'run' and type in putty -L 443:127.0.0.1:443 WANIP
  
• browse to https://localhost/server-manager

Notes:
I personally save 'putty.exe' in my windows folder so that I can use 'start', 'run' as shown above to let me save my various putty command lines easily.  There are other ways to do this.

The "-L" must be an upper case L.  The specific command shown says "take any traffic received by my windows computer at port 443, and send it to "localhost" at the remote computer, port 443".

If your USR router is still configured as the end-point for remote ssh traffic, you would need to do this:

• click 'start', 'run' and type in putty -L 443:192.168.1.2:443 WANIP
  
• browse to https://localhost/server-manager

Notes:
- I assume you've already downloaded putty.
- Your USR modem is now forwarding traffic received by your remote workstation on port 443 to the host it sees at 192.168.1.2, port 443

If you happen to be running a web server on your windows workstation you may already be using port 443, in which case the commands above will fail. Do this:

• click 'start', 'run' and type in putty -L 2443:192.168.1.2:443 WANIP
  
• browse to https://localhost:2443/server-manager

[Brave Dave]

Once you have VPN'ed in

You access the internal IP of the Server - not the external - you are part of the internal network

1. Establish VPN
2. goto https://internalip/server-manager

[ronaldson40]

David

VPN is not working for me....
From my neighbour's house, I tried from his system which is a Windows XP client.

On router, port forward ports 1723 and 47 to 192.168.1.2 (SME)
On SME, I got to remote access, change PPTP clients from 0 to 10.
Click save.

On the XP client, (different Internet line), I got to Network Connections, Create new connections, Connect to Network at my Workplace, Create VPN, enter the IP address and a connection is created.
I enter username as admin and then my password, Under settings select all the three options and then click connect. It connects and says verifying username and password, and then it disconnects giving me Error 691: Invalid Username, Password.....

My SME is 7.1.3

[Brave Dave]

I don't play with 47, just 1723

The 691 error - actually quite good, at least you are hitting the server

Have you updated your server

uname -a
Linux k 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux

Check
rpm -qa | grep "kmod-p"
kmod-ppp-smp-1.0.2-2.2.6.9_55.EL
kmod-ppp-1.0.2-2.2.6.9_55.EL

note that kernel modules match, I think it's smeupdates-testing to get the correct kernel modules

maybe the us-robotics router doesn't pass the VPN pass-through - lot of variables there, maybe you may need to configure it in bridge mode and put your pppoe setup directly into the sme box, not sure, Routre needs to pass GRE through

VPN seems to just work for me, I use netgear routers by choice, but have success with many others.

Just looking at your original post, 192.168.1.0/24 was your internal network

you should be using 2 network cards with a different network on inside and outside

say [wanip] [dmz net] [internal net]

say [wanip] [192.168.5.0/24] [192.168.1.0/24]

[ronaldson40]

uname -a
Linux k 2.6.9-55.EL #1 Wed May 2 13:52:16 EDT 2007 i686 i686 i386 GNU/Linux

Check
rpm -qa | grep "kmod-p"
kmod-ppp-smp-1.0.2-2.2.6.9_55.EL
kmod-ppp-1.0.2-2.2.6.9_55.EL

I am getting these

[root@datahub ~]# uname -a
Linux datahub 2.6.9-55.ELsmp #1 SMP Wed May 2 14:28:44 EDT 2007 i686 i686 i386 GNU/Linux

[root@datahub ~]# rpm -qa | grep "kmod-p"
kmod-ppp-smp-1.0.2-1.2.6.9_42.0.10.EL
kmod-ppp-1.0.2-1.2.6.9_42.0.10.EL

[ronaldson40]

One more thing I have this page on USR. Is it because of this I am not getting VPN?

Purchase Features
In order to enable the router to establish VPN connections, you need to purchase the VPN feature from U.S. Robotics.

 


If you’ve already purchased the VPN feature, please press the Unlock button so that the router can unlock it. The router will contact the U.S. Robotics Web site in order to confirm your purchase. Please note that the router does not send any personal information. The only information it sends is the MAC address of the device.



Back to the Status page

[Stefano]

On router, port forward ports 1723 and 47 to 192.168.1.2 (SME)

it is not port 47, it's protocol 47 GRE

HTH
Stefano

[ronaldson40]

So this protocol should be enabled on the router or the SME server?

[ronaldson40]

I tried changing the router to another one... tested the port forwards.... I am still getting this GRE error.... and Error 691

Will a SME update help or is it some problem of the modem...?

[ronaldson40]

hi... i had not enabled vpn access to the users i.e why i was getting error 691 in windows xp

But now I am getting this error
"Error 734: The PPP link control protocol was terminated"
and this is my server log

Jul  9 16:47:08 datahub pptpd[7709]: CTRL: Starting call (launching pppd, opening GRE)
Jul  9 16:47:08 datahub pppd[7710]: Plugin radius.so loaded.
Jul  9 16:47:08 datahub pppd[7710]: RADIUS plugin initialized.
Jul  9 16:47:08 datahub pppd[7710]: pppd 2.4.4 started by root, uid 0
Jul  9 16:47:08 datahub kernel: divert: not allocating divert_blk for non-ethernet device ppp0
Jul  9 16:47:08 datahub pppd[7710]: Using interface ppp0
Jul  9 16:47:08 datahub pppd[7710]: Connect: ppp0 <--> /dev/pts/2
Jul  9 16:47:08 datahub pppd[7710]: MPPE required, but kernel has no support.
Jul  9 16:47:08 datahub pppd[7710]: Connection terminated.
Jul  9 16:47:08 datahub pppd[7710]: Connect time 0.0 minutes.
Jul  9 16:47:08 datahub pppd[7710]: Sent 0 bytes, received 0 bytes.
Jul  9 16:47:08 datahub pptpd[7709]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Jul  9 16:47:08 datahub pptpd[7709]: CTRL: Reaping child PPP[7710]
Jul  9 16:47:08 datahub kernel: divert: no divert_blk to free, ppp0 not ethernet
Jul  9 16:47:08 datahub pppd[7710]: Exit.

I have also searched the forums and came across several posts on the same MPPE required issue.. But most of them refer to the bug tracker and there are no resolutions.
http://pptpclient.sourceforge.net/howto-diagnosis.phtml#mppe_rbkhns
I also refered the above site...but did not help...

Could you suggest any technique to solve it....

[ronaldson40]

Could you point me to some post or link where I can re-enable the MPPE support for the kernel....
I tried with a VMWARE image of SME 7.1 without the updates... I was able to estalish the Vpn connection...but since my production server is SME 7.1.3...i think the vpn support is broken...

[Stefano]

Could you point me to some post or link where I can re-enable the MPPE support for the kernel....
I tried with a VMWARE image of SME 7.1 without the updates... I was able to estalish the Vpn connection...but since my production server is SME 7.1.3...i think the vpn support is broken...

- boot with 'old' kernel (2.6.9-42.3  AFAIR)
- rpm -e --nodeps kernel-2.6.9-55 kernel-smp-2.6.9-55 (check rpms' name)
- disable CENTOS* repositories
- yum update: it should inslaa last sme kernel 2.6.9-42.10
- signal-event post-upgrade; signal-event reboot

it should work

HTH

ciao
Stefano

[Stefano]

Could you point me to some post or link where I can re-enable the MPPE support for the kernel....
I tried with a VMWARE image of SME 7.1 without the updates... I was able to estalish the Vpn connection...but since my production server is SME 7.1.3...i think the vpn support is broken...

- boot with 'old' kernel (2.6.9-42.3  AFAIR)
- rpm -e --nodeps kernel-2.6.9-55 kernel-smp-2.6.9-55 (check rpms' name)
- disable CENTOS* repositories
- yum update: it should inslaa last sme kernel 2.6.9-42.10
- signal-event post-upgrade; signal-event reboot

it should work

HTH

ciao
Stefano

[Stefano]

Could you point me to some post or link where I can re-enable the MPPE support for the kernel....
I tried with a VMWARE image of SME 7.1 without the updates... I was able to estalish the Vpn connection...but since my production server is SME 7.1.3...i think the vpn support is broken...

- boot with 'old' kernel (2.6.9-42.3  AFAIR)
- rpm -e --nodeps kernel-2.6.9-55 kernel-smp-2.6.9-55 (check rpms' name)
- disable CENTOS* repositories
- yum update: it should inslaa last sme kernel 2.6.9-42.10
- signal-event post-upgrade; signal-event reboot

it should work

HTH

ciao
Stefano

[ronaldson40]

Will this be fixed in the next update of SME?

Any how I am presently using the old SME 7.1 kernel installed on Vmware for VPN on my network till the issue is fixed in the next update....