Koozali.org: home of the SME Server

Legacy Forums => General Discussion (Legacy) => Topic started by: afranc on September 21, 2005, 11:34:55 PM

Title: VPN+router
Post by: afranc on September 21, 2005, 11:34:55 PM
Hi
I'm stuck on configuring my router to access the e-smith server via VPN.

My configuration is
Server E-smith : 192.168.0.100 (internal)
USR9003 (ADSL router): 192.168.1.1 (internal)
USR9003 (ADSL router): reserved public ip (external)
USR9003 (ADSL router): connection using RFC1483 routed, NAT on, DHCP off

In order to configure the server and client I followed the instructions provided by Randall Perry (http://domain-logic.com/support/secure_tunnel.htm).

For the USR9003, on http://www.homepagez.com/usr9003/pptp.htm I found a possible configuration, but it doesn't work, maybe because my DSL connection is RFC1483 routed (the proposed configuration is for PPPoE) or because I couldn't turn on DHCP as requested in the WAN setup chapter.

So I tried again with the router following the tech-geeks instructions (http://www.tech-geeks.org/geeklog/article.php?story=20040223114208788&query=vpn), but it doesn't work.

I'm new to e-smith / router problems. Could someone help me?

Where am I going wrong?

thanks in advance
Title: VPN+router
Post by: RobRoye on September 22, 2005, 07:55:46 AM
Problem: Your server is not on the same internal subnet as your router. The router is on the 192.168.0.x subnet and the server is on 192.168.1.x - this does not work. You need them to be on the same subnet to communicate.

A VPN passthrough router is only really for accessing someone else's VPN from the router's internal network. It's not meant for accessing a VPN server from the internet. An easy fix is to put the server on the DMZ, which directs all inbound traffic to the server. A better fix is basically to use the server as intended and make it the gateway itself. It would actually replace the router. Setting this up is quite easy and requires two network cards, but can easily be done. If the USR router is used for wireless access to the network, that can also continue, but the router would go into AP mode and only be connected via the LAN port to the internal network. I have a USR router that I use as an access point for my home network in this manner.
Title: VPN+router
Post by: afranc on September 22, 2005, 02:35:08 PM
RobRoye,
thanks for your help. I understood part of my problem:
The NAT configuration of the router was pointing at the internal LAN card (192.168.0.100); in fact my e-smith server has 2 cards, the second one connected to the router (192.168.1.2). After replacing the IP in the NAT config, I've now taken a step forward! Thanks

Launching the VPN connection from the client, I saw the verification of user name and password, but then the error 619 "The specified port is not connected". Where is the problem?

Could it be the router firewall? Its configuration is:

Precedence  Interface  Direction  Src IP Addr/Netmask  Dest IP Addr/Netmask   Src Port  Dest Port  Protocol  Tcp Flags  FW Action
10000       atm1       Any        0.0.0.0/32           0.0.0.0/32             0         80         TCP       None       Allow
30001       atm1       In         0.0.0.0/32           external public ip/32  0         0          ICMP      None       Allow
30000       eth1       In         192.168.1.0/24       0.0.0.0/32             0         0          ANY       None       Allow
29000       Any        Any        0.0.0.0/32           0.0.0.0/32             0         67         UDP       None       Allow
29000       Any        Any        0.0.0.0/32           0.0.0.0/32             520       520        UDP       None       Allow
5000        atm1       Any        0.0.0.0/32           0.0.0.0/32             0         1723       TCP       None       Allow
5000        atm1       Any        0.0.0.0/32           0.0.0.0/32             0         0          GRE       None       Allow

The 5000 entries are related to the VPN ports.

Thanks a lot in advance!
Title: VPN+router
Post by: RobRoye on September 22, 2005, 08:48:37 PM
What works best is to place the VPN server on the DMZ. This will ensure that any needed port is available for that server. There are so many ports and protocols used for a VPN that this is the easiest way by far. Using SME Server, it also is pretty safe as it is designed to be exposed like that.
Title: VPN+router
Post by: afranc on September 23, 2005, 09:04:01 AM
Ok,
how can I do that: "place the VPN server on the DMZ"?
I really don't know how to configure the router and the SME server to work as a DMZ.

Could you give me some hints?

Thanks
Title: VPN+router
Post by: RobRoye on September 24, 2005, 07:03:04 AM
A US Robotics router has a tab for Access along the top, and then a button (under the big graphic) that says DMZ. Set that address to the IP of your SME and make sure to click the Enabled option. Click Apply and after a reset (which it does automatically) you're all set.
Title: VPN+router
Post by: afranc on September 25, 2005, 03:14:01 PM
My router USR9003 doesn't have a DMZ option where you said; maybe the configuration is under another command.
Please could you tell me the right steps and path to configure the DMZ on the router?
Thanks a lot
Title: VPN+router
Post by: micropitt on September 25, 2005, 04:53:41 PM
http://www.homepagez.com/usr9003/index.html
Title: VPN+router
Post by: micropitt on September 25, 2005, 05:03:57 PM
The USR9003 has ALG (Advanced Level Gateway) which will open certain known ports as needed (pptp and ipsec as example) by itself.
The USR9003 does not have a DMZ
Title: VPN+router
Post by: rmarshall on September 25, 2005, 09:51:29 PM
Can you give a little more info please. How is your server set up? Server/Gateway or server only? What VPN are you using, PPTP on the server or OpenVPN? Have you created a static route in the router for the 0.100 subnet?
Title: VPN+router
Post by: afranc on September 26, 2005, 12:40:20 PM
rmarshall
Here is more detailed info about the configuration of the SME server:

Server Mode                        servergateway
Local IP address / subnet mask     192.168.0.100/255.255.255.0
External IP address / subnet mask  192.168.1.2/255.255.255.0 (connected to router)
Gateway                            192.168.1.1 (that is the router)
Additional local networks          192.168.0.0/255.255.255.0
DHCP server                        enabled
DNS server                         192.168.0.100

I'm using VPN PPTP on the server, set up as described by Randall Perry (http://domain-logic.com/support/secure_tunnel.htm).

The router configuration is:

Precedence  Interface  Direction  Src IP Addr/Netmask  Dest IP Addr/Netmask   Src Port  Dest Port  Protocol  Tcp Flags  FW Action
10000       atm1       Any        0.0.0.0/32           0.0.0.0/32             0         80         TCP       None       Allow
30001       atm1       In         0.0.0.0/32           external public ip/32  0         0          ICMP      None       Allow
30000       eth1       In         192.168.1.0/24       0.0.0.0/32             0         0          ANY       None       Allow
29000       Any        Any        0.0.0.0/32           0.0.0.0/32             0         67         UDP       None       Allow
29000       Any        Any        0.0.0.0/32           0.0.0.0/32             520       520        UDP       None       Allow
5000        atm1       Any        0.0.0.0/32           0.0.0.0/32             0         1723       TCP       None       Allow
5000        atm1       Any        0.0.0.0/32           0.0.0.0/32             0         0          GRE       None       Allow

The 5000 entries are related to the VPN ports.
I also configured a NAT policy in order to connect the external public IP to the SME server on 192.168.1.2.

...

thanks in advance
Title: VPN+router
Post by: rmarshall on September 26, 2005, 02:11:03 PM
As I see it you should only have to forward the VPN ports (47 and 1723) needed from the router (192.168.1.1) to the server (192.168.1.2) and your VPN should work. Routing beyond the server should then be simple and a function of the server and not your router.
Title: VPN+router
Post by: afranc on September 26, 2005, 02:41:50 PM
Maybe the routing setup of the router could be enough to configure the VPN?

In fact I could configure:

Destination Network ID:   192.168.1.2 (SME server side of router)
Destination Subnet Mask:  255.255.255.0
Next Hop IP:              82.90.11.40

And delete the other entries:

Network ID          Subnet Mask     Next Hop IP
0.0.0.0             0.0.0.0         external public ip
external public ip  255.255.255.0   external public ip
192.168.1.0         255.255.255.0   192.168.1.1

What do you think?
Title: VPN+router
Post by: rmarshall on September 26, 2005, 03:32:27 PM
I looked over the config on the homepagez link and other than the WAN setup the NAT and passthru setups look correct. That should allow you to connect out via PPTP to a server. You should also set up port forwarding on the router to pass the ports directly from outside in to the server.
Title: VPN+router
Post by: afranc on September 28, 2005, 12:25:44 PM
Hi
the config on homepagez doesn't work!

Launching the VPN connection from the client, I saw the verification of user name and password, but then the error 619 "The specified port is not connected".

What is wrong?

help
Title: VPN+router
Post by: rmarshall on September 28, 2005, 01:56:23 PM
Did you also set up port forwarding for 47 and 1723 per the port mapping page on homepagez.com? You have to get past the NAT in the router and to the server, and the passthru setup on that first page might not be enough to make it work. I use a Linksys instead of the USR but the setup is similar and the port forwarding is necessary.
Title: VPN+router
Post by: afranc on October 01, 2005, 06:05:52 PM
Hi
port mapping as on homepagez.com isn't enough.
In fact SME Server needs port 1723 (TCP) and 47 (GRE), but protocol GRE isn't available in the port mapping.

At the moment, launching the VPN connection from the client, I see the verification of user name and password, but then the error 619 "The specified port is not connected".

The same client (changing the IP of the server from external to internal) reaches the SME server when inside the LAN, so the problem is the USR9003 router.


Does somebody know how to pass through a USR9003 and connect to an e-smith server via VPN?

Thanks a lot
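The two failures in this thread (the NAT policy first aimed at the SME internal NIC 192.168.0.100 instead of the 192.168.1.2 card on the router's LAN, and then a port mapping that can carry TCP 1723 but has no way to express GRE, IP protocol 47, which has no ports) can be modelled and checked offline. The following is an added example written for this page, not code from the thread, SME Server or US Robotics: it models the posted firewall table and a NAT map the way a small NAT router applies them and walks the two PPTP flows (RFC 2637) through both. Assumptions are labelled in the code: 192.0.2.10 stands in for the redacted "external public ip", the rule with the lowest precedence number is taken to match first (check the router manual), the NAT map is keyed by (protocol, port) with GRE keyed as ("GRE", 0), and the source-port column of the table is omitted because it is only used by the RIP row.

```python
"""Added example: PPTP passthrough check for a small NAT router.

PPTP has two flows that must both reach the server: the control connection
on TCP port 1723 and the data channel, GRE (IP protocol 47), which carries
no port numbers.  A "port forward for port 47" therefore matches nothing;
the router must translate protocol 47 as a whole.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    precedence: int
    iface: str       # "atm1" (WAN), "eth1" (LAN) or "Any"
    direction: str   # "In", "Out" or "Any"
    src: str         # CIDR; the posted table uses 0.0.0.0/32 as "any"
    dst: str
    dst_port: int    # 0 = any (source-port column omitted in this model)
    proto: str       # "TCP", "UDP", "ICMP", "GRE" or "ANY"
    action: str      # "Allow" or "Deny"


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str
    src: str
    dst: str
    proto: str
    dst_port: int = 0   # 0 for protocols without ports (GRE, ICMP)


def _net_matches(cidr: str, addr: str) -> bool:
    net = ip_network(cidr, strict=False)
    # 0.0.0.0/32 in the posted table means "any address".
    return net.network_address == ip_address("0.0.0.0") or ip_address(addr) in net


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface in ("Any", pkt.iface)
            and rule.direction in ("Any", pkt.direction)
            and rule.proto in ("ANY", pkt.proto)
            and rule.dst_port in (0, pkt.dst_port)
            and _net_matches(rule.src, pkt.src)
            and _net_matches(rule.dst, pkt.dst))


def firewall_verdict(rules, pkt: Packet, default: str = "Deny") -> str:
    # Assumption: lowest precedence number is evaluated first and the first
    # matching rule decides; an unmatched packet falls to the default.
    for rule in sorted(rules, key=lambda r: r.precedence):
        if rule_matches(rule, pkt):
            return rule.action
    return default


def pptp_diagnosis(rules, nat: dict, public_ip: str, lan_net: str,
                   client_ip: str = "203.0.113.7") -> dict:
    """Walk both PPTP flows through firewall, then NAT, and report each.

    nat maps (protocol, dst_port) to the internal host; GRE is ("GRE", 0).
    """
    flows = {
        "control TCP/1723": Packet("atm1", "In", client_ip, public_ip, "TCP", 1723),
        "data GRE/47": Packet("atm1", "In", client_ip, public_ip, "GRE"),
    }
    result = {}
    for name, pkt in flows.items():
        if firewall_verdict(rules, pkt) != "Allow":
            result[name] = "blocked by firewall"
        elif (target := nat.get((pkt.proto, pkt.dst_port))) is None:
            result[name] = "no NAT mapping"
        elif ip_address(target) not in ip_network(lan_net):
            # The thread's first mistake: NAT aimed at a host the router cannot reach.
            result[name] = f"NAT target {target} is not on router LAN {lan_net}"
        else:
            result[name] = f"forwarded to {target}"
    return result


def error_619_expected(diag: dict) -> bool:
    """Control channel reaches the server but GRE does not: the Windows client
    gets past "verifying username and password" and then fails with error 619."""
    ok = lambda v: v.startswith("forwarded")
    return ok(diag["control TCP/1723"]) and not ok(diag["data GRE/47"])


# Constructed data: the rule table as posted, 192.0.2.10 standing in for the
# redacted public address.
PUBLIC_IP = "192.0.2.10"
ROUTER_LAN = "192.168.1.0/24"
POSTED_RULES = [
    Rule(10000, "atm1", "Any", "0.0.0.0/32", "0.0.0.0/32", 80, "TCP", "Allow"),
    Rule(30001, "atm1", "In", "0.0.0.0/32", f"{PUBLIC_IP}/32", 0, "ICMP", "Allow"),
    Rule(30000, "eth1", "In", "192.168.1.0/24", "0.0.0.0/32", 0, "ANY", "Allow"),
    Rule(29000, "Any", "Any", "0.0.0.0/32", "0.0.0.0/32", 67, "UDP", "Allow"),
    Rule(29000, "Any", "Any", "0.0.0.0/32", "0.0.0.0/32", 520, "UDP", "Allow"),
    Rule(5000, "atm1", "Any", "0.0.0.0/32", "0.0.0.0/32", 1723, "TCP", "Allow"),
    Rule(5000, "atm1", "Any", "0.0.0.0/32", "0.0.0.0/32", 0, "GRE", "Allow"),
]
NAT_WRONG_NIC = {("TCP", 1723): "192.168.0.100", ("GRE", 0): "192.168.0.100"}  # first attempt
NAT_PORT_ONLY = {("TCP", 1723): "192.168.1.2"}                                 # port mapping page
NAT_COMPLETE = {("TCP", 1723): "192.168.1.2", ("GRE", 0): "192.168.1.2"}        # what PPTP needs

if __name__ == "__main__":
    for label, nat in (("wrong NIC", NAT_WRONG_NIC), ("port only", NAT_PORT_ONLY),
                       ("complete", NAT_COMPLETE)):
        d = pptp_diagnosis(POSTED_RULES, nat, PUBLIC_IP, ROUTER_LAN)
        print(f"{label}: {d}  error 619 expected: {error_619_expected(d)}")
```

Run as a script it prints the three scenarios: the first NAT target is rejected because 192.168.0.100 is not on the router's 192.168.1.0/24 segment, the port-only mapping forwards TCP 1723 but leaves GRE untranslated (the error 619 pattern), and only the complete mapping passes both flows. The firewall table itself already allows TCP 1723 and GRE on atm1; with all rows set to Allow the precedence assumption does not change the verdict, but a router whose port-mapping form only accepts TCP/UDP cannot produce the GRE entry, which is why the thread ends up recommending a DMZ host or making the SME box the gateway.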
Title: VPN+router
Post by: RobRoye on October 03, 2005, 05:17:18 AM
If it does not have a DMZ, then replace the router with the SME box. It will route well and handle what needs done. If you need a wireless access point, use the USR for that. There are too many ports used by the server to try to forward them all. Use the machine as it was designed to be used.