Can VPN into my server from 3g, but not WiFi

Status
Not open for further replies.

jmchargue

Cadet
Joined
Feb 11, 2013
Messages
6
Just as the post says, I have a VPN set up on my RT-N66U wireless router, and DDNS through dyn.com. I can access my router home page from public WiFi, but my FreeNAS (on .250) times out. However, when I connect to my VPN through 3G, I can access FreeNAS just fine. I have these ports forwarded:

Screen Shot 2013-02-11 at 12.19.22 PM.jpg

Let me know if you need any more info, and thanks for taking a look.
 

jmchargue

Cadet
Joined
Feb 11, 2013
Messages
6
I've been giving this everything I've got the last few days. Reading Wikipedia articles on NAT and VPNs, checked out a book from the library on networking. Still feel like I'm pretty far from solving this on my own. Any help would be appreciated.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Well, for starters, VPN puts you on the 'local network', so obviously your FreeNAS webgui would be accessible that way. That's pretty much how it's supposed to work.

Secondly, unless you have a business connection, a lot of ISPs will not allow you to host anything on port 80, so they typically block anything being hosted on port 80. This is easy to get around by forwarding a DIFFERENT port on the outside to port 80 on the inside.
EXAMPLE:
http://yourdyndnsname.org:8080 forwards to port 80 on your FreeNAS box

In this example, you would just set the forward and everything should work.

You have it right with the VPN though, as you shouldn't really be exposing your NAS to the outside world. VPN > any port forwarding for services.

Suggestion: ONLY USE THE VPN to connect.
 

jmchargue

Cadet
Joined
Feb 11, 2013
Messages
6
Went ahead and forwarded 8080 on outside, to 80 on inside. Still could not connect (tried separately: typing 192.168.1.250:8080 into Safari, changing my VPN settings so the server was myserver.com:8080, and 192.168.1.250 in Safari plain).

Figured maybe /that/ outgoing port was blocked. I feel like I've been fumbling around in the dark, but I tried this:

Downloaded nmap and ran a scan to detect open outbound ports, found that 3394 was open, so I set up a forward for that to .250:80. I then tried previous steps to no avail.

Still stuck. Not at home now, and I'd really like to access my work documents :/
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
3394 is the Microsoft RDP port... NEVER leave that open.
With the way that NAT works, anything from INSIDE your network initiating a connection will be an open outgoing port. That doesn't do anything for you in this case.

Are you trying to connect to your PUBLIC IP from within the network?

If server 192.168.1.250 is serving HTTP on port 80, that's internal. When you are internal on the network, you don't need to specify a port.

If you have a PORT FORWARD of 8080 on the outside, going to port 80 on server 192.168.1.250, then when you are OUTSIDE the actual network (NOT trying to access your public IP from inside the LAN) you would just punch in your public IP/domain name and append port 8080 to it.

http://myfakedomain.com:8080

If you have things set up correctly, it will just take that request and redirect you to port 80 on the internal server.

I don't think you quite get a grasp on networking here. This isn't an issue with FreeNAS, but an issue with your networking.

I am trying to understand something. You say you have a VPN set up on your router. How do you use the VPN? Is it OpenVPN, PPTP, or IPsec?

Honestly, you should NOT be forwarding your FreeNAS GUI to the outside world, you are asking to have your entire NAS trashed.
Based on what info you have provided so far, suffice it to say, you probably shouldn't be forwarding anything to the outside world, and instead be using VPN, otherwise you are asking for trouble. If you don't understand NAT, firewalls, port forwarding and basic security, you shouldn't put your NAS out in the public.
 

jmchargue

Cadet
Joined
Feb 11, 2013
Messages
6
> are you trying to connect to your PUBLIC ip from within the network?

I'm trying to set up a WAN so I can map my FreeNAS server as a local folder when I'm on public WiFi.

> if you have a PORT FORWARD of 8080 on the outside, going to port 80 on server 192.168.1.250, then when you are OUTSIDE the actual network (NOT trying to access your public IP from inside the LAN) you would just punch in your public ip/domain name and append port 8080 to it.

Did exactly this, plus a lot of experimental variations, always times out.

> You say you have a VPN set up on your router. How do you use the VPN? Is it OPENVPN, PPTP, or IPSEC?

It is set up with PPTP, I connect through the native Mac networking interface.

> you probably shouldn't be forwarding anything to the outside world, and instead be using VPN

This is what I thought I was doing... establishing a PPTP VPN on my Asus router, connecting to it with my computer from outside my LAN, then mapping .250(:8080) as a drive. Are you suggesting I set up a VPN through my FreeNAS box?
 

gpsguy

Active Member
Joined
Jan 22, 2012
Messages
4,472
Whether public WiFi or 3G, the secure route would be to use a VPN connection.

That being said, your home server is on 192.168.1.250. Do you know what IP address you've been given on the public WiFi? If it's also in 192.168.1.x, this could be part of the problem.

It also would be helpful to see a current screenshot of your current router configuration (like the original message).

You "Downloaded nmap and ran a scan to detect open outbound ports, found that 3394 was open". Did you run nmap from inside your network? Or, from outside? And, what was the target? If from inside, was it your FreeNAS server? Or, from the outside, your router?

 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
You don't need to forward ANYTHING if you are connecting to VPN. Forwarding the ports puts the service on the public IP. If you are VPN'd into the network, there is zero need for any forwarding.

gpsguy may be onto something with the LAN subnet you are connecting from. You should check that out.

If using VPN, then you should remove all forwards to your FreeNAS.
 

jmchargue

Cadet
Joined
Feb 11, 2013
Messages
6
> Do you know what IP address you've been given on the public WiFi? If it's also in 192.168.1.x, this could be part of the problem.

If I get my IP from something like whatsmyip.com, it's not on 192.168.1.x, but when I enter 192.168.1.1 before connecting to the VPN, their router page asks me to log in, so that's definitely what they use for their LAN subnet.

> It also would be helpful to see a current screenshot of your current router configuration (like the original message).

What page, or info do you want? There are a lot of pages...

> You dont need to forward ANYTHING if you are connecting to VPN.

Alright, starting to grasp this a little more... cleared all my port forwards.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
> If I get my IP from something like whatsmyip.com, it's not on 192.168.1.x, but when I enter 192.168.1.1 before connecting to the vpn, their router page asks me to log in, so that's definitely what they use for their LAN subnet.

THIS is why you can't connect properly to it from their connection.

When you are connected to their network on the same subnet that you use on your network, the OS sees their network as being that subnet, and never forwards your requests across the VPN. VPN subnet overlap is annoying.

The best thing you can do is change your home subnet to be something that will likely not be used by another network.
I am really bad, and use 1.1.1.0/24 on my internal network, and it is wrong.
I have VLANs set up using:
192.168.2.0/24
192.168.6.0/24
192.168.10.0/24
and my VPN subnets (I have a few different VPN connections: SSL/OpenVPN, PPTP, IPsec):
172.16.0.0/24
172.16.1.0/24
and 10.0.0.0

I would recommend you try something like 192.168.250.0/24, as that pretty much eliminates coming across any more networks on the same subnet...
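
Added example (not part of the original thread and not any poster's code): a small Python check for the subnet overlap described in the post above, showing why a request for 192.168.1.250 stays on the public WiFi and how to test a replacement home subnet for collisions. The function names, the list of common router defaults and the renumbered NAS address 192.168.250.250 are assumptions made for illustration.

```python
import ipaddress

# Constructed values mirroring the thread: the public WiFi and the home LAN
# both use 192.168.1.0/24, and the NAS sits at 192.168.1.250.
PUBLIC_WIFI, HOME_LAN, NAS = "192.168.1.0/24", "192.168.1.0/24", "192.168.1.250"

# Assumption: subnets often shipped as consumer-router defaults (not exhaustive).
COMMON_DEFAULTS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
                   "10.0.0.0/24", "10.0.1.0/24", "172.16.0.0/24"]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def egress_for(dest, local_net, vpn_net):
    """Return 'local', 'vpn' or 'default' for the path a client picks to dest.

    Simplified model: longest prefix wins, and on a tie the directly
    connected network beats the VPN route, which is the behaviour described
    in the post above.
    """
    addr = ipaddress.ip_address(dest)
    routes = []
    local, vpn = ipaddress.ip_network(local_net), ipaddress.ip_network(vpn_net)
    if addr in local:
        routes.append((local.prefixlen, 1, "local"))
    if addr in vpn:
        routes.append((vpn.prefixlen, 0, "vpn"))
    return max(routes)[2] if routes else "default"


def collisions(home_net, other_nets):
    """List the networks in other_nets that overlap home_net."""
    home = ipaddress.ip_network(home_net)
    return [n for n in other_nets if home.overlaps(ipaddress.ip_network(n))]


def in_rfc1918(net):
    """True if net lies wholly inside private (RFC 1918) address space."""
    candidate = ipaddress.ip_network(net)
    return any(candidate.subnet_of(block) for block in RFC1918)


if __name__ == "__main__":
    print("thread setup:", egress_for(NAS, PUBLIC_WIFI, HOME_LAN))
    print("after renumbering:",
          egress_for("192.168.250.250", PUBLIC_WIFI, "192.168.250.0/24"))
    print("collides with:", collisions(HOME_LAN, COMMON_DEFAULTS))
```

Run `collisions()` against the subnet of whatever network you are joining before picking a home range; a candidate is only useful if it returns an empty list and `in_rfc1918()` is true.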
 

jmchargue

Cadet
Joined
Feb 11, 2013
Messages
6
Awesome, changed the default subnet to 128.64.32.1, updated all the IP settings in FreeNAS, and I can now VPN into my local network and mount a FreeNAS folder locally.

Thanks for walking me through this, guys! :)
 