Can't access freenas over site to site vpn

Status
Not open for further replies.

engenius (Cadet, joined Mar 26, 2014, 9 messages)
I set up a freenas server last week and it has been working great on our local lan, but now we need to get it working for our remote offices. Unfortunately that is not working though. The remote offices are using ipsec vpn tunnels connecting our cisco router to the remote linksys routers. These tunnels have been in operation for years and work great with all of our windows machines (iis, ftp, exchange, windows file servers, active directory, etc) but not freenas. I am able to ping the freenas server by its fqdn, netbios name and ip address from the remote offices. I am not able to open the webgui at all (it just times out after a few minutes). I can sometimes access the cifs share by name (\\freenas\) which shows me the list of individual shares, but anytime I try to open one of those shares, it just tries to load for a few minutes and then gives me the following error message:

\\freenas\users is not available. You might not have permission to use this network resource. The specified name is no longer available.

This only happens at the remote offices. The permissions are not an issue on the local lan. We are using Active Directory for authorization.

These are the only errors in the log that seem like they might be relevant:

Mar 26 17:18:24 fuji smbd[11703]: [2014/03/26 17:18:24.398465, 0, pid=11703, effective(1001, 31), real(0, 0), class=locking] ../source3/smbd/oplock.c:335(oplock_timeout_handler)
Mar 26 17:18:24 fuji smbd[11703]: Oplock break failed for file putty.exe -- replying anyway
Mar 26 17:32:27 fuji smbd[8542]: [2014/03/26 17:32:27.709721, 0, pid=8542, effective(0, 0), real(0, 0)] ../source3/smbd/server.c:556(smbd_accept_connection)
Mar 26 17:32:27 fuji smbd[8542]: accept: Software caused connection abort
Mar 26 19:09:47 fuji smbd[18328]: [2014/03/26 19:09:47.052176, 0, pid=18328, effective(21547, 20513), real(0, 0)] ../source3/smbd/notify_inotify.c:210(inotify_handler)
Mar 26 19:09:47 fuji smbd[18328]: No data on inotify fd?!

I don't know what other information I should provide but I will supply whatever is needed to solve the issue.

I really appreciate any help that you guys can provide. This has been driving me nuts.

jgreco (Resident Grinch, joined May 29, 2011, 18,680 messages)
So it works locally but doesn't work from remote. That sounds very much like you've got some broken networking strategy, which isn't all that uncommon when there's a hodgepodge of ipsec and random router devices.

Since you've basically revealed nothing about your network, all I can really do is suggest that you talk to your WAN administrator about how it is all set up. If you're lucky, it will be a rational setup with a separate subnet for each remote site, and maybe all you need is to set up some static routing information. This probably isn't a FreeNAS issue.

engenius (Cadet, joined Mar 26, 2014, 9 messages)
That is correct. It works locally but not from the remote offices. I thought it was a network issue at first too, but every other machine works except for freenas. And I don't think it is a routing issue because I can ping freenas from the remote offices (by name and by IP address), which means that traffic is finding its way to the server...

Here is some info about how our network is set up. The main office (where freenas is located) is using a Cisco SA540 and the range 10.3.35.0/24. The remote offices are using Linksys RV042 and the following IP ranges: 10.17.80.0/24, 10.17.82.0/24, 10.17.84.0/24, and 10.17.90.0/24. The Linksys routers are connected to the Cisco router using IPSec VPN Policies and the following settings:

Encryption Algorithm: 3DES
Integrity Algorithm: SHA-1

PFS Key Group: Enabled
DH Group 2 (1024 bit)
Enable Netbios? Yes

The Cisco router is 10.3.35.3 and I entered this as the default gateway in freenas (it wasn't able to see the remote computers at all before I added this). From the freenas shell, I can ping computers in the remote offices by name so I am pretty sure that freenas is using the correct DNS server and that it can access the remote computers...

Hopefully this is the kind of information you are looking for. Are there any tests you can think of that would help me determine if freenas is set up correctly as far as the remote offices are concerned?

jgreco (Resident Grinch, joined May 29, 2011, 18,680 messages)
"Every other machine works" means ... what? That you have other fileservers at the main office that are successfully being mounted by machines at the remote offices?

panz (Guru, joined May 24, 2013, 556 messages)
Are you trying to access FreeNAS' WebGUI via http or https?

engenius (Cadet, joined Mar 26, 2014, 9 messages)
@jgreco Every machine works means that I can ping all of them (servers and computers) and that the servers are functioning as they should (iis, ftp, exchange, windows file servers, active directory, etc). Yes, there are a couple of machines that are functioning correctly as file servers but they are windows file servers.

@panz Just http. I have ssh enabled as well but that is not working from the remote offices either. They both just time out after a few minutes.

panz (Guru, joined May 24, 2013, 556 messages)
So, your firewall is blocking http.

engenius (Cadet, joined Mar 26, 2014, 9 messages)
I wish it were that simple. The real issue is that I can't access the cifs shares on freenas. The webgui is just a symptom, as is the fact that ssh is not working over the vpn tunnel either. All I am able to do remotely is ping it... Also, we are running an intranet iis server on the same network as freenas and we are able to access that over http from the remote offices. Correct me if I am wrong, but isn't the firewall bypassed when using vpn tunnels? The remote computers are supposed to appear to be on the same network as the main office computers/servers...

ser_rhaegar (Patron, joined Feb 2, 2014, 358 messages)
Correct me if I am wrong, but isn't the firewall bypassed when using vpn tunnels?
Unfortunately the answer is: It depends.

My VPN tunnels at home all have 'firewalls' on them preventing unsolicited inbound traffic. They're configured so I can support others but they cannot get into my network. There are a few inbound ports allowed such as TFTP (for transferring network images) and syslog (for logging to my Splunk server).

So it really depends on who set it up and how granular they wanted to get.

panz (Guru, joined May 24, 2013, 556 messages)
I wish it were that simple. The real issue is that I can't access the cifs shares on freenas. The webgui is just a symptom, as is the fact that ssh is not working over the vpn tunnel either. All I am able to do remotely is ping it... Also, we are running an intranet iis server on the same network as freenas and we are able to access that over http from the remote offices. Correct me if I am wrong, but isn't the firewall bypassed when using vpn tunnels? The remote computers are supposed to appear to be on the same network as the main office computers/servers...

Firewall and routing are sometimes extremely complex: maybe you have to allow the FreeNAS MAC address or something like that. If other machines are allowed (assuming they're on the same subnet as the FreeNAS server) and you can ping the NAS, it is obvious that your access control system is filtering that machine at a higher level.

jgreco (Resident Grinch, joined May 29, 2011, 18,680 messages)
So far nothing points to this being a FreeNAS issue. Unless specifically configured otherwise, FreeNAS is fairly promiscuous and will happily chat with your remotes. You need to get in touch with your WAN net admin and determine what is blocking you.

engenius (Cadet, joined Mar 26, 2014, 9 messages)
I appreciate all the feedback but that is not the answer I was hoping for. My IT guy swears it is not a network issue. Can someone give me an idea of what I should have him check for? Obviously we need to make sure ports 80 (http), 22 (ssh) and 445 (smb) are open, but is there anything else we should be looking for?

jgreco (Resident Grinch, joined May 29, 2011, 18,680 messages)
Think you said you had sshd running and that it didn't work. That's ideal since it's a bit noisier than httpd.

Run "tcpdump -n port 22" from the FreeNAS CLI. Go to one of the working machines, open a cmd prompt, and type "telnet <freenas-ip> 22". You should see a banner message in the telnet session, and on the FreeNAS side you should see some packets going back and forth.

Now try the same thing from one of your troublesome machines. If no packets arrive at the FreeNAS machine, then it cannot be questioned that this is a network issue on the inbound path. If you see the FreeNAS machine responding, but maybe repeating packets every several seconds, then it's a network issue on the outbound path.
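The tcpdump/telnet test above, as an added example that is not from the thread: a small Python classifier that reads `tcpdump -n port 22` lines captured on the FreeNAS side and applies the same decision rule (no client packets at all points at the inbound path; the server's SYN-ACK repeating every few seconds with no client ACK points at the outbound/return path). The FreeNAS address 10.3.35.10 and the client addresses in the constructed sample captures are assumptions, not values from the thread.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n port 22` output as seen on the FreeNAS host.
# 10.3.35.10 (FreeNAS) and 10.17.80.25 (remote-office PC) are assumed addresses.
RETURN_PATH_BROKEN = """\
17:40:01.000000 IP 10.17.80.25.50321 > 10.3.35.10.22: Flags [S], seq 1000, win 8192, length 0
17:40:01.000200 IP 10.3.35.10.22 > 10.17.80.25.50321: Flags [S.], seq 2000, ack 1001, win 65535, length 0
17:40:04.000200 IP 10.3.35.10.22 > 10.17.80.25.50321: Flags [S.], seq 2000, ack 1001, win 65535, length 0
17:40:10.000200 IP 10.3.35.10.22 > 10.17.80.25.50321: Flags [S.], seq 2000, ack 1001, win 65535, length 0
"""

# Constructed healthy exchange from a LAN machine (10.3.35.50, assumed) for contrast.
HANDSHAKE_OK = """\
17:41:01.000000 IP 10.3.35.50.50400 > 10.3.35.10.22: Flags [S], seq 1, win 8192, length 0
17:41:01.000100 IP 10.3.35.10.22 > 10.3.35.50.50400: Flags [S.], seq 5, ack 2, win 65535, length 0
17:41:01.000300 IP 10.3.35.50.50400 > 10.3.35.10.22: Flags [.], ack 6, win 8192, length 0
17:41:01.010000 IP 10.3.35.10.22 > 10.3.35.50.50400: Flags [P.], seq 6:27, ack 2, win 65535, length 21
"""

LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


def diagnose(capture, server_ip, server_port):
    """Classify one captured TCP connection attempt: 'no-inbound', 'no-reply',
    'return-path' (SYN-ACK retransmitted, no client ACK), 'inconclusive' or 'ok'."""
    seen = Counter()
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if dst == server_ip and int(dport) == server_port:
            if "S" in flags:
                seen["client_syn"] += 1      # [S]: connection request reached us
            elif "." in flags:
                seen["client_ack"] += 1      # [.] / [P.]: handshake completed or data
        elif src == server_ip and int(sport) == server_port and "S" in flags:
            seen["server_synack"] += 1       # [S.]: our reply left the box
    if seen["client_syn"] == 0:
        return "no-inbound"                  # inbound path: nothing arrived
    if seen["server_synack"] == 0:
        return "no-reply"                    # server-side: service or local filter
    if seen["client_ack"]:
        return "ok"
    return "return-path" if seen["server_synack"] > 1 else "inconclusive"
```

A single SYN-ACK with no ACK is reported as inconclusive rather than a return-path fault, since the rule in the post relies on seeing the reply repeat.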

engenius (Cadet, joined Mar 26, 2014, 9 messages)
I did just like you said and got the results that you described: freenas was repeating packets every few seconds. So it sounds like I need to work with our IT manager to diagnose network issues. I still don't understand why I can access our windows server over http but not freenas (they are both on the same subnet), but at least now I know where to start looking to correct this issue. Thanks for your help.