I've configured OpenVPN on working Shorewall LAN server/Router.

There is no problem to get services from this except samba.

Shorewall/OpenVPN Server - A
eth0 192.168.0.1
eth1 INETAdress
tun0 192.168.100.1
services auth, smtp, cups
samba configured to work on tun device

Client (from other NAT) with Windows XP and OpenVPN client - B
tun0 192.168.100.2

It can connect to auth, smtp and cups but not to samba.

My config:

interfaces

#ZONE   INTERFACE   BROADCAST   OPTIONS
road    tun+
net     eth1        detect      tcpflags,norfc1918,routefilter,nosmurfs,logmartians,blacklist
loc     eth0        detect      dhcp,tcpflags,detectnets,nosmurfs,maclist,blacklist

policy

#SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
road    loc     ACCEPT
road    net     ACCEPT
road    $FW     ACCEPT  #debug
loc     net     ACCEPT  info
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
$FW     net     ACCEPT
net     all     DROP    info #debug
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info

tunnels

#TYPE               ZONE    GATEWAY     GATEWAY
#                                       ZONE
openvpnserver:4000  net     0.0.0.0/0

zones

#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
net     ipv4
loc     ipv4
road    ipv4

Is it possible to use samba service from A on B?

Rob

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
-------------------------------------------------------------------------
Rob Wroblewski wrote:
> I've configured OpenVPN on working Shorewall LAN server/Router.
>
> There is no problem to get services from this except samba.
>
> My config:

In the future, please follow the problem reporting procedure detailed at
http://www.shorewall.net/support.htm#Guidelines

> Is it possible to use samba service from A on B?

Yes.

However, your loc->road policy is REJECT (the all->all default). You at
least need to allow SMB in that direction (see
http://www.shorewall.net/samba.htm).

I suspect that you haven't configured any type of Windows name service
either. This is a requirement any time that you want to use Windows
networking in a routed environment. Probably the easiest solution is to run
Samba as a WINS server and configure all of your Windows clients to use it
(if you use DHCP, you can configure it to propagate this setting to Windows
clients).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

-------------------------------------------------------------------------
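The policy lookup described in the reply above, as an added example that is not part of the original thread and not Shorewall's own code. It assumes a simplified model (first matching line wins, "all" matches any zone including the firewall, intra-zone traffic not modelled); the function names are hypothetical.

```python
# Added example: resolve which Shorewall policy line applies to a zone pair.
# Simplified model (assumption): first match wins; "all" matches any zone.

# Policy file as posted in the first message of this thread.
POLICY = """\
#SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
road    loc     ACCEPT
road    net     ACCEPT
road    $FW     ACCEPT  #debug
loc     net     ACCEPT  info
$FW     net     ACCEPT
net     all     DROP    info #debug
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info
"""

def parse_policy(text):
    """Return a list of (source, dest, policy) tuples in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2]))
    return entries

def effective_policy(entries, source, dest):
    """Return (policy, matching_line) for new connections source -> dest."""
    for src, dst, policy in entries:
        if src in (source, "all") and dst in (dest, "all"):
            return policy, f"{src} -> {dst}"
    raise LookupError("no policy matched; the file needs a final all/all line")

if __name__ == "__main__":
    entries = parse_policy(POLICY)
    pairs = [("road", "$FW"), ("road", "loc"), ("loc", "road"), ("$FW", "road")]
    for source, dest in pairs:
        policy, via = effective_policy(entries, source, dest)
        print(f"{source:>5} -> {dest:<5} {policy:<7} (matched {via})")
```

With the posted file, connections from road to $FW and loc are accepted, while anything initiated from loc or $FW towards road falls through to the final all/all REJECT line.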
2007/11/20, Tom Eastep <teastep@shorewall.net>:
> However, your loc->road policy is REJECT (the all->all default).

Done. Now looks like:

#SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
road    loc     ACCEPT
road    net     ACCEPT
road    $FW     ACCEPT
$FW     road    ACCEPT
loc     road    ACCEPT  #debug
loc     net     ACCEPT  info
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
$FW     net     ACCEPT
net     all     DROP    info #debug
# THE FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info

> You at
> least need to allow SMB in that direction (see
> http://www.shorewall.net/samba.htm).

In rules I have:

#SAMBA
ACCEPT  $FW     loc     udp     137,138,139
ACCEPT  $FW     loc     tcp     137,138,139,445
ACCEPT  $FW     loc     udp     1024:   137
ACCEPT  loc     $FW     udp     137,138,139
ACCEPT  loc     $FW     tcp     137,138,139,445
ACCEPT  loc     $FW     udp     1024:   137
#SAMBAvia openvpn
ACCEPT  $FW     road    udp     137,138,139
ACCEPT  $FW     road    tcp     137,138,139,445
ACCEPT  $FW     road    udp     1024:   137
ACCEPT  road    $FW     udp     137,138,139
ACCEPT  road    $FW     tcp     137,138,139,445
ACCEPT  road    $FW     udp     1024:   137

(samba works on $FW OK)

> I suspect that you haven't configured any type of Windows name service
> either. This is a requirement any time that you want to use Windows
> networking in a routed environment. Probably the easiest solution is to run
> Samba as a WINS server and configure all of your Windows clients to use it
> (if you use DHCP, you can configure it to propagate this setting to Windows
> clients).

wins support = yes
In samba.conf.

Still can not connect via openvpn.

Regards
Rob

-------------------------------------------------------------------------
Rob Wroblewski wrote:
> 2007/11/20, Tom Eastep <teastep@shorewall.net>:
>
> Done. Now looks like:
> ...
> wins support = yes
> In samba.conf.
>
> Still can not connect via openvpn.

I asked you politely to follow the guidelines for reporting the details of
your problem and you ignored my request. So there's not much I can tell you
other than I doubt that the problem has anything to do with Shorewall now.

You can prove that to yourself by issuing a "shorewall clear" and see if you
can connect then. If so, then follow the guidelines and re-report the
problem. If you can't connect then the problem has nothing to do with
Shorewall and everything to do with your WINS configuration. In addition to
setting Wins support = yes in Samba, the other system(s) involved must be
configured to use that WINS server.

-Tom

-------------------------------------------------------------------------
Tom Eastep wrote:
> You can prove that to yourself by issuing a "shorewall
> clear" and see if you can connect then.

After the test, be sure to "shorewall start".

-Tom