VPN and Network Shares

turnerm

I'm having trouble getting my VPN connection set up in such a way that I can see my network shares. I'm successfully getting connected to the VPN but I just cannot see any network shares or network computers. I also cannot connect to network locations that I have already mapped.

I've got a MS Surface running Windows RT. On this machine I've mapped several shared network folders. While on my LAN I can access these flawlessly. I've set up a VPN connection and can successfully connect (I've proven this by checking my IP address and by also logging onto my router using its internal IP address while connected to the VPN remotely). But once I'm connected I get an error message while trying to use a mapped network location.

I've tried to set up the VPN one of two ways.

1 - No port forwarding
2 - Setting up port forwarding to a computer on my LAN and then configuring an incoming connection on that computer and allowing file/printer sharing on that incoming connection. When done this way I KNOW that I'm connected because I can see it in my network adapters.

But in either scenario I still cannot utilize my network shares, which is the whole reason I'm trying to set up a VPN in the first place.

So what do I need to do to make this happen? I'd like it to work just as my work laptop works while using the VPN that they've set up. Once I connect I can access everything just as if I were in the office.

Any help is greatly appreciated!
 
You need to either ensure that the VPN IP range is in the same subnet as the LAN IP (by default it won't be), or have the PPTP client force all traffic to use the remote gateway as the default route. The former is what I would recommend.
 
OK. So bear with me (I'm new to this): if my DHCP server range is from 192.168.1.2 to 192.168.1.254, what exactly do I need to set my VPN range to in order to make this work?
 
If you're using that range you can't - at least not without doing some funky subnet masking. It's easiest to truncate the primary range.

A quick and easy config would be to change the LAN DHCP server to issue 192.168.1.2 -> 192.168.1.240 as your primary range, and then configure 192.168.1.241 -> 192.168.1.250 as the VPN DHCP client range. That way they are all on the same subnet and you'll get connectivity between devices on both sides.

That's assuming of course you have 240+ possible LAN clients (you may have a big house / office or a lot of iPhones, iPads etc) - otherwise I would normally recommend creating smaller blocks up front on paper before you commit to a config;

maybe use 192.168.1.100 -> 1.200 - use for DHCP on the LAN
and use 192.168.1.2 -> 1.99 for static or infrastructure things (switches, printers, etc)
and use 192.168.1.201 -> 1.254 for VPN clients (although you can only use 10 in this PPTP config)

That way when you look at the addresses in the DHCP lease list, or you are troubleshooting a connection, it's easy to see which ones are coming in from where, and it keeps common things (like printers or NAS servers) easy to remember.

These are only suggested pools that I use, so you may want to increase or decrease the ranges depending on how many devices you want to use or what makes most sense to you in terms of identification.
 
Very helpful. Thank you for the information! So can I assume then that 254 clients is the maximum allowed on a network (or subnet?). So I've currently got all that allotted to the LAN and then I'm using a different subnet for the VPN?

I'll make the changes and see what happens. I'll report back.

Thanks again for all your help!
 
Yes - your assumption is correct.

Using standard Class C subnet masks (255.255.255.0) you have;

192.168.1.0 (this is the 'network address' - not used by a device)
192.168.1.255 (this is the 'broadcast address' - not used by a device)

everything else is up for grabs (1.1 through 1.254)

192.168.1.1 is the router by default, so 1.2 through 1.254 is usable by hosts - and they all share the same broadcast domain (which is what the network shares you are looking for are advertised over)
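
The address plans suggested in this thread can be checked mechanically before changing the router. This is an added example, not part of the original posts: the function names are hypothetical, and the off-subnet VPN range 192.168.10.2 -> 192.168.10.11 is a constructed value standing in for a VPN pool outside the LAN subnet.

```python
import ipaddress
from itertools import combinations

def pool(first, last):
    """Inclusive address range as a (first, last) pair."""
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if a > b:
        raise ValueError(f"range {first} -> {last} is reversed")
    return a, b

def check_plan(lan_cidr, router, pools):
    """Return a list of problems with an address plan (empty list = sane)."""
    net = ipaddress.IPv4Network(lan_cidr)
    router = ipaddress.IPv4Address(router)
    problems = []
    for name, (a, b) in pools.items():
        if a not in net or b not in net:
            # Not in the LAN subnet, so not in its broadcast domain.
            problems.append(f"{name}: outside {net}")
        elif a == net.network_address or b == net.broadcast_address:
            problems.append(f"{name}: contains the network or broadcast address")
        elif a <= router <= b:
            problems.append(f"{name}: contains the router address {router}")
    for (n1, (a1, b1)), (n2, (a2, b2)) in combinations(pools.items(), 2):
        if a1 <= b2 and a2 <= b1:  # inclusive ranges intersect
            problems.append(f"{n1} overlaps {n2}")
    return problems

def usable_vpn_clients(vpn_pool, cap=10):
    """Addresses the VPN server can hand out, given the 10-client PPTP limit."""
    first, last = vpn_pool
    return min(int(last) - int(first) + 1, cap)

LAN, ROUTER = "192.168.1.0/24", "192.168.1.1"

# Full-range LAN DHCP with a VPN pool on another subnet (VPN range is constructed).
ORIGINAL = {"lan_dhcp": pool("192.168.1.2", "192.168.1.254"),
            "vpn": pool("192.168.10.2", "192.168.10.11")}
# The "quick and easy" plan from the thread.
QUICK = {"lan_dhcp": pool("192.168.1.2", "192.168.1.240"),
         "vpn": pool("192.168.1.241", "192.168.1.250")}
# The three-block plan from the thread.
SPLIT = {"static": pool("192.168.1.2", "192.168.1.99"),
         "lan_dhcp": pool("192.168.1.100", "192.168.1.200"),
         "vpn": pool("192.168.1.201", "192.168.1.254")}

if __name__ == "__main__":
    for label, plan in (("original", ORIGINAL), ("quick", QUICK), ("split", SPLIT)):
        print(label, check_plan(LAN, ROUTER, plan) or "OK",
              "usable VPN clients:", usable_vpn_clients(plan["vpn"]))
```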
 
Excellent. Thanks very much for the education! I think I have this working now. I did a VPN connection into my network using my iPhone and then did a ping throughout my subnet and it found every device that was showing in my client list on the router. This means that the VPN connection is certainly seeing the other machines on the network so I should be able to use the shares now.

I'll experiment more tonight. Thanks again for all the help - greatly appreciated!
 
So I was able to connect and I could ping each of the devices on my network just fine but I still can't use my already established network shares that I had mapped previously.

I'm guessing this is because they are mapped using the computer name instead of the IP Address?? If so, will I be able to resolve it by simply replacing the computer name with the IP Address in my drive mappings?
 
Name resolution is always tricky over a VPN, especially PPTP. Try using the machine's IPs instead.
 
As you say you can just create a static 'hosts' mapping if the addresses never change - one other thing to check is if you have 'Network Place (Samba) Support' enabled on the VPN server tab.
This enables the broadcast support on the VPN details page to 'both' - which creates more background traffic, and will be dependent upon the file sharing (Windows, Apple etc), but may let you see the network advertisements.

If it's 'off' I'd recommend trying it 'on' to see if it works in your setup - otherwise, create the static mappings / use IP address.
 
Enabling Samba support on the VPN server causes the log to be flooded with entries about protocol such-and-such being "buggy."

Can RMerlin tell us if this is in any way harmful? Does it slow any of the router functions down?
 
Ahhh, thank you RHMC!!! - you've just answered a question (I thought those errors were from the latest firmware, but of course I just remembered I enabled SAMBA support for my VPN).

I can tell you it makes reading the log a pain, but from what I can tell over the past 2 days, there's no adverse effect on the router operation itself.

I wonder if RMerlin has some clever NVRAM hack to suppress the Samba log entries ;-)

p.s. (just did some testing - the log entries appear to be coming from the 'broadcast support setting' value (anything other than disabled). It's just that enabling the Samba support forces this value to 'both')
 
Yea - I disabled that setting because of all the "buggy" log messages I was getting. I did a Google search on the message and found a post from Merlin saying that if you disable broadcast support that it will make the error messages go away.

But it sounds like you haven't noticed any adverse impact of having this turned on right? I'll try that first. If it doesn't work then I'll just remap all my shares via IP address instead of name and then set a fixed IP address for the computers that I'm trying to reach. By the way... how do you set a fixed IP in the ASUS firmware anyway? I was looking for that the other day and couldn't find it.
 
Never mind - I found the fixed IP address assignment. I needed to do that anyway in order to be sure I could remote desktop into the right machines from outside the network.
 
Woo hoo!! Success!! By enabling VPN to Client broadcast support and putting my VPN IP range on the same subnet as the rest of my network I can now use all my network shares through the VPN connection just as I can while on my home network! Computer name worked just fine - it wasn't necessary to use the IP address.

My only remaining question is whether the error (protocol 000 is buggy...) is anything to be concerned about. If so I can disable broadcast support and hopefully remapping my network shares with the IP Address instead of computer name will still work. In fact, I'll just experiment and try this out as it's not a big deal to remap my shares.


Thanks for everyone's help on this!
 
Ignore it. If I recall, newer versions of the kernel are either removing, or moving the loglevel to a higher level for this message.
 
Thanks, RMerlin. I had turned off broadcast support to stop the error messages out of fear that it would cause some other problem or slowdown.

As it's turned out, I don't really need broadcast support anyway, since there are only two machines I want to connect to via VPN anyway, and I have no problem using their static IP addresses. But it's good to know that it's a harmless issue.
 
Guys... I think those "Buggy" errors are problematic after all. My network kept crashing while streaming media across it so I started trying to figure out what was going on... here's a copy of a post I did in another thread on the topic:

Enabling Network (samba) Place support in your VPN settings floods the router with error messages. This is a known issue and one that was thought to be harmless but it's not.

When streaming media over your network it appears to overwhelm the router and it will reboot eventually.

I also noticed when enabling this that the very first log entry indicated it couldn't find a config file and it was decreasing the maximum allowed units down to 10 from 100. I have 23 devices on my network which could also make this a unique issue for me.

I repeated this issue 5 times. And also proved (5 times) that the router would remain stable while streaming as long as this option (Network Place Support) was disabled.
 
Just one more follow-up. I was still able to successfully use my network shares over the VPN connection without Samba support enabled on the router simply by assigning the network computer housing the shares to a fixed IP address and then mapping my network shares by IP address instead of by computer name.

So I've turned off samba support and my network is stable as ever AND I can still use my network shares flawlessly over the VPN connection.
 
