VPN server issue with LAN and win 10 Firewall

I don't doubt that you are right, but I tried creating 2 rules, one for UDP and one for TCP, with ports 139 and 445, and it won't work.
The only way I can make it work is to create a rule only for TCP for all ports. UDP doesn't seem to make a difference whether I make a rule or not.

The rule should be 139/TCP, 445/TCP, 137/UDP, 138/UDP - just those four ports/transport protocols are needed for SMB transport and Network Discovery lookup

Allowed should be the local LAN subnet scope, and the OpenVPN scope as RMerlin pointed out.

for example

allow from 192.168.1.0/24
allow from 10.8.0.0/24

An alternate approach would be to assign OpenVPN within the LAN subnet, but outside of the DHCP scope - e.g. DHCP range being 192.168.1.100-150, and then use 200-210 for the VPN range - I like OpenVPN's approach a bit better, as it usually will not conflict with the remote IP ranges if the remote network is using private ranges as well...
 
This is from Microsoft:
Microsoft file sharing SMB: User Datagram Protocol (UDP) ports from 135 through 139 and Transmission Control Protocol (TCP) ports from 135 through 139. Direct-hosted SMB traffic without a network basic input/output system (NetBIOS): port 445 (TCP and UDP).

I tried those rules but they still don't work. Only if I enable the TCP rule for all ports does it work. Whether I put a UDP rule in or not, it doesn't make a difference.
I find that very weird, but that's what works.

There must be another port that is used when in a tunnel that Microsoft may find worth blocking.
At this point I don't know what to say except for the fact that I got it working with the TCP rule only but sacrificing a lot of ports.
 
http://www.snbforums.com/threads/vpn-server-issue-with-lan-and-win-10-firewall.33558/#post-270250

I don't know if anyone saw the above (post 11 in this thread)?

I'll try to explain again what I did to make it work by only changing the 'File and Printer Sharing (SMB-In)' properties.

Go to the Windows Firewall on the PC you want to have access to over the VPN.

Click Advanced Settings. Click Inbound Rules.

Find the 'File and Printer Sharing (SMB-In)' rule and double click it to make it editable.

Click on the Scope tab and under 'Remote IP address', change it to 'Any IP address' (default is 'These IP addresses' and the only entry is 'Local subnet'). Click Apply.

Now click on Advanced and select all the Profiles; Domain, Private and Public. Click Apply.

You will now have access to the shares on that computer over the VPN (you will need to type in the share address like so: '\\xxx.xxx.xxx.xxx'), and you will still have RDP access too.


My question though, are the above changes 'safe'? They seem to be, but I think I don't know how to fully test them.
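The same changes expressed as PowerShell, as an added example that is not from this thread or any of its posters. It covers both the four-port rule set given earlier in the thread (139/TCP, 445/TCP, 137/UDP, 138/UDP, allowed from the LAN and OpenVPN subnets) and the GUI edit of the built-in 'File and Printer Sharing (SMB-In)' rule described in the post above, with one difference that bears on the "is it safe?" question: the remote scope is the two subnets rather than 'Any IP address', so the share is not exposed to every network the PC ever joins. It assumes the thread's example subnets (192.168.1.0/24 for the LAN, 10.8.0.0/24 for OpenVPN), an elevated PowerShell on the PC hosting the shares, and a constructed placeholder address for the share host in the reachability check at the end.

```powershell
# Added example (not from the thread): scope Windows Firewall SMB rules to the LAN
# and OpenVPN subnets instead of 'Any IP address'. Run in an elevated PowerShell on
# the PC that hosts the shares. Subnets are the thread's examples; adjust to yours.
# Assumption: the OpenVPN server hands clients addresses from 10.8.0.0/24.

$LanSubnet = '192.168.1.0/24'
$VpnSubnet = '10.8.0.0/24'
$Allowed   = @($LanSubnet, $VpnSubnet)   # a single host, e.g. 'a.b.c.d/32', tightens this further

# --- Option A: dedicated rules for just the four SMB / NetBIOS ports ------------------
# 139/TCP and 445/TCP carry SMB; 137/UDP and 138/UDP carry the NetBIOS name and
# datagram services used by Network Discovery. Nothing else is opened.
New-NetFirewallRule -DisplayName 'SMB from LAN and VPN (TCP 139,445)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 139,445 `
    -RemoteAddress $Allowed -Profile Any -Enabled True | Out-Null

New-NetFirewallRule -DisplayName 'NetBIOS from LAN and VPN (UDP 137,138)' `
    -Direction Inbound -Action Allow -Protocol UDP -LocalPort 137,138 `
    -RemoteAddress $Allowed -Profile Any -Enabled True | Out-Null

# --- Option B: the GUI steps above, applied to the built-in rule ----------------------
# Same as Scope -> 'Remote IP address' and Advanced -> Profiles in the GUI, except the
# remote scope is the two subnets rather than 'Any IP address'. More than one built-in
# rule carries this display name (one per profile group), so list what will be edited
# and which ports each one actually covers before changing anything.
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' |
    ForEach-Object {
        $ports = $_ | Get-NetFirewallPortFilter
        $addrs = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $_.Name
            Profile       = $_.Profile
            Enabled       = $_.Enabled
            Protocol      = $ports.Protocol
            LocalPort     = ($ports.LocalPort -join ',')
            RemoteAddress = ($addrs.RemoteAddress -join ',')
        }
    } | Format-Table -AutoSize

# Applies to every rule matching the display name, which mirrors editing it in the GUI.
Set-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' `
    -RemoteAddress $Allowed -Profile 'Domain,Private,Public' -Enabled True

# --- Check from a VPN client: does 445/TCP answer? ------------------------------------
# $ShareHost is a constructed placeholder for the PC hosting the shares. Test-NetConnection
# only exercises TCP, so the UDP 137/138 rules are not covered by this check.
$ShareHost = '192.168.1.128'
$smb = Test-NetConnection -ComputerName $ShareHost -Port 445 -WarningAction SilentlyContinue
"SMB 445/TCP reachable from $($smb.SourceAddress.IPAddress): $($smb.TcpTestSucceeded)"
```

Use either Option A or Option B, not both; A leaves the built-in rules untouched and is easier to remove later, B keeps the rule Windows already manages. Running the same Test-NetConnection from a host outside both subnets should report TcpTestSucceeded as False, which is the quickest way to confirm the scope is actually being enforced.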
 
There are 3 SMB-In rules. Which one of them did you choose?
Also, why put an entire subnet, when all you need access to is the one PC?
If the PC you want to access is 192.168.1.128, why not just put that in the firewall rule?
 