Remote access via VPN

  • Question
  • Updated 1 year ago
  • Answered
There are 4400+ conversations regarding VPN and remote access. I "think" I may be overlooking the obvious but here is my question:

Setup: 
WIN10 Professional
Firewall: PFsense - HA
VPN is PFsense's OpenVPN
Using hotspot from phone but have tried numerous hotspots with same results.

I can connect the VPN fine via an outside-the-firewall hotspot.
I am able to ping all my local IPs.
I can remotely monitor local IP cameras with no issues.

BUT,,,, I cannot get the DAX or CAT functions to connect, even though for my purposes I appear to be on the local subnet and pingable.

My IP assigned by the VPN is "not" on the same subnet as the local site. Since the local IPs are pingable, doesn't this mean the networks are "bridged" already?

Any suggestions are appreciated. 

See you all in Dayton!!

Dave Gipson

Posted 1 year ago

KB4AAA

I don't know if PFsense has the option to choose the TAP or TUN protocol; check and make sure you are using the TAP protocol. I am using OpenVPN via an Asus router with Securepoint VPN for the client. Everything works just like it was on the same LAN. I have to use this option because my ISP appears not to support fragmented packets, so SmartLink does not work very well (i.e., no waterfall). On a side note, my latency is about 50 ms better on VPN than SmartLink, and I can use my antenna rotor software and DAX, so VPN kinda works better for me.

Neal - K3NC

I would start with turning off your firewall. These seem to be the source of most problems when working on a local subnet.

Tim - W4TME, Customer Experience Manager

Clarification: the PC software firewall, not the network firewall

Dave Gipson

I will check it
Thank you all

Mark Thomas

Hi,

I believe the answer is NO to the question: "My IP assigned by the VPN is not on the same subnet as the local site. Since the local IPs are pingable, doesn't this mean the networks are bridged already?"

Flex radio discovery API wants the radio base to be in the same broadcast domain as the client -- IPs within the same subnet.

I can ping my radio base from my WAN VPN just fine, but flex radio discovery does not work and SmartSDR (and Maestro) have no provision to specify the target radio IP manually, such as when not on the same subnet. There is further discussion about this here, and some work-arounds: https://community.flexradio.com/flexradio/topics/will-maestro-smartsdr-2-0-support-connecting-to-a-l...

-Mark KC3DRE

Doug Hall

I'm in the same boat as Mark regarding Flex discovery with my VPN. I can ping the radio and I can use every other piece of IP connected gear on my network when connected via VPN, but the lack of a provision to "connect by IP" to the radio is a shortcoming in SSDR to me.

Flex has made their position clear on this, and we just disagree.

73,
Doug K4DSP

Cliff - G4PZK

In this day and age it's just ridiculous to restrict the network connectivity. I can access my IC7800 from anywhere by IP.

Cliff, G4PZK

Mark Thomas

Unfortunately, in many WAN and multi-subnet LAN environments, passing broadcast packets is either impossible or undesirable. Broadcast traffic is considered network noise by those who work on network performance problems, not something you would want passing over a potentially bandwidth constrained remote link.

I cannot use my Maestro or SmartSDR on my existing WiFi infrastructure, because the configuration (deliberately) uses a different subnet than the wired ethernet. I set up a separate same-subnet wifi access point exclusively for access to the Flex Radio base! (Why should I have to do this?)

I cannot use my Cisco AnyConnect VPN and existing ASA firewalls for remote Maestro or SmartSDR Flex access, even though it works great for security cameras, remote climate control apps, media streaming, SmartSDR for iOS (allows entering target radio IP address!) and native iOS VPN, other remote radio control solutions, and remote voice-over-IP access.

I cannot access my Flex from SmartSDR in VMware Fusion on a WiFi connected Mac Laptop, because WiFi adapters can't be put into promiscuous mode for the sake of guest VM traffic and a shared guest IP interface.

I cannot use my Maestro at my office, because the site to site IPSEC WAN VPN cannot pass broadcast traffic, and due to security constraints I cannot change that.

I cannot use my Maestro or SmartSDR from my favorite vacation spot, because of the broadcast VPN limitations, and hotel NAT that is incompatible with SmartLink, yet otherwise works just great with my AnyConnect SSL VPN.

If there were a simple box where I could enter the target radio IP address, all these "cannots" would be "can" and I would be a happy customer. "Flex" is an amazing and awesome piece of radio gear, but when it comes to networking it is UN-FLEXIBLE due to this basic fundamental SmartSDR client-enforced limitation.

Doug Hall

Mark,
I'd even be happy with a command line option, something like:

SmartSDR.exe -a 192.168.0.100

73,
Doug K4DSP

Tim - W4TME, Customer Experience Manager

Official Response
The PFsense forums always provide a wealth of information.  You need a bridged VPN.
https://forum.pfsense.org/index.php?topic=38605.0
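
Added example (not from the thread, FlexRadio or pfSense): a small Python check for the situation discussed above, where ping works over the VPN but broadcast-based radio discovery does not. The config snippets, addresses and function names are constructed for illustration; a `tap` device on the LAN's subnet is only consistent with bridging, since the server must still bridge that interface to the LAN.

```python
import ipaddress

# Constructed OpenVPN client configs (not taken from the thread).
ROUTED_CONF = "client\ndev tun\nproto udp\n"
BRIDGED_CONF = "client\ndev tap0   # layer-2 device\nproto udp\n"

def vpn_device_mode(config_text):
    """Return 'tun', 'tap' or None from the dev / dev-type lines of a config."""
    mode = None
    for raw in config_text.splitlines():
        # Drop '#' and ';' comments before looking at the directive.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("dev", "dev-type"):
            name = parts[1].lower()
            if name.startswith("tap"):
                mode = "tap"      # Ethernet frames, broadcasts can be bridged
            elif name.startswith("tun"):
                mode = "tun"      # routed IP packets only
    return mode

def discovery_verdict(config_text, client_if, radio_ip):
    """client_if is the address/prefix the VPN assigned, e.g. '10.8.0.6/24'."""
    iface = ipaddress.ip_interface(client_if)
    same_subnet = ipaddress.ip_address(radio_ip) in iface.network
    mode = vpn_device_mode(config_text)
    if mode == "tap" and same_subnet:
        verdict = "bridged"   # client shares the radio's broadcast domain
    elif mode == "tun" or not same_subnet:
        verdict = "routed"    # ping (unicast) is routed, broadcasts are not
    else:
        verdict = "unknown"   # no dev directive found in the config
    return {"mode": mode, "same_subnet": same_subnet, "verdict": verdict}

if __name__ == "__main__":
    # The original poster's case: VPN address on a different subnet than the radio.
    print(discovery_verdict(ROUTED_CONF, "10.8.0.6/24", "192.168.1.50"))
    # A bridged client that received an address from the LAN's own range.
    print(discovery_verdict(BRIDGED_CONF, "192.168.1.210/24", "192.168.1.50"))
```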