VPN connects but still can't access services on server

I just set up a Mac Pro with Leopard Server (10.5.6) using the Standard server configuration. File sharing and VPN access are turned on and several users have been created. The server is not acting as a gateway to other computers on the internal network. Other servers on the internal network provide DHCP and DNS service.

Computers outside of the network are able to successfully connect to the VPN, but after they are connected, they still can't access Filesharing or any other service on the server. They can access other computers on the internal network, which isn't possible if connected to the VPN. So connecting to the VPN allows access to the network at large, but not services on the server that is providing VPN service.

I'm not even sure where to begin troubleshooting a problem like this. Any ideas?

MacBook Pro (CoreDuo), Mac OS X (10.5.6)

Posted on Apr 25, 2009 9:53 PM

15 replies

May 4, 2009 3:34 PM in response to Christian Ross

I found a solution that worked for me. In my case, I have a Mac Pro acting as a VPN server, DHCP, NAT, firewall, basically everything. One Ethernet port is for the external network. One is for the internal network.

The issue was I could not see or ping anything other than the VPN server.

All I did was, on the server, go to System Preferences and add a connection using the same Ethernet port that is on your local network. I.e., Ethernet 1 is WAN, Ethernet 2 is LAN; I made a second Ethernet 2 and called it Ethernet 2b. Then assign it an additional internal IP, i.e. if Ethernet 2 was 172.20.0.1, I made Ethernet 2b 172.20.0.5 with a 255.255.255.0 subnet and 172.20.0.1 router. Apply, restart services. Now you can ping the whole network. No idea why, but it worked on 3 different server installs I have.

Hope that helps.

May 5, 2009 1:44 PM in response to Brian Harmann

I presume the server is not the default gateway on your network? If it was, this would all work without the additional Ethernet interfaces (virtual interfaces).

I accomplished the same kind of fix by using arp to create static entries. For example,

arp -s 172.20.0.1 00:16:ad:af:57:dc pub

This creates entries such as this:

hostname:~ admin$ arp -an
? (192.9.200.57) at 0:16:cb:af:57:dc on en0 permanent published [ethernet]
? (192.9.200.58) at 0:16:cb:af:57:dc on en0 permanent published [ethernet]
? (192.9.200.59) at 0:16:cb:af:57:dc on en0 permanent published [ethernet]
? (192.9.200.60) at 0:16:cb:af:57:dc on en0 permanent published [ethernet]

I hope this helps.

May 5, 2009 5:23 PM in response to Robert LaRocca

I can't answer why it worked in Tiger but not Leopard. I have only run Leopard Server myself, as I came over from the Unix/Linux side.

Why it doesn't work unless the server is the default gateway makes perfect sense. It is a routing issue, and the static arp entries cause route entries to be created. Look at arp -a and netstat -rn to see the changes to these tables before and after one of the possible solutions.

To summarize my options, you can do one of the following:

1) Add interfaces (virtual ones) as you describe.

2) Add static arp entries using the command I documented above.

3) Add routing in your default gateway for those addresses that points to your server.

4) Add arp entries on your default gateway for each of the VPN range addresses that point to the server.

I hope this helps.
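
As an added example (not code from any poster in this thread): a small shell script that prints the proxy-ARP commands option 2 needs for a whole VPN client pool and then checks an arp -an listing for pool addresses that still lack a "permanent published" entry. The pool 192.9.200.57-60 and MAC 0:16:cb:af:57:dc are taken from the listing above; the function names and the sample arp table are my own.

```shell
#!/bin/sh
# Added example: generate "arp -s <ip> <mac> pub" proxy-ARP entries for each
# address in a VPN client pool (option 2 above) and report pool addresses
# that an `arp -an` listing does not show as "permanent published".
# The MAC and address range below are sample values copied from the thread.

# proxy_arp_cmds PREFIX FIRST LAST MAC -> one arp -s command per host
proxy_arp_cmds() {
    prefix=$1; first=$2; last=$3; mac=$4
    i=$first
    while [ "$i" -le "$last" ]; do
        printf 'arp -s %s.%s %s pub\n' "$prefix" "$i" "$mac"
        i=$((i + 1))
    done
}

# missing_published PREFIX FIRST LAST ARP_TABLE -> pool addresses with no
# "permanent published" line in ARP_TABLE (text in arp -an format)
missing_published() {
    prefix=$1; first=$2; last=$3; table=$4
    i=$first
    while [ "$i" -le "$last" ]; do
        ip="$prefix.$i"
        # "($ip) " keeps 192.9.200.5 from matching 192.9.200.57
        if ! printf '%s\n' "$table" | grep -F "($ip) " | grep -q 'permanent published'; then
            echo "$ip"
        fi
        i=$((i + 1))
    done
}

# Constructed arp -an output: .57 and .58 are published, .59 is only a
# dynamic entry (no pub flag), .60 is absent entirely.
SAMPLE_ARP='? (192.9.200.1) at 0:1b:63:aa:bb:cc on en0 ifscope [ethernet]
? (192.9.200.57) at 0:16:cb:af:57:dc on en0 permanent published [ethernet]
? (192.9.200.58) at 0:16:cb:af:57:dc on en0 permanent published [ethernet]
? (192.9.200.59) at 0:16:cb:af:57:dc on en0 [ethernet]'

# Dry run: print the commands to add, then the addresses still unpublished.
proxy_arp_cmds 192.9.200 57 60 0:16:cb:af:57:dc
missing_published 192.9.200 57 60 "$SAMPLE_ARP"
```

On the server itself, replace SAMPLE_ARP with "$(arp -an)" and run the printed arp -s commands as root; the entries are not persistent across a reboot, so they need to be re-applied at startup.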

May 22, 2009 1:18 PM in response to ColoradoMan

Hi, I just set up a fresh install of Leopard Server and I seem to be running into a similar problem as was discussed in this post. I don't have extensive experience with Mac OS X Server beyond the advanced GUI setup (Server Admin / Workgroup Manager).

My setup is as follows:
Mac Mini 2009 (4GB RAM) running Leopard Server 10.5.7. I have an Apple USB Ethernet adapter set up with a public IP through my company's bonded T1 line, and the internal Ethernet port is used for my LAN. The machine is set up to do everything, as it's a standalone server in this environment. This includes DHCP, NAT/Firewall, DNS, Open Directory and AFP. I have set up DHCP and VPN to use different address ranges on the internal subnet.

My original problem was that when on VPN the only device on my internal network that I could connect to was the server (via internal IP or .private DNS). As per this post, I added an additional virtual interface on the Ethernet port on my LAN connection and now I can access all devices without issues.

The current problem is that when on VPN the server doesn't come up in an ARD scan of my internal LAN by name. I can add it manually (192.168.9.10) when on the VPN, but the name and password won't verify. When I skip verification I gain access but it never shows up by name or with any status. The firewall logs show that the VPN machine's external address tried to access the server's external address at the ARD port 3283. Since I don't want ARD available over the Internet it denied it.

I have narrowed this down to some sort of VPN routing issue only to the server but I have no idea how to fix it. I have tried to add a VPN network routing definition setting the server's external IP as private but that didn't work. Is there anything I can do to force ARD to only work over the internal LAN port?

Any ideas would be greatly appreciated.

Thanks

Jun 26, 2009 3:13 AM in response to mreed66

Dear Sir /Madam/Miss

I am IT support in one factory and I have never used Mac OS before, but my manager in Thailand uses a Mac and one day her VPN client was connected but could not access file sharing. I tried to use the ping command, but no result; it said no route to host and then host is down.
Hope you can help me then.
My email address: ratha_h@honda.com.kh ; khun_ratha2005@yahoo.com ;

Jul 11, 2009 9:43 AM in response to Brian Harmann

I wonder if this could be the old problem with the firewall, that you might have to enable access in from the ppp0 "interface", depending on how the firewall rules are set up.

Also the (private) routing definitions matter, and what IPs are given to the VPN clients (if they are part of the LAN subnet or not).

If you have an all-"public" IP LAN you have to set up an alias IP on the server that you can use to connect to the server itself when connected through the VPN, if the server's main IP is behind a firewall and only VPN traffic is allowed through to it.

If the LAN DNS is set up on another machine you could use the OS X Server DNS to point to the alias IP for the server name and only give the server IP as the DNS for VPN clients.

Aug 10, 2009 2:30 PM in response to Brian Harmann

Thanks for that email! This helped me re-establish my workaround that Leopard 10.5.8 turned into a bug. Back in 10.5.7 I plugged another Ethernet cable into NIC2; when people connected to the VPN on my Xserve they'd just use the other IP to actually use the other services on that Xserve. When 10.5.8 came out, that extra attached network cable was the core reason I got the dreaded "Invalid Serial Number - duplicate found on network" error from serialnumberd. I adapted your instructions to put another virtual interface on the cable that is already plugged into my server. I get my cake and eat it too, and get my useful workaround back! 🙂 Thanks!

Aug 16, 2009 9:46 AM in response to Christian Ross

I am having a similar issue and my outside IT consultants are stumped. We are able to connect via PPTP but unable to ping the server, and even more confusing, I was able to connect on 2 separate occasions but soon thereafter it was out again with no apparent changes made. My setup is as follows:

1) I have a Mini running Leopard Server 10.5.8 behind an AirPort Extreme (previous model, i.e. not dual band) with no server firewall running.
2) This setup is behind our building firewall and router. We have 5 public IPs and the building IT staff set up their router to forward all traffic on one IP into our Extreme.
3) The Extreme's external IP is assigned by the building router at 192.168.20.1 and then forwards to 10.0.0.1.
4) Our server sits at 10.0.0.11 and acts as the DHCP.
5) Our VPN DHCP range is 10.10.0.101-200.
6) We have forwarded the VPN (TCP 1723), FTP, and ARD ports to the server. FTP and ARD work fine.

Any help appreciated as I am stumped. This is my first Mac server setup and I was able to figure out everything else through trial and error but this VPN issue is beyond my ability to understand.

Thanks

Aug 16, 2009 10:40 AM in response to TheChinaMac

So you have double NAT? (Shudder.) That is the first thing I'd look to remove here, as part of testing. Get a subnet in whatever the outer network uses.

Network protocols (and particularly security protocols) tend to have issues around NAT.

After that (failing that), I'd look to switch the AirPort Extreme from a router configuration over to an access point; APs look more like "switches" than "routers"; they're rather more transparent. (This does mean you'd VPN into the broader network, then connect to your particular part of the organization's subnet.)

And also confirm that the network address where the VPN starts is NOT in the same subnet as the target network, if you're using NAT. That tends to cause problems (confusion) for IP routing.

Aug 20, 2009 10:07 AM in response to MrHoffman

Thanks for the feedback MrHoffman. Can you tell me what you mean by switching the AE from a router to an access point?

The current setup we have is as follows:

External IP > Building Firewall > Building Router > Building Switch > Our AE Router (WAN 192.168.20.1 / LAN 10.0.0.1) > Our Switch > Mini Server (10.0.0.11)

The building IT staff has forwarded all external traffic to 192.168.20.1. They have suggested we remove the AE from the configuration and forward ports to the Mini Server directly from the Building Router to remove the double NAT. Unfortunately they believe this could be problematic too as it will result in one external IP for the server and another for all other traffic due to a VLAN setup. (I didn't follow this...)

I however am beginning to suspect a problem with the AE. The VPN connects every time but can't connect to services or ping the server. The 3 times it has mysteriously worked have all come after a hard restart of the AE. 30 minutes later it mysteriously flakes out again.

I am going to try to swap out the AE with a new dual band AE to see if that does anything.

Aug 20, 2009 11:21 AM in response to TheChinaMac

Various WiFi devices can operate as IP routers, or can operate in a mode analogous to an Ethernet switch in a wired LAN. The former is common. The latter is called an Access Point (AP) or sometimes bridging.

APs are less common in small networks, but are very useful in larger networks: when you have multiple WiFi devices, or WiFi devices that are operating in multiple bands (e.g. a and b/g), or when you want to use network-based authentication servers or such. APs let clients move between WiFi devices, whether simply moving around in a building or as a result of the usual sorts of maintenance and reconfiguration tasks that can be required with a network device (WiFi device reboots), without dropping connections when traveling between APs. A WiFi router knows about the IP addresses and adjacencies and gateways and such, and will tend to drop connections when you're switching between WiFi devices. An AP looks more like a hunk of Ethernet wiring from the perspective of an IP network and of IP routing; an AP is comparatively transparent to IP.

Using an AP does mean that devices "behind" the AP may be needed to serve DHCP requests and such. This might be an IP router, or a Mac OS X Server box, or something else. (Though various APs can be configured to serve DHCP when operating as an AP, recognize that you only want one DHCP server.)

I would expunge as much NAT as I can manage. In particular, here get yourself a subnet allocated in your existing larger 192.168.0.0/16 block for the building, and use that.

As a general rule, I avoid using the 192.168.0.0/16 block in any LAN I install, as it tends to lead to routing conflicts, too. For lack of better terminology, that block is what I consider the "home and SOHO and coffee shop IP block." Everybody uses it. Why is this bad? If the VPN client is in the same subnet as the remote LAN on the far end of the VPN connection, then IP routing can get confused. Do try setting the "send everything via the VPN" setting. And yes, re-addressing your building's IP LAN out of 192.168.0.0/16 is probably not within your portfolio.
