Freenas Cannot access subnet (VPN)

Status
Not open for further replies.

CedSha

Cadet
Joined
Apr 7, 2014
Messages
6
Hi all, I am going mad with this configuration...
I set up two networks in two sites linked with an IPsec VPN (via 2 x IPCop)
192.168.0.0/24 Site 1
192.168.10.0/24 Site 2
The FreeNAS box (8.0.4-RELEASE-p2-x64 (11367)) resides at 192.168.0.2
while each IPCop resides at 192.168.x.1

I can
SSH to any machine including FreeNAS from 192.168.0.* Site 1
SSH to any machine except FreeNAS from 192.168.10.* Site 2
PING FreeNAS from all

I cannot
PING or SSH from FreeNAS to any machine in 192.168.10.* Site 2

Following a post in this forum I added 192.168.0.1 as a gateway in
Network settings > Global configuration (without success).
I also checked hosts.allow but it starts with
ALL : ALL : allow

How can I debug further?
Help would be more than WELCOME ;)
CedSha
 

Alec Edworthy

Dabbler
Joined
Feb 27, 2014
Messages
19
Can you send the output generated by the following commands when executed in a shell on the FreeNAS box please:

Code:
netstat -nr
ifconfig -a

You will need to put it in code or pre tags when you post it.

Kind regards, Alec
 

CedSha

Cadet
Joined
Apr 7, 2014
Messages
6
Thanks for the answers.
Alec,
Here are the results of the requested commands.
(I am trying to understand them, and wonder if link#2 could be a problem
as I have only one network card.)
Code:
Routing tables
 
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.0.1        UGS        0      652    re0
127.0.0.1          link#2            UH          0        0    lo0
192.168.0.0/24    link#1            U          1  299031    re0
192.168.0.2        link#1            UHS        0      19    lo0
192.168.10.0/24    192.168.0.1        UGS        0    1200    re0
 
Internet6:
Destination                      Gateway                      Flags      Netif Expire
::/96                            ::1                          UGRS        lo0
::1                              ::1                          UH          lo0
::ffff:0.0.0.0/96                ::1                          UGRS        lo0
fe80::/10                        ::1                          UGRS        lo0
fe80::%re0/64                    link#1                        U          re0
fe80::6e62:6dff:fefa:673f%re0    link#1                        UHS        lo0
fe80::%lo0/64                    link#2                        U          lo0
fe80::1%lo0                      link#2                        UHS        lo0
ff01:1::/32                      fe80::6e62:6dff:fefa:673f%re0 U          re0
ff01:2::/32                      ::1                          U          lo0
ff02::/16                        ::1                          UGRS        lo0
ff02::%re0/32                    fe80::6e62:6dff:fefa:673f%re0 U          re0
ff02::%lo0/32                    ::1     
 
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
    ether 6c:62:6d:fa:67:3f
    inet6 fe80::6e62:6dff:fefa:673f%re0 prefixlen 64 scopeid 0x1
    inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
    nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
    media: Ethernet autoselect (1000baseT <full-duplex,master>)
    status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=3<RXCSUM,TXCSUM>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
 
 


oddeypaulo
I crawled the website you gave and cannot find any valuable information about FreeNAS.
Would you mind being a little bit more precise?
 

Alec Edworthy

Dabbler
Joined
Feb 27, 2014
Messages
19
Hmm, not sure what's going on here. The link#2 isn't an issue, that's an alias of lo0 (loopback interface). There's some more debug which can be collected but I'll need access to my FreeNAS to confirm commands properly and a proper keyboard (iPads have their limitations sometimes unless you are very determined).

Sorry I can't help more right now, hopefully I'll be back in touch shortly with more commands to run :)

Alec
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Since you are running 8.0.4 I'd STRONGLY recommend you upgrade to 8.3.1 or 8.3.2. There's so many security vulnerabilities and bugs in that version I'd be scared to use it.
 

CedSha

Cadet
Joined
Apr 7, 2014
Messages
6
Again, thanks for your support messages.

Alec,
Hope you could do some interesting debugging!

cyberjock,
Yes, you're right, my system definitely needs an upgrade!
I just noticed from the download page that the latest version is 9.2.1.3. Do you
think it reasonable to upgrade directly to this one? As you suggested older ones...
 

Alec Edworthy

Dabbler
Joined
Feb 27, 2014
Messages
19
Wow, I hadn't clocked just quite how out of date your system is :)

OK, on to the debugging I'd recommend. Apologies in advance if I'm explaining anything here that you already know/understand, I thought I'd try to spell everything out as clearly as possible so that anyone stumbling across this post could use the steps.

First of all open two console/command line connections to the NAS, they can be local consoles or remote SSH. If remote SSH then find out what the IP address is you're connecting to the FreeNAS from as we'll need that later and will refer to it as source_IP when we need it. Get root in one session, we'll refer to the two sessions as the root console and the normal console, the second session does not need to be non-root but equally it does not need to be root. Throughout this posting where you see me using angle brackets around something, e.g.
Code:
<source_IP>

I mean replace the text (including the angle brackets) with the piece of information, e.g. if my source_IP was 10.0.0.100
Code:
ping -c 4 <source_IP>

would become,
Code:
ping -c 4 10.0.0.100

and always ignore the 1. at the start of the line, it's a forum formatting thing (I could use pre tags rather than code tags but I don't like them as much).

OK now run the following command in the root console,
Code:
tcpdump -eqnntl -i re0 not host <source_IP> and \( ether host 6c:62:6d:fa:67:3f or ether broadcast \) and not ip6 | tee <path_to_a_writeable_file_inside_a_data_set>

(Note the backslashes on the brackets there). The last part of that command involves writing the output to a file so you'll need somewhere you can write to (e.g. one of your existing data sets), if you don't have somewhere to write to then ignore everything on that command from the | onwards.

Now in the normal console execute the following command,
Code:
ping -c 4 <IP_address_in_192.168.10.*_range>

Followed by,
Code:
ssh <IP_address_in_192.168.10.*_range>

The ssh command will probably hang so give it ten seconds and then kill the command by pressing ctrl-C.

Now go back to the root console and press ctrl-C there to kill the tcpdump session then execute the following command,
Code:
arp -an


Now please send the output from the tcpdump command (which is stored in the file mentioned after tee on that line), the output from the arp command and a cut and paste of the output of the ping and ssh attempts as attachments to a reply to this thread please. It would be possible to send the normal console output and the arp command output as a cut and paste in a reply (using code tags) but I suspect that the tcpdump output will be much larger (tens of lines) and so will need attaching really so it's up to you if you use three attachments or one attachment and two blocks of output in code tags (the code tags are VERY important otherwise formatting and some content may be lost).

I can't guarantee that this will permit the cause to be identified but it's my starter for ten!

Kind regards, Alec
 

gpsguy

Active Member
Joined
Jan 22, 2012
Messages
4,472
When you upgrade I wouldn't try going straight to the latest - that's too big a jump. Try one of the 8.3.x versions as cyberjock suggested. You can download older versions here: http://download.freenas.org


Sent from my phone
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I would do this:

1. Backup your config file
2. Upgrade to 8.2.0
3. Backup your config file again
4. Upgrade to 8.3.1
5. Backup your config file again
6. Upgrade to 9.1.0
7. Backup your config file again
8. Upgrade to whatever version you want. I'm running 9.2.0 because 9.2.1.x has had some problems.

Yes, this is time consuming. But, you are like 3 years behind! So I think that taking an hour total to do all of this isn't asking too much. ;)

Keep in mind that the hardware requirements have increased since 8.0.4. If your CPU was slow 3 years ago it might not be good for FreeNAS 9+. Also, the minimum RAM for FreeNAS 9 is 8GB. :(
 

CedSha

Cadet
Joined
Apr 7, 2014
Messages
6
Hi all, very nice of you for your continuing support.

I am in a true nightmare... :) but I'll wake up soon, for sure!
cyberjock, gpsguy,
I tried to follow your advice.
So for the update part:
1./ Tried to update from the GUI: downloaded the 8.2.0 version, backed up the config... and launched the update.
Everything went smoothly, the computer restarted and surprise! It is still 8.0.4.
2./ I tried to make a new USB key (my system already resides on a USB key): downloaded, verified the SHA256
checksum, uncompressed the img version onto the USB key, then could not boot from this USB key
(tried with another USB key, same result).
I am not sure if I can do it like that, but I also tried to uncompress it on my desktop and mount the resulting .img
with Disk Image Mounter to see what is inside, but there is nothing!

It seems I should install a CD drive to install it.

Alec,
Here are the results. I did it several times so I should understand the whole process:
The source_IP was 192.168.0.97
Code:
6c:62:6d:fa:67:3f > 00:05:5d:5c:e5:4e, IPv4, length 98: 192.168.0.2 > 192.168.10.1: ICMP echo request, id 23599, seq 0, length 64
6c:62:6d:fa:67:3f > 00:05:5d:5c:e5:4e, IPv4, length 98: 192.168.0.2 > 192.168.10.1: ICMP echo request, id 23599, seq 1, length 64
6c:62:6d:fa:67:3f > 00:05:5d:5c:e5:4e, IPv4, length 98: 192.168.0.2 > 192.168.10.1: ICMP echo request, id 23599, seq 2, length 64
6c:62:6d:fa:67:3f > 00:05:5d:5c:e5:4e, IPv4, length 98: 192.168.0.2 > 192.168.10.1: ICMP echo request, id 23599, seq 3, length 64
00:c0:ee:b0:8f:f0 > ff:ff:ff:ff:ff:ff, IPv4, length 260: 192.168.0.5.1024 > 192.168.0.255.138: UDP, length 218
6c:62:6d:fa:67:3f > 00:05:5d:5c:e5:4e, IPv4, length 74: 192.168.0.2.23399 > 192.168.10.31.22: tcp 0
6c:62:6d:ea:3f:37 > 6c:62:6d:fa:67:3f, IPv4, length 108: 192.168.0.91.33896 > 192.168.0.2.445: tcp 42
6c:62:6d:fa:67:3f > 6c:62:6d:ea:3f:37, IPv4, length 108: 192.168.0.2.445 > 192.168.0.91.33896: tcp 42
6c:62:6d:ea:3f:37 > 6c:62:6d:fa:67:3f, IPv4, length 66: 192.168.0.91.33896 > 192.168.0.2.445: tcp 0
6c:62:6d:fa:67:3f > 00:05:5d:5c:e5:4e, IPv4, length 74: 192.168.0.2.23399 > 192.168.10.31.22: tcp 0
6c:62:6d:fa:67:3f > 00:05:5d:5c:e5:4e, IPv4, length 74: 192.168.0.2.23399 > 192.168.10.31.22: tcp 0
6c:62:6d:ea:3f:37 > 6c:62:6d:fa:67:3f, ARP, length 60: Request who-has 192.168.0.2 tell 192.168.0.91, length 46
6c:62:6d:fa:67:3f > 6c:62:6d:ea:3f:37, ARP, length 42: Reply 192.168.0.2 is-at 6c:62:6d:ea:67:3f, length 28
6c:62:6d:fa:67:3f > 00:05:5d:5c:e5:4e, IPv4, length 74: 192.168.0.2.42940 > 192.168.10.1.22: tcp 0
6c:62:6d:fa:67:3f > 00:05:5d:5c:e5:4e, IPv4, length 74: 192.168.0.2.42940 > 192.168.10.1.22: tcp 0
 
? (192.168.0.97) at e0:3f:49:a3:7d:0d on re0 expires in 802 seconds [ethernet]
? (192.168.0.1) at 00:05:5d:5c:e5:4e on re0 expires in 498 seconds [ethernet]
? (192.168.0.2) at 6c:62:6d:fa:67:3f on re0 permanent [ethernet]
? (192.168.0.91) at 6c:62:6d:ea:3f:37 on re0 expires in 1142 seconds [ethernet]
 
# ping 192.168.10.1
PING 192.168.10.1 (192.168.10.1): 56 data bytes
^C
--- 192.168.10.1 ping statistics ---
133 packets transmitted, 0 packets received, 100.0% packet loss
 
# ssh 192.168.10.31
ssh: connect to host 192.168.10.31 port 22: Operation timed out
 
 

gpsguy

Active Member
Joined
Jan 22, 2012
Messages
4,472
Ensure that your flash drive is at least 4GB in size. Yes, installing it from CD-ROM generally works better for most users. You could boot the CD in another machine to install FreeNAS on a flash drive.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
You can also boot from a CD to *upgrade* a FreeNAS installation. But if you do that I'd do an upgrade, boot from the USB stick and verify everything works, then do the next upgrade from CD.
 

CedSha

Cadet
Joined
Apr 7, 2014
Messages
6
Hi all,
The new situation today is:
1./
Finally succeeded in installing all the upgrades as suggested by cyberjock,
thanks to the "You could boot the CD in another machine to install FreeNAS on a flash drive"
from gpsguy,
It helped me a lot in my case!
2./
Network still not responding on the second subnet :(
Anyway, the instructions given by Alec taught me a lot about network debugging.
3./ I noticed the following error messages, and there may be a relation:
Code:
grep - error /var/log/messages
...
/var/log/messages:Apr 11 12:42:02 freenas smbd[2599]: dnssd_clientstub ConnectToServer: connect()-> No of tries: 1
/var/log/messages:Apr 11 12:42:03 freenas smbd[2599]: dnssd_clientstub ConnectToServer: connect()-> No of tries: 2
/var/log/messages:Apr 11 12:42:04 freenas smbd[2599]: dnssd_clientstub ConnectToServer: connect()-> No of tries: 3
/var/log/messages:Apr 11 12:42:05 freenas smbd[2599]: dnssd_clientstub ConnectToServer: connect() failed Socket:32 Err:-1 Errno:2 No such file or directory
/var/log/messages:Apr 11 12:43:03 freenas mDNSResponder: mDNS_Register_internal: ERROR!! Tried to register AuthRecord 0000000800C30180 2.0.168.192.in-addr.arpa. (PTR) that's already in the list
...

Also noticed the following (I am not sure it could give some clues but I have not so many things to hold on to!):
The answers are not the same if I set
Global configuration > IPv4 Default Gateway
to nothing (default)
PING 192.168.10.1 (192.168.10.1): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
...
or to 192.168.0.1 (I must CTRL-C to end)
PING 192.168.10.1 (192.168.10.1): 56 data bytes
^C
--- 192.168.10.1 ping statistics ---
594 packets transmitted, 0 packets received, 100.0% packet loss
 

Alec Edworthy

Dabbler
Joined
Feb 27, 2014
Messages
19
Hello,

Sorry for not getting back to you sooner. OK, looking over the information you sent following the debugging I can see that your FreeNAS box is correctly passing the traffic for 192.168.10.1 to the router (192.168.0.1),
Code:
6c:62:6d:fa:67:3f > 00:05:5d:5c:e5:4e, IPv4, length 98: 192.168.0.2 > 192.168.10.1: ICMP echo request, id 23599, seq 0, length 64

and
Code:
6c:62:6d:fa:67:3f > 00:05:5d:5c:e5:4e, IPv4, length 74: 192.168.0.2.42940 > 192.168.10.1.22: tcp 0
Here you can see that the layer 3 packet is coming from 192.168.0.2 and is addressed to 192.168.10.1, whereas the layer 2 frame is coming from your FreeNAS's MAC address (6c:62:6d:fa:67:3f) and is going to the MAC address of the router on the 192.168.0.0/24 LAN (00:05:5d:5c:e5:4e) which we know is that MAC address given the output from the arp command,
Code:
? (192.168.0.1) at 00:05:5d:5c:e5:4e on re0 expires in 498 seconds [ethernet]

Can you confirm that you should be able to ping and SSH into the 192.168.10.1 IPCop from a host on the 192.168.0.0/24 network? I wondered if the IPCop might be blocking attempts to connect directly to it except from specific hosts perhaps? Assuming that 192.168.10.1 should allow connections from 192.168.0.2 then the issue lies outside of the FreeNAS as far as I can tell. I would confirm that another host on the 192.168.0.0/24 network can ping and SSH to 192.168.10.1. Also check to see that the FreeNAS can ping and SSH to 192.168.0.1 (perhaps you've already confirmed this given the initial diagnosis information you gave though) just in case there is an issue there (but I very much doubt there is). If I were looking into this myself then my next steps would be to run packet captures on one or more of the IPCop on 192.168.0.0/24, the IPCop on 192.168.10.0/24 and a host on 192.168.10.0/24 (and then attempt to ping and SSH into the host you are running the captures on). I am guessing that packet capturing on the IPCops might not be feasible. Can you get shell access to a host on 192.168.10.0/24 and run a tcpdump on there? You'd want to capture packets from the FreeNAS's IP address, e.g.
Code:
tcpdump -eqnntl -i <interface_name> host 192.168.0.2
and I'd recommend doing captures on the FreeNAS (like before) at the same time too. This is checking to see if the packets for the host on 192.168.10.0/24 are reaching it and whether the host is then responding (i.e. is the issue that the packets never cross the routers going in one direction or the other or are dropped by the receiving host).
Kind regards, Alec
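To read a capture the way Alec does above (layer-3 addresses versus the layer-2 next hop, cross-checked against `arp -an`), here is an added Python example that is not from the thread or from FreeNAS. It parses `tcpdump -eqnn` and `arp -an` lines in the format shown in this thread and reports whether the host's outbound frames for the remote subnet are addressed to the router's MAC and whether any reply ever came back; the sample lines are copied from the capture posted earlier.

```python
import ipaddress
import re
from collections import Counter

# Frame line of `tcpdump -eqnn`: "src_mac > dst_mac, IPv4, length N: src_ip[.port] > dst_ip[.port]: ..."
FRAME_RE = re.compile(
    r"^(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), IPv4, length \d+: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: "
)
# Entry of `arp -an`: "? (192.168.0.1) at 00:05:5d:5c:e5:4e on re0 expires in 498 seconds [ethernet]"
ARP_RE = re.compile(r"^\? \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}) on \S+")

SAMPLE_CAPTURE = [  # lines copied from the capture posted in this thread
    "6c:62:6d:fa:67:3f > 00:05:5d:5c:e5:4e, IPv4, length 98: 192.168.0.2 > 192.168.10.1: ICMP echo request, id 23599, seq 0, length 64",
    "00:c0:ee:b0:8f:f0 > ff:ff:ff:ff:ff:ff, IPv4, length 260: 192.168.0.5.1024 > 192.168.0.255.138: UDP, length 218",
    "6c:62:6d:fa:67:3f > 00:05:5d:5c:e5:4e, IPv4, length 74: 192.168.0.2.23399 > 192.168.10.31.22: tcp 0",
    "6c:62:6d:ea:3f:37 > 6c:62:6d:fa:67:3f, ARP, length 60: Request who-has 192.168.0.2 tell 192.168.0.91, length 46",
    "6c:62:6d:fa:67:3f > 00:05:5d:5c:e5:4e, IPv4, length 74: 192.168.0.2.42940 > 192.168.10.1.22: tcp 0",
]
SAMPLE_ARP = [  # lines copied from the `arp -an` output posted in this thread
    "? (192.168.0.1) at 00:05:5d:5c:e5:4e on re0 expires in 498 seconds [ethernet]",
    "? (192.168.0.2) at 6c:62:6d:fa:67:3f on re0 permanent [ethernet]",
]

def parse_arp(lines):
    """Return {ip: mac} from `arp -an` output, skipping unresolved entries."""
    table = {}
    for line in lines:
        m = ARP_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"]
    return table

def check_path(capture, arp_lines, local_ip, gateway_ip, remote_net):
    """Count frames to/from remote_net and verify their layer-2 next hop is the router."""
    net = ipaddress.ip_network(remote_net)
    gw_mac = parse_arp(arp_lines).get(gateway_ip)
    sent, received, next_hops = 0, 0, Counter()
    for line in capture:
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # ARP, IPv6 and anything else that is not an IPv4 frame
        sip, dip = ipaddress.ip_address(m["sip"]), ipaddress.ip_address(m["dip"])
        if str(sip) == local_ip and dip in net:
            sent += 1
            next_hops[m["dmac"]] += 1  # layer-2 destination chosen for this packet
        elif sip in net and str(dip) == local_ip:
            received += 1
    return {
        "sent": sent,
        "received": received,
        "gateway_mac": gw_mac,
        "next_hops": dict(next_hops),
        # True when every outbound frame for remote_net went to the router's MAC
        "next_hop_ok": gw_mac is not None and set(next_hops) == {gw_mac},
    }
```

A result with `next_hop_ok` True, `sent` > 0 and `received` == 0 is exactly the situation Alec describes: the FreeNAS side is forwarding correctly and the loss is on the router, the VPN or the far end.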
 

CedSha

Cadet
Joined
Apr 7, 2014
Messages
6
Hi Alec,

Very nice you are still there to help !
1./ Yes, I can ping from any machine on the 192.168.0.* network to 192.168.10.1 except from 192.168.0.2 (which is the FreeNAS).
2./ Yes, FreeNAS can also ping all machines in 192.168.0.*

I do not know how the machine 192.168.0.2 could be 'special' for the IPCop.
I need a little more time to try other tcpdumps as I am travelling and not very familiar with this kind of command.

Actually, to bypass the problem I set up one machine in the 192.168.0.* network with the FreeNAS mounted inside it, to be able to receive
ssh requests from the machines in the 192.168.10.* network.
So all machines can have access to the data, but it feels really not so good like that!
 