Windows firewall blocking network shares through VPN server
I have a VPN server in front of a 172.16.0.0/24 network. On my client side is a 192.168.1.0/24 network. I am able to successfully VPN in to the server network from the client, and I am trying to mount a network share through TCP/IP (e.g., \\172.16.0.20\Folder). I have enabled NetBIOS over TCP on 172.16.0.20's network adapter.
However, when I try to mount the folder I get a failed connection. I am positive this is the "Private networks" Windows firewall blocking it. If I disable the private network Windows firewall, I am able to mount the folder without any issues through the VPN (keeping the public network firewall enabled). However, as soon as I enable the private network firewall again, the mount fails. Note that I am able to Remote Desktop to the machine (172.16.0.20) without an issue.
I have tried manually forwarding UDP ports 137 and 138, as well as TCP port 139. That doesn't seem to work. Is there something else I need to enable?
Solution 1:
I realize this is almost three years late, but I just spent today fighting with the same problem. I did get it working, so I figured I'd share. Note that I'm using a Windows 7 PC as the file server; other versions might need slightly different configuration.
In the "Windows Firewall with Advanced Security", there are several "File and Printer Sharing" rules:
- File and Printer Sharing (NB-Datagram-In)
- File and Printer Sharing (NB-Name-In)
- File and Printer Sharing (NB-Session-In)
- File and Printer Sharing (SMB-In)
(There are additional rules, but I didn't care about printer sharing. The same changes would apply if you want those.)
File and Printer Sharing appears to default to "Local subnet" only. You'll need to add the subnet of your VPN clients.
Modify each of those rules as follows:
- Open the Properties dialog for the rule.
- Navigate to the Scope tab.
- In the Remote IP address section, the "These IP addresses" radio button should be selected.
- Click "Add..." next to the list of addresses. By default, only "Local subnet" is in the list.
- In the "This IP address or subnet:" field, enter the subnet assigned to your VPN clients (this is probably 192.168.1.0/24 in the OP, but if not, it's the subnet assigned to the VPN adapter on the client side), then click OK.
- If you're also using IPv6, add the VPN client IPv6 subnet as well.
That was enough for me to access file shares over the VPN.
(If you want to do it manually, you need to open TCP ports 139 and 445, and UDP ports 137 and 138, in the file server's firewall.)
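The scope change from Solution 1 can also be scripted with `netsh advfirewall`. This is an added example, not part of the original answer; it assumes the VPN clients are in 192.168.1.0/24 (the subnet named in the question), an English-language Windows install, and an elevated PowerShell prompt on the file server.

```powershell
# Added example: run in an elevated PowerShell prompt on the file server.
# Assumption: VPN clients are in 192.168.1.0/24 (subnet taken from the question).
$vpnSubnet = '192.168.1.0/24'

# Keep LocalSubnet and add only the VPN subnet, so the rules stay narrowly scoped.
# If the VPN also hands out IPv6 addresses, append that subnet to this list.
$scope = "LocalSubnet,$vpnSubnet"

# The four inbound rules listed in the answer.
$rules = @(
    'File and Printer Sharing (NB-Datagram-In)',
    'File and Printer Sharing (NB-Name-In)',
    'File and Printer Sharing (NB-Session-In)',
    'File and Printer Sharing (SMB-In)'
)

foreach ($rule in $rules) {
    # No profile filter is given, so every rule with this name is updated.
    netsh advfirewall firewall set rule "name=$rule" new "remoteip=$scope" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not update '$rule' (exit code $LASTEXITCODE)"
        continue
    }

    # Print the profiles and the resulting remote scope for review.
    Write-Output $rule
    netsh advfirewall firewall show rule "name=$rule" verbose |
        Select-String -Pattern 'Profiles|RemoteIP'
}
```

Check the printed `Profiles` line for each rule: because the command matches by name only, the wider scope applies to every profile that rule covers.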