Access Control

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
timboau
Posts: 10
Joined: Wed Aug 31, 2016 12:30 am

Access Control

Post by timboau » Fri Apr 17, 2020 3:15 am

I have tried all sorts of combinations without success.

I have:
20 groups - users in each group should only be able to access their own RDP server (Most in 1 subnet, some in others) 3389
1 group users can access all 20 individual RDP servers (mix of subnets) 3389
1 group can access everything all ports etc

I'm missing something as it doesn't seem to do any limiting, based on groups (have tried log in/out of VPN session etc)

I have seen other sites where we need to check for an existing session firs

allaboutthebase
Posts: 11
Joined: Thu Apr 09, 2020 3:53 pm

Re: Access Control

Post by allaboutthebase » Fri Apr 17, 2020 7:14 am

I have something similar to you but not as many groups.

In the access list I have a PASS rule for each RDP session from a user to their PC (10 in total), and then the last rule is to DISCARD RDP for a group that all the users that are in the individual rules are members of.

So the DISCARD rule blocks RDP for them all to all devices, and then the PASS rule for each person allows them to access their own RDP session to their PC.

You'd need to give some details to the Access List Items you have configured to see where you are going wrong.

timboau
Posts: 10
Joined: Wed Aug 31, 2016 12:30 am

Re: Access Control

Post by timboau » Fri Apr 17, 2020 7:39 am

Hey thanks, I think you might have dropped a few characters in the reply but it made me really study what you were trying to say :)

From what I can see it's sort of an ass-about firewall - that makes sense in a strange way!

Allow the group access to the IP / PORT of the server

add the DNS, DHCP, domain controller etc without a group as allow
then block all subnets /everything as last rule (no group) - ie catch all

I just need to set up all the groups and add the catch all before it comes into force..
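The rule layout summarised in this post (per-group PASS rules, shared services allowed with no group, a catch-all DISCARD last), modelled as an added example that is not part of the thread or SoftEther's own code. It assumes rules are checked in ascending priority order, the first match wins, and unmatched traffic passes; all group names and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    priority: int                 # lower number is evaluated first (assumption)
    action: str                   # "pass" or "discard"
    dest: str                     # destination network, CIDR
    port: Optional[int] = None    # None matches any destination port
    group: Optional[str] = None   # None matches any source group

    def matches(self, group, dest_ip, port):
        return ((self.group is None or self.group == group)
                and ip_address(dest_ip) in ip_network(self.dest)
                and (self.port is None or self.port == port))

def decide(rules, group, dest_ip, port):
    """Action of the first matching rule; traffic matching no rule passes."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(group, dest_ip, port):
            return rule.action
    return "pass"

# Constructed sample policy: hypothetical groups, servers and subnet.
SERVERS = "10.0.0.0/16"
GROUP_RULES = [
    Rule(100, "pass", "10.0.1.11/32", 3389, "clientA"),  # own RDP host only
    Rule(110, "pass", "10.0.1.12/32", 3389, "clientB"),
    Rule(120, "pass", "10.0.1.11/32", 3389, "support"),  # every RDP host
    Rule(121, "pass", "10.0.1.12/32", 3389, "support"),
    Rule(130, "pass", SERVERS, None, "admins"),          # everything
    Rule(200, "pass", "10.0.1.2/32", 53),                # DNS, no group
]
CATCH_ALL = Rule(1000, "discard", SERVERS)               # last rule, no group
POLICY = GROUP_RULES + [CATCH_ALL]

def audit(rules):
    """Verdict for each (group, RDP host) pair under the given rule list."""
    hosts = {"A": "10.0.1.11", "B": "10.0.1.12"}
    return {(g, h): decide(rules, g, ip, 3389)
            for g in ("clientA", "clientB", "support", "admins")
            for h, ip in hosts.items()}

if __name__ == "__main__":
    for pair, verdict in sorted(audit(POLICY).items()):
        print(pair, verdict)
```

Running `audit(GROUP_RULES)` without the catch-all returns "pass" for every pair, which is the "no limiting" symptom from the first post.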

timboau
Posts: 10
Joined: Wed Aug 31, 2016 12:30 am

Re: Access Control

Post by timboau » Tue Apr 21, 2020 7:46 am

Hi again and thanks for your previous assistance - it's going great now!

I have a bit of a weird issue though - any ideas?

Essentially "Network identification" doesn't happen successfully when the VPN connects to the network anymore. Causing some delays until it times out 'identifying'

This causes a few issues, for instance when I'm trying to connect to a Synology SMB file-share it's asking for re-authentication and takes 30 seconds or so to establish a connection. Once connected it's fine. (but sometimes if not used it does time out and then pause again, only to be fine after the initial delay)

I do have ports 88 (Kerberos), 123 (NTP), 53 (DNS), and 139, 445 (SMB) open between the IP of the SoftEther Server and the NAS

Could it be the Kerberos having issues traversing the NAT to the SoftEther clients - any suggestions if so? It must have something to do with the ACL as both network identification and instant logon to the SMB share was OK before.

timboau
Posts: 10
Joined: Wed Aug 31, 2016 12:30 am

Re: Access Control

Post by timboau » Tue Apr 21, 2020 10:39 pm

I've created two new rules

Allow everything to the DNS server
Allow everything to the Internal Router IP

I connected with both of these enabled and boom - away it went instantly identified.

Turning either one off seems to be ok - so it's identifying from either from what I can see.

Any idea exactly what it's looking for to do this and best practice around best enabling this feature?

timboau
Posts: 10
Joined: Wed Aug 31, 2016 12:30 am

Re: Access Control

Post by timboau » Wed Apr 22, 2020 11:06 pm

Yes that's correct - RDP is working as expected.

If I allow all ports to both Router and DNS server the network is identified immediately.

What I'm looking for is the ports that Windows 10 uses to 'identify' the network and to which devices it's trying that on?
