Products > Networking & Wireless

Funny PING problem

(1/4) > >>

peter-h:
I have a LAN, say 192.168.1.*

On that LAN I have a fixed IP device, a little win7-64 industrial PC, say 192.168.1.123

From any PC on that LAN I can ping the 123 one, I can run RDP to it, and I can browse it with File Explorer (by going to \\192.168.1.123).

I also have a VPN (from a remote site) terminating on the above LAN.

From the remote site I can ping or file-browse all devices on the above LAN. Except the .123 one!

But from the remote site I can run RDP (remote desktop) to the .123 device. So RDP works to .123 but I cannot ping it. I also cannot browse it by going to \\192.168.1.123 (the usual error code 0x80004005).

Yet pings (ICMP) cannot be disabled in the .123 firewall because one can ping it from another PC on the same LAN. Same for file browsing - cannot be disabled.

The VPN is IPSEC, site to site. Been working for years. All PCs are win7-64.

This is quite a narrow scenario and I wonder what it could be. Two things not working to .123. It is as if access was allowed from a local subnet only, but where might this be configured? But the VPN is terminating on the LAN i.e. something like 192.168.1.200 - that is how a VPN is supposed to work. The remote user is de facto on the LAN; he's not "remote".

gmb42:
Have a look at Windows network profiles.  There are three, for domain, private and public and they set firewall restrictions accordingly.

Not entirely sure what such a decrepit OS supports, but in PowerShell I use
--- Code: ---Get-NetConnectionProfile
--- End code ---
to see the profile of all interfaces and
--- Code: ---Set-NetConnectionProfile InterfaceIndex xxx -NetworkCategory yyy
--- End code ---
to modify it.

peter-h:

--- Quote ---There are three, for domain, private and public
--- End quote ---

My point is that how can the .123 device tell?

A PC on the same subnet should appear the same as a PC on the far end of a VPN which terminates on the same subnet.

Looking at the firewall settings, private profile, I find, as expected, that enabling/disabling incoming firewall controls whether the remote ping works or not.

So I went to look through the firewall inbound rules to see which are for private profile and block but I see no obvious candidates. There is a lot of ICMPv6 but I have IPV6 disabled at the adapter properties.

2N3055:

--- Quote from: peter-h on October 09, 2024, 11:23:21 am ---
--- Quote ---There are three, for domain, private and public
--- End quote ---

My point is that how can the .123 device tell?

A PC on the same subnet should appear the same as a PC on the far end of a VPN which terminates on the same subnet.

Looking at the firewall settings, private profile, I find, as expected, that enabling/disabling incoming firewall controls whether the remote ping works or not.

So I went to look through the firewall inbound rules to see which are for private profile and block but I see no obvious candidates. There is a lot of ICMPv6 but I have IPV6 disabled at the adapter properties.

--- End quote ---

Might be stupid question, but did you try disabling FW altogether on .123 device for starters?
Do you have any AV software on it? ESET, for instance, has it's own FW too.

peter-h:

--- Quote ---but did you try disabling FW altogether on .123 device for starters?
--- End quote ---

Yes - as I say above. It makes it work. Problem is, the number of potential rules to try turning on and off is vast.

No AV software.

Navigation

[0] Message Index

[#] Next page

There was an error while thanking
Thanking...
Go to full version
Powered by SMFPacks Advanced Attachments Uploader Mod