next »

[krisken]

Dear,

I have a dual wan setup at home with a lot of interfaces/ip ranges:
- 10.0.0.1/24 for pfsense, switch, voip ata's, LAN disks, computers connected to LAN, ...
- 10.101.0.1/24 (vlan) for private wifi usage (all wireless devices from myself and my girlfriend such as laptop, netbook, phone, tablet, ...)
- 10.102.0.1/24 (vlan) for trusted wifi usage (wireless devices from friends and neighbours)
- 10.103.0.1/24 (vlan) for public wifi usage (wireless devices from people i don't know, but just wants to surf the internet)

All wireless connections goes tru the Meraki AP (Meraki MR12) which supports the vlans.  All internet connections work perfect including landing pages, ip ranges etc.  Also email, msn, ftp, ssh, ... work great! 

One of my LAN disks has ip 10.0.0.31.  When my netbook is connected to the switch (and gets an 10.0.0.31/24 ip), i can access it perfectly.  But when connected to wifi-private i can't access the windows share (\\10.0.0.31).  Only the webserver (http://10.0.0.31) works.

Can someone please help me with this issue?

[Metu69salemi]

What firewall rules and what outbound nat rules you have concerning this setup?

[krisken]

Dear Metu69salemi,

i've made some screenshots for you so you can get a clear view of the setup.
There can be some mistakes because i've tried to fix it using trial and error

Dashboard : http://kris.derocker.name/pfsense/windowsshare/dashboard.jpg
Outboud NAT : http://kris.derocker.name/pfsense/windowsshare/firewall-nat-outbound.jpg
Firewall rules LAN : http://kris.derocker.name/pfsense/windowsshare/firewall-rules-lan.jpg
Firewall rules WIFIPRIVATE : http://kris.derocker.name/pfsense/windowsshare/firewall-rules-wifiprivate.jpg

[Metu69salemi]

You may need new rule on manual outbound nat as:
from privatewifi to lan check the box DO NOT NAT

[krisken]

I've tried these settings without effect...

WIFIPRIVATE      10.0.0.0/24    *    *    *    *    *    NO
LAN      10.101.0.0/24    *    *    *    *    *    NO
WIFIPRIVATE      10.101.0.0/24    *    10.0.0.0/24    *    *    *    NO
LAN      10.0.0.0/24    *    10.101.0.0/24    *    *    *    NO

Lan = 10.0.0.1/24 range
WIFIPRIVATE = 10.101.0.1/24 range

[Metu69salemi]

did you change the order that more specific is uppermost?

[cmb]

I don't see any reason you need manual outbound NAT, better to use automatic, it won't NAT between internal subnets which is what is breaking your Windows share.

[Metu69salemi]

ok, thanks for the info, it was new to me also.

[krisken]

I use manual NAT because i also route some IP blocks (external IP's)

[cmb]

I use manual NAT because i also route some IP blocks (external IP's)

Ok, in that case just make sure you don't have outbound NAT rules matching traffic between internal networks.

[krisken]

Dear,

I don't think i have...do i?

[cmb]

Too many interfaces there in outbound NAT and not enough context to tell. Run a constant ping to the NAS, and check Diagnostics>States. Should just show two IPs there, not a third in the middle where it's translating it. If that's good, then your problem is almost certainly the NAS is setup to not serve Windows shares to off-subnet hosts. For instance Samba has a config option that lets you restrict what IP subnets it will serve, if it's a Windows host, the default Windows firewall settings commonly block all off-subnet file access.

[krisken]

This is what i get with ping :

icmp    10.0.0.31:768 <- 10.101.0.2    0:0    
icmp    10.101.0.2:768 -> 10.0.0.31    0:0

10.0.0.31 = NAQ
10.101.0.2 = laptop using wireless

[cmb]

Then you aren't NATing, so that much is good. Problem is on the server then, what I noted in my last post.

[krisken]

cmb,

Thanks for your support, time and answers!