
Author Topic: Windows File Sharing DMZ -> LAN Working *Sometimes*??  (Read 11007 times)


Offline 0x0

Windows File Sharing DMZ -> LAN Working *Sometimes*??
« on: May 26, 2011, 11:32:42 pm »
I've tried just about every firewall rule possible to get my linux servers in the DMZ to share samba shares with my windows box, but I can't seem to get it working.

Here are the facts:

  • Windows firewall on my windows 7 64-bit box is completely turned off
  • I've added LAN and DMZ rules to allow TCP/UDP on ports 135-139 and 445 - then I added every rule I could come up with - see image (LAN/DMZ.png)
  • My LAN gateway 10.10.10.250, DMZ gateway 192.168.100.1, Win IP 10.10.10.130
  • The samba machine runs on an ESXi server that is using a virtual setup to control packets --see image attached
  • I can ping the server(s) I'm trying to connect to samba from the win7 machine
  • I can't seem to telnet on ports 139 or 445 from the win7 -> samba linux machine
  • I can ssh to any of these machines from win7
  • I've been trying for a few days
  • I've never been very good at *networking*
  • I've had a bit of scotch...  :P

The strangest part of all this is that file sharing *seems* to work briefly if I telnet from the linux server to the windows machine (telnet 10.10.10.130 445). Once this initial packet is sent it allows me to log in and navigate the shares. So, I initiate the mapping of the samba share in windows by requesting the UNC in explorer (my computer) \\192.168.100.10\, then I do the telnet command on the samba machine (telnet 10.10.10.130 445) and file sharing works if I continue to keep the connection alive.

I'm thinking it is because of port triggering, but, like I said, I'm pretty lost when it comes to networking.

*Any* help would be appreciated. Thanks.



Offline Metu69salemi

Re: Windows File Sharing DMZ -> LAN Working *Sometimes*??
« Reply #1 on: May 27, 2011, 12:11:26 am »
you could see if there is something blocking traffic from status: system logs: firewall

Offline 0x0

Re: Windows File Sharing DMZ -> LAN Working *Sometimes*??
« Reply #2 on: May 27, 2011, 07:23:53 am »
That's a good tip, didn't even know that was there.

Here is what I get when I try to open port 445 from win7 box:

System
May 27 12:17:20 last message repeated 5 times
May 27 12:18:36 kernel: arp: 10.10.10.130 is on em0 but got reply from 48:5b:39:70:ff:04 on em1
May 27 12:19:03 kernel: arp: 10.10.10.130 is on em0 but got reply from 48:5b:39:70:ff:ff on em1
May 27 12:19:15 kernel: arp: 10.10.10.40 is on em0 but got reply from 00:1b:78:71:ff:fe on em1

Firewall
May 27 12:16:07 WAN 10.10.10.131:137 10.10.10.255:137 UDP
May 27 12:16:58 WAN 10.10.10.104:138 10.10.10.255:138 UDP
May 27 12:18:02 WAN 10.10.10.104:137 10.10.10.255:137 UDP

The first bit suggests maybe a configuration issue?

The firewall data is pretty strange. Why is it sending to 10.10.10.255 broadcast? And why is traffic going to the WAN at all?
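As an added illustration (not part of the thread), the two log excerpts above can be checked mechanically: the kernel's "is on em0 but got reply ... on em1" warnings say that hosts the firewall routes via LAN are also answering ARP on WAN, and the firewall log shows LAN-sourced NetBIOS broadcasts arriving on WAN, which together point at the same segment or subnet being present on both interfaces. The script below assumes the LAN is 10.10.10.0/24 (the thread only gives the gateway) and uses constructed sample lines in the same layout.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in the layout pfSense used in this thread (not a real capture).
SYSTEM_LOG = """\
May 27 12:17:20 last message repeated 5 times
May 27 12:18:36 kernel: arp: 10.10.10.130 is on em0 but got reply from 48:5b:39:70:ff:04 on em1
May 27 12:19:15 kernel: arp: 10.10.10.40 is on em0 but got reply from 00:1b:78:71:ff:fe on em1
"""
FIREWALL_LOG = """\
May 27 12:16:07 WAN 10.10.10.131:137 10.10.10.255:137 UDP
May 27 12:16:58 WAN 10.10.10.104:138 10.10.10.255:138 UDP
May 27 12:18:02 WAN 10.10.10.104:137 10.10.10.255:137 UDP
"""

# Assumption: the LAN is 10.10.10.0/24 (the thread only gives the gateway 10.10.10.250).
LAN_NET = ip_network("10.10.10.0/24")
SMB_PORTS = {137, 138, 139, 445}  # NetBIOS name/datagram/session and SMB over TCP

ARP_RE = re.compile(r"arp: (\S+) is on (\S+) but got reply from (\S+) on (\S+)")
FW_RE = re.compile(r"^\w{3} +\d+ [\d:]+ (\S+) (\S+):(\d+) (\S+):(\d+) (\S+)$")


def arp_conflicts(text):
    """(ip, expected_if, mac, seen_if) for every cross-interface ARP warning.
    One of these means a host the kernel routes via em0 answered ARP on em1,
    i.e. the same L2 segment (or subnet) is reachable on two interfaces."""
    return [m.groups() for m in map(ARP_RE.search, text.splitlines()) if m]


def smb_on_unexpected_iface(text, internal_net=LAN_NET, expected_if="LAN"):
    """Logged SMB/NetBIOS flows from an internal source that arrived on an
    interface other than expected_if (here: LAN hosts seen on WAN)."""
    hits = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        iface, src, _sport, dst, dport, proto = m.groups()
        if int(dport) in SMB_PORTS and ip_address(src) in internal_net and iface != expected_if:
            hits.append((iface, src, dst, int(dport), proto))
    return hits


if __name__ == "__main__":
    for ip, want, mac, got in arp_conflicts(SYSTEM_LOG):
        print(f"ARP: {ip} expected on {want} but {mac} answered on {got}")
    for iface, src, dst, port, proto in smb_on_unexpected_iface(FIREWALL_LOG):
        print(f"{proto}/{port} from {src} to {dst} seen on {iface} (expected LAN)")
```

Any hit from either function on a pfSense box with separate LAN and WAN cabling is worth chasing before touching the rule set, since rules cannot fix a host that is physically reachable on the wrong interface.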

Offline Perry

Re: Windows File Sharing DMZ -> LAN Working *Sometimes*??
« Reply #3 on: May 27, 2011, 08:05:18 am »
just my 2 cents...
Could it be that WAN and LAN are on overlapping subnets?
em0 and em1 belong to?
Remove all rules on DMZ and only leave the default LAN rule on LAN.
/Perry
doc.pfsense.org

Offline 0x0

Re: Windows File Sharing DMZ -> LAN Working *Sometimes*??
« Reply #4 on: May 27, 2011, 08:20:45 am »
em0 is LAN and em1 is WAN

I've removed all of the DMZ rules and left only the LAN rule with *'s in each position.

It's very strange behavior. Everything has been working fine, http/s, ssh, IMAP/S, etc.

All I wanted to do was allow file sharing from the LAN to DMZ and it's getting all hosed up.

What would be a rule that would allow all DMZ traffic to the LAN and vice versa? Maybe this would help with troubleshooting?

I'm just really confused why it allows port 22, 80, etc, but it would not allow 135-139 and 445.
« Last Edit: May 27, 2011, 10:43:18 am by 0x0 »

Offline Metu69salemi

Re: Windows File Sharing DMZ -> LAN Working *Sometimes*??
« Reply #5 on: May 28, 2011, 03:11:34 pm »
Are you sure that you don't have machines outside of the network? As an example: on the WAN side?
Can you take screenshots from your rules?

Offline 0x0

Re: Windows File Sharing DMZ -> LAN Working *Sometimes*??
« Reply #6 on: May 28, 2011, 04:41:15 pm »
I'm not sure what you mean by 'machines outside of network'.

The most puzzling part of all of this is that I can perform 10.10.10.x -> 192.168.100.x :22/80/443/etc, but I can't do 10.10.10.x -> 192.168.100.x :445/139/etc.

Here are screens of the WAN rules.

Offline Metu69salemi

Re: Windows File Sharing DMZ -> LAN Working *Sometimes*??
« Reply #7 on: May 29, 2011, 02:15:26 pm »
I did a little peek only (wife is nagging). Try to also allow UDP traffic.

Offline 0x0

Re: Windows File Sharing DMZ -> LAN Working *Sometimes*??
« Reply #8 on: May 29, 2011, 07:21:39 pm »
So I should add a rule to allow 445/139/etc on the WAN interface? This is the internet interface though... won't that put my shares on the internet?

Offline Metu69salemi

Re: Windows File Sharing DMZ -> LAN Working *Sometimes*??
« Reply #9 on: May 29, 2011, 11:30:38 pm »
No don't do that. Good point.

Actually I was interested in the LAN and DMZ rules.

Offline 0x0

Re: Windows File Sharing DMZ -> LAN Working *Sometimes*??
« Reply #10 on: May 30, 2011, 04:06:39 pm »
LAN and DMZ rules are in first post.

Take them with a grain of salt though, I modified the heck out of them to let something through on 445.

Offline Metu69salemi

Re: Windows File Sharing DMZ -> LAN Working *Sometimes*??
« Reply #11 on: May 30, 2011, 10:41:17 pm »
Okay, my last chance of knowing a thing:
Have you tried to connect by just typing \\servername\sharename? And what DNS and DHCP servers do you have, and do they know each other? So do you have, as an example,
LAN, 10.10.1.0/24, separate dns-server, separate/internal dhcp-server
DMZ, 10.10.2.0/24, internal dns-server, internal dhcp-server

To simplify my question, do you happen to have tried to connect with DNS or FQDN, but your DNS doesn't have A and PTR records? If that's not it, then I don't know.

Offline 0x0

Re: Windows File Sharing DMZ -> LAN Working *Sometimes*??
« Reply #12 on: May 31, 2011, 08:00:35 am »
I've circumvented all of that and used the IP to connect. No DNS involved.

For instance, I can connect from 10.10.10.130 to 192.168.100.10 on port 22, but I can't connect to 192.168.100.10 on port 445. If I move the adapter (in vSphere) to the LAN and give it a 10.10.10.x address, everything works fine.

Yeah, it's driving me crazy. Thanks for the help troubleshooting.

Offline wallabybob

Re: Windows File Sharing DMZ -> LAN Working *Sometimes*??
« Reply #13 on: May 31, 2011, 05:44:39 pm »
For instance, I can connect from 10.10.10.130 to 192.168.100.10 on port 22, but I can't connect to 192.168.100.10 on port 445.
This suggests there is something particular about the service on 445 that is causing the connect attempt to fail.

What are you using to make the connection? How is the failure reported? Is there anything in the pfSense firewall log about this attempt?

I don't know how your service on port 445 works. The standard service on that port appears to be microsoft-ds, which I presume is Microsoft directory services, which would probably need to have "outside access" at some stage, in which case you would probably need to have firewall rules allowing certain DMZ to WAN access. It's possible you actually are connecting to the service on port 445 and the failure you see is a failure status returned by that service rather than a failure to connect. Does your service on port 445 have a status log you can look at?

I haven't bothered to look at your firewall rules because you "modified the heck" out of the rules you posted. If you have an internal DNS on the DMZ you almost certainly need to allow some sort of access from DMZ to WAN.

I have a Linux server in my DMZ and I can access SAMBA shares (in a WORKGROUP rather than a domain) there from Linux and Windows systems on my LAN through my pfSense box.


Offline 0x0

Re: Windows File Sharing DMZ -> LAN Working *Sometimes*??
« Reply #14 on: May 31, 2011, 06:05:52 pm »
I used telnet to check for a listening service on that port. (i.e. >telnet 192.168.100.10 445)

Telnet will connect to the port if there is a service listening and it has a path to the host.

For troubleshooting purposes, could you suggest rules on the interfaces that would definitively allow 445?