
Author Topic: Windows File Sharing DMZ -> LAN Working *Sometimes*??  (Read 11359 times)


wallabybob (Hero Member, Posts: 5239, Karma: +11/-1)
Re: Windows File Sharing DMZ -> LAN Working *Sometimes*??
« Reply #15 on: May 31, 2011, 06:42:57 pm »
> I used telnet to check for a listening service on that port. (i.e. >telnet 192.168.100.10 445)

Telnet will connect to the port if there is a service listening and it has a path to the host.
What does telnet report? There isn't information here to distinguish between a number of different failures. Telnet might "fail" because it receives no response to its connect attempt, its connect attempt was refused, its connect attempt succeeded but it received an "invalid" message from the remote end etc etc.
What is it you are trying to prove?

> For troubleshooting purposes, could you suggest rules on the interfaces that would definitively allow 445?

Do you know the problem is a firewall problem? As I suggested earlier there might be other reasons why you can't access shares by hostname. Have you checked the firewall log on pfSense to see if it's blocking access?



0x0 (Newbie, Posts: 11, Karma: +0/-0)
Re: Windows File Sharing DMZ -> LAN Working *Sometimes*??
« Reply #16 on: May 31, 2011, 08:06:28 pm »
That's correct, telnet would fail and you would receive a multitude of failure responses, connection refused, connection timed out, could not open connection to host on port, no route to host, et al. It's a very basic way to test if a service is listening on a host.

I was attempting to rule out the firewall as a problem at this point by opening the needed ports and giving carte blanche access to any traffic between the interfaces.

At no time did I ever suggest that I was attempting to access any host by its hostname - all connections are purely IP based.

Yes, I have checked the firewall log and the states and there is no record of the packets being blocked.

wallabybob (Hero Member, Posts: 5239, Karma: +11/-1)
Re: Windows File Sharing DMZ -> LAN Working *Sometimes*??
« Reply #17 on: May 31, 2011, 09:14:57 pm »
> That's correct, telnet would fail and you would receive a multitude of failure responses, connection refused, connection timed out, could not open connection to host on port, no route to host, et al. It's a very basic way to test if a service is listening on a host.

If you are getting that variety of responses to your telnet access attempt then I think you should look at the log of the application that's providing the service on port 445. That variety of responses suggests the service is sometimes working and sometimes isn't. Maybe it's encountering an error and restarting in an attempt to recover from the error.
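A small port probe that records which of the failure modes listed in the last three replies actually occurred on each attempt, as an added example (not code from the thread); it uses loopback so it runs offline, and 192.168.100.10:445 from the thread would be passed to it the same way.

```python
"""Classify a failed TCP connect instead of reporting only that "telnet failed".

Added illustration for the telnet/port-445 discussion above; not code from the
thread. Loopback addresses are used so it runs offline.
"""
import errno
import socket
from collections import Counter


def probe_tcp(host, port, timeout=3.0):
    """Return one verdict for a single TCP connect attempt."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"              # handshake completed: a service is listening
    except socket.timeout:
        return "timeout"           # no SYN-ACK and no RST: dropped by a firewall or no path
    except OSError as e:
        if e.errno == errno.ECONNREFUSED:
            return "refused"       # host answered with RST: reachable, nothing on that port
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"   # local stack has no usable route (or ARP failed)
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()


def probe_many(host, port, attempts=5, timeout=3.0):
    """Repeat the probe; a mix of verdicts is the 'works sometimes' signature."""
    return Counter(probe_tcp(host, port, timeout) for _ in range(attempts))


def demo_local(timeout=1.0):
    """Show 'open' against a temporary listener, then 'refused' once it is gone."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))     # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port, timeout)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port, timeout)
    return while_open, after_close


if __name__ == "__main__":
    print(demo_local())            # ('open', 'refused')
    print(probe_many("127.0.0.1", 1, attempts=3, timeout=1.0))
```

Run it a few times against the real host; a service that is restarting shows up as a Counter with both "open" and "refused" entries, while a firewall drop shows up as "timeout" only.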
 

0x0 (Newbie, Posts: 11, Karma: +0/-0)
Re: Windows File Sharing DMZ -> LAN Working *Sometimes*??
« Reply #18 on: June 01, 2011, 06:05:01 pm »
Ok, so I think I've got this figured out, but I don't know how to solve the issue.

It looks like the issue is that the desktop PC gateway is 10.10.10.1 and the LAN gateway for pfsense is 10.10.10.25.

GATEWAY 10.10.10.1

C:\>tracert 192.168.100.10

Tracing route to 192.168.100.10 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  xxxxxxxxxxxx.com [10.10.10.1]
  2     1 ms     1 ms     1 ms  xxxxxxxxxxxx.com [173.x.x.x]
  3     1 ms     1 ms     1 ms  192.168.100.10

Trace complete.
GATEWAY 10.10.10.25

C:\>tracert 192.168.100.10

Tracing route to 192.168.100.10 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  xxxxxxxxxxxxxx.com [173.x.x.x]
  2    <1 ms    <1 ms    <1 ms  192.168.100.10

Trace complete.



The attached image is a diagram of my network for the most part. So, my question is: how do I access the samba shares in the DMZ, but still allow me to remote in using VNC to my PC should there be an issue with pfsense that needs to be corrected? Having 10.10.10.1 as my gateway allows me to VNC in and repair/configure pfsense and I don't have to worry about locking myself out. If I change my gateway to 10.10.10.25, my shares work, but my VNC forwarding from the 10.10.10.1 router breaks. Vice versa, using gateway 10.10.10.1, my VNC works, but my shares don't.
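How the PC's routing table picks the next hop in each of the two tracert cases above, as an added example (not code from the thread); the third table, a default route via 10.10.10.1 plus a static route for 192.168.100.0/24 via 10.10.10.25, is my assumption of one way a single PC could keep both the VNC forward and the DMZ shares, not something the thread itself proposes.

```python
"""Next-hop selection (longest prefix match) for the gateway layouts in the tracert output.

Added illustration, not code from the thread. The two single-gateway tables mirror the
posts; the third (default via 10.10.10.1 plus a static route for the DMZ subnet via
10.10.10.25) is an assumed layout, not one the thread describes.
"""
import ipaddress


def next_hop(routes, destination):
    """Return the gateway for `destination`; the most specific matching prefix wins."""
    dst = ipaddress.ip_address(destination)
    best_net, best_gw = None, None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gateway
    return best_gw


# Constructed tables. "direct" = on-link, no gateway. Addresses are from the thread
# except 203.0.113.7, an RFC 5737 documentation address standing in for a remote VNC user.
ROUTES_GW_1 = [("10.10.10.0/24", "direct"), ("0.0.0.0/0", "10.10.10.1")]
ROUTES_GW_25 = [("10.10.10.0/24", "direct"), ("0.0.0.0/0", "10.10.10.25")]
# Windows equivalent of the extra row: route add 192.168.100.0 mask 255.255.255.0 10.10.10.25 -p
ROUTES_SPLIT = ROUTES_GW_1 + [("192.168.100.0/24", "10.10.10.25")]

DMZ_SAMBA = "192.168.100.10"
REMOTE_VNC_CLIENT = "203.0.113.7"


def path_summary(routes):
    """Where SMB traffic to the DMZ goes, and where replies to the forwarded VNC session go.

    The VNC reply must leave via 10.10.10.1, the router holding the port-forward's NAT
    state; the working tracert shows SMB leaving via 10.10.10.25 (the pfSense LAN side).
    """
    return {
        "samba": next_hop(routes, DMZ_SAMBA),
        "vnc_reply": next_hop(routes, REMOTE_VNC_CLIENT),
    }


if __name__ == "__main__":
    for name, table in (("gw .1", ROUTES_GW_1), ("gw .25", ROUTES_GW_25), ("split", ROUTES_SPLIT)):
        print(name, path_summary(table))
```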

   

wallabybob (Hero Member, Posts: 5239, Karma: +11/-1)
Re: Windows File Sharing DMZ -> LAN Working *Sometimes*??
« Reply #19 on: June 01, 2011, 09:04:30 pm »
Your network configuration strikes me as being a bit unusual. I don't know if that's the final configuration you want or if you happened upon that configuration in an attempt to get something else working. (For a start, your LAN is potentially unprotected by pfSense.)

If you came upon that configuration in an attempt to test internet access to your services then you should be aware that it isn't testing what your cable network adapter will do on access attempts from the internet and you will probably have to test that from the "outside". (Like pfSense, many of this sort of box treat the WAN port as special.)

I think you should move the switch from the pfSense WAN interface to the LAN interface, connect the pfSense WAN interface directly to the cable network adapter and connect the 10.10.10.130 PC to the switch connecting to the pfSense LAN interface. 

You don't say what your cable network adapter does. Since you say you have a route in it I'll assume you have it operating as a router rather than a bridge or modem. Many of this sort of device have a rudimentary firewall, in which case you will need to configure port forwarding rules for the services you wish to be accessible from the internet (e.g. FTP from the internet, ssh, vnc etc should all go to the pfSense WAN interface IP address) and corresponding port forwarding rules should be set up in pfSense (Firewall -> NAT, click on the Port Forward tab) to forward these access attempts to the appropriate server.

Perhaps you have combined the pfSense LAN and WAN so you can get access to the cable network adapter configuration mechanism at 10.10.10.1. I suspect (I don't have suitable equipment to test this) that you could provide such access by configuring a Virtual IP of type IP Alias with IP address 10.10.10.x/24 on the pfSense WAN interface. (See Firewall -> Virtual IPs, click on the Virtual IPs tab.) You would need to have a different subnet on the LAN interface first.


Metu69salemi (Hero Member, Posts: 1556, Karma: +2/-0)
Re: Windows File Sharing DMZ -> LAN Working *Sometimes*??
« Reply #20 on: June 02, 2011, 04:00:47 am »
I agree with wallabybob..

I don't understand why you have the firewall WAN/LAN within the same unmanaged switch?
I assume that you are trying to use pfsense as a router, because it's placed inside the network and not at the edge of it. Am I right?
Or you're doing some sort of test environment inside the network.



0x0 (Newbie, Posts: 11, Karma: +0/-0)
Re: Windows File Sharing DMZ -> LAN Working *Sometimes*??
« Reply #21 on: June 02, 2011, 08:52:41 am »
Ok, I'll tinker around with things later tonight in an attempt to conform to your suggestions; however, please keep in mind that the pfsense LAN, WAN, and DMZ are all self-contained in a virtual machine running on VMware ESXi. The server has two NICs, and they both act as switches, not as a traditional NIC - this is just how ESXi operates.

The cable modem is acting as a network adapter (as much as I can get it to) and it is providing DHCP. It's a crappy Comcast SMC business adapter/cable modem and isn't a very robust unit. It has an IP like 173.x.x.6 and pfsense has virtual IPs 173.x.x.1 - 173.x.x.5 using ARP (I'm not 100% sure how that works, but it does.) The pfsense then can allow/deny rules based on the ones on that interface. 

There are a few computers, wireless routers and other devices that use 10.10.10.1 as their gateway. I saw no reason for them to use pfsense since it would be a single point of failure. And god help me if netflix goes down while I'm at work and the kids can't watch spongebob...  :P

I have the VNC port being port forwarded from the cable modem right to 10.10.10.130, so should my ESXi server fail, I can still access the network to fix things.

I appreciate everyone helping with this, I really figured all this out on my own, that's why my network looks like it is held together with duct tape and magic (because it is...).

stortoaranci (Newbie, Posts: 3, Karma: +0/-0)
Re: Windows File Sharing DMZ -> LAN Working *Sometimes*??
« Reply #22 on: June 21, 2011, 07:46:11 am »
Hi,

I have the same problem too. The only difference is that the LAN is a bridged network in order to allow Wi-Fi connections.

In my case, if I go through WLAN then I can reach the samba server in the DMZ, but I'm unable to from eth0. There are no rules on the WLAN/ETH interfaces.

In Wireshark I can see DMZ traffic in reply to LAN requests, but the service always asks for a password.

The samba server has its own DNS server, no DHCP.

No problem through OpenVPN either.

I'm able to connect to the same server via ssh, vnc, http...

The pfsense version is yesterday's build.

Thank you for the help.