Can not see NAS
-
I am fairly green to networking and PFSense so forgive my questions. I have a Protectly Vault that has 6 ports. One is my WAN and the other 5 are assigned different subnets. I can ping the NAS in PFSense (xxx.xxx.xxx.50) but not from windows. I can ping (xxx.xxx.xxx.1) from windows. In (Status / DHCP Leases) I do not see the NAS either. Please help me figure out which steps to take to allow my NAS on the network.
Thanks
Bryan -
@Bryan81 If you can ping the nas IP .50 from pfsense, but not from another network.. Either your rules on the interface your pinging from do not allow it.. But since you can ping the .1 I take that is pfsense on the interface your nas is connected to. I take it your rules allow..
By default the lan rules on pfsense are any any - so this would allow access to anything on any of your other local networks, unless you were doing policy routing and sending traffic out a specific wan gateway or vpn, etc.
More than likely your issue is just the firewall on the nas not allowing access from an IP that is not on its network.,
I would put your windows pc on the same network as your nas - and adjust the firewall rules to your needs/wants.
As for not showing up in dhcp leases.. More than likely you have it setup static on the nas - how else would you know that its IP ends with .50
BTW its pretty useless to hide your local rfc1918 networks.. x.x.x.50 and then x.x.x.1 just make it harder to help you. Is .1 your pfsense, is it your lan or the nas network? What network is your pc in? Is it in this x.x.x.50 network? Just guessing because you hid what the actual IP is.
My lan network is 192.168.9.0/24, my pc is at .100 my pfsense is at .253, my nas it at .10 on this network.. What do you think anyone could do with that info? Other than assuming I live on the planet earth ;)
-
Thanks
My pc is at 192.168.144.12 (the only thing on that port / subnet). My nas is at 192.168.147.50 also (the only thing on that port / subnet). So my pc can ping the nas's default gateway 192.168.147.1 but not the nas at 192.168.147.50 If I log into pfsense from my pc I can ping both .1 and .50 but not from the pc's command line. In the list of dhcp leases on pfsense I see all the devices connected to the Protectly Vault including static ip's but not the nas. The onlly firewall rule for 192.168.147.1 is allow all (for testing).
-
@Bryan81 said in Can not see NAS:
he onlly firewall rule for 192.168.147.1 is allow all (for testing).
what rules you have on the nas network interface in pfsense doesn't matter, what matters is the interface your coming from and trying to talk to the nas. What rules do you have on the 192.168.144 interface. if you allow your 144 network to talk to your 147 or the nas IP, the state would allow the return traffic.. You can have zero rules on this pfsense nas interface if you wanted.
Example my cameras - don't have any access to the internet or anything.. There are zero rules on that interface.
But I can still view them, because the state I create when I allow the traffic, allows the return traffic.
Again to dhcp - again if the device is static set on the device then no you wouldn't see it in the dhcp leases because it will never get one. How do you know the nas 147.50 if you didn't set it up to be that on the nas?
I am talking about the nas firewall.. You need to set it to allow your connections from your 144 network. Or just turn it off. What specific nas do you have?
Notice on my nas I have it off.
I have a synology ds918+ running dsm 7.2.1u6 currently.
I have zero reason for a firewall on the nas - my network is secure, only trusted devices on my network can talk to it, my iot and other vlans can not talk to it, and its not exposed to the public internet. I have zero reason to run a host firewall on it. My stuff on my roku vlan can only talk to plex on the 32400 port for example.
-
My nas is a QNAP brand. I have one 10 gig port going straight to my pc's 10 gig port (nas address 169.254.9.255) and 1 port of the nas to the Protecti Vault port set up as gateway 192.168.147.1 I logged onto the 169.254.9.255 address and changed the nas back to DHCP. It now shows up in pfsense leases as 192.168.147.100. The firewall rules for the both the nas and pc are set to pass any /any. I still can't ping the nas from the pc but the gateway pings.
-
@Bryan81 again what are your rules on you interface of this 192.168.144 interface in pfsense?
If the nas has no firewall setup and you can ping it from pfsense IP on the 147 network. Then either your not allowing the traffic to get to the 147 network from your 144, or you policy routing out some other gateway.. Or do you have any rules in floating?
Post up a picture of your rules the pc is on, this 192.168.144 network...
See there is no gateway set in the rule that allows any any.. Do you have any rules in floating - if so post those, those are evaluated before interface rules.
-
No float rules.
-
@Bryan81 well if you have no rules in floating, those rules would for sure allow access.
What I would suggest is you sniff and validate pfsense is indeed sending on the traffic.. So do a packet capture and send say a ping to your nas IP.. I will use for example a pi I have in my dmz vlan.. so my pc 192.168.9.100 pinging 192.168.3.32
So if I packet capture on my dmz (192.168.3.253 in my psfsense) interface and ping that IP from my pc..
You can see the request coming from my 9.100 IP going to the 3.32 IP.. And you see the reply
If you do not see the request or the reply - if you do not see the request, pfsense is not sending it on, or pfsense is never seeing it on your PC interface.. You could packet capture there and verify pfsense is seeing the traffic. Possible your PC has a mask and thinks 192.168.147 ip of your nas is on its local network and never sending it to pfsense to be routed to your nas.
If you see pfsense send it on when packet capture on your nas interface, but no reply then either your nas has its firewall running and just doesn't want to answer, or its mask is wrong and thinks that pc IP is on its local network so never sending back to pfsense. Or your nas is using some other gateway and not sending it back to pfsense?
But some packet captures can show you exactly what is going on.
-
Thanks Much. I will give it a try and update what I find but it maybe a few days until I have time.
Thanks Again!!
