Windows Share problem

Metu69salemi

What firewall rules and what outbound nat rules you have concerning this setup?

krisken

Dear Metu69salemi,

i've made some screenshots for you so you can get a clear view of the setup.
There can be some mistakes because i've tried to fix it using trial and error :)

Dashboard : http://kris.derocker.name/pfsense/windowsshare/dashboard.jpg
Outboud NAT : http://kris.derocker.name/pfsense/windowsshare/firewall-nat-outbound.jpg
Firewall rules LAN : http://kris.derocker.name/pfsense/windowsshare/firewall-rules-lan.jpg
Firewall rules WIFIPRIVATE : http://kris.derocker.name/pfsense/windowsshare/firewall-rules-wifiprivate.jpg

Metu69salemi

You may need new rule on manual outbound nat as:
from privatewifi to lan check the box DO NOT NAT

krisken

I've tried these settings without effect…

WIFIPRIVATE  10.0.0.0/24 * * * * * NO
LAN  10.101.0.0/24 * * * * * NO
WIFIPRIVATE  10.101.0.0/24 * 10.0.0.0/24 * * * NO
LAN  10.0.0.0/24 * 10.101.0.0/24 * * * NO

Lan = 10.0.0.1/24 range
WIFIPRIVATE = 10.101.0.1/24 range

Metu69salemi

did you change the order that more specific is uppermost?

cmb

I don't see any reason you need manual outbound NAT, better to use automatic, it won't NAT between internal subnets which is what is breaking your Windows share.

Metu69salemi

ok, thanks for the info, it was new to me also.

krisken

I use manual NAT because i also route some IP blocks (external IP's)

cmb

@krisken:

I use manual NAT because i also route some IP blocks (external IP's)

Ok, in that case just make sure you don't have outbound NAT rules matching traffic between internal networks.

krisken

Dear,

I don't think i have…do i?

cmb

Too many interfaces there in outbound NAT and not enough context to tell. Run a constant ping to the NAS, and check Diagnostics>States. Should just show two IPs there, not a third in the middle where it's translating it. If that's good, then your problem is almost certainly the NAS is setup to not serve Windows shares to off-subnet hosts. For instance Samba has a config option that lets you restrict what IP subnets it will serve, if it's a Windows host, the default Windows firewall settings commonly block all off-subnet file access.

krisken

This is what i get with ping :

icmp 10.0.0.31:768 <- 10.101.0.2 0:0
icmp 10.101.0.2:768 -> 10.0.0.31 0:0

10.0.0.31 = NAQ
10.101.0.2 = laptop using wireless

cmb

Then you aren't NATing, so that much is good. Problem is on the server then, what I noted in my last post.

krisken

cmb,

Thanks for your support, time and answers!