WHS2011 rules
-
Been trying to rack my brain on this issue, whereby unless I'm on the same subnet as the server is on, I cannot access the WHS server.
I've got this one in testing atm, to see if I want to use it for backup purposes, but also considering FreeNAS (as I know that's relatively easy to configure).
So, if my LAN configuration is as follows, how would I go about configuring the firewall/NAT rules to allow access to the 2nd server (which atm will be either FreeNAS or WHS 2011, I'll know by the end of the week) from the other subnets on the network?
Network topology is as follows:
ETH1 - 192.168.2.0/24
ETH2 - 192.168.4.0/24
I did have a 54M Atheros card in the main box, but took that out as I found the Wireless AP side of pfSense was a little shaky, so I've redirected it through a Linksys WAP-200, and the wireless is fine now ;D
Any hints/tips would be greatly appreciated
-
This depends how you want to access it.
If you just need to access it by IP you just need to add firewall rules, or edit the existing rules, to allow it.
If you need the server to just auto-magically appear for Windows clients things get more complex. ;)
Steve
-
The automatically appear/access bit is what I'm trying to achieve.
Thing is, I can access the WHS box if I'm on the wired (duh, cuz it's on it), but the wireless can ping the box, just not access it.
I'd like to leave it as is, on the Wired (LAN), but be able to access it from the other Subnet (OPT1).
I had an idea I could always take the wireless card out of the firewall, put it into the WHS box, and then run on both subnets that way.
But that's the easy way out lol ;D
I want to aim for just one connection. But if I have to run 2 NICs, I guess I'll have to.
-
Thing is, I can access the WHS box if I'm on the wired (duh, cuz it's on it), but the wireless can ping the box, just not access it.
I would count ping as an access. Please describe the access you are attempting (web?, telnet? ssh? windows explorer? etc), whether the access attempt uses IP address or hostname and what is reported on the access attempt.
On my pfSense box OPT1 interface there is a Linux server running Samba. I can successfully access that server from Windows and Linux systems on the LAN interface including drag and drop files between systems on the LAN and the server.
-
The access I am trying to get is as follows:
http://www.mswhs.com/2007/06/what-ports-do-i-forward-in-my-router-for-whs/
I need file/print access as well as what that link suggests:
SMB, file sharing, UPnP (that bit I've got largely sorted out), so I can allow devices on the network to automatically be able to back up to the WHS 2011 server, and to be able to access the server itself to administer as necessary.
-
Thanks for the additional information. Unfortunately you didn't answer my questions: @wallabybob:
Please describe . . . whether the access attempt uses IP address or hostname and what is reported on the access attempt.
I'm also unclear about your configuration: How many network interfaces does your pfSense have? What are their names? In terms of the pfSense interface names, what accesses do you want to allow? (For example, "I want systems on the pfSense OPT1 interface to be able to access the WHS system on the OPT2 interface.")
-
I'll fully test it out when I get home, I'm currently at work atm
But in regards to the last issue:
WAN (nfe0) - PPPoE
LAN (re0) - 192.168.2.0/24
OPT1 (re1) - 192.168.4.0/24
But yes, essentially I want to be able to fully access WHS from either subnet (LAN or OPT1).
-
The default firewall rules allow systems on LAN to access systems anywhere while all access from OPTx interfaces and WAN interface is blocked.
So assuming standard firewall rules and that WHS is on the pfSense OPT1 interface you should be able to access WHS from LAN systems by giving its IP address. (Access by name may require additional configuration.)
Let's start with the simple things: does that much work?
-
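As an added example (not code from any of the posters in this thread), the following Python script does the "simple things" check asked for above: it resolves the server by name, then tries TCP connections to the file-sharing ports, so that "I can ping it but not access it" splits into the cases that actually need different fixes (name resolution versus a firewall rule between the pfSense interfaces). The port list is an assumption (445 and 139, the SMB and NetBIOS session ports Windows file sharing uses); the local listener exists only so the script can be tried offline.

```python
"""Reachability check for a server sitting on another pfSense interface.

Added example, not from the thread. Separates three failure modes that
"I can ping it but not access it" lumps together:
  1. the hostname does not resolve (name resolution, not the firewall)
  2. the name resolves but no TCP port answers (firewall rule between interfaces)
  3. some ports answer and others do not (the allow rule is too narrow)
"""
import socket
import threading

# Assumed defaults: SMB over TCP (445) and the NetBIOS session service (139),
# the two ports Windows file sharing uses. Pass others on the command line.
DEFAULT_PORTS = (445, 139)


def resolve_host(name):
    """Return the IPv4 address for name, or None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def tcp_port_open(ip, port, timeout=2.0):
    """True if a TCP connection to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out or unreachable all count as blocked
        return False


def check_access(target, ports=DEFAULT_PORTS, timeout=2.0):
    """Resolve target and probe each port; return a dict describing the outcome."""
    result = {"target": target, "resolved": resolve_host(target), "ports": {}}
    if result["resolved"] is None:
        return result
    for port in ports:
        result["ports"][port] = tcp_port_open(result["resolved"], port, timeout)
    return result


def summarize(result):
    """Turn a check_access() result into a one-line diagnosis."""
    target, ip = result["target"], result["resolved"]
    if ip is None:
        return f"{target}: name does not resolve (try the IP address; access by name needs DNS/NetBIOS name resolution fixed)"
    reachable = sorted(p for p, ok in result["ports"].items() if ok)
    blocked = sorted(p for p, ok in result["ports"].items() if not ok)
    if not blocked:
        return f"{target} ({ip}): all checked ports reachable {reachable}"
    if not reachable:
        return f"{target} ({ip}): resolves but no checked port answers {blocked}; check the firewall rules on the client's pfSense interface"
    return f"{target} ({ip}): reachable {reachable}, blocked {blocked}; the allow rule is narrower than the service needs"


def open_local_listener():
    """Stand-in server on 127.0.0.1 (ephemeral port) so the script can be tried offline.
    Returns (listening socket, port); a daemon thread accepts and drops connections."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener has been closed
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real use: python check_access.py <server-name-or-ip> [port ...]
        ports = [int(p) for p in sys.argv[2:]] or DEFAULT_PORTS
        print(summarize(check_access(sys.argv[1], ports)))
    else:
        # Offline demo: once against the stand-in listener, once after it is closed
        srv, port = open_local_listener()
        print(summarize(check_access("127.0.0.1", [port])))
        srv.close()
        print(summarize(check_access("127.0.0.1", [port])))
```

Run it from a client on the OPT1 subnet against the WHS box by IP first, then by name; if the IP run shows every port reachable while the name run does not resolve, the firewall rules are fine and only name resolution is left to sort out.
-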
AFAIK it can, but will confirm when I get home.
The WHS 2011 box is on the LAN subnet, the printer (Brother MFC-8840D) as well, and a spare LAN cable for me to patch in on my laptop if needed, and my FetchTV box.
Both laptops, the computer in the living room all run from the wireless, as well as mobiles and the tablet
If it was access by IP, that would be OK, but access by name would be good.
I've got a majority of the stuff done, it's just allowing access fully for the WHS box that's doing my head in atm, lol.
I'll grab some screen caps when I get back home, and post up how it's configured (I have to take some hardware out when I get back, so will reinstall when I get home).
-
The WHS 2011 box is on the LAN subnet, the Printer (Brother MFC-8840D) as well, and a spare LAN cable for me to patch in on my laptop if needed, and my FetchTV box
Do you want to allow access from the internet to any of these systems?
Both laptops, the computer in the living room all run from the wireless, as well as mobiles and the tablet
And these connect to which pfSense interface?
If it was access by IP, that would be OK, but access by name would be good.
Let's keep that goal in mind but aim on getting the basics right first.
A common strategy would be to put everything that wants to talk together on the same pfSense interface (and same IP subnet) since they would then be able to communicate directly without going through pfSense. However systems that need to be accessed FROM the internet would be put on a separate interface to help provide some measure of isolation between them and the other systems. This kind of separation means firewall rules can apply between systems that can be accessed from the internet and systems you don't want accessed from the internet because, being on separate interfaces, communication between them has to go through the firewall.
-
To answer the first question:
Yes, except the Brother device (it doesn't need internet access).
Wireless runs from re1, which I have connected to a Linksys WAP200.
Printer is just connected to the LAN (re0).
Moving everything that needs to talk to the WHS box to the same subnet makes sense. If we go by that situation, would setting up a VLAN be the best bet?
Either that or I can always try throwing in that wireless NIC into the other server, so that it's visible on both.
-
I asked @wallabybob:
Do you want to allow access from the internet to any of these systems?
to which you replied:
@Nutterpc: To answer the first question:
Yes, except the Brother device (it doesn't need internet access).
I think I need to clarify the question. "access" is not the same as "download". To give an example, you might "access" the pfSense web site (access TO) and then kick off a "download" of an installable file. When you say you want to allow access FROM the Internet to your laptop and Fetch TV box it says to me you want to allow some systems on the internet (which systems? any?) to do some stuff (what stuff? read files? write files?) to your WHS AND laptop AND Fetch TV box. Is that what you mean?
-
WHS relies quite heavily on UPnP-style autodiscovery for a lot of its services, especially if you're not using it as a DHCP server etc.
Getting UPnP working across subnets seems to be 'challenging'. ::) You should be able to make it work using the IGMP proxy; however I recently failed to guide another user to do so.
Here is what I would do:
Bridge your two interfaces but leave filtering on the bridge members and add rules as and when you need them.
Steve
-
That's what I was trying to find out, Stephen.
So long as I have some information to go by, that will allow me to be able to work on the rest of it.
I just have to remember to back up the config now, as I have the Squid proxy server finally working as it should be (man, you wouldn't believe what a relief it is to finally see it working as it should).
I've transferred the Wireless NIC from the Sun Workstation to my Proliant ML350 G5 (which is going to be built as the Fileserver/Backup Server)
But do you think finding 15k RPM SAS drives is cheap? lol, as well as DDR3 ECC RAM, lol ;D
I've configured the pfSense box as best I can for now, so I have to finish the rest of it after work tomorrow (have to be up by 5am to be ready for work ::) ).