OPT to LAN
-
Hi all, and excuse my poor English.
Sorry for cross-posting, but in the Italian section I can't find answers. This is the situation:
pfSense 2.0.1
WAN: no problem here
LAN: 10.71.9.251/24 static, only the standard firewall rules (anti-lockout and LAN to any); no problem here, I can reach WAN and OPT.
OPT1: 192.168.1.80/24 static. I need to allow this net to reach the local LAN, some hosts only. Firewall rules for OPT1:
Block TCP/UDP OPT1 Net port 135
Block TCP/UDP OPT1 Net port 137-139
Block TCP/UDP OPT1 Net port 445
Pass * OPT1 net * LAN net * (this passes 192.168.1.x to my LAN no matter the port, am I right?)
Actually pfSense isn't my gateway, so I had to add a static route on my PC (Win XP) on the LAN interface:
route add 192.168.1.0 mask 255.255.255.0 10.71.9.251
And I can see the OPT1 net. I'm doing the same thing on a client in the OPT1 net (Win XP, just for the hosts I need):
route add 10.71.9.101 mask 255.255.255.255 192.168.1.80
route add 10.71.9.102 mask 255.255.255.255 192.168.1.80
route add 10.71.9.108 mask 255.255.255.255 192.168.1.80
route add 10.71.9.2 mask 255.255.255.255 192.168.1.80
I can ping and get answers from 10.71.9.2 (my PC on the LAN interface).
I can't get any answer from 10.71.9.10x on the LAN interface (CentOS server).
On 10.71.9.101 I have Samba listening, allowed hosts 10.71.9.0/24 and 192.168.1.0/24.
On 10.71.9.102 I have HTTP, but I haven't checked ports/addresses.
On 10.71.9.108 I haven't tested services yet.
Maybe there's something about NAT to configure?
Thanks in advance.
-
Thoughts ???
Add routes to the gw or the returning TCP traffic won't know which way to return, and it has to come back the same way.
Traceroute from PC and pfSense to each other, note the return route via gw.
You might be able to ping, but telnet x.x.x.x xx won't work.
Route the whole subnet, and control the hosts with firewall rules, mask mismatched?
route add 10.71.9.0 mask 255.255.255.0 192.168.1.80
No NAT between OPT1 and LAN.
-
Thanks, but I already have:
From 192.168.1.44, traceroute 10.71.9.101:
1 1ms 1ms 1ms 192.168.1.80 (pfSense)
2 * * * no route to host
Opened ICMP, same result.
From 10.71.9.2, traceroute 192.168.1.44:
1 1ms 1ms 1ms 10.71.9.251 (pfSense)
2 1ms 192.168.1.44
I can see nothing in the firewall rules log!
I think I have to do something on the servers.
Edit: it seems that Windows asks something on ports 139 and 445 to establish connections using Samba, so my first rules break it.
-
So try routing the whole subnet first, to try to get it working.
Delete the other 10.71.9.xxx routes.
add route net 10.71.9.0 mask 255.255.255.0 gw 192.168.1.80, or whatever syntax your OS uses.
Check the server gw; if it is not 10.71.9.251 then 'add route net 192.168.1.0 mask 255.255.255.0 gw 10.71.9.251', although it should be the default gw.
If that doesn't work, try opening up the firewall by disabling the OPT1 port rules. Although with nothing in Firewall logs, I still think you have a routing issue.
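As an added illustration of the return-route point made in this reply and in the earlier one (example code written for this page, not from the original thread or from pfSense): a small longest-prefix-match model of the two hosts' routing tables, using the addresses from the thread. It assumes two gateways the thread never names, 192.168.1.1 as the OPT1 client's default gateway and 10.71.9.1 as the LAN's real default gateway (the thread only says that pfSense, 10.71.9.251, is not the LAN default gateway). It shows why the /32 host routes on the client get the SYN to the server while the server's reply leaves by the wrong gateway, and why routing the whole subnet plus a return route on the server fixes both directions.

```python
import ipaddress

# Constructed model of the thread's topology. Addresses from the thread:
# pfSense LAN 10.71.9.251, pfSense OPT1 192.168.1.80, client 192.168.1.44,
# server 10.71.9.101. Assumed (not in the thread): the OPT1 client's default
# gateway 192.168.1.1 and the LAN's real default gateway 10.71.9.1.
PFSENSE_LAN = ipaddress.ip_address("10.71.9.251")
PFSENSE_OPT1 = ipaddress.ip_address("192.168.1.80")
PFSENSE_HOPS = {PFSENSE_LAN, PFSENSE_OPT1}


class RoutingTable:
    """Host routing table with kernel-style longest-prefix match."""

    def __init__(self, routes):
        # routes: iterable of (prefix, gateway); gateway None means on-link.
        self.routes = []
        for prefix, gateway in routes:
            self.add(prefix, gateway)

    def add(self, prefix, gateway):
        net = ipaddress.ip_network(prefix)
        gw = None if gateway is None else ipaddress.ip_address(gateway)
        self.routes.append((net, gw))

    def next_hop(self, dst):
        """Gateway used for dst, or None when dst is on a directly connected net."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, gw in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        if best is None:
            raise LookupError(f"no route to {dst}")
        return best[1]


def via_pfsense(table, dst):
    """True if the first hop toward dst is one of pfSense's interfaces."""
    return table.next_hop(dst) in PFSENSE_HOPS


def session_works(client, client_ip, server, server_ip):
    """A TCP session needs both directions through pfSense: the SYN from the
    client and the SYN/ACK back from the server. If the server hands its reply
    to some other gateway, pfSense never forwards it to the OPT1 client."""
    return via_pfsense(client, server_ip) and via_pfsense(server, client_ip)


def base_tables():
    client = RoutingTable([("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")])
    server = RoutingTable([("10.71.9.0/24", None), ("0.0.0.0/0", "10.71.9.1")])
    return client, server


def summarize(client, server):
    return {
        "forward_via_pfsense": via_pfsense(client, "10.71.9.101"),
        "reply_next_hop": str(server.next_hop("192.168.1.44")),
        "session_works": session_works(client, "192.168.1.44", server, "10.71.9.101"),
        # A LAN host not covered by a client route falls back to the default route.
        "unlisted_host_via_pfsense": via_pfsense(client, "10.71.9.50"),
    }


def scenario_host_routes():
    """The original post: /32 host routes on the client, nothing on the server."""
    client, server = base_tables()
    for host in ("10.71.9.101", "10.71.9.102", "10.71.9.108", "10.71.9.2"):
        client.add(f"{host}/32", "192.168.1.80")
    return summarize(client, server)


def scenario_whole_subnet():
    """The fix: route the whole LAN subnet on the client, and give the server
    (whose default gateway is not pfSense) a route back to the OPT1 net."""
    client, server = base_tables()
    client.add("10.71.9.0/24", "192.168.1.80")
    server.add("192.168.1.0/24", "10.71.9.251")
    return summarize(client, server)


if __name__ == "__main__":
    for name, scenario in (("host routes", scenario_host_routes),
                           ("whole subnet", scenario_whole_subnet)):
        print(name, scenario())
```

Running the module prints both summaries: with host routes only, the client's SYN reaches pfSense but the server's reply goes to 10.71.9.1, so the session fails; with the subnet route and the server's return route, both hops are pfSense. The model deliberately ignores the OPT1 firewall rules, since the empty firewall log in the thread already pointed away from them. On the real hosts the equivalent commands are `route add <net> mask <mask> <gw>` on Windows and `ip route add <net>/<len> via <gw>` on Linux.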
-
10.71.9.251 isn't the default gateway on the LAN; it doesn't need to be.
Partially solved.
Added a static route from the servers to the OPT1 net, and now I can ping/trace from the servers to the client and vice versa.
Now let me see if i can connect.
Edit:
SOLVED!