Bridge mode causing SMB traffic to fill firewall log
-
It may be out of state traffic if it doesn't seem to match any of your rules.
https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection
-
Thanks for the quick response.
I looked through that article and while it could very well be something to do with what it is talking about, there doesn't seem to be any way of rectifying the issue. Also, the data in my firewall log doesn't seem the same as what is shown in that article as some of the traffic I am seeing doesn't state that it's been blocked by a default deny any rule ipv4.
Another thing I can't understand is why this traffic is ever hitting the firewall, the source and destination addresses on all the hits are physically on the LAN. To clarify, this is a windows domain with two windows domain controllers used for DHCP & DNS, pfsense is nothing more than a firewall and OpenVPN server.
It does seem to be misinformation from the firewall as no user has reported any problems accessing the samba drive.
-
Can you post up a screenshot of these firewall hits you're seeing. And details of how you bridged your LAN to your OpenVPN - I can think of no reason why that would ever in a million years have to be done to allow access to file shares, etc.
I access file shares over a normal tun setup where OpenVPN is on its own network, different from the LAN network.
-
I followed this article to set up my OpenVPN:
https://forum.pfsense.org/index.php?topic=46984.0
I could not get VPN clients talking to LAN resources without setting it up this way.
Attached is a screen grab of my firewall log.
-
Did you change your firewalls on your local clients to allow access from a remote network?
TAP is not a good option.. All broadcast traffic is now over your VPN.. Bridges in general are horrible performance.. Unless you had a specific need for, say, broadcast traffic to be used there is no reason for tap, and accessing file shares sure doesn't need to be on the same segment.
So let's see your rules? Post up the rules you have on the LAN and bridge interfaces in your firewall. All of that traffic is out of state for sure. Also you can click the red x to see what rule it was that blocked.. Or better yet just enable the rule to be listed. In your log settings change it so it displays the rule desc.
That is dated back from 2012? So version 2.0.2 at best.. You do understand the vpn wizard would walk you through setting it up in like 30 seconds. Are you running version 2.0.2? Or current 2.2.4?
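The thread keeps coming back to two things: the linked article's point that a stateful firewall logs "blocked" for mid-stream packets it has no state entry for, and the advice to check which rule (tracker) produced each hit. The following script is an added example, not part of this thread or of pfSense, that triages raw pfSense filterlog lines along exactly those lines: it flags TCP blocks whose flags carry no SYN as out-of-state candidates, separates NetBIOS UDP broadcasts (the kind of traffic a TAP bridge carries across the tunnel) from real policy blocks, and keeps the tracker id so the matching rule can be looked up. The sample lines are constructed, and the CSV field layout assumed is the pfSense 2.2-era filterlog format (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4 and per-protocol fields); only IPv4 TCP/UDP entries are handled.

```python
"""Triage pfSense filterlog entries for out-of-state blocks.

Added example (not from the forum thread or pfSense). Assumes the
pfSense 2.2-era filterlog CSV layout after the "filterlog: " tag:
  0 rule, 1 sub-rule, 2 anchor, 3 tracker, 4 interface, 5 reason,
  6 action, 7 direction, 8 ip-version, 9 tos, 10 ecn, 11 ttl, 12 id,
  13 offset, 14 ip-flags, 15 proto-id, 16 proto-text, 17 length,
  18 src, 19 dst, 20 sport, 21 dport, 22 data-len, 23 tcp-flags, ...
"""
import csv
from collections import Counter
from dataclasses import dataclass

FILTERLOG_TAG = "filterlog: "
NETBIOS_UDP_PORTS = {137, 138}   # NetBIOS name / datagram service
SMB_TCP_PORTS = {139, 445}       # NetBIOS session / direct SMB

# Constructed sample lines: two mid-stream SMB packets (ACK, FIN+ACK),
# one genuine SYN to port 445, and one NetBIOS name-service broadcast.
SAMPLE_LOG = """\
Aug 12 10:01:02 pfsense filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,128,1234,0,DF,6,tcp,52,192.168.1.10,192.168.1.20,49152,445,0,A,1,2,256,,
Aug 12 10:01:03 pfsense filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,128,1235,0,DF,6,tcp,52,192.168.1.10,192.168.1.20,49153,445,0,FA,1,2,256,,
Aug 12 10:01:04 pfsense filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,128,1236,0,DF,6,tcp,52,192.168.1.11,192.168.1.20,49154,445,0,S,1,0,8192,,mss
Aug 12 10:01:05 pfsense filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,128,1237,0,none,17,udp,78,192.168.1.10,192.168.1.255,137,137,58
"""


@dataclass
class Entry:
    tracker: str      # rule tracker id; look it up to find the blocking rule
    interface: str
    action: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    tcp_flags: str    # pf flag letters, e.g. "S", "A", "FA", "R"
    verdict: str


def classify(action: str, proto: str, dport: int, tcp_flags: str) -> str:
    """Explain why a log line most likely appeared."""
    if action != "block":
        return "pass"
    if proto == "udp" and dport in NETBIOS_UDP_PORTS:
        # Broadcast name/datagram chatter; expected to be noisy on a bridge.
        return "netbios_broadcast"
    if proto == "tcp" and "S" not in tcp_flags:
        # No SYN: the firewall never saw the handshake (or the state expired),
        # so pf dropped a mid-stream packet; the rule shown is incidental.
        return "out_of_state"
    # A SYN (or non-TCP) block is a real rule decision worth reviewing.
    return "policy_block"


def parse_line(line: str):
    """Parse one syslog line; return an Entry, or None if not IPv4 TCP/UDP."""
    if FILTERLOG_TAG not in line:
        return None
    fields = next(csv.reader([line.split(FILTERLOG_TAG, 1)[1].strip()]))
    if len(fields) < 22 or fields[8] != "4":
        return None
    proto = fields[16]
    if proto not in ("tcp", "udp"):
        return None
    sport, dport = int(fields[20]), int(fields[21])
    tcp_flags = fields[23] if proto == "tcp" and len(fields) > 23 else ""
    return Entry(
        tracker=fields[3], interface=fields[4], action=fields[6], proto=proto,
        src=fields[18], dst=fields[19], sport=sport, dport=dport,
        tcp_flags=tcp_flags,
        verdict=classify(fields[6], proto, dport, tcp_flags),
    )


def parse_log(text: str) -> list:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(entries: list) -> dict:
    """Count verdicts so the 'real' blocks stand out from state noise."""
    return dict(Counter(e.verdict for e in entries))


def smb_out_of_state(entries: list) -> list:
    """SMB sessions the firewall lost state for: candidates for the
    linked article's explanation rather than for new pass rules."""
    return [e for e in entries
            if e.verdict == "out_of_state" and e.dport in SMB_TCP_PORTS]


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    print(summarize(ents))
    for e in smb_out_of_state(ents):
        print(f"tracker {e.tracker} {e.src}:{e.sport} -> {e.dst}:{e.dport} flags={e.tcp_flags}")
```

Run it against a saved copy of the filter log (for example the output of `clog /var/log/filter.log` piped to a file) by replacing `SAMPLE_LOG` with the file contents. Entries classed as out_of_state are the ones the linked article describes; adding pass rules for them, as the original poster tried, changes nothing because the drop happens before rule evaluation of a state-less mid-stream packet is meaningful. Only the policy_block entries point at a rule that actually needs attention.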
-
I haven't changed any client firewalls at all, the WAN on the pfsense box allows openVPN traffic but that's it.
When I click the red X, half of the entries are blocked by the default deny rule IPv4 and the others are blank. I have already selected the "add pass rule" option from the firewall but this had no effect and I subsequently deleted those rules.
I'm starting to think maybe I need to set up a new box and try installing OpenVPN with the wizard on TAP and try and get that working again. I used the wizard previously with TAP, I couldn't get anything on the VPN to speak with anything on the LAN with that set up either.
I am currently running 2.2.4.
-
Why do you think you need tap??? You DON'T!!! File sharing does not require you to be on the same segment.
-
My apologies, please replace TAP with TUN in my last message.
-
Don't think you need to set up a new box.. Just redo the VPN connection on this one.
-
I should probably open a new ticket for this, but any chance you can point me in the right direction? I have set up the TUN OpenVPN server and connected to it fine. I can see some stuff on the LAN network from the VPN tunnel but I can't access the SMB share. It keeps hitting the firewall despite those rules I have set up allowing traffic over the VPN; I have attached an image of the firewall log.
-
And what are the rules on your VPN tab? By default I believe it's an any/any - what did you change it to or add above it? Did you check to allow NetBIOS over the VPN?
Enable NetBIOS over TCP/IP
If this option is not set, all NetBIOS-over-TCP/IP options (including WINS) will be disabled.