[need some help] Firewall rule for vlan

  • I am current with

    Version 2.3.2-RELEASE-p1 (amd64)
    built on Tue Sep 27 12:13:07 CDT 2016
    FreeBSD 10.3-RELEASE-p9

    The system is on the latest version.

    I have 3 ports on the pfsense, port 1 for wan, port 2 for lan, and port3 for lan2.

    I setup 4 vlans, which is vlan 1, 20, 40, 100 is assigned to lan2

    I want vlan 40, can use the file server(SAMBA) in vlan 20.

    I have been apply rules to vlan 20, 40.  pass,  protocol  any,  Source any, Destination any, but I still can not access the file server, but ping is fine.

  • maybe because server is on different lan then client you need to adjust firewall on that server to accept connection from that client specific lan address ?

  • Thanks. I have been open any ports for all lans, it still not work.

  • LAYER 8 Global Moderator

    your vlan 1 tag is 1?  This is normally the default vlan.  Did you change the default vlan on your switch.  What vlan is your lan on your switch?

    You do have a smart switch that does vlans right?  And your port connected to your port 3 (lan2) is trunked with the allowed vlans?

    What are networks?  They do not overlap?

    If your rules on  your vlan 40 are any any, then it should be able to access your samba server on vlan 20.  Check the firewall on this server, and if running samba also check the allowed hosts in the samba conf.  If the vlan 40 network is not allowed, then no it would not have access.

  • Banned

    If by "cannot access" you mean that \NetBIOSName\share does not work, then kindly switch to \f.q.d.n.\Share like you should have done some 15+ years ago and it will work just fine.

  • @doktornotor:

    If by "cannot access" you mean that \NetBIOSName\share does not work, then kindly switch to \f.q.d.n.\Share like you should have done some 15+ years ago and it will work just fine.

    I would add that first test if you can ping it, just to ensure you have no routing issues.

  • Banned

    Unfortunately, ping is NOT a useful test with Windows across different networks, it will just be blocked by the Windows "firewall". (Thanks, M$  ::))

    Now, that reminds me - disable the Windows firewall on both ends of testing before testing anything.

  • Thank you so much for all of you!

    I have been open all the ports on any lan(and vlans).  allow any any any

    From vlan 40, I can ping, I also can ssh connect to the Freenas on Vlan 20, but I can not net view \Freenas IP\

    which will show me error 53.

    My question is, which interface was blocking me, even I open all the ports on all the interface.

    I do the ports scan, inside the same vlan, I can see all the ports on the FreeNas, but on the other vlans, I can't see port utp 139 and tcp 445.

    Btw, I did not setup ip address on the trunk Lan.

  • LAYER 8 Global Moderator

    Dude if your rules are any any, and you say when you scan on the same vlan you see the ports open.  But when you scan from another vlan they are not open.  That points to local firewall on that device..