[SOLVED]: NetBIOS browsing across subnets/VLANs



  • I just noticed that when I go to a Windows PC on one of my networks/subnets/vlans, it can see Windows NetBIOS names from other networks/subnets/vlans.

    NETWORKS

    WAN --> 192.168.50.1/24
    MGMTLAN --> 192.168.1.0/24
    VLAN10 --> 192.168.10.0/24
    VLAN20 --> 192.168.20.0/24
    etc

    FIREWALL RULES

    I have a firewall rule on each of my networks which blocks it from seeing the other network:

    VLAN 10 - Blocking any packets (all protocols) to VLAN20
    VLAN 20 - Blocking any packets (all protocols) to VLAN10

    ISSUE

    Computers on VLAN10 can see computers on VLAN20 for instance in the Network tab under Windows.  Although, any attempts to connect to them fails.
    If I try to ping any hosts, I cannot even ping the gateway to that network, and no attempts to access them are working.
    BUT, I cannot even understand how they can see these servers in the Network Neighborhood under Windows.

    EQUIPMENT

    pfSense: 2.4.3-DEVELOPMENT
    built on Friday, Nov 17 12:26:58 CST 2017

    Switches:  Ubiquiti

    THANKS IN ADVANCE



  • ????

    If you have rules blocking everything, why would you expect to be able to access anything?

    Also, you shouldn't be able to browse NetBIOS file shares between networks.  It uses broadcasts, which are not passed by routers.  You need a WINS server to do that.


  • LAYER 8 Netgate

    Sounds like your switch is broken/misconfigured or you don't understand the concept of VLANs.

    You might want to actually post your rules instead of a description of how you think you set them.



  • @JKnott:

    ????

    If you have rules blocking everything, why would you expect to be able to access anything?

    Also, you shouldn't be able to browse NetBIOS file shares between networks.  It uses broadcasts, which are not passed by routers.  You need a WINS server to do that.

    My point is, they should not be able to see each other via NetBIOS.  My question is, how are they?
    I can confirm they cannot SCAN any ports on the other network, or perform any IP-related access.
    So, how are they even showing up in the Network Neighborhood via NetBIOS (assuming this is a NetBIOS thing)?

    Ng



  • @Derelict:

    Sounds like your switch is broken/misconfigured or you don't understand the concept of VLANs.

    You might want to actually post your rules instead of a description of how you think you set them.

    I will keep all of the configuration details together in replies if/as more is added.

    Here are the block rules (network to network defined):

    block return in quick on em1.12 inet from 192.168.12.0/24 to 192.168.20.0/24 label "USER_RULE: Block access to VLAN20 Network"
    block return in quick on em1.20 inet from 192.168.20.0/24 to 192.168.12.0/24 label "USER_RULE: Block access to VLAN12 network"

    I was going to post the config from Unifi Switch.  Was posting quick.



  • Figured it out.  Had to enable PORT ISOLATION on the switches for certain ports.  The broadcasts were bleeding over into other VLANs and allowing NetBIOS names to show up even though they could not reach the other networks/subnets/vlans.  THANKS to Willie Howe for also verifying and assisting my review, and to everyone here in the pfSense community that took the time to start helping as well.  Much appreciated.

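The two replies above describe the mechanism at work in this thread: NetBIOS name registrations and browser elections go out as broadcasts to UDP/137 and UDP/138, a router never forwards them, so if hosts on VLAN12 show up in the Network Neighborhood of VLAN20 the frames must have crossed at layer 2 on the switch, below the pfSense rules. The script below is an added example, not code from this thread or from pfSense; it decodes NBNS packets (the first-level name encoding and the B flag in the header) and flags any broadcast whose source address does not belong to the subnet of the VLAN interface it was seen on. The interface names and subnets (em1.12, em1.20, 192.168.12.0/24, 192.168.20.0/24) are taken from the rules posted earlier; the capture itself is constructed inline for the example, not real traffic.

```python
import ipaddress
import struct

# Well-known NetBIOS name suffixes (16th byte of the name) seen during browsing.
SUFFIX_NAMES = {
    0x00: "workstation",
    0x20: "file server",
    0x1D: "master browser",
    0x1E: "browser election",
}

# NBNS opcodes (bits 14..11 of the header flags field).
OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}


def encode_nb_name(name, suffix=0x00):
    """First-level encoding: pad to 15 chars, append suffix, split each byte
    into two nibbles and add 'A' to each (RFC 1001 section 14.1)."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_nb_name(encoded):
    """Reverse of encode_nb_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_nbns(trn_id, opcode, name, suffix, broadcast=True, rd=True):
    """Build a single-question NBNS packet (NB record, IN class), as a Windows
    host would send to 255.255.255.255:137 when registering or querying."""
    flags = (opcode & 0xF) << 11
    if rd:
        flags |= 0x0100          # recursion desired
    if broadcast:
        flags |= 0x0010          # B flag: this is a broadcast packet
    header = struct.pack("!HHHHHH", trn_id, flags, 1, 0, 0, 0)
    question = (b"\x20" + encode_nb_name(name, suffix) + b"\x00"
                + struct.pack("!HH", 0x0020, 0x0001))
    return header + question


def parse_nbns(payload):
    """Parse the header and first question of an NBNS packet."""
    if len(payload) < 50:
        raise ValueError("truncated NBNS packet")
    trn_id, flags = struct.unpack("!HH", payload[:4])
    if payload[12] != 0x20 or payload[45] != 0x00:
        raise ValueError("unsupported label layout")
    name, suffix = decode_nb_name(payload[13:45])
    return {
        "trn_id": trn_id,
        "opcode": OPCODES.get((flags >> 11) & 0xF, "other"),
        "broadcast": bool(flags & 0x0010),
        "name": name,
        "suffix": suffix,
        "role": SUFFIX_NAMES.get(suffix, "other"),
    }


# Constructed sample capture: (interface, source IP, UDP/137 payload), as if
# taken on the pfSense VLAN interfaces. Two frames carry addresses from the
# other VLAN's subnet, which is what broadcast bleed on the switch looks like.
SAMPLE_FRAMES = [
    ("em1.12", "192.168.12.50", build_nbns(0x8001, 5, "WS-ACCOUNTING", 0x00)),
    ("em1.12", "192.168.12.50", build_nbns(0x8002, 5, "WS-ACCOUNTING", 0x20)),
    ("em1.12", "192.168.20.7", build_nbns(0x8003, 5, "SRV-FILES", 0x20)),
    ("em1.20", "192.168.20.7", build_nbns(0x8004, 0, "WORKGROUP", 0x1D)),
    ("em1.20", "192.168.12.50", build_nbns(0x8005, 0, "WORKGROUP", 0x1E)),
]

# Subnets per VLAN interface, from the rules posted in the thread.
VLAN_SUBNETS = {
    "em1.12": ipaddress.ip_network("192.168.12.0/24"),
    "em1.20": ipaddress.ip_network("192.168.20.0/24"),
}


def find_leaks(frames, vlan_subnets):
    """Return every NBNS broadcast whose source is foreign to the VLAN it
    arrived on. A router cannot have forwarded these, so each hit is
    evidence of a layer-2 path between the VLANs."""
    leaks = []
    for iface, src, payload in frames:
        pkt = parse_nbns(payload)
        if not pkt["broadcast"]:
            continue
        if ipaddress.ip_address(src) not in vlan_subnets[iface]:
            leaks.append((iface, src, pkt["opcode"], pkt["name"], pkt["role"]))
    return leaks


if __name__ == "__main__":
    for hit in find_leaks(SAMPLE_FRAMES, VLAN_SUBNETS):
        print("LEAK on %s from %s: %s of %s (%s)" % hit)
```

To collect real input for this on pfSense, capture on the VLAN interface with the link-layer header shown, restricted to the NetBIOS ports and to sources outside that VLAN's subnet, for example `tcpdump -ni em1.12 -e 'udp port 137 or udp port 138' and 'not src net 192.168.12.0/24'`; any frame that prints is one the switch delivered across VLANs, and the `-e` output gives the source MAC to trace back to the offending port. The firewall rules are irrelevant to this symptom because broadcasts that arrive on the wrong VLAN never pass through pfSense at all.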

  • LAYER 8 Netgate

    So you're not using a managed switch and trying to use VLANs?



  • @Derelict:

    So you're not using a managed switch and trying to use VLANs?

    If he uses Ubiquiti switches then they are managed.


  • LAYER 8 Netgate

    Then they are broken or improperly-configured if they are passing broadcasts between VLANs.

    And proper configuration should not require anything such as "port isolation."

