No access to SQLServer and MS Shared Folder
-
All my tests on pfSense were needed to be able to replace a firewall with pfSense.
This is the scenario:
in LAN
- 4 PCs with IP 192.168.101.101/2/3/4
in DMZ
- 1 Windows Server with SQLServer with IP 192.168.102.11
- 1 Debian server with a shared folder in SMB/CIFS with IP 192.168.102.12
- 1 Win10 PC with a shared folder with IP 192.168.102.13
The 4 PCs are able to access the two shared folders and launch the programs that use SQLServer
So, I change the old firewall with pfSense
in LAN there are two rules
*From=LAN Net, Ports=Those-for-Shared-Folder, to=DMZ Net
*From=LAN Net, Ports=Those-for-SQLServer, to=DMZ Net
Now the PCs see the shared folder on Debian, but they don't see the one on the Win 10 PC and neither SQLServer.
Maybe on the old firewall there are other ports and therefore I insert on pfSense, first of all the rules
- From=LAN Net, Ports=Any ,to=Any
Same situation: access only to the shared folder on Debian.
I turn off pfSense, turn on the old firewall and everything works again.
I lost all Sunday doing all the tests I could and looking at all the logs, but I couldn't figure out where I'm wrong.
It would be enough for me to understand now what test I can do now to find the error.
-
@darkcorner Windows Firewall perhaps? Did you try turning it off on the Windows server and Win10 box just to check? Any time traffic appears to be blocked, check the pfSense Firewall log. If nothing is being blocked, use Packet Capture to see that the traffic is entering the LAN interface and exiting the DMZ interface.
-
@kom said in No access to SQLServer and MS Shared Folder:
@darkcorner Windows Firewall perhaps? Did you try turning it off on the Windows server and Win10 box just to check? Any time traffic appears to be blocked, check the pfSense Firewall log. If nothing is being blocked, use Packet Capture to see that the traffic is entering the LAN interface and exiting the DMZ interface.
I thought so too, but it can't be the windows firewall because it would also block traffic with the old firewall.
Unless pfSense needs some other configuration, but it would seem strange to me.
-
@darkcorner said in No access to SQLServer and MS Shared Folder:
From=LAN Net, Ports=Any ,to=Any
Like :
this rule passes everything to everything.
Run the packet capturing on LAN to see your 'SQL server ' and 'file system' packets.
Do the same test on DMZ: you should see them also on that network.
-
This afternoon I did some other tests, tomorrow I will do some more complete ones.
At the moment the situation has not changed.
The 4 PCs of users all see the NAS with the shared folders in Samba, so the Any to Any rule works, of course.
But they do not see the shared folders of the Windows PC and there is no reason why they do not see them since they are the same PCs and the same server that instead work with IPFire.
It is as if IPFire allows something more than pfSense, or vice versa.
Or there is some mistake of mine that I can't see.
-
@darkcorner On your 2 LAN networks (LAN and DMZ), what are your subnet mask sizes set to? They should be a /24 size network. And, also verify on your hosts (the servers on the DMZ and the PCs on the LAN network), that their subnet masks are correct. Everything should be set to size /24.
Do all of the machines also show the correct gateway? That matters too.
-
This afternoon, doing all the possible tests, I discovered that the problem is not in pfSense, but it was in the Win 10 PC, which was configured as a public network.
Changed to a private network, the folders are finally shared with the PCs on the LAN.
But I don't understand why with the other firewall (IPFire) everything works without changing the folder sharing settings on this PC.
Thank you all for your interest and your suggestions.
-
@darkcorner said in No access to SQLServer and MS Shared Folder:
But I don't understand why with the other firewall (IPFire) everything works without changing the folder sharing settings on this PC.
When you changed the gateway of your PC, i.e. exchanged your IPFire for pfSense, it's quite possible it changed to public policy vs private policy. Even if the IP address of the gateway was the same, the MAC address would have changed, and this could trigger the PC firewall to flip its policy.
-
@johnpoz said in No access to SQLServer and MS Shared Folder:
When you changed the gateway of your PC, i.e. exchanged your IPFire for pfSense, it's quite possible it changed to public policy vs private policy. Even if the IP address of the gateway was the same, the MAC address would have changed, and this could trigger the PC firewall to flip its policy.
Yours is an interesting opinion to be held in high regard in the future.
Thank you.
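
Added example, not part of the thread and not posted by any participant: a PowerShell check for the cause found above, where a Windows host is reclassified as a Public network after the gateway is swapped and its host firewall stops accepting share traffic. Assumptions: English display group name `File and Printer Sharing`, the placeholder interface alias `Ethernet`, and 1433 as the SQL Server default port (the thread does not state the ports); the IP addresses are the ones given in the first post.

```powershell
# Run in an elevated PowerShell on the Windows host whose share is unreachable
# (the Win10 PC at 192.168.102.13 in the thread).

# 1. Category Windows assigned to each connected network (Public / Private / DomainAuthenticated).
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory, IPv4Connectivity

# 2. Host firewall state and default inbound action for each profile.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction

# 3. Enabled inbound File and Printer Sharing rules, with the profiles they apply to
#    and the remote addresses they accept. A rule that lists only Private or Domain
#    does nothing while the interface is categorised as Public.
#    Assumption: English display group name; localized systems use a translated name.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = [string]$_.Profile
            Action        = [string]$_.Action
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    } |
    Sort-Object Profile, Rule |
    Format-Table -AutoSize

# 4. If step 1 shows Public on the DMZ-facing interface, set it back to Private.
#    'Ethernet' is a placeholder; use the InterfaceAlias printed in step 1.
# Set-NetConnectionProfile -InterfaceAlias 'Ethernet' -NetworkCategory Private

# 5. From one of the LAN PCs, confirm the TCP path through pfSense to each DMZ host.
#    445 is SMB; 1433 is assumed here as the SQL Server default port.
$targets = @(
    @{ Name = '192.168.102.13'; Port = 445  },   # Win10 share
    @{ Name = '192.168.102.12'; Port = 445  },   # Debian Samba share
    @{ Name = '192.168.102.11'; Port = 1433 }    # SQL Server
)
foreach ($t in $targets) {
    Test-NetConnection -ComputerName $t.Name -Port $t.Port |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}
```

If step 5 fails for a host while a pfSense packet capture shows the SYN leaving the DMZ interface, the drop is happening on that host, which is where steps 1 to 3 apply.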