Netgate Discussion Forum

Cannot get to shared folders

IPsec
29 Posts 3 Posters 2.5k Views
    viragomann @dalicollins
    last edited by Feb 9, 2023, 5:28 PM

    @dalicollins
    I meant, I need to write them double to get one.

      viragomann @dalicollins
      last edited by Feb 9, 2023, 5:31 PM

      @dalicollins
      I forgot to ask one essential question: is pfSense the default gateway on the file server?

        dalicollins @viragomann
        last edited by Feb 9, 2023, 5:32 PM

        @viragomann
        lol. I think I am really close. Probably just missing a rule. Is the IPsec rule I show above correct?

          viragomann @dalicollins
          last edited by Feb 9, 2023, 5:34 PM

          @dalicollins said in Cannot get to shared folders:

          @viragomann
          lol. I think I am really close. Probably just missing a rule. Is the IPsec rule I show above correct?

          Yes, it allows any protocol to the server. So access to the file share should be allowed.

          You can restrict it later if you want.

            dalicollins @viragomann
            last edited by dalicollins Feb 9, 2023, 5:37 PM Feb 9, 2023, 5:35 PM

            @viragomann
            Yes, there is only one default gateway and everything on pfSense uses it. All other functions of pfSense work great. But you brought up an interesting question. The server has two NICs, each connected to a different pfSense firewall. But the other computers on the same firewall can get to the shared folders.

              SteveITS Galactic Empire @dalicollins
              last edited by Feb 9, 2023, 5:36 PM

              @dalicollins Your IPsec rule allows all traffic and is matching packets so should be fine.

              [slash-slash-slash-text seems to work fine. It shows in the preview to the right while typing. ]

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

                viragomann @dalicollins
                last edited by Feb 9, 2023, 5:40 PM

                @dalicollins said in Cannot get to shared folders:

                Yes there is only one default gateway and everything on pfsense uses it.

                The question was if the server uses the pfSense running the IPSec server as default gateway.

                Run

                route print
                

                on the command line to show the default route.

                  dalicollins @viragomann
                  last edited by dalicollins Feb 9, 2023, 5:47 PM Feb 9, 2023, 5:43 PM

                  @viragomann
                  On the server
                  IPv4 Route Table

                  Active Routes:
                  Network Destination  Netmask          Gateway        Interface       Metric
                  0.0.0.0              0.0.0.0          192.168.100.1  192.168.100.26  1255
                  0.0.0.0              0.0.0.0          192.168.1.1    192.168.1.100   266
                  10.10.10.100         255.255.255.255  On-link        10.10.10.100    315
                  10.10.10.102         255.255.255.255  10.10.10.102   10.10.10.100    60
                  10.10.10.105         255.255.255.255  10.10.10.105   10.10.10.100    60
                  10.10.10.107         255.255.255.255  10.10.10.107   10.10.10.100    60
                  10.10.10.109         255.255.255.255  10.10.10.109   10.10.10.100    60
                  127.0.0.0            255.0.0.0        On-link        127.0.0.1       331
                  127.0.0.1            255.255.255.255  On-link        127.0.0.1       331
                  127.255.255.255      255.255.255.255  On-link        127.0.0.1       331
                  192.168.1.0          255.255.255.0    On-link        192.168.1.100   266
                  192.168.1.100        255.255.255.255  On-link        192.168.1.100   266
                  192.168.1.101        255.255.255.255  On-link        192.168.1.100   266
                  192.168.1.255        255.255.255.255  On-link        192.168.1.100   266
                  192.168.100.0        255.255.255.0    On-link        192.168.100.26  1255
                  192.168.100.26       255.255.255.255  On-link        192.168.100.26  1255
                  192.168.100.255      255.255.255.255  On-link        192.168.100.26  1255
                  224.0.0.0            240.0.0.0        On-link        127.0.0.1       331
                  224.0.0.0            240.0.0.0        On-link        192.168.100.26  1255
                  224.0.0.0            240.0.0.0        On-link        192.168.1.100   266
                  224.0.0.0            240.0.0.0        On-link        10.10.10.100    315
                  255.255.255.255      255.255.255.255  On-link        127.0.0.1       331
                  255.255.255.255      255.255.255.255  On-link        192.168.100.26  1255
                  255.255.255.255      255.255.255.255  On-link        192.168.1.100   266
                  255.255.255.255      255.255.255.255  On-link        10.10.10.100    315

                  Persistent Routes:
                  Network Address  Netmask   Gateway Address  Metric
                  0.0.0.0          0.0.0.0   192.168.1.1      Default
                  0.0.0.0          0.0.0.0   26.0.0.1         9256
                  0.0.0.0          0.0.0.0   192.168.100.1    Default
                  0.0.0.0          0.0.0.0   192.168.1.1      Default

                  192.168.1.1 is the IP going to the other pfsense firewall.
                  10.10.10.100 is the server's internal Windows VPN, which is what I want to switch the users from.

                    viragomann @dalicollins
                    last edited by viragomann Feb 9, 2023, 5:50 PM Feb 9, 2023, 5:46 PM

                    @dalicollins said in Cannot get to shared folders:

                    192.168.1.1 is the IP going to the other pfsense firewall.

                    So access from the VPN cannot work.
                    This would have been worth mentioning first of all.

                    To get access you have to either add a static route to the server for the VPN tunnel pool and point it to the IPSec pfSense or you can masquerade the outgoing traffic on pfSense.

                    However, if the other router is a pfSense as well, I'm wondering why you fire up an additional one to run a VPN on it.

                      dalicollins @viragomann
                      last edited by dalicollins Feb 9, 2023, 5:55 PM Feb 9, 2023, 5:51 PM

                      @viragomann
                      Not sure how to do that. I also tried changing the IPsec rule to an IP of a local computer with only one connection and I can ping that IP. So how do I masquerade the outgoing traffic?

                        viragomann @dalicollins
                        last edited by Feb 9, 2023, 5:59 PM

                        @dalicollins
                        Masquerading is only recommended if you know what it does and if you have restrictive firewall rules. It's a workaround for different issues.
                        But since this VPN is obviously for your own purposes only, you can do this to get a step beyond.

                        It's done by Firewall > NAT > Outbound

                        Select hybrid mode and save this first.
                        Add a new rule:
                        interface: LAN
                        source: IPSec tunnel pool (or maybe any, since there is no other passing this pfSense)
                        destination: any
                        translation: interface address

                        Should work then.

                        1 Reply Last reply Reply Quote 0
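Why the static route or the outbound NAT rule fixes the access problem, as an added example that is not part of any post in the thread: it applies Windows route selection (longest prefix, then lowest metric) to the server's route table posted above. The tunnel pool `10.99.0.0/24`, the client `10.99.0.5` and the IPsec pfSense LAN address `192.168.100.1` are assumptions; the thread does not state them.

```python
import ipaddress

# Routes copied from the server's `route print` output in the thread:
# (destination, netmask, gateway, interface, metric). Host, loopback,
# multicast and broadcast entries are left out; they never match below.
ACTIVE_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "192.168.100.1", "192.168.100.26", 1255),
    ("0.0.0.0", "0.0.0.0", "192.168.1.1", "192.168.1.100", 266),
    ("192.168.1.0", "255.255.255.0", "On-link", "192.168.1.100", 266),
    ("192.168.100.0", "255.255.255.0", "On-link", "192.168.100.26", 1255),
]

# Assumptions, not stated in the thread:
VPN_POOL = "10.99.0.0/24"            # constructed placeholder tunnel pool
VPN_CLIENT = "10.99.0.5"             # constructed client address in that pool
IPSEC_PFSENSE_LAN = "192.168.100.1"  # assumed LAN IP of the IPsec pfSense


def lookup(routes, dst):
    """Return (gateway, interface) for dst: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, mask, gw, iface, metric in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}")
        if addr in net:
            key = (-net.prefixlen, metric)
            if best is None or key < best[0]:
                best = (key, gw, iface)
    return None if best is None else (best[1], best[2])


def with_static_route(routes):
    """Option 1 from the thread: static route for the pool via the IPsec pfSense."""
    net = ipaddress.ip_network(VPN_POOL)
    return routes + [(str(net.network_address), str(net.netmask),
                      IPSEC_PFSENSE_LAN, "192.168.100.26", 1256)]


def reply_paths():
    """Where the server sends its reply in each of the three situations."""
    return {
        # Server sees the real client address: the metric 266 default route wins.
        "as_is": lookup(ACTIVE_ROUTES, VPN_CLIENT),
        # Static route: the /24 beats both default routes.
        "static_route": lookup(with_static_route(ACTIVE_ROUTES), VPN_CLIENT),
        # Outbound NAT: server sees the pfSense LAN address, which is on-link.
        "outbound_nat": lookup(ACTIVE_ROUTES, IPSEC_PFSENSE_LAN),
    }


if __name__ == "__main__":
    for case, (gw, iface) in reply_paths().items():
        print(f"{case:13} reply leaves {iface} via {gw}")
```

With the NAT rule every VPN client reaches the server as the pfSense LAN address, so the file server's own logs and any per-client access rules no longer distinguish tunnel users; the static route keeps the real source addresses.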
                          dalicollins @viragomann
                          last edited by Feb 9, 2023, 5:59 PM

                          @viragomann
                          I use two pfSense firewalls because I have two Internet WANs. One static and the other dynamic. They are totally isolated from one another and come from different ISPs. Each uses its own subnet on separate NICs.

                            viragomann @dalicollins
                            last edited by Feb 9, 2023, 6:01 PM

                            @dalicollins said in Cannot get to shared folders:

                            I use two pfSense firewalls because I have two Internet WANs. One static and the other dynamic. They are totally isolated from one another and come from different ISPs.

                            That's no reason for running two routers. You can have two WANs on a single pfSense if you have enough interfaces.

                            And since they are connected to the same LAN, they are not really isolated from each other.

                              SteveITS Galactic Empire @dalicollins
                              last edited by Feb 9, 2023, 6:03 PM

                              @dalicollins said in Cannot get to shared folders:

                              @viragomann
                              I use two pfSense firewalls because I have two Internet WANs. One static and the other dynamic. They are totally isolated from one another and come from different ISPs. Each uses its own subnet on separate NICs.

                              pfSense can handle two WANs.

                              In the above case though can you just connect to an IPSec server on the other firewall instead?

                              The Outbound NAT trick will work too, that makes the connection come from the pfSense LAN IP.

                                dalicollins @viragomann
                                last edited by dalicollins Feb 9, 2023, 6:14 PM Feb 9, 2023, 6:07 PM

                                @viragomann
                                I tried with two WANs in one firewall and it was a mess trying to set that up. The static firewall uses Virtual IPs and with two gateways I couldn't control what went where.
                                By the way, the outbound NAT seems to fix the issue. It's a lot easier just using two firewalls to keep it all separate.
                                By the way, thanks a lot for the help.

                                  viragomann @dalicollins
                                  last edited by Feb 9, 2023, 6:22 PM

                                  @dalicollins
                                  pfSense can handle all this pretty well. It gives you full control over which traffic to route out to which gateway. You can determine this by source IP and/or ports, or destination IP and/or ports, or both.
                                  Just a few firewall rules in a single place.

                                  And the nicest part, it can failover the upstream traffic to the other WAN in case of a dropout of the primary connection. Also it's possible to load balance all upstream traffic permanently.

                                  I can't see any reason for running an additional router for VPN only.
