Linux logon based on LDAP cannot go through pfSense



  • Hi everybody

    First off: thank you all for a great system. Seems to work great even though I just started using it!

    But I have a problem: we have a hardware-based firewall just after our router. After the firewall we have a number of servers (web, email, LDAP and others) and amongst them is our pfSense server. Behind this machine are our client machines (we more or less have a DMZ, although it's behind another firewall).
    The client machines run Linux and to keep things simple we authenticate against an LDAP server. This server is, for a number of reasons, placed in the 'DMZ' and we cannot move it behind the pfSense box.

    When we boot up one of the Linux machines it doesn't seem to log on. I suspect that it is because it cannot get to the needed shares on our file server (via NFS). If I log onto the Linux client as root (and thereby log on locally) then things work out fine - except that as root I also cannot get in contact with the NFS server.

    I can browse the internet from the Linux box (going through the pfSense box just fine), check emails and I can even ping the NFS server as well. So there is routing via the pfSense box.

    Could anybody come up with a possible explanation for this behaviour?

    Best

    Rasmus Wehner
        Denmark



  • Seems like your pfSense box is blocking NFS related ports such as rpcbind (111) etc. Did you create appropriate rules on your pfSense box to allow NFS traffic to traverse your WAN iface?

    Regards
    Daniel S. Haischt



  • Hi Daniel

    Thank you for your reply.
    My firewall rules are that all traffic from LAN to WAN is allowed (every protocol on every port from every LAN computer is allowed to communicate to every protocol on every port on every computer on WAN). It's the default configuration for pfSense once you boot it up the first time.

    I thought that this configuration would mean, that a client computer (on the LAN side of pfSense) would be allowed to contact a NFS server on the WAN side without any problems. But it doesn't seem to be the case.

    When we try to mount the NFS share (on the WAN side) from a client (on the LAN side), we get the following entry in the NFS server's log file:

    rpc.mountd: refused mount request from 192.168.1.28 for /home (/home): illegal port 65026

    Does this give you any clues to what might be wrong with our setup?

    If someone could give us a tip on where to find more information about this problem then we would be very happy.

    Best

    Rasmus Wehner
        Denmark



  • There is NAT going on from LAN to WAN. Either convert your setup into a routing scenario or add custom advanced outbound NAT rules to shut down NAT for traffic going directly to the WAN subnet.
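The mountd log line quoted above and the NAT explanation in this reply fit together: by default rpc.mountd only honours MOUNT requests that arrive from a reserved source port (below 1024), and outbound NAT on pfSense rewrites the client's reserved source port to a free high port such as 65026 before the packet reaches the file server. The following is an added example, written for this page and not code from the thread, from pfSense or from mountd. It models the client, the NAT rewrite and mountd's port check, and parses "illegal port" refusals out of constructed syslog lines. The LAN client address 10.0.0.20 and the use of 192.168.1.28 as the firewall's post-NAT source address are assumptions; the `insecure` export option modelled here is the nfs-utils option that disables the reserved-port check.

```python
import re
from dataclasses import dataclass, replace

# mountd's default "secure" check (nfs-utils rpc.mountd, likewise FreeBSD mountd):
# a MOUNT RPC must come from a reserved source port, i.e. one below 1024.
RESERVED_PORT_MAX = 1023


@dataclass(frozen=True)
class MountRequest:
    src_ip: str
    src_port: int
    export: str


def client_mount_request(client_ip: str, export: str, reserved_port: int = 1011) -> MountRequest:
    """A Unix NFS client (mounting as root) sends its MOUNT RPC from a reserved port."""
    assert reserved_port <= RESERVED_PORT_MAX
    return MountRequest(client_ip, reserved_port, export)


def outbound_nat(req: MountRequest, wan_ip: str, translated_port: int) -> MountRequest:
    """Model of pfSense outbound NAT without 'static port': the source address becomes
    the firewall's WAN address and the source port is replaced by a free high port."""
    return replace(req, src_ip=wan_ip, src_port=translated_port)


def mountd_decision(req: MountRequest, exports: dict) -> str:
    """Model of rpc.mountd's decision for one MOUNT request.

    exports maps an export path to its set of export options; only "insecure" is
    modelled. Returns a string in the shape of mountd's syslog message."""
    opts = exports.get(req.export)
    if opts is None:
        return f"refused mount request from {req.src_ip} for {req.export}: not exported"
    if "insecure" not in opts and req.src_port > RESERVED_PORT_MAX:
        return (f"refused mount request from {req.src_ip} for {req.export} "
                f"({req.export}): illegal port {req.src_port}")
    return f"authenticated mount request from {req.src_ip}:{req.src_port} for {req.export} ({req.export})"


ILLEGAL_PORT_RE = re.compile(
    r"refused mount request from (?P<ip>\S+) for (?P<export>\S+) \(\S+\): illegal port (?P<port>\d+)")


def find_illegal_port_refusals(log_lines):
    """Pull (ip, export, port) out of mountd 'illegal port' refusals. A port above 1023
    in such a line is the signature of a NAT/PAT rewrite somewhere between client and server."""
    hits = []
    for line in log_lines:
        m = ILLEGAL_PORT_RE.search(line)
        if m:
            hits.append((m["ip"], m["export"], int(m["port"])))
    return hits


# Constructed sample log lines; the first carries the message quoted in the thread.
SAMPLE_LOG = [
    "Jan  1 09:00:01 fileserver rpc.mountd: refused mount request from 192.168.1.28 for /home (/home): illegal port 65026",
    "Jan  1 09:00:05 fileserver rpc.mountd: authenticated mount request from 192.168.1.40:1011 for /home (/home)",
]

if __name__ == "__main__":
    exports = {"/home": {"rw", "secure"}}
    direct = client_mount_request("10.0.0.20", "/home")      # 10.0.0.20: assumed LAN client
    print(mountd_decision(direct, exports))                   # accepted: reserved source port
    natted = outbound_nat(direct, "192.168.1.28", 65026)      # 192.168.1.28: assumed post-NAT source
    print(mountd_decision(natted, exports))                   # refused: illegal port 65026
    print(find_illegal_port_refusals(SAMPLE_LOG))
```

Both fixes named in this reply (plain routing, or an advanced outbound NAT rule that exempts traffic to the WAN subnet) work because they leave the client's reserved source port untouched. pfSense's outbound NAT "static port" option keeps the port as well. Exporting with `insecure` makes the server stop checking instead of fixing the path, so it is the wrong lever here: the reserved-port check is a weak control, but NAT silently defeating it is worth understanding rather than switching off.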



  • Btw, on FreeBSD it is possible to force mountd (rpc.mountd in your case) to bind to a specific port instead of dynamically choosing a port. That way it's possible to create a filter rule for mountd by using that particular port.

    Regards
    Daniel S. Haischt

