Netgate Discussion Forum

Linux logon based on LDAP cannot go through pfSense

    rawe
    last edited by Jan 19, 2007, 5:16 PM

    Hi everybody

    First off: thank you all for a great system. It seems to work great even though I just started using it!

    But I have a problem: we have a hardware-based firewall just after our router. After the firewall we have a number of servers (web, email, LDAP and others), and amongst them is our pfSense server. Behind this machine are our client machines (we more or less have a DMZ, although it's behind another firewall).
    The client machines run Linux, and to keep things simple we authenticate against an LDAP server. This server is, for a number of reasons, placed in the 'DMZ' and we cannot move it behind the pfSense box.

    When we boot up one of the Linux machines it doesn't seem to log on. I suspect that it is because it cannot get to the needed shares on our file server (via NFS). If I log onto the Linux client as root (and thereby log on locally) then things work out fine - except that as root I also cannot get in contact with the NFS server.

    I can browse the internet from the Linux box (going through the pfSense box just fine), check emails and I can even ping the NFS server as well. So there is routing via the pfSense box.

    Could anybody come up with a possible explanation for this behaviour?

    Best

    Rasmus Wehner
        Denmark

      DanielSHaischt
      last edited by Jan 20, 2007, 9:23 PM

      Seems like your pfSense box is blocking NFS-related ports such as rpcbind (111) etc. Did you create appropriate rules on your pfSense box to allow NFS traffic to traverse your WAN iface?

      Regards
      Daniel S. Haischt

      Mit freundlichen Gruessen / With kind regards
      DAn.I.El S. Haischt

        rawe
        last edited by Jan 24, 2007, 2:02 PM

        Hi Daniel

        Thank you for your reply.
        My firewall rules are that all traffic from LAN to WAN is allowed (every protocol on every port from every LAN computer is allowed to communicate with every protocol on every port on every computer on WAN). It's the default configuration for pfSense once you boot it up the first time.

        I thought that this configuration would mean that a client computer (on the LAN side of pfSense) would be allowed to contact an NFS server on the WAN side without any problems. But that doesn't seem to be the case.

        When we try to mount the NFS share (on the WAN side) from a client (on the LAN side), we get the following entry in the NFS server's log file:

        rcp.mountd: refused mount request from 192.168.1.28 for /home (/home): illegal port 65026

        Does this give you any clues to what might be wrong with our setup?

        If someone could give us a tip on where to find more information about this problem, we would be very happy.

        Best

        Rasmus Wehner
            Denmark

          hoba
          last edited by Jan 24, 2007, 2:10 PM

          There is NAT going on from LAN to WAN. Either convert your setup into a routing scenario or add custom advanced outbound NAT rules to shut down NAT for traffic going directly to the WAN subnet.

            DanielSHaischt
            last edited by Jan 24, 2007, 2:58 PM

            Btw, on FreeBSD it is possible to force mountd (rpc.mountd in your case) to bind to a specific port instead of dynamically choosing a port. That way it's possible to create a filter rule for mountd by using that particular port.

            Regards
            Daniel S. Haischt

            Mit freundlichen Gruessen / With kind regards
            DAn.I.El S. Haischt

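The refusal Rasmus quoted ("illegal port 65026") together with hoba's NAT explanation, as a small Python checker added here (not code from the thread or from pfSense): it parses rpc.mountd refusal lines and flags those whose source port is above 1023, which is exactly what an export with mountd's default secure option rejects when a NAT hop has rewritten the client's privileged source port to an ephemeral one. The log lines are constructed samples modelled on the one in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines, modelled on the rpc.mountd entry quoted in the thread.
SAMPLE_LOG = """\
rpc.mountd: refused mount request from 192.168.1.28 for /home (/home): illegal port 65026
rpc.mountd: refused mount request from 192.168.1.31 for /srv/data (/srv/data): illegal port 1024
rpc.mountd: authenticated mount request from 192.168.2.5:862 for /home (/home)
rpc.mountd: refused mount request from 10.0.0.9 for /home (/home): unmatched host
"""

# Exports with the default "secure" option only accept requests whose source port is below 1024.
PRIVILEGED_PORT_MAX = 1023

REFUSED_RE = re.compile(
    r"rpc\.mountd: refused mount request from (?P<client>\S+) for (?P<path>\S+) "
    r"\((?P<export>[^)]*)\): (?P<reason>.*)$"
)
PORT_RE = re.compile(r"illegal port (?P<port>\d+)")


@dataclass
class Refusal:
    client: str
    path: str
    reason: str
    port: Optional[int]   # source port mountd complained about, if the reason names one
    nat_suspect: bool     # True when that port is unprivileged: a NAT hop rewriting the source port fits


def parse_refusals(log_text: str) -> List[Refusal]:
    """Extract every mountd refusal and classify the 'illegal port' ones."""
    refusals = []
    for line in log_text.splitlines():
        m = REFUSED_RE.search(line)
        if not m:
            continue  # authenticated mounts and unrelated lines are ignored
        pm = PORT_RE.search(m["reason"])
        port = int(pm["port"]) if pm else None
        refusals.append(Refusal(
            client=m["client"], path=m["path"], reason=m["reason"],
            port=port, nat_suspect=port is not None and port > PRIVILEGED_PORT_MAX,
        ))
    return refusals


def nat_suspect_clients(log_text: str) -> List[str]:
    """Clients whose mounts were refused only because their source port arrived unprivileged."""
    return sorted({r.client for r in parse_refusals(log_text) if r.nat_suspect})


if __name__ == "__main__":
    for r in parse_refusals(SAMPLE_LOG):
        print(f"{r.client:15} {r.path:10} {r.reason:25} NAT suspected: {r.nat_suspect}")
    print("check outbound NAT / routing for:", nat_suspect_clients(SAMPLE_LOG))
```

A client listed by nat_suspect_clients is the one to check against the outbound NAT rules (or to exempt from NAT for the WAN subnet, as hoba suggests); a refusal such as "unmatched host" is an export ACL problem and is left out of that list.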