Windows shares behind NAT
  • Hi.

    I installed a pfSense system with three interfaces (LAN, WAN and OPT).

    I have a Windows server on the OPT network, and its shares need to be accessed from clients on the LAN network, so I created a manual outbound NAT entry.
    All other protocols and services work without any problem from the LAN to the OPT network, but accessing the Windows shares is very unstable. If I transfer very small files, I have no problem, but if I transfer big files or folders, the connections hang.

    I tried setting static port on the outbound NAT rule, but it solved the problem for only 10 minutes.

    Could you help me please?
    Thank you very much!
    Bye.
  • Your OPT network, is it using a private or public IP range? How about the LAN network? Are the OPT and LAN networks using separate ranges? I'm a little confused why you don't just use firewall rules to allow traffic between the networks instead of NAT.
  • I'm not exactly sure why you are trying to NAT the Windows File Sharing stuff … but you might not be forwarding all the correct ports.  The snippet below comes from a larger article on the Microsoft Support page, http://support.microsoft.com/kb/298804:

    Important If you set up a firewall to help protect computer ports that are connected to the Internet, we do not recommend that you open these ports because they can be exposed to other computers on the Internet. Additionally, specific computers cannot be granted access to the open ports.

    The following ports are associated with file sharing and server message block (SMB) communications:

    * Microsoft file sharing SMB: User Datagram Protocol (UDP) ports from 135 through 139 and Transmission Control Protocol (TCP) ports from 135 through 139.
    * Direct-hosted SMB traffic without a network basic input/output system (NetBIOS): port 445 (TCP and UDP).

    I'm not sure exactly what you're trying to do, but you could always use Web-based directory browsing instead of File Sharing.  By setting up a Web-based solution, you'd only need to deal with one port, and you could still use password protection to prevent unauthorized users from gaining access to certain shares.  Of course, this idea would only really work if you didn't need to allow the users to add files to the shared folders.  Alternatively, FTP might be an option for you as well, but getting FTP to work through NAT can sometimes be a pain.

    Alternatively, assuming you are NATing all the ports shown above, you might not have enough RAM or processing power on your pfSense box to handle that many NAT translations and connections.
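The two replies above make the same practical point from different directions: pass the SMB/NetBIOS traffic between the two networks with ordinary interface rules rather than NAT, and make sure every port in the quoted Microsoft list is actually allowed. The following script is an added example, not code from the thread or from pfSense: it models a first-match, default-deny interface ruleset the way pfSense evaluates its per-interface rules, and reports which of the listed ports (TCP and UDP 135-139, TCP and UDP 445, exactly as the KB article quoted above states them) a given ruleset fails to pass from a LAN client to the OPT server. The `Rule` class, the network ranges 192.168.1.0/24 and 192.168.2.0/24 and the two host addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Ports the quoted Microsoft article associates with file sharing and SMB:
# TCP and UDP 135-139 (NetBIOS over TCP/IP) plus TCP and UDP 445 (direct-hosted SMB).
SMB_PORTS = sorted({(proto, port)
                    for proto in ("tcp", "udp")
                    for port in list(range(135, 140)) + [445]})


@dataclass(frozen=True)
class Rule:
    """Simplified pfSense-style interface rule (hypothetical model, not pfSense's config format).

    pfSense applies per-interface rules first-match on the interface a packet
    arrives on and blocks anything no rule passes; this class mirrors that.
    """
    action: str      # "pass" or "block"
    iface: str       # interface the packet enters on, e.g. "LAN"
    proto: str       # "tcp", "udp" or "any"
    src: str         # source network, CIDR
    dst: str         # destination network, CIDR
    port_lo: int     # destination port range, inclusive
    port_hi: int

    def matches(self, iface, proto, src_ip, dst_ip, dport):
        if self.iface != iface:
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        return self.port_lo <= dport <= self.port_hi


def decide(rules, iface, proto, src_ip, dst_ip, dport):
    """Return the action of the first matching rule; default policy is block."""
    for rule in rules:
        if rule.matches(iface, proto, src_ip, dst_ip, dport):
            return rule.action
    return "block"


def missing_smb_ports(rules, iface, src_ip, dst_ip):
    """List the (proto, port) pairs from SMB_PORTS that the ruleset does not pass."""
    return [(proto, port) for proto, port in SMB_PORTS
            if decide(rules, iface, proto, src_ip, dst_ip, port) != "pass"]


# Constructed sample topology (assumed ranges, not from the thread).
LAN_NET, OPT_NET = "192.168.1.0/24", "192.168.2.0/24"
CLIENT, SERVER = "192.168.1.50", "192.168.2.10"

# Ruleset that only opens direct-hosted SMB over TCP: the usual "mostly works" mistake.
PARTIAL_RULES = [
    Rule("pass", "LAN", "tcp", LAN_NET, OPT_NET, 445, 445),
]

# Ruleset that passes every port in the quoted list, for both protocols.
FULL_RULES = [
    Rule("pass", "LAN", "tcp", LAN_NET, OPT_NET, 135, 139),
    Rule("pass", "LAN", "udp", LAN_NET, OPT_NET, 135, 139),
    Rule("pass", "LAN", "tcp", LAN_NET, OPT_NET, 445, 445),
    Rule("pass", "LAN", "udp", LAN_NET, OPT_NET, 445, 445),
]

if __name__ == "__main__":
    print("partial ruleset misses:", missing_smb_ports(PARTIAL_RULES, "LAN", CLIENT, SERVER))
    print("full ruleset misses:   ", missing_smb_ports(FULL_RULES, "LAN", CLIENT, SERVER))
```

Only rules on the LAN interface are checked because pfSense is stateful: once the client's connection is passed on LAN, the server's replies back through OPT are matched by the state entry and need no rule of their own. With both networks in private ranges that pfSense already routes, that pass rule is the whole job, and no outbound NAT entry between LAN and OPT is required.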