Unable to connect to OPT1 from LAN



  • I have a file server that I'm running on OPT1.  My understanding is that the default rules allow LAN to connect to anything, so I should be able to make connections to the file server from my desktop on LAN.

    However, I can't seem to connect.  I've tried using the default Windows file share and FTP, and neither one works.  I can't find anything in the logs showing traffic being blocked.

    What could be preventing my LAN machine from connecting to the OPT1 box?  What can I check?



  • Would you kindly provide more info? Screenshots of the rules and the IP-addressing scheme would be a good starting point.



  • @Metu69salemi:

    Would you kindly provide more info? Screenshots of the rules and the IP-addressing scheme would be a good starting point.

    I'm pretty much running the default firewall rules.  Both OPT1 and LAN have their own DHCP server and subnet.  I was under the impression that LAN should be able to connect to anything unless it was specifically disallowed.

    I have to rebuild my machine this weekend anyway, so is there anything in particular I should look for?  I plan on doing a clean build using the latest RC.



  • Just add a rule on the LAN tab like this:
    allow
    proto: any
    src: lan-subnet
    destination: opt1-subnet



  • Your assumption is right, LAN should be allowed to any by default. OPT1 isn't.



  • @heper:

    Just add a rule on the LAN tab like this:
    allow
    proto: any
    src: lan-subnet
    destination: opt1-subnet

    Doesn't the default rule already allow this?

    @Metu69salemi:

    Your assumption is right, LAN should be allowed to any by default. OPT1 isn't.

    So why wouldn't I be able to connect from LAN to OPT1?

    I just realized something.  I can connect to the web server on OPT1 from LAN, but not to a file share or FTP server.  Is there something different about those protocols that would cause them not to work?



  • SMB and FTP might need some more knowledge; try to use search. There is a lot of discussion already in this forum.



  • If there is no firewall rule on an interface, it means that everything is blocked.
    So if you would like to allow traffic from LAN to everywhere (WAN, OPT1), then add a firewall rule with:

    protocol: any
    source: any OR LAN subnet
    port: any
    destination: any
    destination port: any

    If you would like to connect from the OPT1 interface to your LAN, then you have to enter a firewall rule there, too.



  • @Metu69salemi:

    SMB and FTP might need some more knowledge; try to use search. There is a lot of discussion already in this forum.

    All I really found for SMB was this post.

    http://forum.pfsense.org/index.php/topic,37044.0.html

    And I have the DNS override settings enabled, and I've tried it with just the IP.  It doesn't work either way.

    It does mention Samba locking things down by subnet, but how do I check that?

    @Nachtfalke:

    If there is no firewall rule on an interface, it means that everything is blocked.
    So if you would like to allow traffic from LAN to everywhere (WAN, OPT1), then add a firewall rule with:

    protocol: any
    source: any OR LAN subnet
    port: any
    destination: any
    destination port: any

    If you would like to connect from the OPT1 interface to your LAN, then you have to enter a firewall rule there, too.

    The default rule already covers this.  I'm not sure why people keep repeating it.

    And I don't care about going from OPT1 to the LAN.  I just want to be able to connect to a share on OPT1 from the LAN.



  • A local firewall on the file server with a wrong range?



  • @Perry:

    A local firewall on the file server with a wrong range?

    Tried turning it completely off and still couldn't connect.

    It looks like SMB doesn't work well across subnets.  I'm okay with using FTP instead, but I'm not sure why FTP isn't working either.



  • Are you using active or passive FTP?

    Maybe you should try to create a rule on OPT1:
    allow SMB traffic from the servers to the LAN subnet



  • @Metu69salemi:

    Are you using active or passive FTP?

    Whatever Filezilla defaults to.  I didn't mess with any of the settings.

    Maybe you should try to create a rule on OPT1:
    allow SMB traffic from the servers to the LAN subnet

    How would that work?  What ports are you saying I should open?



  • Google has the answer. I almost had to find it twice.
    A few ports, and remember to read that TCP/UDP 445 also; it's not in the box.



  • @Metu69salemi:

    Google has the answer. I almost had to find it twice.
    A few ports, and remember to read that TCP/UDP 445 also; it's not in the box.

    Since the LAN rule allows the traffic to OPT1, I'm assuming you mean I should open the port from the DMZ side.  Do I really need it if I only want access from the LAN to OPT1?

    I just tried opening 445 TCP/UDP from the server to the LAN subnet and it doesn't seem to have had any effect.  I still can't connect to a Windows share.

    I ended up installing CopSSH, and that's working so far, but my transfer speeds are horrible.



  • SMB itself isn't the easiest traffic type to troubleshoot. That's the reason to also open ports from another interface. And yes, I do know what SPI means.



  • @Metu69salemi:

    SMB itself isn't the easiest traffic type to troubleshoot. That's the reason to also open ports from another interface.

    Well, like I said, I opened 445 TCP/UDP from the server on OPT1 to LAN and I still can't connect from the LAN.

    And yes, I do know what SPI means.

    Huh?



  • SPI = a stateful firewall should keep ports open for a while if the connection came from the inbound side.

    Then I have to admit I don't have a clue what the problem is here.



  • @Metu69salemi:

    SPI = a stateful firewall should keep ports open for a while if the connection came from the inbound side.

    Then I have to admit I don't have a clue what the problem is here.

    Me either.  We'll see how things go when I swap out my current box for the new one.

    Honestly, it wouldn't be so bad if SFTP wasn't so slow.



  • @Metu69salemi:

    SMB and FTP might need some more knowledge; try to use search. There is a lot of discussion already in this forum.

    Here is some info regarding SMB. I'm in the process of allowing file sharing between Ubuntu and Windows
    through pfSense.
    This might help with the ports to open:

    netbios-ns   137/tcp # NETBIOS Name Service
    netbios-dgm  138/tcp # NETBIOS Datagram Service
    netbios-ssn  139/tcp # NETBIOS Session Service
    microsoft-ds 445/tcp # if you are using Active Directory

    Some other ports that might help:
    port 389/tcp for LDAP
    port 445/tcp NETBIOS was moved to 445 after 2000 (CIFS)
    port 901/tcp for the SWAT service (web GUI to configure Samba)

    Here is a link where I got most of the info I needed; there is also a sample iptables ruleset:
    http://www.cyberciti.biz/tips/connecting-linux-unix-system-network-attached-storage-device.html
    I know this doesn't have a sample for pfSense, but you can get what rules to create from the iptables rules.
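The original poster said the firewall logs showed nothing being blocked. The script below is an added example (not from this thread or from pfSense itself) that reads pfSense filterlog records and reports blocked packets to the NetBIOS/SMB ports listed above and the FTP control port, split by direction between the LAN and OPT1 subnets, so a missing OPT1 rule or a LAN-side block stands out. It assumes the CSV field layout that pfSense 2.2 and later write to filter.log; the subnets, interface names and log lines are constructed samples.

```python
import ipaddress
from dataclasses import dataclass

# Ports this thread lists for NetBIOS/SMB, plus the FTP control port.
SMB_FTP_PORTS = {21, 137, 138, 139, 445}

@dataclass
class Entry:
    iface: str
    action: str
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: "int | None"  # None for records that are not TCP/UDP

def parse_filterlog(line: str) -> "Entry | None":
    """Parse one filterlog CSV record (assumed pfSense 2.2+ layout, IPv4 only):
    rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,id,
    offset,flags,proto-id,proto,len,src,dst[,sport,dport,...]"""
    f = line.strip().split(",")
    if len(f) < 20 or f[8] != "4":
        return None
    proto = f[16].lower()
    dport = int(f[21]) if proto in ("tcp", "udp") and len(f) > 21 else None
    return Entry(f[4], f[6], proto, ipaddress.ip_address(f[18]),
                 ipaddress.ip_address(f[19]), dport)

def blocked_between(lines, lan_net, opt1_net, ports=SMB_FTP_PORTS):
    """Group blocked file-sharing packets by direction between the two subnets.
    Replies to a flow that LAN's pass rule already allowed are matched by state
    and never logged as blocks, so only a flow's first packet can appear here."""
    lan, opt1 = ipaddress.ip_network(lan_net), ipaddress.ip_network(opt1_net)
    hits = {"LAN->OPT1": [], "OPT1->LAN": []}
    for e in filter(None, map(parse_filterlog, lines)):
        if e.action != "block" or e.dport not in ports:
            continue
        if e.src in lan and e.dst in opt1:
            hits["LAN->OPT1"].append(e)
        elif e.src in opt1 and e.dst in lan:
            hits["OPT1->LAN"].append(e)
    return hits

# Constructed sample records (not real logs): LAN 192.168.1.0/24 on em1, OPT1
# 192.168.2.0/24 on em2. Two SMB attempts from LAN blocked, HTTP passed, one
# SMB attempt from the OPT1 server toward LAN blocked (OPT1 has no pass rule).
SAMPLE_LOG = """\
5,,,1000000103,em1,match,block,in,4,0x0,,128,0,0,DF,6,tcp,52,192.168.1.50,192.168.2.10,49152,445,0,S,1,,65535,,mss
5,,,1000000103,em1,match,block,in,4,0x0,,128,0,0,none,17,udp,78,192.168.1.50,192.168.2.10,137,137,58
7,,,1000000105,em1,match,pass,in,4,0x0,,128,0,0,DF,6,tcp,52,192.168.1.50,192.168.2.10,49153,80,0,S,1,,65535,,mss
6,,,1000000104,em2,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.2.10,192.168.1.50,49200,445,0,S,1,,65535,,mss
"""
```

Feed it the output of `clog /var/log/filter.log` (the part after the `filterlog:` tag) with the real LAN and OPT1 subnets; an empty `LAN->OPT1` list confirms the firewall is not the blocker and the problem is on the server or in the protocol, as later posts in this thread suggest.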

