LAN clients and shared folders in DMZ & SQL Server connection [SOLVED]



  • Hi guys,

    I have pfSense with this conf:

    WAN  (public IP)
    LAN    192.168.1.1
    DMZ  192.168.2.1

    I have some shared folders on two servers in DMZ but LAN client can't read them anyway!  :-[

    On the LAN interface I put those rules

    IPv4 TCP/UDP    LAN net    *    DMZ net    137 - 138    *    none        Allow LAN to NetBIOS
    IPv4 TCP/UDP    LAN net    *    DMZ net    139 (NetBIOS-SSN)    *    none        Allow LAN to NetBIOS
    IPv4 TCP/UDP    LAN net    *    DMZ net    445 (MS DS)    *    none        Allow LAN to MS SMB

    but it doesn't work. Could you tell me what was wrong, please?  ??? :'( :(

    Thanx a lot for your time.



  • I don't have a specific answer for you, but any time things aren't working and I wonder why, I do a packet capture and see what is being blocked between the two systems.



  • I can show all the rules in LAN and DMZ, to complete the info.






  • That is only helpful if you know exactly what you need in your rule, and you're checking to make sure you didn't omit something.  Obviously something is being blocked but you don't know what.  That is where packet capture comes in.



  • The ports I usually open to allow SMB are TCP 137-139 and TCP 445. From your screenshots, I can see that you do not allow TCP 137-138, only UDP. Perhaps you can try to change the rule with ports 137 and 138 to TCP instead?

    In addition, the three bottom rules on your DMZ interface will never be used/don't have any effect.

    Edit: Regarding your rules on the DMZ interface, you are aware that "WAN address" isn't the whole Internet, right? "WAN address" is only the IP address on your WAN interface. So you are in fact allowing hosts in the DMZ to access the Web GUI on pfSense.



  • @vindenesen:

    The ports I usually open to allow SMB are TCP 137-139 and TCP 445. From your screenshots, I can see that you do not allow TCP 137-138, only UDP. Perhaps you can try to change the rule with ports 137 and 138 to TCP instead?

    Changed, thanx.

    @vindenesen:

    In addition, the three bottom rules on your DMZ interface will never be used/don't have any effect.

    But I thought I had to allow NetBIOS and SMB to let the Windows network resolve the client names correctly, isn't it?

    @vindenesen:

    Edit: Regarding your rules on the DMZ interface, you are aware that "WAN address" isn't the whole Internet, right? "WAN address" is only the IP address on your WAN interface. So you are in fact allowing hosts in the DMZ to access the Web GUI on pfSense.

    Which are the correct rules to allow the DMZ to go only to the web and not to the whole networks? I mean, I think that a rule like

    IPv4 TCP DMZ net    *    *    22 (SSH)    *    none        Allow DMZ to SSH

    allows access to the SSH protocol from the DMZ to all the networks around (WAN and LAN), right? So which is the correct rule to let the DMZ go only in the web direction?

    Thanx.

    P.S.: Now if I write the server IP (\\192.168.2.x) I can see the shared folders, but if I write the server name (\\SERVER-NAME), I don't.



  • @Thorthegod:

    But I thought I had to allow NetBIOS and SMB to let the Windows network resolve the client names correctly, isn't it?

    Traffic on the DMZ-interface will never have source set to "LAN net". Rules are evaluated on incoming traffic on an interface, and you will never have traffic coming from LAN going in on the DMZ interface. And I think NetBIOS name resolution only works per subnet, not across subnets. For that you need DNS.

    @Thorthegod:

    Which are the correct rules to allow the DMZ to go only to the web and not to the whole networks? I mean, I think that a rule like
    IPv4 TCP DMZ net    *    *    22 (SSH)    *    none        Allow DMZ to SSH

    allows access to the SSH protocol from the DMZ to all the networks around (WAN and LAN), right? So which is the correct rule to let the DMZ go only in the web direction?

    The rule above will, like you said, allow SSH to all your networks. What I usually do is create an alias containing all my local networks (let's call it Local_Networks). And then I create a rule that allows traffic from "DMZ net" to "not Local_Networks". See attached image. My rule allows traffic destined for all addresses, except my local networks.

    @Thorthegod:

    P.S.: Now if I write the server IP (\\192.168.2.x) I can see the shared folders, but if I write the server name (\\SERVER-NAME), I don't.

    Again, that's because NetBIOS name resolution does not work across subnets. Routers block broadcasts. You need to set up DNS properly.




  • Hi guys,

    I installed a WINS server service on a server in my DMZ. Now, with the rules I posted in my last message and adding the WINS port rule, I am able to share folders from the DMZ servers to the LAN clients. But I still have some problems.

    Browsing the network resources in my Win7 client I'm not able to find the servers' shared folders; I can see them only if I write the network path myself (i.e. \\server-name\folder-name or \\server-name).

    When connecting SQL Management to the server in the DMZ, the connection timeout is very high (about 50 seconds). With my IP, which can do everything (I set my static IP for admin reasons with all permissions), the DB connection is very quick (about 2-3 seconds!).

    Please, help me!



  • If you can't browse them but you can get to them if you manually put in their netbios name, doesn't that usually mean that network discovery is disabled on your Win7 client?


  • Rebel Alliance Global Moderator

    "Browsing the network resources"

    Browsing across network segments has always been a pain - you need to have a master browser in both segments, you need them to exchange info, and your WINS server is needed, yes.

    I really never understand this - don't you know their names, don't you know what you want to connect to - then why do you need to browse?  Use the FQDN and connect to them ;)



  • Ok guys,

    I almost solved the problem about browsing resources on the network, I'll let you know as soon as possible.

    The most important thing for me, now, is allowing the MS SQL Server connection from LAN to DMZ.
    I'll explain as well as I can.
    I have two Win Server 2003 on the DMZ with SQL Server on.
    I have Win7 Pro clients on the LAN.
    I allowed 1433 and 1434 ports for SQL Server connection.
    Moreover, I know that the SQL Server Browser Service is used on the server to listen on the dynamic ports that SQL uses for connections and send them to the client that is going to connect to it. The used ports are those over 1024.

    Now, I don't know how to manage this kind of connection. Maybe setting a static port or what else?

    Thanx a lot.


  • Rebel Alliance Global Moderator

    Set your SQL to use a specific port for each instance you're running
    http://msdn.microsoft.com/en-us/library/ms177440.aspx
    Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager)



  • Hi guys,

    I have the solutions.

    For shared folders I had to install a WINS server on my DMZ server, so I can write \\servername\ and I can reach the right folders.

    For the MS SQL SERVER connection I had to allow the 1433 and 1434 standard ports for MS SQL. Moreover, I had to check the dynamic ports in SQL SERVER. I had to set a fixed port in the SQL network settings, in the TCP/IP section, in the AllIP profile, in the port value. Then I allowed that specific port.

    Now it's all right!!!

    Thanx to all of you!!!
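The two points that tripped up this thread are easy to check on paper: pfSense evaluates rules on the interface where traffic arrives, first match wins, and anything unmatched is dropped. The script below is an added example, not code from the thread or from pfSense; it assumes LAN 192.168.1.0/24 and DMZ 192.168.2.0/24, constructs rule sets based on the ones discussed above, and ignores states and NAT.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed to mirror the thread: LAN 192.168.1.0/24, DMZ 192.168.2.0/24,
# plus the "Local_Networks" alias vindenesen suggests (the /24s are assumed).
NETS = {"LAN net": ipaddress.ip_network("192.168.1.0/24"),
        "DMZ net": ipaddress.ip_network("192.168.2.0/24")}
ALIASES = {"Local_Networks": list(NETS.values())}

class Rule(NamedTuple):
    iface: str              # interface the packet arrives on (ingress only)
    proto: str              # "tcp", "udp" or "tcp/udp"
    src: str                # network name, alias name or "*"
    dst: str                # same, or "!Alias" for a negated destination
    ports: Optional[tuple]  # (low, high) destination port range; None = any

def _match_addr(spec: str, addr) -> bool:
    if spec == "*":
        return True
    name = spec.lstrip("!")
    nets = ALIASES.get(name) or [NETS[name]]
    hit = any(addr in net for net in nets)
    return not hit if spec.startswith("!") else hit

def allowed(rules, iface, proto, src, dst, dport) -> bool:
    """pfSense-style first match on ingress rules; no match means default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.iface != iface or proto not in r.proto.split("/"):
            continue
        if not (_match_addr(r.src, src) and _match_addr(r.dst, dst)):
            continue
        if r.ports and not (r.ports[0] <= dport <= r.ports[1]):
            continue
        return True
    return False

# LAN ingress: 137-138 UDP only (as vindenesen read the screenshots), 139 and
# 445, plus the SQL defaults (TCP 1433, UDP 1434 for SQL Browser). Constructed.
LAN_RULES = [
    Rule("LAN", "udp", "LAN net", "DMZ net", (137, 138)),
    Rule("LAN", "tcp/udp", "LAN net", "DMZ net", (139, 139)),
    Rule("LAN", "tcp/udp", "LAN net", "DMZ net", (445, 445)),
    Rule("LAN", "tcp", "LAN net", "DMZ net", (1433, 1433)),
    Rule("LAN", "udp", "LAN net", "DMZ net", (1434, 1434)),
]
# DMZ ingress: the SSH rule from the thread, then the "!Local_Networks" fix.
DMZ_LOOSE = [Rule("DMZ", "tcp", "DMZ net", "*", (22, 22))]
DMZ_TIGHT = [Rule("DMZ", "tcp", "DMZ net", "!Local_Networks", (22, 22))]
```

Evaluating a LAN client against a dynamic SQL port such as 49152 returns False under LAN_RULES, which is why the SQL connection stalled until a fixed instance port was set and allowed; a rule with source "LAN net" placed on the DMZ interface never matches, because LAN traffic never arrives there.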