Netgate Discussion Forum
    LAN clients and shared folders in DMZ & SQL Server connection [SOLVED]

    • Thorthegod

      I can show all the rules in LAN and DMZ, for completing infos.

      Fw-DMZ.png
      Fw-LAN.png

      Sincerely yours,

      ThorTheGod


      Ubuntu 14.04 on Toshiba, pfSense on Intel Appliance

      • KOM

        That is only helpful if you know exactly what you need in your rule, and you're checking to make sure you didn't omit something. Obviously something is being blocked but you don't know what. That is where packet capture comes in.

        • vindenesen

          The ports I usually open to allow SMB are TCP 137-139 and TCP 445. From your screenshots, I can see that you do not allow TCP 137-138, only UDP. Perhaps you can try to change the rule with ports 137 and 138 to TCP instead?

          In addition, the three bottom rules on your DMZ interface will never be used/don't have any effect.

          Edit: Regarding your rules on the DMZ interface, you are aware that "WAN address" isn't the whole Internet, right? "WAN address" is only the IP address on your WAN interface. So you are in fact allowing hosts in the DMZ to access the Web GUI on pfSense.

          Support the project by buying a Gold Subscription at https://portal.pfsense.org
          Running pfSense on SuperMicro A1SRI-2758F with ESXi 5.5

          • Thorthegod

            @vindenesen:

            The ports I usually open to allow SMB are TCP 137-139 and TCP 445. From your screenshots, I can see that you do not allow TCP 137-138, only UDP. Perhaps you can try to change the rule with ports 137 and 138 to TCP instead?

            Changed, thanx.

            @vindenesen:

            In addition, the three bottom rules on your DMZ interface will never be used/don't have any effect.

            But I thought I had to allow NetBIOS and SMB to let the Windows network resolve the client names correctly, isn't it?

            @vindenesen:

            Edit: Regarding your rules on the DMZ interface, you are aware that "WAN address" isn't the whole Internet, right? "WAN address" is only the IP address on your WAN interface. So you are in fact allowing hosts in the DMZ to access the Web GUI on pfSense.

            Which are the correct rules to let the DMZ go only to the web and not to all the networks? I mean, I think that a rule like

            IPv4 TCP DMZ net    *    *    22 (SSH)    *    none        Allow DMZ to SSH

            allows access to the SSH protocol from the DMZ to all the surrounding networks (WAN and LAN), right? So which is the correct rule to let the DMZ go only toward the web?

            Thanx.

            P.S.: Now if I write the server IP (\\192.168.2.x) I can see the shared folders, but if I write the server name (\\SERVER-NAME), I don't.

            Sincerely yours,

            ThorTheGod


            • vindenesen

              @Thorthegod:

              But I thought I had to allow NetBIOS and SMB to let the Windows network resolve the client names correctly, isn't it?

              Traffic on the DMZ-interface will never have source set to "LAN net". Rules are evaluated on incoming traffic on an interface, and you will never have traffic coming from LAN going in on the DMZ interface. And I think NetBIOS name resolution only works per subnet, not across subnets. For that you need DNS.

              @Thorthegod:

              Which are the correct rules to let the DMZ go only to the web and not to all the networks? I mean, I think that a rule like
              IPv4 TCP DMZ net    *    *    22 (SSH)    *    none        Allow DMZ to SSH

              allows access to the SSH protocol from the DMZ to all the surrounding networks (WAN and LAN), right? So which is the correct rule to let the DMZ go only toward the web?

              The rule above will, like you said, allow SSH to all your networks. What I usually do is create an alias containing all my local networks (let's call it Local_Networks). Then I create a rule that allows traffic from "DMZ net" to "not Local_Networks". See attached image. My rule allows traffic destined for all addresses, except my local networks.

              @Thorthegod:

              P.S.: Now if I write the server IP (\\192.168.2.x) I can see the shared folders, but if I write the server name (\\SERVER-NAME), I don't.

              Again, that's because NetBIOS name resolution does not work across subnets. Routers block broadcasts. You need to set up DNS properly.

              Rule_internet_access.JPG
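To make the rule points in this and the earlier reply concrete (a rule on the DMZ interface with source "LAN net" never matches because rules are checked on the interface the traffic enters, "WAN address" is only the firewall's own WAN IP, and an allow to "not Local_Networks" keeps DMZ hosts off the LAN), here is an added Python first-match simulator. It is not from the thread or from pfSense; the 192.168.1.0/24 LAN, the 192.168.2.0/24 DMZ and the 203.0.113.10 WAN address are assumed sample values.

```python
from ipaddress import ip_address, ip_network
# Constructed sample topology (the thread only shows 192.168.2.x for the DMZ).
NETS = {"LAN net": ip_network("192.168.1.0/24"),
        "DMZ net": ip_network("192.168.2.0/24")}
ADDRS = {"WAN address": ip_address("203.0.113.10")}  # only the firewall's own WAN IP
ALIASES = {"Local_Networks": [NETS["LAN net"], NETS["DMZ net"]]}

def spec_matches(spec, ip):
    """Resolve a src/dst spec: '*', 'LAN net', 'WAN address', an alias, or '!alias'."""
    if spec == "*":
        return True
    negate = spec.startswith("!")
    name = spec.lstrip("!")
    if name in NETS:
        hit = ip in NETS[name]
    elif name in ADDRS:
        hit = ip == ADDRS[name]
    else:
        hit = any(ip in net for net in ALIASES[name])
    return hit != negate

def ingress_interface(src_ip):
    """Rules are checked on the interface a packet enters, which the source decides."""
    for name, net in NETS.items():
        if src_ip in net:
            return name.split()[0]  # 'LAN' or 'DMZ'
    return "WAN"

def evaluate(rules, proto, src, dst, dport):
    """First matching rule on the ingress interface wins; no match is the implicit block."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    iface = ingress_interface(src_ip)
    for r in rules:
        if (r["iface"] == iface and r["proto"] in (proto, "*")
                and spec_matches(r["src"], src_ip) and spec_matches(r["dst"], dst_ip)
                and r["dport"] in (dport, "*")):
            return r["action"]
    return "block"

def rule(iface, proto, src, dst, dport, action="pass"):
    return {"iface": iface, "proto": proto, "src": src, "dst": dst, "dport": dport, "action": action}

SSH_TO_ANY = [rule("DMZ", "tcp", "DMZ net", "*", 22)]  # the posted 'Allow DMZ to SSH' rule
DMZ_TO_INTERNET = [rule("DMZ", "tcp", "DMZ net", "!Local_Networks", "*")]  # the alias approach
GUI_ONLY = [rule("DMZ", "tcp", "DMZ net", "WAN address", 443)]  # reaches the firewall, not the web
MISPLACED = [rule("DMZ", "tcp", "LAN net", "DMZ net", 445)]  # never matches: LAN traffic enters on LAN
LAN_SMB = [rule("LAN", "tcp", "LAN net", "DMZ net", 445)]  # the same allow, placed on the LAN interface
```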
              • Thorthegod

                Hi guys,

                I installed a WINS server service on a server in my DMZ. Now, with the rules I posted in my last message and adding the WINS port rule, I am able to share folders from the DMZ servers to the LAN clients. But I still have some problems.

                Browsing the network resources in my win7 client I'm not able to find the servers' shared folders; I can see them only if I write the network path by myself (i.e. \\server-name\folder-name or \\server-name).

                When connecting SQL Management to the server in the DMZ, the connection timeout is very high (about 50 seconds). With my own IP, which can do everything (I gave my static IP all permissions for admin reasons), the DB connection is very quick (about 2-3 seconds!).

                Please, help me!

                Sincerely yours,

                ThorTheGod


                • KOM

                  If you can't browse them but you can get to them if you manually put in their NetBIOS name, doesn't that usually mean that network discovery is disabled on your Win7 client?

                  • johnpoz (LAYER 8 Global Moderator)

                    "Browsing the network resources"

                    Browsing across network segments has always been a pain - you need to have a master browser in both segments, you need them to exchange info, and yes, your WINS server is needed.

                    I really never understand this - don't you know their names, don't you know what you want to connect to - then why do you need to browse? Use the FQDN and connect to them ;)

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    • Thorthegod

                      Ok guys,

                      I almost solved the problem about browsing resources on the network, I'll let you know as soon as possible.

                      The most important thing for me, now, is allowing the MS SQL Server connection from LAN to DMZ.
                      I'll explain as well as I can.
                      I have two Win Server 2003 machines on the DMZ with SQL Server on them.
                      I have Win7 Pro clients on the LAN.
                      I allowed ports 1433 and 1434 for the SQL Server connection.
                      Moreover, I know that the SQL Server Browser Service is used on the server to listen for the dynamic ports that SQL uses for connections and send them to the client that is going to connect to it. The ports used are those above 1024.

                      Now, I don't know how to manage this kind of connection. Maybe setting a static port or what else?

                      Thanx a lot.

                      Sincerely yours,

                      ThorTheGod


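The Browser Service behaviour described in this post is what makes the firewall rule hard to write: the client asks UDP 1434 for the instance and is told a port that can change. As an added example (not from the thread, and not Microsoft's code), this Python parser reads a constructed SQL Server Browser reply in the documented SSRP layout and lists the instances whose reported port the firewall does not yet allow; SRV01, SQLEXPRESS and port 49172 are made-up sample values.

```python
import struct

def build_svr_resp(instances):
    """Build a constructed SVR_RESP (the Browser Service's UDP 1434 reply): byte 0x05,
    a 2-byte little-endian length, then one 'ServerName;..;tcp;PORT;;' record per instance."""
    data = "".join(
        f"ServerName;{srv};InstanceName;{inst};IsClustered;No;Version;{ver};tcp;{port};;"
        for srv, inst, ver, port in instances).encode("ascii")
    return b"\x05" + struct.pack("<H", len(data)) + data

def parse_svr_resp(msg):
    """Return {instance_name: tcp_port} from a SVR_RESP; reject anything malformed."""
    if len(msg) < 3 or msg[0] != 0x05:
        raise ValueError("not a SVR_RESP message")
    (size,) = struct.unpack_from("<H", msg, 1)
    data = msg[3:3 + size].decode("ascii")
    ports = {}
    for record in filter(None, data.split(";;")):
        fields = record.split(";")
        kv = dict(zip(fields[0::2], fields[1::2]))  # key;value pairs
        if "tcp" in kv and "InstanceName" in kv:
            ports[kv["InstanceName"]] = int(kv["tcp"])
    return ports

def unreachable_instances(ports, allowed_ports):
    """Instances the firewall would still block because their listening port is not allowed."""
    return {inst: port for inst, port in ports.items() if port not in allowed_ports}

# Constructed sample: a default instance on 1433 and a named instance on a dynamic port.
SAMPLE = build_svr_resp([("SRV01", "MSSQLSERVER", "9.00.5000", 1433),
                         ("SRV01", "SQLEXPRESS", "9.00.5000", 49172)])
FIREWALL_ALLOWED = {1433, 1434}  # what the thread had opened before pinning the port
```

Once the instance is pinned to a fixed TCP port, the port in this reply stays constant and a single firewall rule covers it.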
                      • johnpoz (LAYER 8 Global Moderator)

                        Set your SQL to use a specific port for each instance you're running:
                        http://msdn.microsoft.com/en-us/library/ms177440.aspx
                        Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager)

                        • Thorthegod

                          Hi guys,

                          I have the solutions.

                          For shared folders I had to install a WINS server on my DMZ server, so I can write \\servername\ and I can reach the right folders.

                          For the MS SQL Server connection I had to allow the standard MS SQL ports 1433 and 1434. Moreover, I had to check the dynamic ports in SQL Server. I had to set a fixed port in the SQL network settings, in the TCP/IP section, in the AllIP profile, in the port value. Then I allowed that specific port.

                          Now it's all right!!!

                          Thanx to all of you!!!

                          Sincerely yours,

                          ThorTheGod


                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.