Accessing a NAS across a pfsense firewall from a windows pc

So I have a Diskstation NAS drive on the WAN side of the pfsense firewall and a Windows laptop the other side. I can ping the NAS drive OK but I can't get the file sharing side to work. Am I wasting my time?

To explain a bit more I've added an entry to lmhosts for the NAS and file explorer shows a green network icon implying the network share is OK but it doesn't show any files if I delve into the share, I get an error about it being unavailable. If I try from a command prompt I can see the share names at \\diskstation or via \\ip.address but again I can't venture in to the folder shares and see some files.

Are there rules I can configure in pfsense from the WAN LAN ( 192.168.99.0/24 ) to the firewalled side ( 192.168.199.0/24 ) ?

TIA
 
Is there a particular reason you've put it on the WAN side? That doesn't really make sense. Since pfSense is designed as a router and firewall rather than just a firewall, how did your NAS end up in front of it? Are you just trying to separate the NAS from your trusted network? You'd be better off putting it on a separate subnet behind the router, rather than trying to keep it in front. What's actually acting as your router if pfSense isn't? By that I mean if pfSense is serving your LAN, where is the DiskStation getting its WAN from? Explain your topology and the actual goal.

DiskStation requires a fair few ports forwarding, for SMB, AFP, FTP(S), SSH, IMAP/SMTP and any other services. That's intended to run behind a firewall not in front of it. While you could theoretically open ports from the WAN to LAN for that specific device (i.e. pass in on egress from $(DiskStation) to $(LAN)) it's messy and not necessary. Just DMZ it.
 
Thanks for taking the trouble to reply. My system was simply ISP Router -> Home Network however due to recent lifestyle changes I've invested in a few smart things; Lights/Sockets/Speakers etc. and I've been having problems with the network which I've blamed on the router not being able to handle the number of devices. I also work from home a lot and thought it would be 'clever' to put more important computers behind another firewall. Double protection so to speak. I also have a dedicated gaming PC which I wanted to keep as close to the WAN as possible.

So now I have

ISP-Router -> Smart Devices / Gaming PC / AV bits / pf-Sense -> Items I want to protect more

The pfSense is the DMZ for the ISP's router.

Because the main PC has all the virus protection etc. I used to do my downloads there and store the data on the NAS. Then I'd access the files from the gaming PC.

I'm not trying to over complicate things, as you've probably guessed, I'm no network guru and floundering in the dark here somewhat. Better ideas gratefully received.
 
So essentially your 'extra protected' devices are suffering double NAT.

1) What IP ranges do you have being issued from (a) the ISP router and (b) your pfSense box?
2) When you say the pfSense machine is 'the DMZ for the ISP's router' what exactly do you mean? Does that mean it has a static local IP and is skipped for firewall purposes? That it has a separate public IP on WAN?
3) Who is the ISP and what is their router?

How many network ports does the pfSense box have? You'd be better off just using the pfSense box as your main router and subnetting away anything untrusted to a separate LAN. So instead of the weird (broken) setup you have now of ISP > random LAN devices > pfSense > more LAN stuff, you'd have:

Internet > pfSense
LAN PORT 1
Gaming PC, trusted local devices
LAN PORT 2
'Smart' IoT devices, NAS, untrusted stuff
You can then set rules so that the trusted stuff on LAN1 can access resources (like files) on LAN2 but conversely LAN2 can't get at anything in LAN1, keeping them safe from any potential breached devices (IoT and NAS are notorious for being breached).

If all that's too far over your head and you're not in the mood to tinker (and possibly break your network temporarily a few times, while you learn) then just go back to the ISP router. Anything behind NAT (as your ISP router is) will have fairly decent incidental protection from baddies on the WAN simply because they're not routable in public IP space. Your ISP router is already effectively a hardware firewall, even before you turn on the software firewall side (if you do).
 
ISP is PlusNet so one of their hubs. The PN Router's DMZ is pointed to the pfSense box which has a fixed IP on the 192.168.99.0/24 range. The pfSense in turn dishes out DHCP on 192.168.199.0/24.

The pfSense box actually has 4 1Gb Ethernet ports so I'm up for trying what you've suggested. I have, I guess, 2 problems
1) my only WiFi is from the PN router
2) I've only got one Ethernet cable going to the rest of the house from the pfSense box so it's hard to physically isolate the 2 network cables or not share a switch. I don't want to physically move the pfSense box as it's an old Dell 1u server which isn't the quietest of devices.

I need to think about that more. Could you please advise me on suitable networks and subnets? I guess I need to start with a netmask of 255.255.0.0 to make subnetting easier?
 
Sounds like you don't have all the ports needed to be open to get the file share to work. Perhaps allow everything and start locking down specific ports until it breaks again. But your setup sounds over-complicated and I think you've introduced even more problems than necessary.

What problems were you having with the Plusnet Hub? Mine really didn't like me changing around static DHCP reservations and I ended up having to do a factory reset which sorted it out in the end.

Alternatively you can replace the PN Hub with a VDSL modem and use the pfSense as the router/fw if you don't think the hub is up to the task.
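As an added illustration (not from any poster in this thread) of the two-LAN policy suggested earlier, with the Windows file-sharing ports the post above alludes to made explicit, here is the same policy written as a pf ruleset. Interface names, subnets and the NAS address are assumptions; pfSense generates its own ruleset from the GUI (where every rule is effectively "quick", first match wins), so this shows the equivalent policy rather than a drop-in pfSense config.

```pf
# Added example, not from the thread. Assumed layout:
#   em1 = LAN1 (trusted, 192.168.1.0/24)
#   em2 = LAN2 (IoT + NAS, 192.168.2.0/24)
#   192.168.2.10 = the DiskStation (assumed address)
# WAN interface and NAT rules are omitted; only inter-LAN policy is shown.
lan1_if  = "em1"
lan2_if  = "em2"
lan1_net = "192.168.1.0/24"
lan2_net = "192.168.2.0/24"
nas      = "192.168.2.10"

# What Windows file sharing actually needs: SMB over TCP 445, plus the
# NetBIOS session (139), name (137) and datagram (138) ports that
# \\diskstation-style name lookups and share browsing still use.
smb_tcp = "{ 139, 445 }"
nbt_udp = "{ 137, 138 }"

set skip on lo0

# Default deny with logging; the quick rules below decide everything else.
block log all

# Trusted LAN1 may reach the NAS on the file-sharing ports only.
# 'keep state' means replies come back without any LAN2 -> LAN1 rule.
pass in quick on $lan1_if inet proto tcp from $lan1_net to $nas port $smb_tcp keep state
pass in quick on $lan1_if inet proto udp from $lan1_net to $nas port $nbt_udp keep state

# Anything else from LAN1 into LAN2 is dropped; LAN1 can still go out to the internet.
block in quick on $lan1_if from $lan1_net to $lan2_net
pass  in quick on $lan1_if from $lan1_net to any keep state

# LAN2 (IoT, NAS) gets internet only and can never initiate towards LAN1,
# so a compromised bulb or NAS cannot reach the trusted machines.
block in quick on $lan2_if from $lan2_net to $lan1_net
pass  in quick on $lan2_if from $lan2_net to any keep state
```

Because the allow rules are stateful, a file copy started from LAN1 works in both directions while the NAS itself still cannot open a single connection into LAN1.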
 
What problems were you having with the Plusnet Hub? Mine really didn't like me changing around static DHCP reservations and I ended up having to do a factory reset which sorted it out in the end.
As part of my work I sftp files to a backup PC here; this has recently had periods where it won't work reliably. It'd be fine for a period, then would fail continually for a day or two, then magically start working again. Initially I blamed Internet Weather or the ISP but then I started getting problems where one of the smart sockets or bulbs would drop off the network. Adding 2 and 2, and probably really getting 5, I decided to help the router out ;) Since I've had this new network concoction I've not had any of these problems. I know, tempting fate, it'll all go wrong again now ;)
 
Easiest long term solution (provided you stick with the pfSense route) is use a VDSL modem and connect that to pfSense to provide WAN, on port 1. Use ports 2 and 3 for trusted and untrusted subnets (i.e. local stuff and then IoT/servers). You can attach a switch to ports 2 and 3 so that you can have as many devices as needed attached to them. For WiFi either stick the old PN router into access point mode and attach it to the LAN switch, or get a Unifi dish or whatever.

You can use whatever private IPs and subnets you like. I have 192.168.1.0/24 and 192.168.2.0/24, but you could just as easily have 10.0.100.0/24 and 10.0.200.0/24, or 10.10.0.0/16 and 10.20.0.0/16, or whatever you like.

If this is really just over a few dodgy port forwards and you don't want to learn a *lot* about networking, BSD (what pfSense is built on) and such, though, it'd be much easier to just reset the PN router and set it up again properly.
 
it'd be much easier to just reset the PN router and set it up again properly.
That would be the lazy option and may not fix the issues.

Thanks for the other advice, if I can find the original VDSL modem I had when I first got FTTC I think I have a project for the weekend :)

EDIT: Oh ****, just remembered I've got a SamKnows monitor box hung off the back of the router prior to going to the rest of the network.
 