It's all a question of firewall rules. Also keep in mind that
firewall rules are always applied to incoming traffic at an interface
and first match wins. For name resolution across the subnets you should
enable the "Register DHCP leases in DNS forwarder" option at
Services > DNS Forwarder.

Holger 

> -----Original Message-----
> From: David Brown [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, January 04, 2007 9:10 AM
> To: discussion@pfsense.com
> Subject: [pfSense-discussion] Windows shares across the firewall
> 
> I'm planning to set up a new firewall/router at our company, 
> and am leaning towards using pfSense because I want several 
> green networks (either using multiple ports on the firewall 
> machine, or using a managed switch and VLANs - as far as I 
> understand it, they can work the same way).
> 
> There are going to be a couple of server machines on 
> different branches of the LANs, but I need access to them 
> from the other branches.  The setup I've planned looks like this:
> 
> 
> /-----------\
> |           |-red1----internet
> |  pfSense  |-red2----(second internet connection, optional)
> |           |
> |           |-orange--DMZ---web server, mail server, squid, etc.
> |           |
> |           |-blue---(wireless for laptops, including visitors)
> |           |               |               |            |
> |           |           LinkSys WRT54GL    LinkSys      LinkSys
> |           |            /   \              /   \        /   \
> |           |         laptops, etc.
> |           |
> |           |-green1---LAN (192.168.1.x)---server1.1, pc1.1, pc1.2, etc.
> |           |
> |           |-green2---LAN (192.168.2.x)---server2.1, pc2.1, pc2.2, etc.
> |           |
> |           |-green3---LAN (192.168.3.x)---server3.1, pc3.1, pc3.2, etc.
> |           |
> \-----------/
> 
> 
> Making appropriate firewall and routing rules for access to 
> the DMZ servers from the green LANs is easy enough, as are 
> things like allowing ssh access on different LANs for 
> administrative purposes.  But it is also important that I can 
> get windows share access in some way across the LANs.  For 
> example, pc1.2 (say, 192.168.1.102) should be able to mount a 
> share on server2.1 (192.168.2.1), while the reverse is not 
> true (i.e., no machine on LAN2 should see the PCs on LAN1).  
> Is it sufficient, and safe, to simply open a pinhole for 
> traffic on port 139 towards 192.168.2.1 from 192.168.1.x?  I 
> suppose I could set up VPNs somewhere to tunnel traffic 
> around, but I can't see that this would actually improve 
> matters (I have no need to encrypt traffic passing between 
> greens) - I would need similar rules to limit the VPN traffic. 
> In fact, I'm assuming that once I've got things figured for 
> cross-green routing, I can use the same sorts of rules for 
> VPNs from laptops on the blue zone or attaching via the internet.
> 
> As far as I can tell, it is only the share access that I need 
> from the SMB/CIFS protocols.  pfSense's DNS server should be 
> able to handle naming, and I am not running a windows domain 
> (it's all set up as a workgroup).
> 
> If I can't get a stable and secure arrangement for SMB 
> sharing, what are my other options?  At the moment, we have a 
> couple of linux file servers and one old windows one, which 
> can be replaced if it is not flexible enough.  I've heard of 
> using WebDAV as a protocol - W2K and XP (and linux, and 
> presumably FreeBSD :-) can mount WebDAV paths, and use them 
> directly.  If the WebDAV access is over https, then it could 
> be used directly from outside the LANs without needing a VPN. 
> Another idea I have read about is using a SFTP server along 
> with WebDrive software.
> 
> Any hints, tips, website pointers, or comments about how only 
> an idiot would arrange things like that, would be much appreciated.
> 
> mvh.,
> 
> David

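The two points in the reply above, that rules are evaluated on the interface where traffic enters the firewall and that the first match wins, together with pfSense's stateful handling of return traffic, decide whether David's one-way SMB pinhole behaves as intended. The following is an added, constructed model of that evaluation order (it is not pfSense code and not part of the thread); it uses the subnets from the diagram, assumed host addresses for pc1.2, server2.1 and pc2.1, and assumes SMB is carried on TCP 139 plus TCP 445 (Windows 2000 and later). It shows that the pinhole passes pc1.2 to server2.1 and the replies, that nothing on green2 can open a connection toward green1, and what goes wrong when the catch-all "pass" rule is placed above the pinhole.

```python
"""Toy model of pfSense-style per-interface, first-match, stateful filtering.

Constructed illustration, not pfSense code: rules are evaluated on the
interface where traffic ENTERS the firewall, the first matching rule wins,
and a matching "pass" creates state so replies flow back without a rule.
Subnets follow the thread's layout; host addresses are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERFACES = {  # green LANs from the diagram
    "green1": ip_network("192.168.1.0/24"),
    "green2": ip_network("192.168.2.0/24"),
    "green3": ip_network("192.168.3.0/24"),
}


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network (CIDR)
    dst: str               # destination network (CIDR)
    dports: tuple = ()     # destination ports; () matches any port
    label: str = ""

    def matches(self, proto, src, dst, dport):
        return ((self.proto == "any" or self.proto == proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (not self.dports or dport in self.dports))


# Per-interface rule lists, top to bottom, as one would enter them in the GUI.
# SMB uses TCP 139 (NetBIOS session) and, on Windows 2000 and later, TCP 445.
RULES = {
    "green1": [
        Rule("pass", "tcp", "192.168.1.0/24", "192.168.2.1/32", (139, 445), "SMB pinhole to server2.1"),
        Rule("block", "any", "192.168.1.0/24", "192.168.2.0/24", label="no other access to green2"),
        Rule("block", "any", "192.168.1.0/24", "192.168.3.0/24", label="no access to green3"),
        Rule("pass", "any", "192.168.1.0/24", "0.0.0.0/0", label="everything else (DMZ, internet)"),
    ],
    "green2": [
        Rule("block", "any", "192.168.2.0/24", "192.168.1.0/24", label="green2 must not see green1"),
        Rule("pass", "any", "192.168.2.0/24", "0.0.0.0/0", label="everything else"),
    ],
}


def ingress_interface(src):
    """Traffic is filtered on the interface it arrives on, i.e. the sender's LAN."""
    for name, net in INTERFACES.items():
        if ip_address(src) in net:
            return name
    raise ValueError(f"no interface for {src}")


def filter_packet(rules, state, proto, src, sport, dst, dport):
    """Return (verdict, reason). `state` is the set of flows already passed."""
    # Reply to a flow the firewall already passed: state wins, no rule lookup.
    if (proto, dst, dport, src, sport) in state:
        return "pass", "existing state"
    for rule in rules.get(ingress_interface(src), []):   # first match wins
        if rule.matches(proto, src, dst, dport):
            if rule.action == "pass":
                state.add((proto, src, sport, dst, dport))
            return rule.action, rule.label
    return "block", "implicit default deny"


def smb_scenarios(rules):
    """Verdicts for the flows discussed in the thread, evaluated in this order."""
    state = set()
    pc12, srv21, pc21 = "192.168.1.102", "192.168.2.1", "192.168.2.50"  # assumed hosts
    return {
        "pc1.2 -> server2.1:445": filter_packet(rules, state, "tcp", pc12, 50001, srv21, 445)[0],
        "server2.1 -> pc1.2 reply": filter_packet(rules, state, "tcp", srv21, 445, pc12, 50001)[0],
        "server2.1 -> pc1.2:445 new": filter_packet(rules, state, "tcp", srv21, 50002, pc12, 445)[0],
        "pc1.2 -> pc2.1:445": filter_packet(rules, state, "tcp", pc12, 50003, pc21, 445)[0],
        "pc1.2 -> server2.1:22": filter_packet(rules, state, "tcp", pc12, 50004, srv21, 22)[0],
    }


# Ordering pitfall: the same green1 rules with the catch-all "pass" moved to the top.
MISORDERED = {"green1": [RULES["green1"][-1]] + RULES["green1"][:-1], "green2": RULES["green2"]}

if __name__ == "__main__":
    for name, table in (("correct order", RULES), ("catch-all first", MISORDERED)):
        print(name)
        for flow, verdict in smb_scenarios(table).items():
            print(f"  {flow:30} {verdict}")
```

With the rules in the intended order only the pinhole and its return traffic pass; every other green1-to-green2 flow, and every new connection from green2 toward green1, is blocked. With the catch-all above the pinhole the two block rules are never reached, so pc1.2 can reach any port on any green2 host: the pinhole still "works", but it no longer restricts anything.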