I was hired to do the same thing for a small business a year ago. I learned about a month and a half into the project that windows shares, while they work across subnets, the hostname can't be used because of WINS, only the IP address. Workgroups especially do not work across subnets. I would like to know if DNS will work for your workgroup. I can't remember if I tried that, or even had the proper settings for get it to work.
My employer's entire network was set up with a workgroup that had been tweaked to act sorta like a domain. I set up a FreeBSD domain server, but he wanted a "god box" that was his domain server, web server, firewall-which I wouldn't build due to security reasons-and he had some custom server software that would only work under windows, so I was let go; his son can do windows stuff for free. Sorry, I got off topic there. WebDAV over https sounds like an interesting idea. I hope I have been of some help. ----- Original Message ----- From: "David Brown" <[EMAIL PROTECTED]> To: <[email protected]> Sent: Thursday, January 04, 2007 12:09 AM Subject: [pfSense-discussion] Windows shares across the firewall > I'm planning to set up a new firewall/router at our company, and am > leaning towards using pfSense because I want several green networks > (either using multiple ports on the firewall machine, or using a managed > switch and VLANs - as far as I understand it, they can work the same way). > > There are going to be a couple of server machines on different branches > of the LANs, but I need access to them from the other branches. The > setup I've planned looks like this: > > > /-----------\ > | |-red1----internet > | pfSense |-red2----(second internet connection, optional) > | | > | |-orange--DMZ---web server, mail server, squid, etc. > | | > | |-blue---(wireless for laptops, including visitors) > | | | | | > | | LinkSys WRT54GL LinkSys LinkSys > | | / \ / \ / \ > | | laptops, etc. > | | > | |-green1---LAN (192.168.1.x)---server1.1, pc1.1, pc1.2, etc. > | | > | |-green2---LAN (192.168.2.x)---server2.1, pc2.1, pc2.2, etc. > | | > | |-green3---LAN (192.168.3.x)---server3.1, pc3.1, pc3.2, etc. > | | > \-----------/ > > > Making appropriate firewall and routing rules for access to the DMZ > servers from the green LANs is easy enough, as are things like allowing > ssh access on different LANs for administrative purposes. But it is > also important that I can get windows share access in some way across > the LANs. For example, pc1.2 (say, 192.168.1.102) should be able to > mount a share on server2.1 (192.168.2.1), while the reverse is not true > (i.e., no machine on LAN2 should see the pc's on LAN1). Is it > sufficient, and safe, to simply open a pinhole for traffic on port 139 > towards 192.168.2.1 from 192.168.1.x ? I suppose I could set up VPNs > somewhere to tunnel traffic around, but I can't see that this would > actually improve matters (I have no need to encrypt traffic passing > between greens) - I would need similar rules to limit the VPN traffic. > In fact, I'm assuming that once I've got things figured for cross-green > routing, I can use the same sorts of rules for VPN's from laptops on the > blue zone or attaching via the internet. > > As far as I can tell, it is only the share access that I need from the > SMB/CIFS protocols. pfSense's DNS server should be able to handle > naming, and I am not running a windows domain (it's all set up as a > workgroup). > > If I can't get a stable and secure arrangement for SMB sharing, what are > my other options? At the moment, we have a couple of linux file servers > and one old windows one, which can be replaced if it is not flexible > enough. I've heard of using WebDAV as a protocol - W2K and XP (and > linux, and presumably FreeBSD :-) can mount WebDAV paths, and use them > directly. If the WebDAV access is over https, then it could be used > directly from outside the LANs without needing a VPN. Another idea I > have read about is using a SFTP server along with WebDrive software. > > Any hints, tips, website pointers, or comments about how only an idiot > would arrange things like that, would be much appreciated. > > mvh., > > David > > > >
