PFSense is blocking samba without any restrictions

Hello,

I’m trying to get Plex re-setup and connected to the TrueNAS via samba. I can establish the connection to the share via command line (mount -t cifs …) but after making that connection PFSense immediately closes the connection and shows that it is blocking connections from Plex to TrueNAS on port 445. For the sake of troubleshooting, I have an allow-all rule set up on all protocols, IPs and ports. Yet PFSense is still blocking the request, despite having no block rules and the 1 allow-everything rule.

On the Plex server I get the following error every 3 minutes: “CIFS VFS: \192.168.xxx.xxx has not responded in 180 seconds. Reconnecting…”.

The firewall log has a steady stream of blocking port 445 from source Plex to destination TrueNAS on interface Plex (again, I allow everything and block nothing). pfTop on the firewall shows “SYN_SENT:CLOSED” and “CLOSED:SYN_SENT” every 3 minutes.

I have 2 other computers on 2 other subnets that can connect and maintain a connection with TrueNAS.

Network setup:
Plex & TrueNAS are the same computer with a dual SFP+ NIC. TrueNAS is on port 1 with subnet of 20 and Plex is a VM tied to port 2 with a subnet of 30.

TrueNAS is on a VLAN that goes through 2 Ubiquiti switches (both handle VLANs) then to PFSense. Plex goes directly to PFSense.

PC1 is plugged directly into PFSense and can connect to & maintain a connection to TrueNAS.
PC2 is on a VLAN with subnet of 10 and goes through the same 2 UI switches as TrueNAS and can connect & maintain a connection to TrueNAS.

I’m hoping someone can point out the obvious error I’ve made because I’m stumped. I can’t figure out why PFSense is blocking that port only on that interface despite having an allow-all rule.

Thanks

Not sure why pfsense is blocking SAMBA unless you have Suricata or Snort rules, but you also should not be routing SAMBA across the firewall.

Thanks for the response Tom. This is a fresh install on a new firewall so no additional add-ons yet (I am interested in Suricata though). I’m going to try recreating the interface and see if that does it, if not I’ll move it to a free port the switch on same side as everything else.

I’m still new to a lot of this so why wouldn’t you want to route SAMBA traffic across the firewall? Is it simply because it’s one of those “You just shouldn’t” type things?

Thanks

The SMB protocol is not ideal for routing and slows down substantially when there is any added latency.

I have a video here talking about those issues:

Thank you for the response. I did a ping test and was getting about 0.15ms delay when crossing the firewall but even after remaking the interface, it was still blocking the port for some reason. I ended up moving it to a switch on the same network as the file server.

Thanks for the information and video links.

Why not just have a dedicated connection from the TrueNAS to the Plex server with a /30 subnet and just bypass pfSense altogether? Wouldn’t that work? And then just have another dedicated connection from Plex to pfSense for anything not related to Samba. Both the Plex and TrueNAS server must have two NICs, though. For the first NIC, both TrueNAS and Plex can go out to pfSense and for the second NIC, TrueNAS and Plex can talk to each other using the SMB protocol. You can then just block out SMB going out to pfSense and it will be secure!

While I agree that SMB should not be routed for best performance, it should still work, though. I route a TrueNAS SMB share through pfSense, serving files to Plex, and it’s working perfectly fine. Latency isn’t really critical for video streaming anyways.

Unfortunately I can’t say why it doesn’t work in this case. Maybe no gateway is configured on the associated interface or it is configured incorrectly? Or maybe there is some incorrectly configured firewall rule…?

Thanks for the continued responses guys. As for the subnetting, I’m honestly just not that familiar with subnets and properly configuring them. (Everything on my network is /24 as that is what I know.) Also, not sure if it affects what you suggested, but the Plex server and smb server are on the same machine, but Plex is a VM.

I agree with you bb77 and Tom, there’s no reason it shouldn’t have worked. I’m probably going to try it again when I’m not as busy with work and have time. I’m more just curious about whether, if I can get it to work, the remote users (for Plex) would notice much of a difference or not.

Do you have your SMB service restricted for specific subnets for access? Maybe it’s not pfsense doing the blocking.