_____________________________________________________________________
Ron Lemon
Information Technology Manager, Maplewood Computing Ltd. | 800.265.3482 | 
www.maplewood.com

This email message, and any files transmitted with it, are confidential and 
intended solely for the use of the intended recipient(s). Any unauthorized 
review, use, disclosure or distribution is prohibited. If you are not the 
intended recipient, please contact the sender by reply email and destroy all 
copies of the original message and attachments.



-----Original Message-----
From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On 
Behalf Of Chris Buechler
Sent: Wednesday, November 23, 2011 9:21 PM
To: pfSense support and discussion
Subject: Re: [pfSense] Unstable RDC connections

On Wed, Nov 23, 2011 at 5:18 PM, Ron Lemon <r...@maplewood.com> wrote:
>
> Good Afternoon,
>
> I have an odd problem that I am hoping someone might be able to assist me
> with.  I have a pfSense 2 box with 2 NICs in it, WAN and LAN.  The LAN has 3
> subnets on it: 10.0.0.0/24, 10.0.1.0/24 and 10.0.4.0/24.
>
> 1. If I sit in 10.0.1.0 I can connect to an RDC server in the same
> subnet with no problems.
>
> 2. If I sit in 10.0.0.0 and try to connect to the same server as the
> previous test, my RDC connection drops and reconnects maybe once every minute
> or two.
>
> 3. If I sit in 10.0.0.0 and try to connect to an RDC server in
> 10.0.4.0 it is rock solid.
>
> 4. If I connect to the same 10.0.1.0 server as in 1 and 2 above from
> outside the building and come in through the WAN it is rock solid.
>
> So it does not appear to be the server, it does not appear to be the switches
> in the building, and it doesn't look like the FW, as other paths on the same
> interfaces work with no problem.  I am stumped.
>

Guessing that one of the affected hosts is dual homed, so the firewall only
sees one direction of the traffic, and hence will eventually drop the TCP
connection as it starts looking like spoofed traffic. You can't statefully
filter with any firewall if it doesn't see both directions.
The other alternative is that there is another router in the mix somewhere
that's routing the opposite-direction traffic. There is a workaround to not
keep state on traffic in those scenarios for the most common case, where there
is a static route involved, but that wouldn't be applicable here. That's an
ugly network in general, with 3 subnets on the same broadcast domain; splitting
that up properly into VLANs or similar, and hence fixing all the weird routing
possibilities you have in that scenario, is the best option, and really the only
option if you need to filter between the subnets. Adding sloppy state firewall
rules for traffic passing between the internal subnets should work around it
too.
_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


[Ron] Hi Chris,

Your possibilities gave me the missing clue.  We have no dual-homed hosts and
technically we only have 1 router, but we do have a load balancer, and for these
machines (and only these machines) it is acting as a router as well as a load
balancer.  So essentially we did have a man-in-the-middle scenario.  So now
that I know what is wrong I can see if we still need this functionality (funny,
it used to work under 1.3 and as far as I know has been working under 2.0 for
the last couple of weeks since the upgrade) and if so will work on the changes
needed to make it follow all the rules.

So to go with your "ugly network" comment, and I am not disagreeing, I have 
machines in the 10.0.0.0 and 10.0.4.0 subnet that need to access machines in 
the 10.0.1.0 subnet which is why (in addition to not knowing any better way at 
the time) it was setup this way with FW rules allowing the required network 
paths to touch where required.  If I go with VLANs (which will be a brand new 
experience I have wanted to try, but we have the ugly 4 letter word "time" that 
is needed to learn how) can I segregate these networks, still have them all on 
a single interface and still allow them to touch where needed?  Can you suggest 
any beginning reading for setting up VLANs?  I now have to support this network 
layout (which keeps growing) with Hyper-V machines, Blade servers, and physical 
boxes just so you have an idea of what kind of a layout I am in.  I always look 
forward to learning something new.

Thanks for the kick in the right direction.

PS  So far I am liking 2.0 much better than the previous version and as far as 
I knew then it was pretty darn good.

Ron
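Chris's point above (a stateful firewall that sees only one direction of a TCP flow eventually drops it, and a sloppy-state rule works around that at the cost of sequence checking), as an added example that is not part of the original thread and not pfSense's or pf's code: a toy Python model of a stateful filter with strict and sloppy tracking, fed a constructed RDP-like exchange over a symmetric path and over an asymmetric path where the server's replies bypass the firewall (as they did via Ron's load balancer). The hosts 10.0.0.10 and 10.0.1.20, the packet timings, the timeouts and the ACK-window rule are all constructed assumptions of this model, a simplification of what a real stateful filter does rather than pf's actual state machine.

```python
"""Toy model of the asymmetric-routing failure Chris describes: a stateful firewall that
sees both directions of a TCP flow (symmetric path) or only the client's packets
(asymmetric path, replies go around it). Timeouts, the ACK-window check and the
"sloppy" behaviour are this model's own simplifications, not pf's state machine."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

HALF_OPEN_TIMEOUT = 30.0       # assumed: lifetime of a state whose peer side was never seen
ESTABLISHED_TIMEOUT = 86400.0  # assumed: lifetime once the firewall trusts the flow
ACK_WINDOW = 65535             # assumed: how far behind the peer's seq an ACK may point


@dataclass(frozen=True)
class Packet:
    t: float        # arrival time, seconds
    src: str
    dst: str
    flags: str      # "S", "SA", "A", "PA", ...
    seq: int
    ack: int = 0
    payload: int = 0


@dataclass
class Side:
    seen: bool = False
    next_seq: int = 0  # next seq this side should send, as far as the firewall has seen


@dataclass
class State:
    sides: Dict[str, Side]
    last_seen: float
    established: bool = False


class Firewall:
    def __init__(self, sloppy: bool = False) -> None:
        self.sloppy = sloppy
        self.states: Dict[frozenset, State] = {}

    def filter(self, p: Packet) -> bool:
        """Return True if the packet passes, False if it is dropped."""
        key = frozenset((p.src, p.dst))
        st = self.states.get(key)
        if st is not None:
            ttl = ESTABLISHED_TIMEOUT if st.established else HALF_OPEN_TIMEOUT
            if p.t - st.last_seen > ttl:  # idle too long: the state is purged
                del self.states[key]
                st = None
        if st is None:
            if p.flags != "S":  # only a bare SYN creates state (like pf's default flags S/SA)
                return False
            self.states[key] = State({p.src: Side(True, p.seq + 1), p.dst: Side()}, p.t)
            return True
        me, peer = st.sides[p.src], st.sides[p.dst]
        if not self.sloppy and peer.seen and "A" in p.flags:
            # Strict tracking: the ACK must point at data the firewall saw the peer send.
            if not (peer.next_seq - ACK_WINDOW <= p.ack <= peer.next_seq):
                return False
        me.seen = True
        me.next_seq = p.seq + p.payload + int("S" in p.flags) + int("F" in p.flags)
        st.last_seen = p.t
        # Model assumption: strict mode trusts the flow only once both sides were seen;
        # sloppy mode trusts it as soon as the initiator keeps talking through the state.
        st.established = self.sloppy or (me.seen and peer.seen)
        return True


CLIENT, SERVER = "10.0.0.10", "10.0.1.20"  # constructed hosts in two of Ron's subnets


def rdp_session(bogus_ack: bool = False) -> List[Packet]:
    """Constructed RDP-like exchange: handshake, some traffic, 44 s idle, more traffic."""
    c, s, cs, ss = CLIENT, SERVER, 1000, 5000
    pkts = [
        Packet(0.0, c, s, "S", cs),
        Packet(0.1, s, c, "SA", ss, cs + 1),
        Packet(0.2, c, s, "A", cs + 1, ss + 1),
        Packet(1.0, c, s, "PA", cs + 1, ss + 1, 100),       # keystrokes
        Packet(1.1, s, c, "PA", ss + 1, cs + 101, 1400),    # screen update
        Packet(1.2, c, s, "A", cs + 101, ss + 1401),
        Packet(45.0, c, s, "PA", cs + 101, ss + 1401, 40),  # first packet after the idle gap
        Packet(45.1, s, c, "PA", ss + 1401, cs + 141, 200),
        Packet(45.2, c, s, "A", cs + 141, ss + 1601),
    ]
    if bogus_ack:  # acknowledges data the server never sent, e.g. an injected packet
        pkts.append(Packet(46.0, c, s, "PA", cs + 141, ss + 9_000_000, 10))
    return pkts


def run(sloppy: bool, symmetric: bool, bogus_ack: bool = False) -> Tuple[int, int]:
    """Feed the session through one firewall; return (packets passed, packets dropped).
    On the asymmetric path the server's replies take the other route and are never seen."""
    fw = Firewall(sloppy=sloppy)
    verdicts = [fw.filter(p) for p in rdp_session(bogus_ack) if symmetric or p.src == CLIENT]
    return verdicts.count(True), verdicts.count(False)


if __name__ == "__main__":
    for sloppy, symmetric in [(False, True), (False, False), (True, False)]:
        print(f"sloppy={sloppy} symmetric={symmetric}: passed, dropped = {run(sloppy, symmetric)}")
```

Running it reproduces the shape of Ron's symptom: on the symmetric path every packet passes; on the asymmetric path the strict tracker never sees the server, so the state never leaves its half-open lifetime, is purged during the idle gap, and the client's next packet is dropped for having no state, which is what forces the RDP client to reconnect. Sloppy tracking passes everything on the same path, but it also passes the injected packet with a bogus ACK number, which is the checking you give up. On pfSense 2.0 the equivalent knob is the rule's advanced option State Type set to Sloppy, i.e. pf's `keep state (sloppy)`.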
