pfSense in Proxmox dropping LAN connections after timeout
-
Please move if this is in the wrong place but I've crawled the forums for hours now and found nothing quite the same.
I live on the same site as our family business; we have a number of VLANs on separate subnets being managed by a Sophos appliance.
I have my own LAN interface and subnet, passed straight through the Sophos device with no logging or management (192.168.100.1), connected to eno3 on my DL380 Gen9 which is bridged (vmbr0) through Proxmox to a pfSense VM as my WAN interface (vtnet0) at 192.168.100.2.
A second interface (eno4) is bridged (vmbr1) to pfSense as my LAN (vtnet1) at 192.168.50.1.
Our Ubiquiti switches are configured to deny traffic on my VLAN (50) from being passed to the Sophos device. All ports on the switches assigned to my VLAN are denied to all other traffic.
This worked flawlessly for about 6 hours until my devices began to be disconnected after about a minute. I made no config changes before it stopped working. Feels like a timeout. The web GUI denies the connection, and I can't access the internet despite the WAN interface being up. I can only access the Proxmox GUI. I disconnect my laptop from the wifi, reconnect, and it works again for about a minute until the same happens. Renewing the DHCP lease also resolves it for a minute.
In frustration I have reinstalled pfSense, exactly per the guide for Proxmox, with the same results, this time straight away. Logs for the firewall show a lot of default deny for both IPv4 and IPv6. I haven't made any alterations to the default allow rules.
Aware this may well be an issue somewhere else in my setup but I've checked everything I can think of and am stumped.
Anyone who can point me in the right direction would be much appreciated.
-
That sounds like a conflict of some sort.
If you connect to the pfSense console through Proxmox what does it show? Is it able to ping out on WAN? To LAN clients?
What do the logs show?
Steve
-
@stephenw10 sorry, slow reply!
Can ping:
8.8.8.8
192.168.100.1 (WAN Gateway)
192.168.50.103 (iLO on my server)
Cannot ping:
.50.106 (Proxmox)
.50.104 (Apple Watch)
.50.101 (Macbook)
.50.100 (iPhone)
pfSense logs seem to just be IPv4 / IPv6 default deny for the firewall.
Found a TCP RST packet issued to the MacBook in Proxmox, but nothing else, and it doesn't seem to be at the same time.
Can't access the firewall dashboard or most webpages, but can sometimes now refresh pages.
Still seems off for a DNS issue; why would that stop me accessing local resources via IP?
-
Ok so it appears to be a disconnect on the LAN side.
Check the ARP table in pfSense, run
arp -a
at the console. Does it still show those LAN side clients? At the correct MAC addresses?
Check the ARP table at the clients. Is it showing the correct MAC address for the pfSense LAN IP? If not you may have a rogue DHCP server on LAN.
Steve
-
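The ARP comparison Steve asks for above, as an added example that is not from the thread: it parses `arp -a` output (the FreeBSD/pfSense and macOS line format), checks that the pfSense LAN IP resolves to pfSense's own MAC, and lists entries outside the LAN subnet like the external IPs the OP saw. The sample table, the pfSense MAC and the 203.0.113.10 address are constructed placeholders.

```python
import ipaddress
import re

# Matches the `arp -a` line format printed by FreeBSD/pfSense and by macOS, e.g.
#   ? (192.168.50.103) at 00:11:22:33:44:55 on vtnet1 expires in 1185 seconds [ethernet]
#   ? (192.168.50.1) at 0:c:29:ab:cd:ef on en0 ifscope [ethernet]
ARP_LINE = re.compile(r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>[0-9a-fA-F:]+|\(incomplete\)) on (?P<iface>\S+)")
BROADCAST = "ff:ff:ff:ff:ff:ff"

def normalize_mac(mac):
    """Zero-pad octets: macOS prints 0:c:29:ab:cd:ef, pfSense prints 00:0c:29:ab:cd:ef."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))

def parse_arp(text):
    """Return (ip, mac, iface) tuples; an incomplete entry gets mac=None."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            raw = m.group("mac")
            mac = None if raw.startswith("(") else normalize_mac(raw)
            entries.append((m.group("ip"), mac, m.group("iface")))
    return entries

def check_lan_arp(text, lan_net, gateway_ip, gateway_mac):
    """Two checks on an ARP table captured on the LAN:
    1. does the pfSense LAN IP resolve to pfSense's own MAC (a mismatch points at a
       rogue DHCP/ARP source answering for the gateway)?
    2. which entries lie outside the LAN subnet yet were learned on the LAN interface?"""
    net = ipaddress.ip_network(lan_net)
    seen_gateway, off_subnet = None, []
    for ip, mac, _iface in parse_arp(text):
        if mac == BROADCAST:
            continue
        if ip == gateway_ip:
            seen_gateway = mac
        elif ipaddress.ip_address(ip) not in net:
            off_subnet.append(ip)
    return {"gateway_mac": seen_gateway,
            "gateway_ok": seen_gateway == normalize_mac(gateway_mac),
            "off_subnet": off_subnet}

# Constructed sample of a MacBook's `arp -a` output (not from the thread); the
# pfSense MAC is a placeholder and 203.0.113.10 is a documentation address.
SAMPLE_CLIENT_ARP = """\
? (192.168.50.1) at 0:c:29:ab:cd:ef on en0 ifscope [ethernet]
? (192.168.50.103) at 94:57:a5:11:22:33 on en0 ifscope [ethernet]
? (192.168.50.106) at bc:24:11:aa:bb:cc on en0 ifscope [ethernet]
? (203.0.113.10) at 0:c:29:ab:cd:ef on en0 ifscope [ethernet]
? (192.168.50.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
"""
```

Run `check_lan_arp(SAMPLE_CLIENT_ARP, "192.168.50.0/24", "192.168.50.1", "<MAC from ifconfig vtnet1 on pfSense>")`; an off-subnet entry sharing the gateway's MAC is expected (proxy/route entries), while a gateway MAC that is not pfSense's is the rogue-server case Steve describes.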
Correct on console in pfSense, clients are still shown at the correct MAC addresses.
Client ARP table is correct, as is the MAC address for both other clients and pfSense. There are however a few external IPs showing here, not sure if that's correct?
-
Logs do show a dhcp6c solicit issued shortly after the IPv4 DHCP ack; could it be switching to a broken IPv6 config after the original IPv4 connection?
-
Yes it could be. That wouldn't break pinging v4 addresses though.
You are seeing external IP addresses in the client ARP tables directly?
-
@stephenw10 Quite sure I had an external IP in my MacBook's ARP table.
Have abandoned the virtualised firewall idea for now, will probably look at a hardware device.