No connection LAN -> DMZ after some time
-
Hello Guys!
By the way: great work. I like pfSense - it's stable, PPTP is working, configuration is fine, Webgui intuitive.
But the only problem I have is:
Sometimes (once a month or something) there is no connection from LAN -> DMZ anymore. The firewall from PFSENSE won't let anything out. There's a rule allowing LAN -> DMZ: all and some Port from DMZ -> LAN. LAN is 192.168.0.* and DMZ is 192.168.100.*. To make it work again I have to "refresh" the firewall settings (deactivate a rule, activate it again and "Apply Settings"). After that it works again for some weeks. Any hints?
icanton
-
Version? Hardware?
If you visit the firewall tab in the logs do you see anything blocked?
Any other entries in the system-logs that indicate a problem?
-
Version: 1.0.1
Hardware: dmesg is too much I think :-) Normal PC with 3x 1GBit ETH, CPU 3.5GHz, 1GB RAM
Logs have been okay. The next time the problem occurs I'll take a closer look.
icanton
-
It happened again.
Systemlog
Sep 21 08:17:18 mpd: [pt0] IFACE: Up event
Sep 21 08:17:18 mpd: [pt0] exec: /usr/local/sbin/vpn-linkup ng1 inet 192.168.100.90 192.168.0.245 vpn.userxyz
Sep 21 08:17:18 mpd: [pt0] exec: /sbin/route add 192.168.100.90 -iface lo0
Sep 21 08:17:18 mpd: [pt0] exec: /usr/sbin/arp -s 192.168.0.245 0:c:46:46:81:ab pub
Sep 21 08:17:18 mpd: [pt0] exec: /sbin/ifconfig ng1 192.168.100.90 192.168.0.245 netmask 0xffffffff -link0
Sep 21 08:17:18 mpd: [pt0] setting interface ng1 MTU to 1396 bytes
Sep 21 08:17:18 mpd: [pt0] IFACE: Up event
Sep 21 08:17:18 mpd: 192.168.100.90 -> 192.168.0.245
Sep 21 08:17:18 mpd: [pt0] IPCP: LayerUp
Sep 21 08:17:18 mpd: [pt0] IPCP: state change Ack-Rcvd --> Opened
Sep 21 08:17:18 mpd: SECDNS 192.168.0.14
Sep 21 08:17:18 mpd: PRIDNS 192.168.0.1
Sep 21 08:17:18 mpd: IPADDR 192.168.0.245
Sep 21 08:17:18 mpd: [pt0] IPCP: SendConfigAck #8
Sep 21 08:17:18 mpd: SECDNS 192.168.0.14
Sep 21 08:17:18 mpd: PRIDNS 192.168.0.1
Sep 21 08:17:18 mpd: 192.168.0.245 is OK
Sep 21 08:17:18 mpd: IPADDR 192.168.0.245
Sep 21 08:17:18 mpd: [pt0] IPCP: rec'd Configure Request #8 link 0 (Ack-Rcvd)
Sep 21 08:17:18 mpd: [pt0] IPCP: state change Req-Sent --> Ack-Rcvd
Sep 21 08:17:18 mpd: IPADDR 192.168.100.90
Sep 21 08:17:18 mpd: [pt0] IPCP: rec'd Configure Ack #62 link 0 (Req-Sent)
Sep 21 08:17:18 mpd: SECDNS 192.168.0.14
Sep 21 08:17:18 mpd: PRIDNS 192.168.0.1
Sep 21 08:17:18 mpd: IPADDR 192.168.0.245
Sep 21 08:17:18 mpd: [pt0] IPCP: SendConfigNak #7
Sep 21 08:17:18 mpd: NAKing with 192.168.0.14
Sep 21 08:17:18 mpd: SECDNS 0.0.0.0
Sep 21 08:17:18 mpd: NAKing with 192.168.0.1
Sep 21 08:17:18 mpd: PRIDNS 0.0.0.0
Sep 21 08:17:18 mpd: NAKing with 192.168.0.245
Sep 21 08:17:18 mpd: IPADDR 0.0.0.0
Sep 21 08:17:18 mpd: [pt0] IPCP: rec'd Configure Request #7 link 0 (Req-Sent)
Sep 21 08:17:18 mpd: [pt0] setting interface ng1 MTU to 1396 bytes
Sep 21 08:17:18 mpd: Decompress using: MPPE, 128 bit, stateless
Sep 21 08:17:18 mpd: Compress using: MPPE, 128 bit, stateless
Sep 21 08:17:18 mpd: [pt0] CCP: LayerUp
Sep 21 08:17:18 mpd: [pt0] CCP: state change Ack-Rcvd --> Opened
Sep 21 08:17:18 mpd: 0x01000040: MPPE, 128 bit, stateless
Sep 21 08:17:18 mpd: MPPC
Sep 21 08:17:18 mpd: [pt0] CCP: SendConfigAck #6
Sep 21 08:17:18 mpd: [pt0] CCP: Checking whether 128 bits are acceptable -> yes
Sep 21 08:17:18 mpd: 0x01000040: MPPE, 128 bit, stateless
Sep 21 08:17:18 mpd: MPPC
Sep 21 08:17:18 mpd: [pt0] CCP: rec'd Configure Request #6 link 0 (Ack-Rcvd)
Sep 21 08:17:18 mpd: [pt0] CCP: state change Req-Sent --> Ack-Rcvd
Sep 21 08:17:18 mpd: 0x01000040: MPPE, 128 bit, stateless
Sep 21 08:17:18 mpd: MPPC
Sep 21 08:17:18 mpd: [pt0] CCP: rec'd Configure Ack #32 link 0 (Req-Sent)
Sep 21 08:17:18 mpd: IPADDR 192.168.100.90
Firewall (but nothing seems blocked from 192.168.0.* (LAN) even if I ping to the DMZ):
Sep 21 08:43:47 LAN 192.168.92.1:123 80.237.128.148:123 TCP
Sep 21 08:43:47 LAN 192.168.186.1:123 80.237.128.148:123 TCP
Sep 21 08:43:31 LAN 192.168.92.1:123 80.237.128.148:123 TCP
Sep 21 08:43:31 LAN 192.168.186.1:123 80.237.128.148:123 TCP
Sep 21 08:43:15 LAN 192.168.92.1:123 80.237.128.148:123 TCP
Sep 21 08:43:15 LAN 192.168.186.1:123 80.237.128.148:123 TCP
Sep 21 08:42:59 LAN 192.168.92.1:123 80.237.128.148:123 TCP
Sep 21 08:42:59 LAN 192.168.186.1:123 80.237.128.148:123 TCP
Sep 21 08:42:43 LAN 192.168.92.1:123 80.237.128.148:123 TCP
Sep 21 08:42:43 LAN 192.168.186.1:123 80.237.128.148:123 TCP
Sep 21 08:42:34 DMZ 192.168.100.7:110 192.168.0.39:4098 TCP
Sep 21 08:42:27 LAN 192.168.92.1:123 80.237.128.148:123 TCP
Sep 21 08:42:27 LAN 192.168.186.1:123 80.237.128.148:123 TCP
Sep 21 08:42:11 LAN 192.168.92.1:123 80.237.128.148:123 TCP
Sep 21 08:42:11 LAN 192.168.186.1:123 80.237.128.148:123 TCP
Sep 21 08:41:55 LAN 192.168.92.1:123 80.237.128.148:123 TCP
Sep 21 08:41:55 LAN 192.168.186.1:123 80.237.128.148:123 TCP
Sep 21 08:41:46 DMZ 192.168.100.7:110 192.168.0.39:4098 TCP
Sep 21 08:41:39 LAN 192.168.92.1:123 80.237.128.148:123 TCP
Sep 21 08:41:39 LAN 192.168.186.1:123 80.237.128.148:123 TCP
Sep 21 08:41:23 LAN 192.168.92.1:123 80.237.128.148:123 TCP
Sep 21 08:41:23 LAN 192.168.186.1:123 80.237.128.148:123 TCP
Sep 21 08:41:07 LAN 192.168.92.1:123 80.237.128.148:123 TCP
Sep 21 08:41:07 LAN 192.168.186.1:123 80.237.128.148:123 TCP
Sep 21 08:40:51 LAN 192.168.92.1:123 80.237.128.148:123 TCP
Sep 21 08:40:51 LAN 192.168.186.1:123 80.237.128.148:123 TCP
Sep 21 08:40:35 LAN 192.168.92.1:123 80.237.128.148:123 TCP
Sep 21 08:40:35 LAN 192.168.186.1:123 80.237.128.148:123 TCP
Sep 21 08:40:19 LAN 192.168.92.1:123 80.237.128.148:123 TCP
Sep 21 08:40:19 LAN 192.168.186.1:123 80.237.128.148:123 TCP
Sep 21 08:40:12 LAN 130.11.7.118:138 130.11.7.255:138 UDP
Sep 21 08:40:03 LAN 192.168.92.1:123 80.237.128.148:123 TCP
Sep 21 08:39:47 LAN 192.168.92.1:123 80.237.128.148:123 TCP
Sep 21 08:39:47 LAN 192.168.186.1:123 80.237.128.148:123 TCP
Sep 21 08:39:31 LAN 192.168.92.1:123 80.237.128.148:123 TCP
Sep 21 08:39:31 LAN 192.168.186.1:123 80.237.128.148:123 TCP
Sep 21 08:39:15 LAN 192.168.92.1:123 80.237.128.148:123 TCP
Sep 21 08:39:15 LAN 192.168.186.1:123 80.237.128.148:123 TCP
Sep 21 08:39:05 WAN 76.190.225.55:15571 194.8.192.2:18912 TCP
Sep 21 08:39:04 DMZ 192.168.100.7:110 192.168.0.39:4095 TCP
Sep 21 08:38:59 LAN 192.168.92.1:123 80.237.128.148:123 TCP
Sep 21 08:38:59 LAN 192.168.186.1:123 80.237.128.148:123 TCP
Sep 21 08:38:43 LAN 192.168.92.1:123 80.237.128.148:123 TCP
Sep 21 08:38:43 LAN 192.168.186.1:123 80.237.128.148:123 TCP
Sep 21 08:38:27 LAN 192.168.92.1:123 80.237.128.148:123 TCP
Sep 21 08:38:27 LAN 192.168.186.1:123 80.237.128.148:123 TCP
Sep 21 08:38:15 DMZ 192.168.100.7:110 192.168.0.39:4095 TCP
Sep 21 08:38:11 LAN 192.168.92.1:123 80.237.128.148:123 TCP
Sep 21 08:38:11 LAN 192.168.186.1:123 80.237.128.148:123 TCP
Sep 21 08:37:55 LAN 192.168.92.1:123 80.237.128.148:123 TCP
I can't see anything unusual within the logfiles. After reloading the firewall (deactivate/activate a rule and "apply settings") it works again. Any ideas?
icanton
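Added example, not part of the original posts: a small Python triage of a firewall log in the layout pasted above, grouping entries by interface and by source/destination zone so the question "is anything LAN -> DMZ being logged?" can be answered mechanically. The /24 masks and the one constructed entry are assumptions; the five sample entries are copied from the post.

```python
import ipaddress
import re
from collections import Counter

# Subnets as stated in the thread (LAN 192.168.0.*, DMZ 192.168.100.*); /24 is assumed.
ZONES = {
    "LAN": ipaddress.ip_network("192.168.0.0/24"),
    "DMZ": ipaddress.ip_network("192.168.100.0/24"),
}

# One entry: "<Mon> <day> <time> <iface> <src>:<port> <dst>:<port> <proto>".
# finditer() copes with entries pasted one per line or run together.
ENTRY = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<iface>\w+)\s+"
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)\s+"
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)\s+(?P<proto>\w+)"
)

# Five entries copied from the firewall log in the post above.
SAMPLE = (
    "Sep 21 08:42:43 LAN 192.168.186.1:123 80.237.128.148:123 TCP "
    "Sep 21 08:42:34 DMZ 192.168.100.7:110 192.168.0.39:4098 TCP "
    "Sep 21 08:42:27 LAN 192.168.92.1:123 80.237.128.148:123 TCP "
    "Sep 21 08:40:12 LAN 130.11.7.118:138 130.11.7.255:138 UDP "
    "Sep 21 08:39:05 WAN 76.190.225.55:15571 194.8.192.2:18912 TCP"
)
# Constructed entry (not from the thread): what a logged LAN -> DMZ packet would look like.
CONSTRUCTED = "Sep 21 08:44:00 LAN 192.168.0.39:4100 192.168.100.7:110 TCP"

def zone_of(addr):
    """Name of the configured zone containing addr, or 'other'."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "other")

def parse(text):
    return [m.groupdict() for m in ENTRY.finditer(text)]

def summarize(text):
    """Count entries per (interface, source zone, destination zone)."""
    return Counter((e["iface"], zone_of(e["src"]), zone_of(e["dst"])) for e in parse(text))

def lan_to_dmz(text):
    return [e for e in parse(text) if (zone_of(e["src"]), zone_of(e["dst"])) == ("LAN", "DMZ")]

def off_subnet_sources(text):
    """Entries logged on LAN or DMZ whose source lies outside that interface's subnet."""
    return [e for e in parse(text) if e["iface"] in ZONES and zone_of(e["src"]) != e["iface"]]

if __name__ == "__main__":
    for (iface, src, dst), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  on {iface}: {src} -> {dst}")
```
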
-
What are you trying that doesn't work? i.e. is it just one thing that stops, like HTTP maybe, or do pings not work, or does everything stop, or? You can still get from LAN -> Internet and DMZ -> Internet when this happens?
1.0.1 isn't the recommended version anymore. I would definitely recommend upgrading to 1.2rc2 since you're having problems.
-
Nothing is working, not even ping LAN -> DMZ. WAN -> DMZ is working.
So I should upgrade, you think? I'm unsure which package to use from ftp://reflection.ncsa.uiuc.edu/pub/pfSense/updates :-)
This one using the WEB Gui Upgrade function? pfSense-Full-And-Embedded-Update-1.2-BETA-2.tgz? Never upgraded before…
icanton