Short connection lost - randomly for ~15 sec
-
I'm using pfSense since about 2 years, on some very old PC works great on two internet connections, 2 IPSEC vpn, aobut a dozen openpvn clients, and about 100 PC's in LAN. works great, stable as a rock and everything prefect. Now I installed PFsense in another company, simple network, 20 PC's internet access only, all I needed was a firewall with rules. Installation without any problems, works stable etc. just the problem is, that few times a day it loses connection. Once a few hours, in totally random moments (even at night when noone works) one cannot connect the network. Pings don't reply, the strange thing is sometimes I can ping the pfsense gateway but can't connect the internet, other times can't connect none, I think sometimes the net works but can't ping gateway, but I'm not sure about the last. It's about 15-20 seconds, but people here find this annoying (IM messages aren't delivered sometimes and a remote Exchange server disconnects).
Network configuration looks ok, it's almost te same as the other pfsense I have. I would know what to do if it wouldn't want to work at all, but this way (works, works, stop for a few seconds then work again).
I'm pretty sure this is only pfsense, because when I use strait gateway to router it works 100% ok. My network looks like this:
–-------------0.DSL router --------------------> here's a strange VPN to the main company, using telephone cable
1.Cisco 2600 <- 1 Lan cable as output for LAN access 192.168.48.129 (255.255.255.128)
2.lan switch -------------------> some PC's connected here, other to the second switch
3.lan switch no.2 ---------------- same mask –--------------
other computer I know I could connect pfSense straight to the cisco, but since it doesn't work ok I can't do this :(
The Cisco hardware is a property of internet provider and they don't want to give me access to it :( it does DHCP with a strange net mask 255.255.255.128, but this shouldn't make a difference the same as everything going to the same switch, but this also works ok, the only problem is when I set the pfsense IP as gateway address. If I only change it straight to Cisco router all works fine. There are no firewall rules on traffic from LAN sideSoon I will try to use some other PC as pfSense hardware, but still I'm confused, because this one works ok on 99,99% time, none hardware hang, nothing wrong in the logs, it even says in interfaces status menu:
In/out packets 2719315/2534748 (457.02 MB/2.42 GB)
In/out errors 0/0I've found an information to disable interfaces bridge, done this, tried to change everything in the configuration, still the same, I have no other idea, of course tried to change the pfsense cables.
The hardware is a new good PC, it was working about two months for test without crash or anything. http://www.barebone.com.pl/typ-k45-c-23_15.html
I can try to change it's network card, but maybe someone has some other ideas before I try the hard way?Today I found something new in log:
Sep 22 16:57:36 last message repeated 11 times
Sep 22 16:57:24 last message repeated 28 times
Sep 22 16:56:52 kernel: arp: 00:30:1b:46:dd:f5 is using my IP address 192.168.48.151!The mac 00:30:1b:46:dd:f5 is the WAN interface MAC but this should not happen since the configuration is totally different:
WAN interface (msk0)
Status up
MAC address 00:30:1b:46:dd:f5
IP address 192.168.48.149
Subnet mask 255.255.255.128
Gateway 192.168.48.129
ISP DNS servers 192.168.48.201
Media 100baseTX <full-duplex,flag0,flag1>In/out packets 3152311/1902404 (2.48 GB/364.32 MB)
In/out errors 0/0
Collisions 0
LAN interface (rl0)
Status up
MAC address 00:30:4f:6f:a8:49
IP address 192.168.48.151
Subnet mask 255.255.255.128
Media 100baseTX <full-duplex>In/out packets 2778259/2557641 (462.13 MB/2.44 GB)
In/out errors 0/0
Collisions 0</full-duplex></full-duplex,flag0,flag1> -
You have a configuration error in having two distinct physical interfaces on the same subnet.
-
Oh, I get it, I haven't know it can't work like this.
So can I set different ip prefix and mask on Lan interface and then change it on the clients the same way and it will work?
eg.192.168.48.149/25 WAN
192.168.0.1/24 LAN
192.168.0.2/24 CLIENT -
Yes, that will work for addresses but the firewall needs to be placed between two different networks if it's going to filter anything. It can not be connected to the same switch on WAN and LAN interfaces.
-
But the firewall works on this network (just sometimes you have no connection for few seconds) and in another company I have also pfSense, both interfaces plugged to the same switch, just different subnets and it works cool, 100% satisfaction. If you have on the client gateway set pfSense's Lan interface routing does everything, even on the same switch :)
-
Having WAN and LAN plugged into the same interface will not only break an untold number of things, it is also highly insecure. There is basically no protection of any kind going on there, anyone could send out the right traffic and completely bypass the firewall.
The fact that it managed to miraculously work in one location should not be taken as any indication that it will or should work in any environment.
Get two switches, do it right. One subnet per switch or VLAN.
-
Yes, I know this all, but the problem is, that this is a production area, it needs to work all the time and, what's even worse - I'm only part time working in this company, so i need to be able to change the settings remote. I'll separate the networks when it will work without any problems. For now I can only create new subnet and start moving IP's there. If it only fix the network lost problem
-
yeah, jacked up topology. nothing you can do other than to fix it correctly.
-
Yes, I know this all, but the problem is, that this is a production area, it needs to work all the time and, what's even worse - I'm only part time working in this company, so i need to be able to change the settings remote. I'll separate the networks when it will work without any problems. For now I can only create new subnet and start moving IP's there. If it only fix the network lost problem
I'm not quite sure you get it: What you are doing is wrong and will not work properly. Nothing anyone can tell you will make it work properly other than correctly wiring the network to separate switches.
Edit: Locked thread.