Netgate Discussion Forum

    RC2 blocking ssh on vlan?

    Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
    louis-m

      i have 5x vlan with the ADMIN vlan being able to access the other vlans but the other vlans are restricted to themselves or designated servers on the other vlans.
      anyway, to cut a long story short, when the ADMIN vlan ssh's into a server on the other vlan, it connects but is dropped within 10secs.
      checking pfsense logs and pfsense blocks the ssh (even though ADMIN can access everything on the other vlans)
      clicking on "easy rule" adds the ssh rule into the appropriate interface but pfsense continues to block & log ssh as blocked.
      this worked fine in the last month and has only occurred within the last few days since upgrading pfsense to the latest snapshot.
      i haven't tested this with any other protocol yet and won't be able to for another day or two.

      louis-m

        this one is a bit strange. after further testing, it also blocks other connections eg https, http and these are shown in the log as blocked.
        try to reconnect a few seconds later and you can. then pfsense blocks it again even though you put pass rules in pfsense.
        if you put a block rule in, it blocks. put a pass rule in and it runs for a minute and then blocks!

        jimp (Rebel Alliance Developer, Netgate)

          Sounds like you have some asymmetric routing somewhere, as in some packets are taking a different path back at some point. Seeing the actual log entries would be helpful to say for sure.

          Make sure your VLANs are all completely separated and that the firewall is the only thing connected between the VLANs.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          louis-m

            i think you are right, but how to correct it?

            i have:
            admin vlan 200 10.0.200.0/24
            server vlan 201 10.0.201.0/24

            from the admin vlan 200 on host 10.0.1.100:

            if i ssh onto a Scientific Linux 6 server which only has 1 x vlan (201), it works fine. no drops
            if i ssh onto a freenas x8 server which has 2 x vlan (200) and (201) , it drops

            if i delete the vlan 200 from the freenas box, i can ssh from vlan 200 to 201 and stay connected.
            i could do with having the 2 vlans running.

            jimp (Rebel Alliance Developer, Netgate)

              Well that would explain it. If you try to talk across the VLANs the traffic will go:

              Client -> pfSense -> Server

              And the reply:
              Server -> Client

              Since it is directly connected to both networks, it will always take the most direct path.

              Your servers shouldn't be connected to both VLANs, that would be somewhat of a security problem.

              Either that, or the firewall on the systems that are dual homed would have to somehow be set to always send traffic back out the way it came in.


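The symptom louis-m describes (a pass rule that works for a few seconds and then starts logging blocks, with a reconnect working again briefly) is what a stateful firewall does when it sees only one direction of a TCP session. The toy model below is an added illustration of that mechanism, not pfSense or pf code: the state machine and the timeouts are simplified stand-ins for pf's state table, and the client and server addresses are constructed from the VLAN ranges given in the thread. The firewall creates a state on a permitted SYN, promotes it to established only if the SYN-ACK also passes through it, and otherwise lets the half-open state expire; later non-SYN packets then match no state and fall through to the default deny. Run it with the dual-homed server and the same packets that pass when the reply is routed through the firewall get blocked once the half-open state times out.

```python
"""Toy model of a stateful firewall facing asymmetric routing.

Added example for this thread, not pfSense/pf code. States, timeouts and
addresses are simplified and constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # subset of "S" (SYN) and "A" (ACK); data packets carry "A"
    t: float     # seconds since the start of the simulation


class StatefulFirewall:
    """Pass-rule list plus a state table; non-SYN packets need an existing state."""

    HALF_OPEN_TTL = 10.0      # assumed: lifetime of a state that never saw the reply
    ESTABLISHED_TTL = 3600.0  # assumed: lifetime once both directions were seen

    def __init__(self, pass_rules):
        self.pass_rules = pass_rules   # list of (src_prefix, dst_prefix, dport)
        self.states = {}               # key -> [status, expires_at]
        self.log = []                  # (t, src, dst, flags, verdict)

    @staticmethod
    def _key(p):
        # Same key for both directions of a flow, so replies match the state.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def _rule_allows(self, p):
        return any(p.src.startswith(s) and p.dst.startswith(d) and p.dport == port
                   for s, d, port in self.pass_rules)

    def handle(self, p):
        # Expire stale states before looking anything up.
        self.states = {k: v for k, v in self.states.items() if v[1] > p.t}
        st = self.states.get(self._key(p))
        if st is not None:
            if "S" in p.flags and "A" in p.flags:
                # SYN-ACK seen: handshake observed in both directions.
                st[0], st[1] = "ESTABLISHED", p.t + self.ESTABLISHED_TTL
            elif st[0] == "ESTABLISHED":
                st[1] = p.t + self.ESTABLISHED_TTL   # refresh on traffic
            verdict = "pass"
        elif p.flags == "S" and self._rule_allows(p):
            # Plain SYN matching a pass rule: open a half-open state.
            self.states[self._key(p)] = ["HALF_OPEN", p.t + self.HALF_OPEN_TTL]
            verdict = "pass"
        else:
            verdict = "block"   # no state and not a permitted SYN: default deny
        self.log.append((p.t, p.src, p.dst, p.flags, verdict))
        return verdict


CLIENT = "10.0.200.50"   # constructed host on the admin VLAN 200
SERVER = "10.0.201.10"   # constructed host on the server VLAN 201


def simulate(dual_homed_server):
    """Return the firewall's verdict for each client->server packet of one ssh session."""
    fw = StatefulFirewall(pass_rules=[("10.0.200.", "10.0.201.", 22)])
    verdicts = []

    def client_sends(flags, t):
        verdicts.append((t, fw.handle(Packet(CLIENT, SERVER, 40000, 22, flags, t))))

    def server_sends(flags, t):
        reply = Packet(SERVER, CLIENT, 22, 40000, flags, t)
        if not dual_homed_server:
            fw.handle(reply)   # reply is routed back through the firewall
        # A dual-homed server answers on its own VLAN 200 leg; the firewall never sees it.

    client_sends("S", 0.0)     # SYN from the admin VLAN
    server_sends("SA", 0.1)    # SYN-ACK, through the firewall or directly
    client_sends("A", 0.2)     # client completes the handshake either way
    client_sends("A", 5.0)     # interactive ssh traffic
    client_sends("A", 12.0)    # after the half-open state has expired
    client_sends("A", 15.0)
    return verdicts


if __name__ == "__main__":
    for label, dual in (("reply via firewall", False), ("dual-homed server", True)):
        print(label, [v for _, v in simulate(dual)])
```

With the reply routed through the firewall every packet passes; with the dual-homed server the first packets pass and the session is then blocked, and a fresh SYN would be passed again, which is exactly the "pass rule runs for a minute and then blocks" pattern. The fix the thread settles on (a separate VLAN for the backup traffic so nothing is attached to two firewall-separated networks) removes the second path rather than trying to make the server route replies back through the firewall.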
                louis-m

                i have a backup server on the admin vlan which is why the freenas is connected to it.
                i take it i would be better moving the backup server onto its own vlan ie out of the admin vlan?

                the other issue it caused was for pfsense to give up and drop the internet connection etc.
                i think it may have been getting confused along the way.

                  jimp (Rebel Alliance Developer, Netgate)

                  Yes, make a third VLAN for the backup traffic and connect the NAS and the backup server there so they can talk directly. That would be secure and eliminate the asymmetric routing.


                    louis-m

                    jimp…. thank you very much for your help and input with this. it's most appreciated.
