Netgate Discussion Forum

C Class Network Problem

Category: Firewalling. 16 posts, 3 posters.

ik34:

Hi all,

I have a big problem. My network map and installation are as below:

1 - I have metro ethernet lines.
2 - I have 2 offices and an MPLS VPN between the offices.
3 - I have 2 IP ranges in class C subnets (192.168.180.0 and 192.168.181.0).
4 - I installed pfSense without any issue and set the interfaces and IP addresses: my static IP on WAN (95.70.x.x) and LAN IP 192.168.180.0.
5 - I set the static route to the 192.168.181.0 network.
6 - The 2 offices access the internet, and people connect from the internet to my mail, web and other servers.
7 - Firewall rules: pfSense's default "any" rule, and I added a rule for the 192.168.181.0 network to any.

Everything looks fine, but the 2 offices have a connection problem. The 192.168.181.0 network can access the 192.168.180.0 network, but the 192.168.180.0 network can't. Only the DNS port looks OK; all other ports look blocked by the firewall rules. Does anyone have any idea about my problem? Thanks for your help.

stephenw10 (Netgate Administrator):

Are you seeing anything in the firewall logs?
What is at the other end? Have you added a static route at the other end?
What VPN are you using?

Steve

Nachtfalke:

192.168.180.0/24 ----pfsense1 WAN1-IP-------MPLS------WAN2-IP-pfsense2----192.168.181.0/24

Is this your network configuration?
If you enter a static route on pfsense1 for 192.168.181.0/24 with gateway WAN2-IP
then you have to do the same on the other side:
static route on pfsense2 to 192.168.180.0/24 with gateway WAN1-IP

pfsense2 needs an "allow" firewall rule TO subnet 192.168.180.0/24 and TO the VPN/MPLS network on LAN
pfsense1 needs an "allow" firewall rule TO subnet 192.168.181.0/24 and TO the VPN/MPLS network on LAN

pfsense2 needs an "allow" firewall rule FROM subnet 192.168.180.0/24 and FROM the VPN/MPLS network on WAN
pfsense1 needs an "allow" firewall rule FROM subnet 192.168.181.0/24 and FROM the VPN/MPLS network on WAN

ik34:

Oops, my mistake, I forgot to say I have just one pfSense, at my head office. The branch office comes to the center over the MPLS VPN and accesses the internet over pfSense. I tried many ways; I added the rules between the 2 networks bidirectionally. I added an any-to-any rule, but same old, same old. My ISP says everything is OK on the Cisco. They told me they've created the routes and are passing all packets from the 192.168.180.0 () network.

Nachtfalke, my network:

head office - 192.168.180.0/24 ----pfsense1 WAN1-IP-------MPLS------WAN2(Router)----192.168.181.0/24 - branch office

Nachtfalke:

Then your WAN2 router needs its default gateway set to your WAN1-MPLS-IP, so that all traffic from your branch office uses this gateway.

Your head office needs a static route for network 192.168.181.0/24 with WAN2-MPLS-IP as gateway.
So all traffic from the head office with destination 192.168.181.0/24 uses the MPLS VPN tunnel, and all other traffic (internet) uses the default gateway to your internet provider.

Of course you need the corresponding firewall rules. pfsense2 needs an allow "any to any" on the LAN interface AND an allow "any to any" on the WAN interface (so that the head office can connect to the branch office).

The best way is to configure the static routes and gateways first. Then create an allow "any to any" firewall rule so that there will be no problems when you test the connections.
Then try to ping the different interfaces of both routers and check where it works and where something is blocked.

ik34:

Static route added. Ping is OK between the 2 networks, but for example, when I tried to connect by RDP to my terminal server, the branch reaches my server but the server's answers are blocked somewhere else.

Nachtfalke:

If you are NATing on pfsense2 (branch), then you have to do a port forward if you want to connect to the server on the branch network.
If there is no NAT on pfsense2 (branch), then you have to check the firewall of the server (or disable it for testing).
Can you ping the server on the branch network from a client on the head network?
Can you ping from a client on the branch network to a client on the head network?

Did you allow the traffic on the WAN1-MPLS-IP from the branch network?

ik34:

NAT is OK. Ping is OK between the two networks. The problem is with the TCP/UDP ports. Actually, the problem is with head office to branch connections.
Allow rules added bidirectionally.

Nachtfalke:

If ping is OK, then the routes are OK. You can also check with "traceroute".
If there is a problem with TCP/UDP, then there seems to be a firewall problem on pfsense1, pfsense2 or the client/server you try to connect to.

You should now check, step by step, the logs of the firewalls/routers the traffic passes through and check if something is blocked.
Remote Desktop Protocol (RDP) uses port 3389/TCP. You could check the logs for this port.

I am sure this has nothing to do with your problem, but I just want to mention it:
Not sure if you use multiple gateways on pfsense1 (head), but perhaps it helps if you add the correct gateway in the firewall rules for the destination network 192.168.181.0/24 (branch).

stephenw10 (Netgate Administrator):

@ik34:
"Oops, my mistake, I forgot to say I have just one pfSense, at my head office. The branch office comes to the center over the MPLS VPN and accesses the internet over pfSense."

I think he is saying he has only one pfSense box, at one end of the VPN, and that all traffic from the other end is routed to the internet via this one box.
I am unfamiliar with MPLS. Do they simply provide incoming ethernet connections?

Steve

Nachtfalke:

@stephenw10:
"@ik34:
'Oops, my mistake, I forgot to say I have just one pfSense, at my head office. The branch office comes to the center over the MPLS VPN and accesses the internet over pfSense.'

I think he is saying he has only one pfSense box, at one end of the VPN, and that all traffic from the other end is routed to the internet via this one box.
I am unfamiliar with MPLS. Do they simply provide incoming ethernet connections?

Steve"

I know about the pfSense boxes, but it was easier for me to say "pfsense1" and "pfsense2" because of his structure in previous posts.

MPLS is, as far as I know, a routing protocol on layer 2. And as I understand him, his provider offers him an ethernet network between branch and head.

----edit----
Ah, OK. The pfsense1 and pfsense2 spelling was my mistake ;)

ik34:

stephenw10, you are right. I have just one pfSense appliance, at my head office. Anyway, my ISP made a comment; they said the state table is making problems. They suggested: set up your firewall in "none state or keep state mode". I have installed many pfSenses but I never saw the state mode setup. How can I change my pfSense's state mode?

Nachtfalke:

@ik34:
"stephenw10, you are right. I have just one pfSense appliance, at my head office. Anyway, my ISP made a comment; they said the state table is making problems. They suggested: set up your firewall in "none state or keep state mode". I have installed many pfSenses but I never saw the state mode setup. How can I change my pfSense's state mode?"

I do not know what your ISP means by "none state or keep state mode". I am sorry.

ik34:

Yeah, me too, but the ISP's firewall admin said you can, but he doesn't know anything about pfSense…

Nachtfalke:

I found it on pfSense:

Go to
FIREWALL -> RULES -> Edit/Create a rule.
Scroll down till you find "State type" (click Advanced) and then try what the admin said.

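The two technical points in this thread are the static route for the branch subnet (Nachtfalke's routing advice above) and the per-rule "State type" setting found at the end. The example below is an added illustration, not code from the thread or from pfSense itself: it models a router's longest-prefix route lookup for the head-office box and a deliberately simplified pf-style state table, so that the difference between strict TCP tracking (pfSense's "Keep") and "Sloppy" tracking can be exercised offline. The scenario in which it matters is an assumption made for the example: if the branch's reply packets reach the head-office host by a path that does not cross pfSense, the firewall sees the client's SYN and its later ACK but never the SYN-ACK, which strict tracking cannot validate, while ICMP echo has no handshake to verify and keeps working. That pattern (ping works, TCP does not) is one reason an ISP might point at the state table. Host addresses, port numbers other than 3389, and gateway names are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology following the thread: the head office (192.168.180.0/24) sits
# behind the only pfSense; the branch (192.168.181.0/24) is reached over MPLS through a
# static route; everything else goes to the ISP. Gateway names are placeholders.
ROUTES = [
    (ipaddress.ip_network("192.168.180.0/24"), "LAN (directly connected)"),
    (ipaddress.ip_network("192.168.181.0/24"), "MPLS-GW"),   # the static route
    (ipaddress.ip_network("0.0.0.0/0"), "ISP-GW"),           # default route
]


def lookup_route(dst: str) -> str:
    """Longest-prefix match: the /24 static route wins over the /0 default."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""     # TCP flags as a string: "S", "SA" or "A"


class StatefulFilter:
    """Simplified model (not pf's real implementation) of a state table.
    'keep' expects to see the whole TCP handshake; 'sloppy' passes any packet
    that matches an existing state without checking the handshake order."""

    def __init__(self, state_type: str):
        assert state_type in ("keep", "sloppy")
        self.state_type = state_type
        self.states = {}   # (src, sport, dst, dport, proto) -> "syn_sent" | "established"

    def handle(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if pkt.proto != "tcp":
            # ICMP/UDP states have no handshake to verify: the request creates the
            # state and passes whether or not the reply ever crosses the firewall.
            self.states.setdefault(fwd, "established")
            return "pass"
        if fwd in self.states:
            key, from_initiator = fwd, True
        elif rev in self.states:
            key, from_initiator = rev, False
        else:
            # No state yet: a 'keep state' rule creates one only for the initial SYN.
            if pkt.flags == "S":
                self.states[fwd] = "syn_sent"
                return "pass"
            return "drop"
        if self.state_type == "sloppy":
            self.states[key] = "established"
            return "pass"
        if self.states[key] == "syn_sent":
            if not from_initiator and pkt.flags == "SA":
                self.states[key] = "established"
                return "pass"
            # The initiator's ACK arrived but the SYN-ACK was never seen, so strict
            # tracking cannot validate the acknowledgement and drops the packet.
            return "drop"
        return "pass"


def run_flow(state_type: str, packets) -> list:
    """Feed a packet sequence through a fresh filter and return the verdicts."""
    fw = StatefulFilter(state_type)
    return [fw.handle(p) for p in packets]


HEAD_CLIENT, BRANCH_SERVER = "192.168.180.50", "192.168.181.20"   # constructed hosts
RDP = 3389   # the port Nachtfalke mentions

# Symmetric path: the firewall sees SYN, SYN-ACK and ACK.
SYMMETRIC_RDP = [
    Packet(HEAD_CLIENT, BRANCH_SERVER, "tcp", 50000, RDP, "S"),
    Packet(BRANCH_SERVER, HEAD_CLIENT, "tcp", RDP, 50000, "SA"),
    Packet(HEAD_CLIENT, BRANCH_SERVER, "tcp", 50000, RDP, "A"),
]
# Asymmetric path (assumed scenario): the branch's SYN-ACK bypasses the firewall.
ASYMMETRIC_RDP = [
    Packet(HEAD_CLIENT, BRANCH_SERVER, "tcp", 50000, RDP, "S"),
    Packet(HEAD_CLIENT, BRANCH_SERVER, "tcp", 50000, RDP, "A"),
]
PING = [Packet(HEAD_CLIENT, BRANCH_SERVER, "icmp")]

if __name__ == "__main__":
    print("branch via", lookup_route(BRANCH_SERVER), "| internet via", lookup_route("8.8.8.8"))
    for name, flow in [("symmetric", SYMMETRIC_RDP), ("asymmetric", ASYMMETRIC_RDP), ("ping", PING)]:
        for st in ("keep", "sloppy"):
            print(f"{name:10s} {st:7s} {run_flow(st, flow)}")
```

Running it shows the asymmetric RDP flow passing its SYN and then losing the ACK under strict tracking while ping passes in every case, which is the symptom the thread describes. Relaxing the state type on the rule that matches the branch traffic is the workaround the thread arrives at; the better fix, where the topology allows it, is to make both directions of the flow cross the firewall so that full state tracking can stay in place.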
ik34:

OK, thanks a lot. What an easy one; read, read, read, I hate myself ): A Turkish saying: perfection hides in simplicity.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.