pfSense blocking traffic on the same network.
-
Hello all,
I'm doing some tests in my lab and found a very weird problem. I have a VMware Workstation and have three VMs installed on it. One is a WinXP, one is pfSense 2.0.1 and the third one is Endian UTM. pfSense is the only one with two networks: one is connected to my wired card and the other one is connected to my wireless card, which is not connected to a wireless network. I am using this card just to try to separate the network traffic.
They all talk to each other, and pfSense is the only one that has internet access through my wired card. The problem is every time I add the pfSense IP as the default gateway for the Endian VM, pfSense starts to block traffic that comes from the WinXP VM towards the Endian VM, although the traffic is host-to-host, not passing by pfSense, or so I thought. See image attached.
My guess is that although I am using different interfaces for LAN and WAN in pfSense, VMware is passing all the traffic through the same channel.
Thoughts?
-
That … or you have your wired network in promiscuous mode (so that it is acting as a hub and not a switch). If that is the case, then pfSense would see it and block the unknown network.
This is of course a speculation since there are no networking details provided.
-
That might be the case. I need to find out how to check that on VMware. That is a question for a different forum, unless there is a way to see that from inside pfSense?
-
Not from within pfSense. It is located in the vSwitch properties … IIRC.
-
ethernet0.noPromisc = "true"
This is the parameter to add to your VMware configuration file to disable promiscuous mode, which is enabled by default on Windows. It did not work, though. pfSense is still blocking my connections. I will move it from a VM to real hardware, and this should solve the problem.
Thanks for your answers, podilarius! 8)
-
I think you have to set the vSwitch to non-promiscuous mode as well.
-
I am using VMware Workstation, not ESX.
-
The only way traffic is handled by the firewall is if it's destined to a MAC on one of its interfaces (unless you're bridging). Blocking SYN-ACKs as shown here indicates SYNs get somewhere without touching the firewall, and the SYN-ACKs are wrongly routed back through the firewall.
-
Thanks for your reply, CMB. So, at this point, we can say that my Endian firewall box is our villain. I just don't understand why it would be sending its traffic through its gateway (pfSense is the default gateway of Endian) if the communication is happening on the same network. To be on the safe side, Endian and pfSense are installed on two different hardware boxes, not VMs anymore.
Endian is a Linux box. I looked at its route table, but there is only the default gateway route. I even cleaned up all the iptables rules, but the packets are still going through pfSense. Google tells me that two more people faced the same issue when trying to put an Endian box behind a pfSense, but it seems that they just gave up. :-(
I am running out of ideas, so if anyone has any, I'd love to hear. My next test is to put in a different Linux box (probably an openSUSE, as Endian is based on Red Hat) and see if I will see the same problem. I doubt it, though.
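An added example, not from this thread or from pfSense/Endian, that models the asymmetric-routing condition CMB describes and the route-table symptom reported in the last post: given a host's `ip route` output, it reports whether a reply to an on-link peer would be handed to the default gateway instead of being sent directly, which is exactly when a stateful firewall at that gateway sees a SYN-ACK it has no state for and blocks it. The route tables, addresses and interface names are constructed.

```python
import ipaddress

# Constructed `ip route` output for a Linux host on 192.168.10.0/24 whose
# default gateway is a stateful firewall at 192.168.10.1 (addresses invented).
# ROUTES_BROKEN mirrors the thread: only a default route and no connected-subnet
# route, so even replies to LAN neighbours are handed to the gateway.
ROUTES_BROKEN = "default via 192.168.10.1 dev eth0\n"
ROUTES_OK = (
    "default via 192.168.10.1 dev eth0\n"
    "192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.20\n"
)

def parse_routes(text):
    """Turn `ip route` lines into (network, gateway_or_None, device) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dst, strict=False)
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((net, via, dev))
    return routes

def next_hop(text, dst_ip):
    """Longest-prefix match: ('direct', dev), ('via', gw) or ('unreachable', None)."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for net, via, dev in parse_routes(text):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    if best is None:
        return ("unreachable", None)
    return ("via", best[1]) if best[1] else ("direct", best[2])

def reply_is_asymmetric(text, peer_ip, gateway_ip):
    """True when a reply to an on-link peer would be sent to gateway_ip instead of
    directly: the SYN reached the host without creating state on the firewall,
    so the SYN-ACK routed back through the firewall is dropped as out-of-state."""
    kind, hop = next_hop(text, peer_ip)
    return kind == "via" and hop == gateway_ip

if __name__ == "__main__":
    for name, table in (("broken", ROUTES_BROKEN), ("fixed", ROUTES_OK)):
        print(name, next_hop(table, "192.168.10.30"),
              reply_is_asymmetric(table, "192.168.10.30", "192.168.10.1"))
```

On a real host, feed it the output of `ip route` and the IP of the peer that cannot connect; a `via` result pointing at the firewall means the missing connected-subnet route, not the firewall rules, is what to fix.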