My RDP Drop every 30 sec
-
Hi All,
I have some problem banging my head against an issue with RDP drop in every 30-40 sec. and reconnecting again.
I have Cisco RV42 with real ip and after that i have Cisco SG300 L3 with 4VLAN
VLAN 1 - management VLAN
VLAN 2 - Servers VLAN
VLAN 3 - Workstation VLAN
VLAN 4 - WiFi VLANAfter that i have ESXi with all VLAN attached as network adapters VLAN 1 is management for ESXi and all other is vSwitch
PfSense is VM with :
VLAN 1 for WAN
VLAN 2 for LAN
VLAN 3 for OPT1
VLAN 4 for OPT2I have firewall rule to PASS - > OPT1&2 traffic LAN and filter/block only facebook and youtube IP's
After that i have VM for Windows AD & DCHP for LAN, OPT1 and OPT2
So everything work like a charm i have, no drop ping packed and every network have i-net.
But when i make RDP to some external network (REAL IP address) it drop in every 30 sec. and reconnecting again
Please Help and be Kind i newer here :) 10x in advance
-
SG300 L3, so your using it in L3 mode?
What is a REAL ip? you mean public? and not rfc1918?
So your rdping over the public internet? through your ISP.. And are you using tcp or udp? When you connect what does your rdp client say your quality is?
-
Hi Johnpoz,
Yes i mean public address. All my drop is when i connect to some public address using RDP and i using TCP protocol and quiality is good
-
So your running public IP on your network? Or your RV042 is natting? And are you routing on yoru L3 SG300?
Please draw your network Since saying you have rv042 and the L3 switch and then esxi makes no sense.. You make no mention of a wan or public vlan or connection.
I assume your trying to blame your rdp to the public internet on pfsense? Do you get drops between your local networks? Why don't you just sniff the traffic and see what is happening…
-
With the dearth of information about from which network to which network that johnpoz has asked for, my gut reaction is an asymetric route. The initial connection goes through PFSense, but the response goes through the switch or something. PFSense never sees the response and kills the state as incomplete. Missmatch in subnet masks?
-
Here is a network topology and all setting from PfSense, RV42 and SG300
The WAN address on RV42 is my public IP address and i do NAT for all VLAN's
All connection between VLAN work just fine
![Firewall LAN.png](/public/imported_attachments/1/Firewall LAN.png)
![Firewall LAN.png_thumb](/public/imported_attachments/1/Firewall LAN.png_thumb)
![Firewall NAT.png](/public/imported_attachments/1/Firewall NAT.png)
![Firewall NAT.png_thumb](/public/imported_attachments/1/Firewall NAT.png_thumb)
![Firewall OPT1&2.png](/public/imported_attachments/1/Firewall OPT1&2.png)
![Firewall OPT1&2.png_thumb](/public/imported_attachments/1/Firewall OPT1&2.png_thumb)
![Firewall WAN.png](/public/imported_attachments/1/Firewall WAN.png)
![Firewall WAN.png_thumb](/public/imported_attachments/1/Firewall WAN.png_thumb)
![Network Topology (2).jpg](/public/imported_attachments/1/Network Topology (2).jpg)
![Network Topology (2).jpg_thumb](/public/imported_attachments/1/Network Topology (2).jpg_thumb)
![RV42 Static Route.png](/public/imported_attachments/1/RV42 Static Route.png)
![RV42 Static Route.png_thumb](/public/imported_attachments/1/RV42 Static Route.png_thumb)
![SG300 Static Route.png](/public/imported_attachments/1/SG300 Static Route.png)
![SG300 Static Route.png_thumb](/public/imported_attachments/1/SG300 Static Route.png_thumb)
![SG300 VLANs.png](/public/imported_attachments/1/SG300 VLANs.png)
![SG300 VLANs.png_thumb](/public/imported_attachments/1/SG300 VLANs.png_thumb) -
That is a MESS!!! Been looking at it for 5 minutes and can not figure out WTF your trying to do??
Why are you trying to do L3 Routing in front of pfsense, and then the same networks behind pfsense?
In your sg300 you say if trying to go to 192.168.11.0/24 go to 192.168.10.2 – but that is just another interface on your sg300? How is esxi configured?
Why are you trying to do routing on this switch?? And what exactly do you want pfsense to do in this setup? How is esxi networking setup.. Do you have physical interfaces connected vswitches, is there just 1 physical nic in the esxi box with vlans on it?
Did you turn off nat, why is there only loopback in your nat tab?
-
First I want to apologize for my broken English, I will try to explain the whole task again.
This is a course project which should create a test network with a public address and 4 subnets.
One for management, one for servers, one for a client's stations and last for WiFi.With RV42 we meet our internet provider and he will take G2G VPN networks with other test networks. The device directly attached to the network will not be filtered and monitored, this is a network vlan1 -10.12.10.x
With SG300 do individual VLAN for the selected networks vlan1 -10.12.10.h, vlan2-10.12.11.h for servers vlan3 10.12.12.h for worstation and last for vlan3 10.12.13.h for WiFi devices
SG300 all VLAN’s have a direct cable connection to ESXi and all 4-VLAN are connected like a virtual switchs. The first we need, a VM for PfSense and AD (active directory) on this ESXi. All traffic from VLAN 2-4 must pass through PfSens and we need one VM with AD will distributes DHCP for three VLAN ‘s
Then a job must bind to individual VLAN resp physical or virtual machines and do G2G tunnel with colleagues from other groups who will be usinng same VM for AD to join there VM on the same domain controller that is on our ESXi.
As one of our tasks below (and the main purpose) is to filter facebook and youtube as after which it will start adding content filters and etc.
-
Why are you trying to do routing on your sg300? I have a sg300 and run multiple vlans on it, layer 2 behind pfsense on esxi..
And sure you could setup site to site with other locations if me I would use pfsense for the site to site vpns..
So here is my setup as example - maybe it will help you with your school work.. Its not anywhere near complete drwing but very basic just threw togteher to hopefully let you see how its setup. As you can see pfsense has a virtual nics and 1 has some vlans that are connected to it. Which are tied to vswitches.
The sg300 is connected to esxi trunk port on the physical port to allow vlans and vswitch is setup with 4095 on it to also allow vlans to the esxi vnic. Then on the sg300 you put whatever ports you want in different vlans. There is no routing done on the sg300, its just layer 2. If you want to route on it.. Then pfsense would just have transit network to it with routes pointing to the networks behind the sg300.
Then as you can see from the esxi networking there are other vms connected to the different vswitches to put them on those networks.
If you were going to do L3 on the sg300, then would connect with a /30 transit network, create your routes on pfsense to point to the sg300 transit IP and on the sg300 you would have a default route to the pfsense /30 transit IP.
You could put sg300 doing L3 in front of your esxi host with a transit to pfsense wan but why would you not want all your networks behind pfsense firewall?
-
While your whole configuration may be a mess, I also want to point out that RDP dropping and reconnecting cyclically is a symptom I experienced when trying to use static routes over pfsense. That may be a related or contributing issue to your problem. Solution here: https://forum.pfsense.org/index.php?topic=99768.msg555804#msg555804
-
Not sure what your issue was but you sure and the hell do not have to setup states to NONE to have static routes work.. If you think that fixed your issue, your issue is most likey a problem with asymmetric routing.
From that thread, I got as far as this
"Let's say SITE1 is 192.168.1.0 /16 and SITE2 is 192.168.2.0 /16."Those are the SAME network with a /16 mask.
System -> Routing -> Gateways -> add new Gateway
Interface: LAN
Gateway: 192.168.1.2System -> Routing -> Static Routes -> add new Route
Destination Network: 192.168.2.0 /16
Gateway: 192.168.1.2 (defined above)And was clear whoever was posting this has a mess.. You would not route a /16 that overlaps your own /16 to somewhere else without most likely having issues. If you have a downstream network you need to get to then you should use a transit network for another not hairpinning connection out the same interface you came in on.
So you have a client in 192.168.1.0/16 wanting to get a 192.168.2/16 For starters why would the client even talk to pfsense since 192.168.2/16 is in his own local network.. Did the poster mean 1.0/24 and 2.0/24 for the other network?
Even if /24 on both sides you really should use a transit network to route to there and not an IP address in the same network your on, or your hairpinning your connection and have issue with asymmetrical traffic on the return..
Nobody should be reading that thread for another other than how NOT to do something correctly!!!
-
Not sure what your issue was but you sure and the hell do not have to setup states to NONE to have static routes work.. If you think that fixed your issue, your issue is most likey a problem with asymmetric routing.
From that thread, I got as far as this
"Let's say SITE1 is 192.168.1.0 /16 and SITE2 is 192.168.2.0 /16."Those are the SAME network with a /16 mask.
Even if /24 on both sides you really should use a transit network to route to there and not an IP address in the same network your on, or your hairpinning your connection and have issue with asymmetrical traffic on the return..
Nobody should be reading that thread for another other than how NOT to do something correctly!!!
You're right about /16 being wrong for my example. I have updated the original post to show the correct CIDR of /24, but that doesn't explain my issues.
I used 192.168.x.x as an example, but I am actually using something more like this:
10.10.0.0 /16 and 10.11.0.0 /16
When I converted the reality to an example, I simply forgot to convert the CIDR to match my Class C example (in other words, I am using /16 for my real scenario because the two different networks are actually Class B address spaces). I am aware that the routes become asymmetric using this setup, but I am not sure why this would cause the problems that I saw, nor why changing the State Type would fix all my issues.
The way I see the routes working (in my example) are:
Incoming: CLIENT2 -> INTERNET -> GATEWAY1B -> CLIENT1
Outgoing: CLIENT1 -> GATEWAY1A -> (static route) -> GATEWAY1B -> INTERNET -> CLIENT2If you think my issue can be solved a better way (now that I have fixed the CIDR typo), it seems that it would be more on-topic for you to reply to me in that thread.
Edit: I supposed something like this would be a better solution: http://networkguy.de/?p=409