Bug in code, or i do not understand firewalls please help me to understand
-
@johnpoz
yes you are correct about the subnet; the correct way is 192.168.0/23 = 192.168.0.0 - 192.168.1.255
my clients are in that subnet. (/23 255.255.254.0)
(forgive my drawing art plz, really appreciate your effort in helping me out)so from my laptop/PC i can easiliy manage both FW's.
however if i want to reach the web interface of SW-B i'm starting to get the issues as described. I can ping it though (which means routing is OK as there is layer 3 connectivity)
The strange part is that i have squid installed on FW-B (FW-B has more bandwidth upstream) and the clients behind SW-A make use of that and works like a charm.
My mailserver (behind FW-A) 192.168.0.10 can be accessed via Wifi, where the accesspoint is behind SW-B. -
@JKnott you are right, i didnt tell correct, i attached a little drawing and explanation.
thnx for the help so far, really appreciate it.
This is how i came to class B.
-
Well, if that's it's idea of class B, it's wrong. Originally, there was no such thing as classes. Everyone got /8 networks. Then, when they realized that wouldn't last, they created classes, with A the original /8, B with /16 and C, /24. Even that didn't work well, with B being too big for many organizations and C too small. So, back in the early 90's CIDR was introduced, which allowed choosing the appropriate length and many more networks.
-
Well you have a mask set wrong on that switch.. because if everything was in 192.168.0/23 then you talking to the switch from a client also in that same /23 wouldn't send any traffic to pfsense.. Why would any traffic go to gateway?
But if you switches mask was say /24 or something else where 192.168.0.115 was not in its local network, then your PC IP would not be in its network, and it would send its syn,ack to its gateway..
Pfsense would say sorry - don't see any state for that, never saw the syn, so it would be blocked.
Why would you not just connect your 2nd internet connection to FW-A? I don't see any need for 2 pfsense in such a setup. And if you were going to do that, then connect the fw-a and b together via transit and policy route traffic you want to use the 2nd internet connection.
Or just setup a HA pair and let them load balance or policy route traffic out your 2 internet connections, etc.
-
@johnpoz OMG i understand! i configured a default gateway on the management interface of the switch, im really sorry this really is a noob error.
Thanx it works! \o/ Basically you were right: assymetric routing (within the same subnet, LOL I kid you not, the subnet on the switch was configured properly, however i configured a default gateway (FW-B, doh). Now i removed it and it works. -
Well your switch software is buggy then!!
If it has a IP of 192.168.1.1/23 and you talk to it from 192.168.0.115 which is in the network 192.168.1/23 192.168.0.1-192.168.1.254.. It shouldn't be sending traffic to its gateway..
So either the mask was wrong.. Or the switch is buggy and really doesn't understand its in a /23 network 255.255.254.0
But for future, pretty much anytime you see a SA block on firewall, unless its on your wan and that is the sort of probing they are doing - it just screams asymmetrical traffic flow.
-
@johnpoz yup i think it doesn't(but it works)
-
I really do not get why your wanting to use /23 in the first place.. Do you have over 250 clients?
This whole setup seems wonky to me, would never ever in a million years setup something like that ;)
-
@johnpoz nope, i've been into networking for 15 years, networking engineer. Working with L2/L3 and L4 and IDS and IPS-es.
This is just my hobby home network.
It's about 20 machines.
so it was actually 2 /24's. When i had to do maintenance or softwareupgrade i noticed my internetconnection somehow suffered impact due to the maintenance, so i got myself another internet connection. Then i got the idea of connecting.
Well, i wanted to try policy based routing in the first place, as the ISP's are different in terms of network usage. On the first it is ok to have a mailserver, but on the other you can only send mail via the mailservers of the ISP.
So when i thought of connecting do i have to reconfigure all my clients, so i did via DHCP, the switches had to be done manually.
with static ip's going via 1, with DHCP with the other connection, by just changing the subnetmask on the FW's and in the DHCP scope. -
@Rob-Vercouteren said in Bug in code, or i do not understand firewalls please help me to understand:
nope, i've been into networking for 15 years, networking engineer. Working with L2/L3 and L4 and IDS and IPS-es.
Then why did you need that subnet calculator? I've never found the need for one.
-
/shrug I use one all the time. Use one to do base conversions and basic math too. Even though I know how to do it manually.
-
Well, I was working with binary, octal & hex long before I even heard of IP, so that may have something to do with it. In fact, one trick I used to use for doing math in my head was to convert to binary, shift as required and back to get a ball park figure. I'd also frequently use logarithms and trig identities, again in my head. Of course, that was several years ago, but I'm still fairly sharp with logs.
