LAN1 to LAN2 traffic issues



  • Hello everybody,

    I will probably not provide all info you guys will need at my first try, sorry in advance.
    I have been at this issue for two days now, and I don't know where to look anymore.

    First of all, we have a horrible network setup atm, but I can not do it properly just yet, without interrupting services that dare not be interrupted.

    We have a WAN link, and 3 connected LANs. I've set up allow rules from each LAN to the other LAN, aside from the default 'allow everything out' rule.
    From LAN to WAN works like a charm, no network hiccups, nothing that seems odd, it just works.

    From LAN to LAN works, but truckloads of packets are dropped, and I do not understand why.

    The snack in this story is the setup:

    LAN1 192.168.50.0/24  (Old network that I cannot shut down yet) (CLIENTNET)
    LAN2 172.16.0.0/16      (servers are here, including hypervisor and couple of VM's) (SERVERNET)
    (LAN3 192.168.5.0/24)  (not used atm)

    My logging is drowning in blocks from my CLIENTNET ip to my Hypervisor with a SERVERNET ip. This is all web traffic.
    I already turned on IP options to check if that might be it.

    I am not blocking private networks on these interfaces.

    Attached are the screenshots of my configuration, any help would be greatly appreciated!!

    Now, as for the snack: we are using one (L3) switch with routing ENABLED. It serves 3 VLANs, mentioned above. For most of our clients, the switch is the default gateway at the moment. The switch will route all 0.0.0.0 traffic to a DIFFERENT firewall with its own WAN address.

    Switch IPs are: 192.168.50.254, 172.16.0.1, 192.168.5.1
    Other firewall LAN IP: 192.168.50.1

    pfSense IPs: 192.168.50.253, 172.16.0.254, 192.168.5.254

    Everything on the SERVERNET subnet is using the pfSense as default gateway. My own computer (192.168.50.5) is using the pfSense as gateway.
    All other clients are using the Switch/other FW.

    The two firewalls are connected with a smartswitch to the WAN-link.

    I realise this is far from ideal, and I am about to get rid of this, but I can't as long as the pfSense is giving me these mystery logs.

    Thanks a lot for any help here!!

    ![2017-02-07 09_28_59-FW01 - Firewall_ Rules_ CLIENTNET.png](/public/imported_attachments/1/2017-02-07 09_28_59-FW01 - Firewall_ Rules_ CLIENTNET.png)
    ![2017-02-07 09_30_00-FW01 - Firewall_ Rules_ SERVERNET.png](/public/imported_attachments/1/2017-02-07 09_30_00-FW01 - Firewall_ Rules_ SERVERNET.png)
    ![2017-02-07 09_30_30-FW01 - System_ Advanced_ Firewall & NAT.png](/public/imported_attachments/1/2017-02-07 09_30_30-FW01 - System_ Advanced_ Firewall & NAT.png)
    ![2017-02-07 09_31_06-FW01 - Status_ System Logs_ Firewall_ Normal View.png](/public/imported_attachments/1/2017-02-07 09_31_06-FW01 - Status_ System Logs_ Firewall_ Normal View.png)



  • I forgot to mention how this issue manifests:

    I am using a browser to go to my Proxmox hypervisor and start a VNC console to one of my clients. This connection works, then hiccups, reconnects, and works for a few minutes again, reconnects, etc. It's quite annoying.



  • Just in case this issue ever arises again: this was caused by the hypervisor and the VMs being on different network configurations.
    The hypervisor was using the old setup, while the VMs were using the pfSense route.

    Once both were configured to use the pfSense route, the log started to behave.

    Sorry for wasting time, you can laugh now  :P :o
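Why the gateway mismatch in the last post produces exactly those client-to-hypervisor blocks can be shown with a small model of a stateful firewall. This is an added example, not pfSense or pf code; the hypervisor address 172.16.0.10, the tick-based timeout and the packet sequence are constructed.

```python
# Model of the asymmetric-routing problem from the thread (added example, not
# pfSense/pf code). Hypervisor address 172.16.0.10 and the timeout are
# constructed; pf's real TCP state machine is more detailed than this.
from collections import namedtuple
Packet = namedtuple("Packet", "src dst flags")   # flags: 'S', 'SA' or 'A'
CLIENT, HYPERVISOR = "192.168.50.5", "172.16.0.10"
PFSENSE, SWITCH = "pfsense", "switch"            # the two candidate gateways

class StatefulFirewall:
    """A flow must open with SYN; a reply-direction packet makes it established;
    a half-open state that never sees a reply expires after first_timeout ticks."""
    def __init__(self, first_timeout=3):
        self.states, self.blocked, self.first_timeout = {}, [], first_timeout

    def tick(self):  # one unit of idle time: age and expire half-open states
        for key, st in list(self.states.items()):
            if not st["established"]:
                st["age"] += 1
                if st["age"] > self.first_timeout:
                    del self.states[key]

    def filter(self, p):
        key = frozenset((p.src, p.dst))
        st = self.states.get(key)
        if st is None:
            if p.flags == "S":                     # new flow: LAN-to-LAN allow rule
                self.states[key] = {"initiator": p.src, "established": False, "age": 0}
                return True
            self.blocked.append(p)                 # mid-session packet, no state: block
            return False
        if p.src != st["initiator"]:
            st["established"] = True               # reply direction seen
        return True

def simulate(hypervisor_gateway, idle_ticks=5):
    """Packets cross pfSense only when the sender's default gateway is pfSense;
    the L3 switch forwards the rest without pfSense ever seeing it.
    Returns how many client->hypervisor packets pfSense blocked."""
    fw, gateway = StatefulFirewall(), {CLIENT: PFSENSE, HYPERVISOR: hypervisor_gateway}
    session = [Packet(CLIENT, HYPERVISOR, "S"), Packet(HYPERVISOR, CLIENT, "SA"),
               Packet(CLIENT, HYPERVISOR, "A")]
    for p in session:                               # handshake
        if gateway[p.src] == PFSENSE:
            fw.filter(p)
    for _ in range(idle_ticks):                     # console sits idle
        fw.tick()
    for p in [Packet(CLIENT, HYPERVISOR, "A")] * 3:  # later keystrokes
        if gateway[p.src] == PFSENSE:
            fw.filter(p)
    return len(fw.blocked)
```

With the hypervisor behind the switch, pfSense only ever sees the client's half of the session, the state never becomes established, and once it expires every later client packet is logged as a block; with both ends using pfSense, nothing is blocked.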