Mind Numbing RDP issue, 2 LANs



  • So communication in between subnets is perfect.  The two I set up are 10.1.201.0/24 and 10.1.202/24 subnets respectively.  I can ping and tracert fine on each side, I can Putty into the esxi box, and use the vsphere client to see every VM, all through the 10.1.201 subnet reaching the 10.1.202 subnet.  Also I may be using terminology wrong so apologies before going into it more.  Anyways the biggest question is why can I remote from the 202 to the 201 subnet, but not the other way.  I've allowed all communication in the firewall LAN rules.  I am running out of options, and I still am getting blocked via pfsense.  I will post logs.

    ![pfsense issue.png](/public/imported_attachments/1/pfsense issue.png)


  • Rebel Alliance Global Moderator

    Looks like you have an asymmetrical issue.. those are blocks with SA, so the Syn,Ack that came into pfsense was blocked because there was no state.  Can you draw up your network so we can figure out where you have an asymmetrical issue?



  • Do you actually mean literally draw it?  :o


  • Rebel Alliance Global Moderator

    Yeah - break out the crayons if you want ;)  Or ms paint and some boxes.. Do you actually have 2 layer 3 networks on the same layer 2?  Do you have some downstream router and 1 of these networks is a transit..

    Your firewall block is out of state.. the SA.. If pfsense was blocking the traffic as it entered it would just be the S (syn), so that you're seeing blocks of SA points to an asymmetrical traffic flow.  Understanding how you have the network actually connected will help us find the reason for that.  Are your devices pointing to gateways other than pfsense?  Do your devices have connections into both networks, etc. etc.

    From your firewall log.. Your RDP box saw the SYN from somewhere other than pfsense, but it sent its answer (syn,ack) back to pfsense.. Pfsense said WTF I don't know anything about this state, when the client sent the syn to you - I didn't see it to be able to set up the state.



  • Very good.  I will make it as pretty as I can.  I'm still pretty new to networking so I will explain as well as I can.  Wish me luck

    Cheers. :)


  • Rebel Alliance Global Moderator

    There are a few free online tools for network drawings.. https://www.gliffy.com/ comes to mind off the top.  If you want to make it "pretty" and don't have visio for example.

    But a napkin and some crayons work too - take a picture of the napkin with your phone if you have to ;)

    edit:  If this is vm.. keep in mind that vswitches are just like real switches with the physical nic being an uplink.  So you can draw the vswitches as just normal switches.  Port groups are like setting vlan on access ports, etc.  I am assuming your VMs are on esxi, or is it hyper-v or something else, etc..

    Here is link to pfsense doc about out of state blocks.
    https://doc.pfsense.org/index.php/Why_do_my_logs_show_"blocked"_for_traffic_from_a_legitimate_connection



  • Okay.  So virtually the LAN can communicate with physical and all that.  RDP and all.  Just thought I'd mark that.  So now let's walk through the very A+ artist drawing.  So I am going to mention that both networks are their own MINUS being plugged into the same WAN switch that gives them different public IPs, but I believe they have the same WAN Gateway.  Feel free to ignore that if that has nothing to do with this issue (Fingers crossed that it doesn't).  So that said, the MX100 is the main office hub, giving the 10.1.201 subnet.  Plugged into that are all our switches, WAPs, etc. etc. for the office.  My network is directly plugged into the MX100 through my Netgear switch.  Very carefully depicted in my drawing.  Also I just tested something: I can putty into my ESXi 5.5 Host, but not the linux inside my virtual machines.  Are we getting warmer? :D

    ![Virtual Network.png](/public/imported_attachments/1/Virtual Network.png)
    ![Bad Drawing.png](/public/imported_attachments/1/Bad Drawing.png)



  • Hey!  Fixed it :)  I always feel dumb when it's super simple.  For anyone having the same issues as mine: check mark this option under System>Advanced; under the Firewall & NAT tab you will find this.  Thank you for your replies John.  You pointed me to the solution with your responses.

    Cheers Mate!

    ![Press this.png](/public/imported_attachments/1/Press this.png)


  • Rebel Alliance Global Moderator

    "both networks are their own MINUS being plugged into the same WAN switch that gives them different public IPs"

    Huh??

    So the mx100 is a firewall.. Your wan for pfsense via the wan vswitch is plugged into what exactly.. But the pfsense wan interface gets a 63.x.x.A address, let's call it.. And your mx100 wan interface gets a 63.x.x.B address..  Then you have this 10.1.201/24 hanging off your mx100, and then also hanging off the mx100 is the connection to your esxi lan vswitch and your lan vms through your netgear (taking it this is dumb - what model number?)

    Either way you have a downstream router set up from your mx100, which is pfsense.  So when something on 201 wants to talk to something in 202 it hits your mx100, mx100 says oh yeah I have that attached and sends the traffic on (syn).. The VM sees this traffic from 10.1.201, says yeah that is a different network and then sends it to the pfsense lan interface (the vm gateway), and this would be the SA you're seeing blocked..

    So you need to either source nat on your mx100 so that traffic that comes from 201 to 202 looks like it came from the mx100 interface IP in the 202..  Or you need to connect your mx to pfsense via a transit network.. You could do this via a vlan or another connection if you have another nic in your esxi host and another nic on your mx100.

    Here is a simplified drawing of your network.. See the flow of traffic from your 202 to your 201 is asymmetrical (see attached)

    How you would fix that is with a transit network..  So now when the network off your mx100 wants to talk to a VM, it would go through the transit network to get to pfsense.  Pfsense would see the SYN, look in firewall rules.  Oh yeah that is allowed and send it on to the vms.  VM would answer back to pfsense.  Pfsense says oh yeah I let that traffic in from transit, I have a state for it I will send your answer back.. And now your devices can talk all day long, etc..

    edit: oh shoot, looks like I reversed your 201 and 202 networks.  But you get the idea I hope..
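As an added illustration of the two explanations above (the out-of-state SA block, and why a transit network makes the path symmetric), here is a toy model of a pf-style state table. This is example code written for this thread, not code from pfSense or from any poster; the addresses and ports are constructed, and the model deliberately ignores rule evaluation, NAT and TCP window checks so that only the state-tracking behaviour is visible.

```python
from dataclasses import dataclass, field

# Constructed sample addresses for the thread's topology (assumptions, not from the posts).
CLIENT_201 = "10.1.201.50"   # office host behind the MX100
VM_202 = "10.1.202.10"       # VM whose default gateway is the pfSense LAN interface
RDP_PORT = 3389


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN,ACK, "A" = ACK


@dataclass
class StatefulFirewall:
    """Minimal pf-style state table.  A SYN that matches a pass rule creates a
    state; any other packet must match an existing state or it is blocked and
    logged, which is the 'blocked ... SA' line seen in the thread's log."""
    name: str
    states: set = field(default_factory=set)
    log: list = field(default_factory=list)

    @staticmethod
    def _key(p: Packet) -> tuple:
        # Direction-independent connection key: identical for both sides of a flow.
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def handle(self, p: Packet) -> bool:
        key = self._key(p)
        desc = f"{p.flags} {p.src}:{p.sport} -> {p.dst}:{p.dport}"
        if p.flags == "S":
            # The thread's LAN rules pass everything, so every SYN creates a state.
            self.states.add(key)
            self.log.append(f"{self.name}: pass {desc} (state created)")
            return True
        if key in self.states:
            self.log.append(f"{self.name}: pass {desc} (matches state)")
            return True
        self.log.append(f"{self.name}: block {desc} (no state)")
        return False


def rdp_handshake(fw: StatefulFirewall, syn_via_pfsense: bool) -> bool:
    """A client on 201 opens RDP to the VM on 202.  Returns True if the VM's
    SYN,ACK gets past pfSense."""
    syn = Packet(CLIENT_201, VM_202, 51234, RDP_PORT, "S")
    synack = Packet(VM_202, CLIENT_201, RDP_PORT, 51234, "SA")
    if syn_via_pfsense:
        fw.handle(syn)
    # Otherwise the MX100 delivers the SYN to the VM over the shared layer-2
    # segment and pfSense never sees it.  Either way the VM's reply is addressed
    # to an off-subnet host, so it goes to the VM's gateway: pfSense.
    return fw.handle(synack)


def asymmetric_flow(fw: StatefulFirewall = None) -> bool:
    """The thread's original layout: MX100 and the pfSense LAN share the VM segment."""
    return rdp_handshake(fw or StatefulFirewall("pfsense"), syn_via_pfsense=False)


def transit_flow(fw: StatefulFirewall = None) -> bool:
    """With a transit network between MX100 and pfSense, the SYN must cross
    pfSense on the way in, so the state exists when the SYN,ACK comes back."""
    return rdp_handshake(fw or StatefulFirewall("pfsense"), syn_via_pfsense=True)


def vm_initiated_flow(fw: StatefulFirewall = None) -> bool:
    """Why 202 -> 201 already worked: the VM's own SYN leaves through its
    gateway (pfSense), so the state exists before the 201 host's SYN,ACK arrives."""
    fw = fw or StatefulFirewall("pfsense")
    fw.handle(Packet(VM_202, CLIENT_201, 40000, RDP_PORT, "S"))
    return fw.handle(Packet(CLIENT_201, VM_202, RDP_PORT, 40000, "SA"))


if __name__ == "__main__":
    for label, flow in (("asymmetric", asymmetric_flow),
                        ("transit", transit_flow),
                        ("vm-initiated", vm_initiated_flow)):
        fw = StatefulFirewall("pfsense")
        ok = flow(fw)
        print(f"{label}: {'connects' if ok else 'BLOCKED'}")
        for line in fw.log:
            print("   ", line)
```

Running it prints one block per scenario; only the asymmetric case ends with a "block SA ... (no state)" line, matching the screenshot in the first post. The "bypass" checkbox mentioned later in the thread effectively turns off this state check for that traffic, which is why it "works" without removing the asymmetry.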





  • Netgate

    "Hey!  Fixed it :)  I always feel dumb when it's super simple.  For those any having same issues as mine.  Check mark this option under System>Advanced and under the Firewall & NAT tab you will find this.  Thank you for your replies John.  You pointed me to the solution with your responses."

    Yeah that's sort of a hacky checkbox to get traffic flowing again. You really should get rid of the asymmetry as @johnpoz described.


  • Rebel Alliance Global Moderator

    You borked it up doing that.. it might work - but it is a BORKED solution.. The correct fix is via transit network..

    @Derelict the asymmetrical threads are multiplying.. Maybe we need to teach a class on how not to setup a network ;)  And what a transit network is!


  • Netgate

    They won't listen. Just like NAT reflection.



  • "So I am going to mention that both networks are their own MINUS being plugged into the same WAN switch that gives them different public IPs, but I believe they have the same WAN Gateway."

    You can scratch that bit entirely.

    But very good, I will take a peek at getting the transit up and going.  Only issue is this is the network at my office and I don't think I'm allowed to make too many changes.  But yes that makes sense to me.  I definitely enjoy figuring this out.  As puzzling as it may be, sometimes it is enjoyable.  Just to make sure, the tubing in the diagram is layer 1, correct?  Hopefully I'm getting all the terminology correct.  Been researching a bunch as of this morning  ::)


  • Rebel Alliance Global Moderator

    Can't you just turn that 202 into a transit… Put your vms on a different network, and then don't put any devices on the 202..

    Well the tubing more reflects layer 2 with the layer 3 running on it.  When you say layer 1, to me that is the actual physical layer.. Be it ethernet or fiber, etc.  The wire itself and what it connects into.. So for example you could have a problem at layer 1 if you go through a patch panel and there is something wrong with the jack on the panel, or something physically wrong with the wire.. This physical problem at layer 1 can be seen with issues at both layer 2 and 3..

    Layer 2, now we are talking the protocols that make up the transmission - layer 2 is the FRAME.. while when you talk about layer 3 you're talking about TCP/IP normally -- this is where routing happens, etc.

    You can use such a tube to reflect all 3 layers if you want.  To me I was not showing you layer 1 because I did not include the nics of your hosts or your vmnics, etc.  Those would make up the physical aspects of the connection between 2 boxes..

    When you hear someone say at layer 2.. They are talking about the wire or broadcast domain where MACs come into play.  Once you are talking layer 3 you're talking about the IP addresses.

    Is that clear as mud ;)



  • Sorry for such a late reply.  But yes that does make sense.  I think I understand the diagram as well.  So as of now my netgear switch and the meraki are connected via ethernet to create the route.  Would that single port on my netgear be the "transit" in this sense?

    Also side note.  I noticed my DHCP and DNS server comes from this new default gateway I created to complete the route to the other network.  So I'm thinking this asymmetrical network is the cause no?

    Thanks for the help so far I do appreciate it.


  • Rebel Alliance Global Moderator

    There should not be any hosts on transit network.. The 10.1.200/30 in my drawing..  If you are going to put hosts on a transit then they will need specific routes to know what to talk to, to get to a specific network.  Rarely would you run a dhcp server on a transit network.



  • @johnpoz:

    "There should not be any hosts on transit network.. The 10.1.200/30 in my drawing..  If you are going to put hosts on a transit then they will need specific routes to know what to talk to, to get to a specific network.  Rarely would you run a dhcp server on a transit network."

    Right I don't mean having the host on the transit network, apologies for not being super fluent in networking.  I mean the transit network is its own entity, but I guess I'm more asking how to accomplish this with the devices I have if that's possible.

    Starting from the top on my list below will be going from left to right on the diagram I found.
    112 = "Switching Device A"
    114 = "Switching Device B"
    Switching Device A will be the virtual switch?
    Will my Netgear itself be the "Transit Network"?
    Switching Device B will be the Meraki MX100?

    I feel like I'm understanding a bit more, but hey you're the judge here not me  ::)


  • Rebel Alliance Global Moderator

    When you talk about a switching device you mean a L3 switch doing routing?

    Your transit network would be an interface on pfsense in its own network, and then another interface on your mx100, which is a firewall/router.. While it might have "switch" ports on it, it's an actual router/firewall just like pfsense.

    The transit network would be from an interface on your pfsense router to an interface on your mx100.  How that gets switched would be at L2.. So you could either have a connection going from pfsense directly to the mx100, or over a switch (with nothing else on it, dumb switch), or over an L2 switch via a vlan (smart/managed switch).