No RDP between subnets



  • Hello,

    I'm trying to reproduce part of my network for some testing I need to do on a domain controller and DNS; I normally have 2 networks, 192.168.0.0/24 and 192.168.7.0/24 (VLAN 7).

    The first network is connected to a Cisco 3560 that does layer 3, and on it I have the VLANs for the 2 networks; the first has 192.168.0.1 as gateway while the second has 192.168.7.254 (both on the Cisco switch); on the switch there is a route like this:

    0.0.0.0 0.0.0.0 192.168.0.xx

    where that address is the NIC of a pfSense firewall.

    The network on VLAN 7 is behind another firewall, a Cisco ASA, and on that there is the gateway address used to reach the internet, 192.168.7.1: so every machine in VLAN 7 points at this gateway to "surf" the internet but uses 192.168.7.254 to communicate with network 0.

    Now I'd like to create a similar network, but I don't have another Cisco ASA, so I used another pfSense to impersonate the ASA.

    I created 2 simple VLANs, 20 (192.168.20.0/24) and 200 (192.168.200.0/24): the first is "attached" to the 3560 switch and has 192.168.20.1 as gateway; the second has the address 192.168.200.254 on the Cisco and 192.168.200.2 as gateway for the internet, which is the LAN NIC address of the second pfSense.
    For the test, VLAN 20 resembles network 0 while VLAN 200 resembles VLAN 7.

    On the second pfSense I created a static route for 192.168.20.0/24 and also for 192.168.0.0/24: these point to 192.168.200.254 as gateway.
    I created the rules on the 2 pfSense boxes that allow communication between the networks.

    For testing, I have a DC on VLAN 20 (192.168.20.21) and the server on VLAN 200 (192.168.200.11) has 192.168.20.21 as DNS.

    At this point, I can:

    1. ping from 192.168.0.x to 192.168.20.x and to 192.168.200.x and vice versa, so all networks are pingable
    2. RDP from 192.168.0.x to 192.168.20.x and vice versa
    3. access the web UI of the second pfSense, so from 192.168.0.x and 192.168.20.x I can load the site at 192.168.200.2, and I can also do the reverse
    4. RDP from 192.168.200.x to 192.168.0.x and 192.168.20.x
    5. browse the internet with the server in VLAN 200 using the DNS in VLAN 20

    I can't:

    1. RDP from 192.168.0.x to 192.168.200.x
    2. RDP from 192.168.20.x to 192.168.200.x

    Any suggestion? I attached a simple schema of my network.

    Marco

    ![network test.png](/public/imported_attachments/1/network test.png)


  • LAYER 8 Netgate

    Make a transit network between the 3560 and each pfSense. The default gateway for all hosts should be the switch/router.

    Don't put routers on the same segments with other hosts.

    Why are you obfuscating the private IP addresses? Zero reason to do so.



  • Hello,

    @Derelict:

    Why are you obfuscating the private IP addresses? Zero reason to do so.

    Sorry. The real addresses are: 192.168.0.30 for the pfSense LAN, and the same on the static route inside the Cisco 3560; the domain controller on VLAN 20 has 192.168.20.21 while the DC on VLAN 200 is 192.168.200.11.

    Marco



  • Hi,

    @Derelict:

    Make a transit network between the 3560 and each pfSense. The default gateway for all hosts should be the switch/router.

    First, thanks. So you suggest that the DC on VLAN 200, 192.168.200.11, should have 192.168.200.254 as gateway and not 192.168.200.2? I did it this way because I want to resemble my real network (let's say that the network has not grown organically).
    What is the meaning of "transit network"?

    Don't put routers on the same segments with other hosts.

    The routers and other Cisco switches are in the default management VLAN, VLAN 1: effectively the ASA has no management network; same for pfSense.

    Marco


  • LAYER 8 Netgate

    @mmangiante:

    Hello,

    @Derelict:

    Why are you obfuscating the private IP addresses? Zero reason to do so.

    Sorry. The real addresses are: 192.168.0.30 for the pfSense LAN, and the same on the static route inside the Cisco 3560; the domain controller on VLAN 20 has 192.168.20.21 while the DC on VLAN 200 is 192.168.200.11.

    Marco

    And what are their default gateways? How about re-doing your drawing in a complete manner?



  • @Derelict:

    @mmangiante:

    Hello,

    @Derelict:

    Why are you obfuscating the private IP addresses? Zero reason to do so.

    Sorry. The real addresses are: 192.168.0.30 for the pfSense LAN, and the same on the static route inside the Cisco 3560; the domain controller on VLAN 20 has 192.168.20.21 while the DC on VLAN 200 is 192.168.200.11.

    Marco

    And what are their default gateways? How about re-doing your drawing in a complete manner?

    I updated the drawing with the gateways. I have 2 Cisco 3560s with HSRP and the VLANs are defined like this:

    interface Vlan500
     ip address 192.168.0.3 255.255.255.0
     standby 255 ip 192.168.0.1
     standby 255 priority 110
     standby 255 preempt
    !

    interface Vlan20
     ip address 192.168.20.3 255.255.255.0
     standby 20 ip 192.168.20.1
     standby 20 priority 110
     standby 20 preempt
    !

    interface Vlan200
     ip address 192.168.200.7 255.255.255.0
     standby 200 ip 192.168.200.254
     standby 200 priority 110
     standby 200 preempt
    !

    The original VLAN 7 is configured like VLAN 200 on the Cisco side, while on the ASA (which is not in the diagram, but is the network that VLAN 200 with pfSense is meant to resemble) it is:

    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.7.1 255.255.255.0 standby 192.168.7.2
    !

    access-list NONAT extended permit ip 192.168.7.0 255.255.255.0 192.168.0.0 255.255.0.0

    access-list state_bypass extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0

    As said, I created VLAN 200 and installed a pfSense only to resemble VLAN 7 with the ASA, and it seems that RDP is the only service/port not usable from VLAN 500 (network 0) and VLAN 20.

    I also added screenshots of the first and second pfSense, rules and static route.

    Marco

    ![pfsense rules #1.png](/public/imported_attachments/1/pfsense rules #1.png)
    ![pfsense rules #2.png](/public/imported_attachments/1/pfsense rules #2.png)
    ![pfsense rules #3.png](/public/imported_attachments/1/pfsense rules #3.png)
    ![pfsense rules #4.png](/public/imported_attachments/1/pfsense rules #4.png)
    ![network test.png](/public/imported_attachments/1/network test.png)


  • LAYER 8 Global Moderator

    You still have an asymmetrical mess..

    Follow your traffic flow.. when the DC in VLAN 200 wants to talk to the DC in VLAN 20.

    You need to use transit networks when you're going to have downstream routers..



  • @johnpoz:

    You still have an asymmetrical mess..

    Follow your traffic flow.. when the DC in VLAN 200 wants to talk to the DC in VLAN 20.

    You need to use transit networks when you're going to have downstream routers..

    I don't understand well: sorry, maybe it's my understanding of English and/or my knowledge of networking that is not so deep.

    Obviously, if I change the gateway on the DC in VLAN 200 to point to 192.168.200.254 I have no problem with RDP.

    Marco



  • @johnpoz:

    You still have an asymmetrical mess..

    Follow your traffic flow.. when the DC in VLAN 200 wants to talk to the DC in VLAN 20.

    You need to use transit networks when you're going to have downstream routers..

    I read your reply on this post https://forum.pfsense.org/index.php?topic=136730.msg748580#msg748580 where you talk about transit networks, and maybe I basically understand what you mean.

    Maybe using a transit network is also a good suggestion for updating my network and making it better.

    Just to try to clarify, and sorry for my English: first we have VLAN 500 (network 0), then we decided to create VLAN 7, where we install some servers with services for the public; the design was that VLAN 7 was isolated from our network and used the Cisco ASA to go to the internet (so as gateway): the only communication between the networks is that on VLAN 7 there are 2 DCs that are children in the forest and have no DNS, so they use the DCs in VLAN 500 as parent domain and also as DNS.
    The DCs are old Windows Server 2003, so I created VLANs 20 and 200 to resemble this configuration, to test the possibility of adding an independent DNS on the DC servers of that VLAN and making VLAN 7 more independent; I use the second pfSense as a simulated ASA; maybe I could create a second VLAN on the ASA and use that for experimentation, but it is a production environment and I do not want to create a mess.

    I can create, as you suggest, a transit network, or I can use 192.168.200.254 as gateway for VLAN 200, but it is not as realistic and so maybe my test is not so complete or close to reality: that's all. Also, at this point I'd like to understand why I can RDP from VLAN 200 to VLANs 20 and 500 and not vice versa: it's to learn something that I don't know/understand so well.

    Marco


  • LAYER 8 Global Moderator

    Question for you: is the cloud in your drawing the same connection or 2 different connections?

    Doesn't really matter, but trying to make sure that we are talking about 2 different pfSense boxes here and 2 different internet connections connected to your 3560.. Happy to draw how the network should be set up with transit networks, which would allow you complete control of traffic between your segments and allow for failover or load balancing over what I assume are two different internet connections (the clouds in your drawing)?



  • @johnpoz:

    question for you is the cloud in your drawing the same connection or 2 different connections?

    Hello,

    We have 2 different internet connections, both in the real setup and in the test case. In the real network, one ISP cable arrives at the ASA and I have 192.168.7.1 as the IP of the NIC; it is the gateway of the network 192.168.7.0/24, defined on the ASA, for reaching the internet, while 192.168.7.254 is on the Cisco 3560 and we use it to go from 192.168.7.0/24 into our internal network; for VLAN 500 and the other internal networks we have 192.168.0.1, defined on the Cisco, as gateway, and from there the static route to the pfSense 192.168.0.30, which is connected to another provider.

    For the test case, the internal networks have the same setup as described, while VLAN 200 has the same setup as that described for VLAN 7, but instead of the ASA there is another pfSense.

    Marco


  • LAYER 8 Netgate

    If you want to keep it designed as you have it, then everything on the 192.168.200.0/24 network (pfsense test, DC vlan 200) will need routes for everything behind the 3560 from their perspective with 192.168.200.254 as the gateway. DC vlan 200 can then have its default gateway set to 192.168.200.2.

    If you make another transit network between the 3560 and pfSense test then the 3560 will need to be the one that makes the policy routing decision as to which pfSense to use based on the source address of the connection (multi wan).



  • @Derelict:

    If you want to keep it designed as you have it, then everything on the 192.168.200.0/24 network (pfsense test, DC vlan 200) will need routes for everything behind the 3560 from their perspective with 192.168.200.254 as the gateway. DC vlan 200 can then have its default gateway set to 192.168.200.2.

    Hello,

    Thanks to you too for the time dedicated. Could you explain it better? Maybe it's my understanding of English that doesn't help :-) I have a static route to VLAN 500 (192.168.0.0/24) via 192.168.200.254 in the test pfSense: are you saying that I have to set the same for the other networks? I've done the same for VLAN 20 (192.168.20.0/24) but not for the other networks on the Cisco, because I don't use them in the test.

    Marco


  • LAYER 8 Netgate

    You need the route on the DC vlan 200 too or the pfsense has to hairpin the traffic in and back out its LAN.

    Look at your diagram. What happens when DC vlan 200 has traffic for 192.168.0.X? Where is it sent based on that host's routing table? What happens when it gets there?

    That's why you don't put hosts on a segment with two routers. Those hosts need their own routing tables to make things flow correctly.



  • @Derelict:

    You need the route on the DC vlan 200 too or the pfsense has to hairpin the traffic in and back out its LAN.

    Look at your diagram. What happens when DC vlan 200 has traffic for 192.168.0.X? Where is it sent based on that host's routing table? What happens when it gets there?

    That's why you don't put hosts on a segment with two routers. Those hosts need their own routing tables to make things flow correctly.

    Sorry,

    but why can I RDP from 192.168.200.11 to VLAN 500 and VLAN 20 hosts? And I can also load the pfSense dashboard (192.168.200.2:80) from a host on VLAN 500? And also the ping is OK from VLAN 500 to VLAN 200.

    Thanks,

    Marco


  • LAYER 8 Netgate

    @mmangiante:

    Sorry,

    but why can I RDP from 192.168.200.11 to VLAN 500 and VLAN 20 hosts?

    Hard to say. Probably because you haven't told us everything there is to know about what you have there?

    And I can also load the pfsense dashboard (192.168.200.2:80) from an host on vlan 500?

    Because you have added static routes on pfSense Test telling it that traffic for vlan 500 is to be sent to the 3560?

    And also the ping is ok from vlan 500 to vlan 200.

    Ping can succeed in many asymmetrical routing scenarios where UDP and, particularly, TCP will fail. The statefulness of ICMP is completely different.



  • @Derelict:

    @mmangiante:

    Because you have added static routes on pfSense Test telling it that traffic for vlan 500 is to be sent to the 3560?

    Yes, as I said in previous posts, I have set on pfSense test a static route to VLAN 500 with 192.168.200.254 as gateway: it is in one of the images uploaded.

    Marco


  • LAYER 8 Netgate

    Then that is why that is working. Instead of saying you have a static route to "vlan 500" please use a cidr as the route destination such as 192.168.0.0/24. You don't route to a VLAN. You route to a Layer 3 network.



  • @Derelict:

    Then that is why that is working.

    OK, I understand this. I created on the pfSense at 192.168.0.30/24 a static route to 192.168.0.0/24 with gateway 192.168.0.1, but it is not working: as said, it works if I load the pfSense dashboard page and so contact 192.168.200.2:80.

    Instead of saying you have a static route to "vlan 500" please use a cidr as the route destination such as 192.168.0.0/24. You don't route to a VLAN. You route to a Layer 3 network.

    OK, sorry, I'll do it.

    Marco


  • LAYER 8 Global Moderator

    "I created on the pfsense on 192.168.0.30/24 a static route to 192.168.0.0/24 with gateway 192.168.0.1 but it is not working"

    Huh.. That is bad design out of the box..  You fix your whole problem if you use transit networks.. This is networking 101..

    As Derelict stated, if you're going to use your Cisco 3560 as the box that routes all your internal networks, then you would connect it to your different pfSense boxes with transit networks (no hosts on these networks); they are transit networks, used to get from network(s) A, B, C to other networks, etc.  This is all they are used for.

    You can hang as many or as few networks as you want off your 3560, but this is the box that will determine where traffic goes if it is not destined for a network hanging off it - be it one of your pfSense boxes that have internet connections, or other networks hanging off of them, etc..  You could use 2 different transit networks for your different pfSense boxes or you could put them on a common transit.

    See attached example - follow the flow of any network to any network.. It is symmetrical.. Ie the same path is taken to or from, and there are no hairpins.  The 3560 would have routes that let networks A, B or C go to pfSense 1 or 2 depending on the destination network.  Now you have no hairpins either.

    You can use either a common transit or you could use 2 different transit connected to your cisco 3560.
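The following is an added example, not code from the thread or from pfSense, that models the routing tables and stateful filtering described above so the asymmetry Derelict and johnpoz are pointing at can be followed hop by hop. It reproduces what Marco reports: with the DC in VLAN 200 defaulting to 192.168.200.2, a SYN from VLAN 500 reaches the DC directly through the 3560, but the SYN-ACK goes to the test pfSense, which has never seen the SYN and (like pf with its default `flags S/SA` state creation) drops it; the reverse direction and ICMP work because the first packet the pfSense sees is one that is allowed to create state. It also answers Marco's later question about why the real network works: the `access-list state_bypass` in his ASA config is the form Cisco's TCP state bypass feature uses, and if that ACL is applied in a policy-map it exempts those flows from state checking, which makes the same asymmetric path pass at the cost of disabling stateful inspection for everything in 192.168.0.0/16 (an inference from the ACL name; the thread does not show the policy-map). The client host 192.168.0.50, the upstream next hop 203.0.113.1 and the 10.0.0.0/30 transit link in the `transit` design are assumptions made for the model.

```python
"""Constructed model of the thread's topology (added example, not from the forum).
Addresses come from the posts except 192.168.0.50 (test client), 203.0.113.1
(assumed Internet next hop) and 10.0.0.0/30 (assumed transit link)."""
import ipaddress

INTERNET = "203.0.113.1"   # assumed upstream next hop; never reached in these flows


class Node:
    """A host, router or firewall with its own routing table."""

    def __init__(self, name, addrs, routes, stateful=False, bypass=()):
        self.name = name
        self.addrs = {ipaddress.ip_address(a) for a in addrs}
        # prefix -> next hop; a None next hop means "directly connected"
        self.routes = {ipaddress.ip_network(p): (ipaddress.ip_address(nh) if nh else None)
                       for p, nh in routes.items()}
        # pf-style stateful filtering: an allow-any rule creates state for ICMP/UDP
        # or a TCP SYN, but a bare SYN-ACK with no existing state is dropped
        self.stateful = stateful
        # networks exempt from TCP state checks (what the ASA's state_bypass ACL selects)
        self.bypass = [ipaddress.ip_network(n) for n in bypass]
        self.states = set()

    def next_hop(self, dst):
        """Longest-prefix match; returns (next_hop, found)."""
        matches = [n for n in self.routes if dst in n]
        if not matches:
            return None, False
        best = max(matches, key=lambda n: n.prefixlen)
        return self.routes[best], True

    def permits(self, src, dst, proto, flags):
        if not self.stateful:
            return True
        key = (frozenset((src, dst)), proto)      # direction-agnostic flow key (ports omitted)
        if key in self.states:
            return True
        if proto != "tcp" or flags == "S":         # only these may create state
            self.states.add(key)
            return True
        return all(any(a in n for n in self.bypass) for a in (src, dst))


def trace(nodes, src, dst, proto="tcp", flags="S"):
    """Forward one packet hop by hop; returns the nodes it crossed, or None if dropped."""
    by_addr = {a: n for n in nodes for a in n.addrs}
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    node, path = by_addr[src], []
    for _ in range(8):                             # hop limit guards against routing loops
        path.append(node.name)
        if not node.permits(src, dst, proto, flags):
            return None                             # stateful firewall dropped it
        if dst in node.addrs:
            return path
        nh, found = node.next_hop(dst)
        node = by_addr.get(dst if nh is None else nh) if found else None
        if node is None:
            return None                             # no route, or next hop not modelled


def tcp_connect(nodes, client, server):
    """True only if the SYN reaches the server AND the SYN-ACK gets back to the client."""
    return (trace(nodes, client, server, "tcp", "S") is not None
            and trace(nodes, server, client, "tcp", "SA") is not None)


def ping(nodes, a, b):
    return (trace(nodes, a, b, "icmp", "") is not None
            and trace(nodes, b, a, "icmp", "") is not None)


def topology(design):
    """'current' = the thread's test lab; 'asa_bypass' = same plus TCP state bypass;
    'host_route' = Derelict's workaround; 'transit' = johnpoz's transit-network design."""
    r3560 = {"192.168.0.0/24": None, "192.168.20.0/24": None,
             "192.168.200.0/24": None, "0.0.0.0/0": "192.168.0.30"}
    r3560_addrs = ["192.168.0.1", "192.168.20.1", "192.168.200.254"]   # HSRP VIPs
    dc200 = {"192.168.200.0/24": None, "0.0.0.0/0": "192.168.200.2"}
    pft_addrs = ["192.168.200.2"]
    pft = {"192.168.200.0/24": None, "192.168.0.0/24": "192.168.200.254",
           "192.168.20.0/24": "192.168.200.254", "0.0.0.0/0": INTERNET}
    bypass = ()
    if design == "asa_bypass":
        bypass = ("192.168.0.0/16",)   # mirrors "permit ip 192.168.0.0/16 192.168.0.0/16"
    elif design == "host_route":
        dc200.update({"192.168.0.0/24": "192.168.200.254",
                      "192.168.20.0/24": "192.168.200.254"})
    elif design == "transit":
        # pfSense test alone on the assumed 10.0.0.0/30; hosts point only at the switch.
        # Which pfSense the 3560 uses for Internet traffic would be a policy-routing
        # decision on the 3560 (as Derelict notes); it does not affect these flows.
        pft_addrs = ["10.0.0.2"]
        pft = {"10.0.0.0/30": None, "192.168.0.0/16": "10.0.0.1", "0.0.0.0/0": INTERNET}
        r3560["10.0.0.0/30"] = None
        r3560_addrs.append("10.0.0.1")
        dc200["0.0.0.0/0"] = "192.168.200.254"
    return [
        Node("H500", ["192.168.0.50"], {"192.168.0.0/24": None, "0.0.0.0/0": "192.168.0.1"}),
        Node("DC200", ["192.168.200.11"], dc200),
        Node("R3560", r3560_addrs, r3560),
        Node("PF1", ["192.168.0.30"], {"192.168.0.0/24": None, "0.0.0.0/0": INTERNET}, stateful=True),
        Node("PFT", pft_addrs, pft, stateful=True, bypass=bypass),
    ]


if __name__ == "__main__":
    for d in ("current", "asa_bypass", "host_route", "transit"):
        print(f"{d:10} RDP 0.50->200.11: {tcp_connect(topology(d), '192.168.0.50', '192.168.200.11')}"
              f"  RDP 200.11->0.50: {tcp_connect(topology(d), '192.168.200.11', '192.168.0.50')}"
              f"  ping: {ping(topology(d), '192.168.0.50', '192.168.200.11')}")
```

Note that `trace(topology("current"), "192.168.200.11", "192.168.0.50")` crosses PFT and then R3560: that is the hairpin Derelict mentions, and it only works because pfSense sees the SYN first. On the real test pfSense the same thing can be observed with `tcpdump -ni <LAN interface> tcp port 3389` (SYN-ACKs from 192.168.200.11 arriving with no preceding SYN) and `pfctl -ss` showing no state for that connection. Of the three designs that pass, only the transit network removes the asymmetry; the host route merely works around it, and state bypass removes the firewall's TCP inspection for the exempted networks.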




  • Hello,

    So you suggest doing a revision of the entire network and using transit networks.

    I'd like to do this, also to learn new things, because I didn't design the network initially and I haven't had networking 101 (even if it seems that whoever designed the network has it too :-) ).

    But in your opinion, why with the real network do I have no problem with RDP, and with pfSense I do? Can I do a packet trace to understand where the packets are lost?

    I appreciate your effort to help me and the possibility to learn from you new and better techniques to better design my network.

    Marco


  • LAYER 8 Global Moderator

    "so you suggest to do a revision to the entire network and use transit network. "

    It's not really a revision of the whole network.. It's just breaking the pfSense boxes out to their own transit networks so you remove the asymmetrical routing.. All of your VLANs hanging off your 3560 can stay there. No changes needed, more than likely..

    But yes, this is what I suggest, because the best you can do with your current asymmetrical mess is workarounds with either host routing on the boxes sitting on what amounts to the transit, and/or source NATing stuff, etc.  Or bypass rules for traffic that enters and leaves the same interface, etc.

    Don't look at it as a revision but as a correction to the mess that was there.

    To be honest, if I was going to revise the network I would prob get rid of your 3560 as router and just use it as a layer 2 switch, and hang all the networks off pfSense - this allows for much easier control of traffic between segments.  And I would prob leverage your 2 different internet connections into a failover setup with your 2 pfSense boxes in CARP.  But without fully understanding your whole network it's hard to say how much work that would be, etc.  Nor do we understand the amount of traffic flow you have between VLANs.  Maybe your current pfSense boxes could not handle it at wire speed?  It could be a hit to your speed between VLANs?

    But for now, just move the devices off your current transit networks. Or bring up new transit(s) to connect your 2 pfSense boxes to your 3560.



    Hello,

    I know that the question I have is "off-topic" here, but how do I start to revise the network? Can I do it VLAN after VLAN, in your opinion? And what about, for example, the VLANs that have HSRP on the Cisco? Do I have to define them on both pfSense and the Cisco?

    Could you give me some starting guidance?

    Marco


  • LAYER 8 Global Moderator

    More than happy to throw my advice at you, if there was an actual drawing of your network with enough details so I wouldn't be guessing.  For example you mention HSRP - nowhere previously did that come up..

    So your 3560 is actually a stack?  Are you going to run a LAG to this stack so you have 1 physical connection to each switch in the stack?  Is there some other switch between pfSense and that?  Are you going to run pfSense in a CARP setup?

    If you would draw out your current network with enough details, then I could make suggestions on what I would change, etc..

