No rdp between subnets
-
Make a transit network between the 3560 and each pfSense. The default gateway for all hosts should be the switch/router.
Don't put routers on the same segments with other hosts.
Why are you obfuscating the private IP addresses? Zero reason to do so.
-
Hello,
Why are you obfuscating the private IP addresses? Zero reason to do so.
Sorry. The real addresses are: 192.168.0.30 for the pfsense LAN, and the same on the static route inside the Cisco 3560; the domain controller on vlan 20 has 192.168.20.21, while the dc on vlan 200 is 192.168.200.11.
Marco
-
Hi,
Make a transit network between the 3560 and each pfSense. The default gateway for all hosts should be the switch/router.
First, thanks. So you suggest that the dc on vlan 200, 192.168.200.11, may have 192.168.200.254 as gateway and not 192.168.200.2? I have done so because I want to resemble my real network (say that the network has not grown organically).
What is the meaning of "transit network"?
Don't put routers on the same segments with other hosts.
The routers and other Cisco switches are in the default management vlan 1: effectively the ASA has no management network; the same for pfsense.
Marco
-
Hello,
Why are you obfuscating the private IP addresses? Zero reason to do so.
Sorry. The real addresses are: 192.168.0.30 for the pfsense LAN, and the same on the static route inside the Cisco 3560; the domain controller on vlan 20 has 192.168.20.21, while the dc on vlan 200 is 192.168.200.11.
Marco
And what are their default gateways? How about re-doing your drawing in a complete manner?
-
Hello,
Why are you obfuscating the private IP addresses? Zero reason to do so.
Sorry. The real addresses are: 192.168.0.30 for the pfsense LAN, and the same on the static route inside the Cisco 3560; the domain controller on vlan 20 has 192.168.20.21, while the dc on vlan 200 is 192.168.200.11.
Marco
And what are their default gateways? How about re-doing your drawing in a complete manner?
I updated the drawing with the gateways. I have 2 Cisco 3560 with HSRP and the vlans are defined like:
interface Vlan500
 ip address 192.168.0.3 255.255.255.0
 standby 255 ip 192.168.0.1
 standby 255 priority 110
 standby 255 preempt
!
interface Vlan20
 ip address 192.168.20.3 255.255.255.0
 standby 20 ip 192.168.20.1
 standby 20 priority 110
 standby 20 preempt
!
interface Vlan200
 ip address 192.168.200.7 255.255.255.0
 standby 200 ip 192.168.200.254
 standby 200 priority 110
 standby 200 preempt
!
The original vlan 7 is configured like vlan 200 on the Cisco side, while on the ASA (which is not in the diagram, but is the network that vlan 200 with pfsense wants to resemble) it is:
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.7.1 255.255.255.0 standby 192.168.7.2
!
access-list NONAT extended permit ip 192.168.7.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list state_bypass extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
As said, I created vlan 200 and installed a pfsense only to resemble vlan 7 with the ASA, and it seems that rdp is the only service/port not usable from vlan 500 (network 0) and vlan 20.
I also added the screenshots for the first and second pfsense, rules and static route.
Marco
-
You still have an asymmetrical mess..
Follow your traffic flow.. when dc vlan 200 wants to talk to dc vlan 20
You need to use transit networks when you're going to have downstream routers..
-
You still have an asymmetrical mess..
Follow your traffic flow.. when dc vlan 200 wants to talk to dc vlan 20
You need to use transit networks when you're going to have downstream routers..
I don't understand well: sorry, maybe it is my understanding of English, and/or my knowledge of networking is not so deep.
Obviously, if I change the router in dc vlan 200 to point to 192.168.200.254 I have no problem with rdp.
Marco
-
You still have an asymmetrical mess..
Follow your traffic flow.. when dc vlan 200 wants to talk to dc vlan 20
You need to use transit networks when you're going to have downstream routers..
I read your reply on this post https://forum.pfsense.org/index.php?topic=136730.msg748580#msg748580 where you talk about transit networks, and maybe I basically understand what you mean.
Maybe using a transit network is also a good suggestion to update my network and make it better.
Only to try to clarify, and sorry for my English: we have first a vlan 500 (network 0), then we decided to create vlan 7 where to install some servers with services to the public; the design was that vlan 7 was isolated from our network and used the Cisco ASA to go to the internet (so as gateway): the only communication between the networks is that on vlan 7 there are 2 dc that are children in the forest and haven't dns, so they use the dc in vlan 500 as parent domain and also as dns.
The dc are old Windows Server 2003, so I created vlan 20 and 200 to resemble this configuration, to test the possibility to add independent dns on the vlan dc servers and make vlan 7 more independent; I use the second pfsense as a simulated ASA; maybe I could create a second vlan on the ASA and use that for experimentation, but it is a production environment and I do not want to create a mess. I can create, like you suggest, a transit network, or I can use 192.168.200.254 as gateway for vlan 200, but it is not as real and so maybe my test is not so complete or near to reality: only this. Also, I'd like to understand at this point why I can rdp from vlan 200 to vlan 20 and 500 and not vice versa: it's to learn something that I don't know/understand so well.
Marco
-
Question for you: is the cloud in your drawing the same connection or 2 different connections?
Doesn't really matter, but trying to make sure that we are talking about 2 different pfsense here and 2 different internet connections connected with your 3560.. Be happy to draw how the network should be set up with transit networks, allowing you complete control of traffic between your segments, and allowing for failover or load balancing to what I assume are two different internet connections, the clouds in your drawing?
-
Question for you: is the cloud in your drawing the same connection or 2 different connections?
Hello,
we have 2 different internet connections, both in the real setup and in the test case. In the real network, one ISP cable arrives at the ASA and I have 192.168.7.1 as the IP of its nic; it is the gateway of the network 192.168.7.x/24, defined on the ASA, to navigate on the internet, while 192.168.7.254 is on the Cisco 3560 and we use it to navigate from 192.168.7.x/24 inside our internal network; for vlan 500 and the other internal networks we have as gateway 192.168.0.1 defined on the Cisco, and from there the static route to pfsense 192.168.0.30 that is connected to another provider.
For the test case, the internal networks have the same setup as described, while vlan 200 has the same setup as that described for vlan 7, but instead of the ASA there is another pfsense.
Marco
-
If you want to keep it designed as you have it, then everything on the 192.168.200.0/24 network (pfsense test, DC vlan 200) will need routes for everything behind the 3560 from their perspective with 192.168.200.254 as the gateway. DC vlan 200 can then have its default gateway set to 192.168.200.2.
If you make another transit network between the 3560 and pfSense test then the 3560 will need to be the one that makes the policy routing decision as to which pfSense to use based on the source address of the connection (multi wan).
-
If you want to keep it designed as you have it, then everything on the 192.168.200.0/24 network (pfsense test, DC vlan 200) will need routes for everything behind the 3560 from their perspective with 192.168.200.254 as the gateway. DC vlan 200 can then have its default gateway set to 192.168.200.2.
Hello,
thanks to you too for the time dedicated. Could you explain better, maybe it is my understanding of English that doesn't help :-) I have a static route to vlan 500 (192.168.0.0/24) via 192.168.200.254 in the test pfsense: do you say that I have to set the same for the other networks? I've done the same for vlan 20 (192.168.20.0/24) but not for the other networks on the Cisco because I don't use them in the test.
Marco
-
You need the route on the DC vlan 200 too or the pfsense has to hairpin the traffic in and back out its LAN.
Look at your diagram. What happens when DC vlan 200 has traffic for 192.168.0.X? Where is it sent based on that host's routing table? What happens when it gets there?
That's why you don't put hosts on a segment with two routers. Those hosts need their own routing tables to make things flow correctly.
-
You need the route on the DC vlan 200 too or the pfsense has to hairpin the traffic in and back out its LAN.
Look at your diagram. What happens when DC vlan 200 has traffic for 192.168.0.X? Where is it sent based on that host's routing table? What happens when it gets there?
That's why you don't put hosts on a segment with two routers. Those hosts need their own routing tables to make things flow correctly.
Sorry,
but why can I rdp from 192.168.200.11 to vlan 500 and vlan 20 hosts? And I can also load the pfsense dashboard (192.168.200.2:80) from a host on vlan 500? And also the ping is ok from vlan 500 to vlan 200.
Thanks,
Marco
-
Sorry,
but why can I rdp from 192.168.200.11 to vlan 500 and vlan 20 hosts?
Hard to say. Probably because you haven't told us everything there is to know about what you have there?
And I can also load the pfsense dashboard (192.168.200.2:80) from a host on vlan 500?
Because you have added static routes on pfSense Test telling it that traffic for vlan 500 is to be sent to the 3560?
And also the ping is ok from vlan 500 to vlan 200.
Ping can succeed in many asymmetrical routing scenarios where UDP and, particularly, TCP will fail. The statefulness of ICMP is completely different.
-
Because you have added static routes on pfSense Test telling it that traffic for vlan 500 is to be sent to the 3560?
Yes, as I said in previous posts I have set on pfsense test a static route to vlan 500 with 192.168.200.254 as gateway: it is in one of the images uploaded.
Marco
-
Then that is why that is working. Instead of saying you have a static route to "vlan 500" please use a cidr as the route destination such as 192.168.0.0/24. You don't route to a VLAN. You route to a Layer 3 network.
-
Then that is why that is working.
Ok, I understand this. I created on the pfsense at 192.168.0.30/24 a static route to 192.168.0.0/24 with gateway 192.168.0.1, but it is not working: as said, it works if I load the pfsense dashboard page and so contact 192.168.200.2:80.
Instead of saying you have a static route to "vlan 500" please use a cidr as the route destination such as 192.168.0.0/24. You don't route to a VLAN. You route to a Layer 3 network.
Ok, sorry, I'll do it.
Marco
-
"I created on the pfsense on 192.168.0.30/24 a static route to 192.168.0.0/24 with gateway 192.168.0.1 but it is not working"
huh.. That is bad design out of the box.. You fix your whole problem if you use transit networks.. This is networking 101..
As Derelict stated, if you're going to use your Cisco 3560 as the box to route all your internal networks, then you would connect it to your different pfsense with transit networks (no hosts on these networks). They are transit, used to get from network(s) A, B, C to other networks, etc. This is all they are used for.
You can hang as many or as few networks as you want off your 3560, but this is the box that will determine where traffic goes if not destined for a network hanging off it - be it one of your pfsense boxes that have internet connections or other networks hanging off of them, etc.. You could use 2 different transit networks for your different pfsense or you could put them on a common transit.
See attached example - follow the flow of any network to any network.. It is symmetrical.. Ie the same path is taken to or from, and there are no hairpins. The 3560 would have routes that let networks a, b or c go to pfsense 1 or 2 depending on the destination network. Now you have no hairpins either.
You can use either a common transit or you could use 2 different transit connected to your cisco 3560.
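A constructed Python model of the lab in this thread, added here and not code from pfSense or from anyone in the thread: it follows each hop's own routing table the way Derelict asks ("where is it sent based on that host's routing table?") and applies pf's rule that TCP state is only created on the SYN, so it reproduces what Marco sees (rdp from vlan 200 works, rdp to vlan 200 fails, the dashboard and ping work) and shows the same checks passing once the DC on vlan 200 either gets host routes for the internal networks or uses the 3560 as gateway. It assumes pfSense test keeps the default "LAN net to any" pass rule with default TCP flag handling; 192.168.0.100 is an assumed host on vlan 500 and the node names are labels, not device names.

```python
import ipaddress
# Constructed model of the lab in this thread, not pfSense or IOS code. Addresses are the
# ones Marco posted; 192.168.0.100 is an assumed host on vlan 500 and the node names are
# assumed labels. A table maps a prefix to the next-hop node, or "direct" if on-link.
HOSTS = {"192.168.0.100": "dc500", "192.168.200.11": "dc200", "192.168.200.2": "pfsense-test"}

def tables(dc200_table):
    return {"dc500": {"192.168.0.0/24": "direct", "0.0.0.0/0": "3560"},
            "dc200": dc200_table,
            "3560": {"192.168.0.0/24": "direct", "192.168.20.0/24": "direct",
                     "192.168.200.0/24": "direct"},
            # pfSense test with the static routes Marco added, pointing at 192.168.200.254
            "pfsense-test": {"192.168.200.0/24": "direct", "192.168.0.0/24": "3560",
                             "192.168.20.0/24": "3560"}}

def next_hop(table, dst):  # longest-prefix match
    ip = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in table if ip in ipaddress.ip_network(p)]
    return table[str(max(nets, key=lambda n: n.prefixlen))] if nets else None

def trace(tbls, src_ip, dst_ip):
    """Nodes a packet crosses from src_ip to dst_ip, following each hop's own table."""
    node, path = HOSTS[src_ip], [HOSTS[src_ip]]
    while node != HOSTS[dst_ip]:
        hop = next_hop(tbls[node], dst_ip)
        node = HOSTS[dst_ip] if hop == "direct" else hop
        if node is None or node in path:
            raise RuntimeError(f"{dst_ip} unreachable from {src_ip}")
        path.append(node)
    return path

def tcp_session_ok(tbls, client_ip, server_ip, fw="pfsense-test"):
    """pf creates TCP state only on the SYN. As an endpoint the firewall sees both sides;
    if it only forwards the reply, the SYN-ACK arrives with no state and is dropped."""
    fwd, rev = trace(tbls, client_ip, server_ip), trace(tbls, server_ip, client_ip)
    return fw in (fwd[0], fwd[-1]) or not (fw in rev and fw not in fwd)

def ping_ok(tbls, a, b):
    """ICMP state needs no handshake: the echo reply passes the LAN rule on its own."""
    return bool(trace(tbls, a, b) and trace(tbls, b, a))

def lab_report(dc200_table):
    tbls = tables(dc200_table)
    return {"rdp vlan500->dc200": tcp_session_ok(tbls, "192.168.0.100", "192.168.200.11"),
            "rdp dc200->vlan500": tcp_session_ok(tbls, "192.168.200.11", "192.168.0.100"),
            "dashboard vlan500": tcp_session_ok(tbls, "192.168.0.100", "192.168.200.2"),
            "ping vlan500->dc200": ping_ok(tbls, "192.168.0.100", "192.168.200.11")}

AS_BUILT = {"192.168.200.0/24": "direct", "0.0.0.0/0": "pfsense-test"}          # gw .2
WITH_ROUTES = {**AS_BUILT, "192.168.0.0/24": "3560", "192.168.20.0/24": "3560"}  # Derelict's fix
VIA_3560 = {"192.168.200.0/24": "direct", "0.0.0.0/0": "3560"}                  # gw .254
```

`lab_report(AS_BUILT)` is the only one of the three that reports a failure, and `trace` on the reverse rdp path shows why: the reply leaves the DC towards pfSense test, which never saw the SYN. The third table only moves the DC's gateway to 192.168.200.254 as Marco tried; with a true transit network pfSense test would leave the 192.168.200.0/24 segment entirely, which the model does not draw.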
-
Hello,
so you suggest doing a revision of the entire network and using transit networks.
I'd like to do this, also to learn new things, because I haven't designed the network initially and I haven't done networking 101 (even if it seems that whoever designed the network has it, too :-) ).
But in your opinion, why with the real network I have no problem with rdp and with pfsense I do? Can I do a packet trace to understand where the packets are lost?
I appreciate your effort to help me and the possibility to learn from you new and better techniques to better design my network.
Marco