SSH to LAN disconnects
-
-
192.168.2.0/24 - LAN
-
192.168.3.0/29 - ADMIN
-
192.168.6.0/24 - home wifi
-
(192.168.7.0 and up to 192.168.9.0/24)
EDIT: don't know if this is relevant, but the AP is bridging wireless clients to each vlan (and is bridging wifi inerface to lan also). I just wanted the AP to be as dumb as possible, so to control everything centrally from pfsense.
EDIT2: after 15 minutes I can see firewall logs blocking traffic to the AP (192.168.2.9) from ADMIN network (192.168.3.3) - my machine from ADMIN network tries to send tcp ack, but it's rejected by default deny rule ipv4. How come?
-
-
Do you have a layer3 switch? It may be doing the routing in one of the directions.
-
I have a managed switch. Thanks for the lead - it now all makes sense :D
-
I have a managed switch. Thanks for the lead - it now all makes sense :D
Managed does not necessarily mean layer 3. It just means the switch can be configured for VLANs, etc.
-
This has something definitely to do with vlans - when I enabled ssh to be on same vlan as I connect the problem is gone even if I set firewall to aggressively remove idle connections. The problem now is gone, but I lack knowledge how to debug such issue. Should I see that return route is different by taking pcap dumps on both ends of the connection (intuitively - I don't think so)?
-
Correct me if I'm wrong - the issue might look like this: I'm connecting to admin network and land in vlan5. From vlan5 I'm setting up an ssh connection to vlan1 (default tag, untagged). My packets are routed to AP (both APs below are the same access point) like this:
PC –> AP (vlan5) --> pfSense (vlan5) --> AP (vlan1)
But the return route is from AP directly to PC and pfsense is seeing only half the packets, hence treats them as idle/broken connection and removes it after a while? So running a packed dump on pfsense should tell me if this really is the case, right?