Netgate Discussion Forum
    Communication between LAN interface and OPT1, 2, 3, 4, etc.

    General pfSense Questions
    codemonkey76

      Hi,

      I have a 2 x firewall setup with CARP. I have my WAN interface, and then 6 other interfaces: 2 for private IP ranges, and 4 x /28 public IP ranges on the other interfaces.

      I am having an issue accessing some servers on one of the other interfaces from the lan IP.

      I have a server with 2 IP addresses, 10.10.0.245 and 60.241.215.125
      My computer is on 10.10.0.33
      If I connect to the server using RDP to the 60.241.215.125 address, it only connects for a couple of seconds and then gives me "An Internal Error Occurred". If I connect to the 10.10.0.245 IP, the connection is stable.

      If I connect from outside my network (through the WAN interface), the connection is stable. So it seems to be an issue connecting from one non-WAN interface to another non-WAN interface.

      viragomann

        So you try to connect to an internal server with a public IP address assigned to the WAN interface and forwarded to an internal host. Yes, it's true, that this only functions when the connection comes in over WAN. You might have set the port forwarding only on WAN.

        Why won't you use the internal address for internal connections?

        Best practice is to use host names (FQDNs) for connecting to a server. That requires a DNS, of course.
        For internal using you should set up an internal DNS with overrides for the FQDNs with their internal IP addresses.

        codemonkey76

          My computer is on the 10.10.0.0/24 range, and the server is on a 60.241.215.112/28 range. I don't want to add a 10.10.0.0/24 address to the servers because they need to be isolated. Shouldn't the pfSense just route the traffic between the 2 interfaces? It must be allowing it through, because I can connect for a few seconds at least.

          Derelict LAYER 8 Netgate

            @codemonkey76:

            My computer is on the 10.10.0.0/24 range, and the server is on a 60.241.215.112/28 range. I don't want to add a 10.10.0.0/24 address to the servers because they need to be isolated. Shouldn't the pfSense just route the traffic between the 2 interfaces? It must be allowing it through, because I can connect for a few seconds at least.

            If 60.241.215.112/28 is actually an inside interface and not addresses on WAN, then yes.

            You are trying to ping-pong your traffic out to the WAN and then back into the same interface it arrived on. When the server has reply traffic, that traffic is same-subnet, so it doesn't even send it to the firewall at all. So you have pretty much the worst kind of asymmetric routing.

            I have a server with 2 IP addresses, 10.10.0.245 and 60.241.215.125

            I don't want to add a 10.10.0.0/24 address to the servers because they need to be isolated.

            Which is it?

            Diagram your network. Detail where all the addresses are and where your 1:1 NAT and port forwards are.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              codemonkey76

              Thanks for your reply.

              The firewall is set up as follows:

              Firewall 1
              WAN 60.241.215.194/29
              SYNC 192.168.2.1/24
              LAN 10.10.0.2/24
              RANGE1 60.241.215.82/28
              RANGE2 60.241.215.98/28
              RANGE3 60.241.215.114/28
              RANGE4 60.241.215.130/28
              RANGE5 192.168.25.100/24

              Firewall 2
              WAN 60.241.215.195/29
              SYNC 192.168.2.2/24
              LAN 10.10.0.3/24
              RANGE1 60.241.215.83/28
              RANGE2 60.241.215.99/28
              RANGE3 60.241.215.115/28
              RANGE4 60.241.215.131/28
              RANGE5 192.168.25.101/24

              Virtual IPs shared by both firewalls
              WAN 60.241.215.197/29
              LAN 10.10.0.1/24
              RANGE1 60.241.215.81/28
              RANGE2 60.241.215.97/28
              RANGE3 60.241.215.113/28
              RANGE4 60.241.215.129/28
              RANGE5 192.168.25.99/24

              I don't have any port forwards. I have outbound NAT for the LAN range and RANGE5 to use the CARP virtual IP; RANGE1-4 have outbound NAT disabled.

                Derelict LAYER 8 Netgate

                OK, so that should just work.

                Please be specific in describing what is not working.

                And please include netmasks. They matter.

                Something like, "When host ip.address, default gateway ip.address, tries to access hostname x.y.com that it resolves to ip.address on port X, this happens."

                That said,

                Your problem almost certainly stems from having a server with a public interface and an interface on the subnet that the connection is coming from.

                That is REALLY HARD to get right.

                Question: When host 10.10.0.33/24 accesses 60.241.215.125 and 60.241.215.125 also has an interface on 10.10.0.245/24, how is the reply traffic from 60.241.215.125 to 10.10.0.33/24 going to be routed?

                Answer: directly from 10.10.0.245 to 10.10.0.33 on the same subnet - the firewall never sees it. So the firewall state will not receive any service and it will die.


                  codemonkey76

                  OK, I have added subnets to the above post.

                  When host 10.10.0.33/24 with g/w 10.10.0.1 tries to access 60.241.215.125 on port 3389 using the Remote Desktop client, the connection succeeds, but after a few seconds it is dropped with "An internal error occurred". The machine at 60.241.215.125/28 also has a second IP address of 10.10.0.245/24.

                  I think you have described the problem correctly; the question is how to fix it… Do I just have to remove the 10.10.0.245/24 address from the machine to force its traffic to go back via the firewall?

                  Or add some static route on the machine or something?

                    Derelict LAYER 8 Netgate

                    Yeah. Remove/disable that interface.

                    Or tell 10.10.0.33 to connect directly to 10.10.0.245 via a DNS host override or something. There is no reason to go through the firewall in that case.

                    Or add some static route on the machine or something?

                    You can't do that because it's a connected route.

                    The only other option is to add some outbound NAT that makes the connections coming from 10.10.0.33 appear to come from the pfSense interface address so the reply traffic goes to the right place.

                    I would fix the design so you don't have to fight this forever and ever.


                      codemonkey76

                      Shouldn't outbound NAT on the LAN addresses fix this, by making all the traffic from the 10.10.0.0/24 network come from the WAN interface of pfSense?

                        Derelict LAYER 8 Netgate

                        No.


                        1 Reply Last reply Reply Quote 0
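As an added illustration (not part of the thread), a small Python model of the routing decisions Derelict describes: the server's longest-prefix lookup for its reply, why the dual-homed 10.10.0.245 interface makes that reply bypass pfSense and starve the state, and why an outbound NAT rule only helps on the interface the flow actually exits (RANGE3, not WAN). Addresses are taken from codemonkey76's table; that the NAT would use the RANGE3 CARP VIP 60.241.215.113 is an assumption.

```python
import ipaddress

# Addresses come from the thread; the firewall-side model is constructed for illustration.
CLIENT = "10.10.0.33"
SERVER_PUBLIC = "60.241.215.125"
FW_ADDRS = {"LAN": "10.10.0.1", "RANGE3": "60.241.215.113", "WAN": "60.241.215.197"}

def lookup(dst, table):
    """Longest-prefix-match route lookup; table rows are (prefix, next_hop)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1]

def server_table(dual_homed):
    """The server's routes: connected subnets ('direct') and a default via the RANGE3 CARP VIP (assumed)."""
    table = [("60.241.215.112/28", "direct"), ("0.0.0.0/0", FW_ADDRS["RANGE3"])]
    if dual_homed:  # the extra 10.10.0.245/24 interface adds a connected route to the LAN subnet
        table.append(("10.10.0.0/24", "direct"))
    return table

def egress_interface(dst):
    """Which pfSense interface a packet for dst leaves on (LAN->RANGE3 never exits via WAN)."""
    fw_table = [("10.10.0.0/24", "LAN"), ("60.241.215.112/28", "RANGE3"), ("0.0.0.0/0", "WAN")]
    return lookup(dst, fw_table)

def session_survives(dual_homed, nat_interface=None):
    """True if the server's reply re-enters the firewall, so the pf state created on the
    forward leg keeps being refreshed instead of timing out (the RDP drop in the thread)."""
    out_if = egress_interface(SERVER_PUBLIC)
    # Outbound NAT is evaluated on the interface the packet exits; a rule bound to another
    # interface (WAN, as in the last question) does not match this LAN->RANGE3 flow at all.
    src_seen = FW_ADDRS[out_if] if nat_interface == out_if else CLIENT
    next_hop = lookup(src_seen, server_table(dual_homed))
    # The reply reaches the firewall if it is routed via the firewall or addressed to it.
    return next_hop in FW_ADDRS.values() or src_seen in FW_ADDRS.values()

if __name__ == "__main__":
    print("dual-homed, no NAT       :", session_survives(True))           # False: reply bypasses pf
    print("single-homed             :", session_survives(False))          # True
    print("dual-homed, NAT on RANGE3:", session_survives(True, "RANGE3"))  # True
    print("dual-homed, NAT on WAN   :", session_survives(True, "WAN"))     # False
```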