Netgate Discussion Forum
    Adding a new subnet to server almost stops file transfers - why?

    Category: General pfSense Questions
    35 Posts, 5 Posters, 4.2k Views
    stephenw10 (Netgate Administrator):

      It does seem like there is a high possibility of asymmetric routing here. However, you would not expect that between clients and the server in the same subnet unless something is misconfigured there.
      Some packet captures of the transfer should show what's happening.

      I would probably disconnect the home automation subnet from the server directly and just add a static route to it through pfSense.

      Steve

      johnpoz (LAYER 8 Global Moderator), replying to @Mastiff, last edited by johnpoz:

        @mastiff said in Adding a new subnet to server almost stops file transfers - why?:

        It's taking 192.168.1.x from the pfSense box in as a WAN and is then serving the internal network with the 192.168.0.x segment and nothing else

        Then 192.168.0/24 can not get to the internet? Or any other segment..

        If your "server" NATs this traffic or routes this traffic then it is acting as a router/firewall, whether you think it is or not..

        If you want to use a "server" as a downstream router have at it... But you also have this other VM on the left multihomed in every segment?? Why?? Makes zero sense.

        You have a very powerful router and firewall with pfsense... Have at it and segment up your network into however many you want/need.. I am currently running 9 different segments. All routed and firewalled thru pfsense.. And I also have a downstream copy of pfsense running as a VM for testing when users have messes and they need help in how to do a downstream router via a transit network... Which is the ONLY proper way to do a downstream router, or you're going to run into asymmetrical problems..

        Devices you're going to multihome, ie put in more than 1 network, should only have a default gateway on the network that gets them out to other networks (other than the ones they are directly attached to).. When you start doing multihomed with multiple gateways it gets complicated really quickly... Which, unless you really really have a reason for this and your different gateways can both get to any other network that your box might need to get to, is going to run you into problems. If you need to use a gateway on some other network of this multihomed box then you need to create routes on that box, and it should only have 1 default gateway, etc.

        Again - makes no sense to do such a complicated setup with what amounts to a very basic network with 3 vlans.. All of which can be done on pfsense and a simple cheap vlan capable switch.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        Mastiff:

          Stephenw10, thanks! No, it confused the heck out of me too. I just can't figure out why it affects the wrong subnet. But I will try to remember how I use Wireshark (I think it's been ten years since I needed to do a packet capture, and then I found out that there was a bad switch in the house I had then).

          The problem with using the same subnet is AirPlay, which I want to move to another net than everything else (except for the MQTT messages, which are so small that they don't affect anything) because surfing and gaming makes AirPlay stutter at times.

          Johnpoz, I understood the splitting of subnets to mean that he thought I used the Windows server to split 192.168.1.x and 192.168.10.x, which I don't. But yes, I take 192.168.1.x into the server as WAN, and I use the Routing and Remote Access, DNS Server and DHCP Windows Server roles to give the internal network clients access to the Internet. But almost without NAT or firewalling; I think the only thing I have NAT'ed is the FTP server. The rest that should be accessible from outside is on VMs, with the NAT in the pfSense box.

          The VM is for home automation and has some parts available directly from the Internet 192.168.1.x (which I don't want to carry over to the internal network 192.168.0.x), some parts controlling stuff on the home automation network 192.168.10.x and some parts that are only available from the internal network 192.168.0.x (like home security control). That's why it has so many connections (it actually has six more, but they are from VM pfSense for very special purposes; I remember that you really loved that setup when I asked for a bit of advice some months ago... 😈). And surprise, surprise... It has worked completely without a hitch with the six VM pfSense feeding different DynDNS web hops into the correct part of the VM home automation (which is necessary because the only way the home automation software can separate isolated web pages is to have them come from separate IPs).

          But none of this can easily be done the way you suggest because my home automation setup has very specific requirements. And it works and is extremely stable; I only reboot for updates, and everything's available from where it should be and nowhere else.

          As for my pfSense box, I'm using that to split into three regular segments and one VPN for watching Netflix like an American. ;)

          But I will set up Wireshark and see if I can see something wonky here.

          johnpoz (LAYER 8 Global Moderator), last edited by johnpoz:

            @mastiff said in Adding a new subnet to server almost stops file transfers - why?:

            But nothing of this can easily be done the way you suggest because my home automation setup has very specific requirements.

            So... Pfsense is a ROUTER and a firewall.. Any sort of segmentation you need can be done with a couple of clicks and a $30 switch that understands vlans... Or if you want, a bunch of dumb switches..

            Needing things on the same layer 2 for stuff like airplay could all be solved with the avahi package, since all airplay needs is the multicast discovery to be passed from 1 layer 2 to the other... Multihome stuff so airplay works is just nonsense, sorry..

            When I see such messes I just scream inside my head... I do this for a living and such nonsense is freaking painful!! You do understand you could do simple policy route for your devices to access whatever you want via vpn to circumvent geoip restrictions.. OMG this thread just makes my head hurt..

            Where did I ever say I loved such a mess - point me to this thread... There is NO possible way I would have said anything nice about such a setup.. Yes I like segmentation of networks for security and control - not multihomed nonsense..

            Are you talking about the proxy and url nonsense thread where your interface looks like a dancing baby should be in the corner, it's so horrific looking?? That thread - nowhere did I ever say anything was done right.. It was like pulling teeth with a pair of tweezers even getting any info from you...

            I have to call it quits. That thread was bad enough, I can not go through another one of those nightmares. Stephen can have fun with this one if he wants... I'm done - sorry... But I can only deal with so much crazy..

              Mastiff:

              Sorry, I thought you would understand the sarcasm when I put your brother after the sentence. I was obviously wrong. Of course you hated it. But it works for me. And it seems like you have an unhealthy amount of feelings attached to networking, even when it's somebody else's network. For me this does exactly what I want to do, and it's 100 % stable. So why does it bother you so much?

                Mastiff:

                Yep, according to Wireshark it's trying to copy the file from the interface 192.168.10.4 even if I use the server's IP 192.168.0.1 to access the shares. So it's something strange happening inside the Windows server. Because when I check the routes (route print) on the client I'm trying to copy the files to, there's no mention of the 192.168.10.x network at all there.

                  stephenw10 (Netgate Administrator):
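                Two things said above can be verified directly on the Windows server rather than guessed at: johnpoz's rule that a multihomed host should keep a single default gateway and reach other segments through specific routes, and Mastiff's Wireshark finding that file data to a 192.168.0.x client left the server from 192.168.10.4. The PowerShell below is an added example, not code from this thread or from Netgate; it relies only on the built-in NetTCPIP cmdlets (Get-NetRoute, Get-NetIPInterface, Find-NetRoute, New-NetRoute), uses the thread's three subnets, and the representative client addresses, the public resolver address and the pfSense next-hop are constructed placeholders.

```powershell
# Added example: audit a multihomed Windows host for the routing problems
# discussed in the thread. Run in an elevated PowerShell on the server.

function Get-DefaultGatewayAudit {
    # Lists every IPv4 default route with the metric Windows actually uses
    # (route metric + interface metric). A multihomed host should have one.
    $routes = @(Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue)
    $result = foreach ($r in $routes) {
        $ifc = Get-NetIPInterface -InterfaceIndex $r.InterfaceIndex -AddressFamily IPv4
        [pscustomobject]@{
            Interface       = $r.InterfaceAlias
            InterfaceIndex  = $r.InterfaceIndex
            NextHop         = $r.NextHop
            RouteMetric     = $r.RouteMetric
            InterfaceMetric = $ifc.InterfaceMetric
            Effective       = $r.RouteMetric + $ifc.InterfaceMetric
        }
    }
    if ($routes.Count -gt 1) {
        Write-Warning ("Host has {0} default gateways; keep one and add specific routes for the other segments." -f $routes.Count)
    }
    $result | Sort-Object Effective
}

function Test-EgressPath {
    param([string[]]$Targets)
    # For each target address, report the interface, source address and next
    # hop Windows would choose. A reply to a 192.168.0.x client sourced from
    # 192.168.10.4 is the asymmetry seen in the capture above.
    foreach ($t in $Targets) {
        # Find-NetRoute emits the chosen local address first, then the route.
        $ip, $route = Find-NetRoute -RemoteIPAddress $t
        [pscustomobject]@{
            Target    = $t
            Interface = $route.InterfaceAlias
            Source    = $ip.IPAddress
            Via       = $route.NextHop
            Prefix    = $route.DestinationPrefix
        }
    }
}

# Constructed representative addresses: one client per segment in the thread,
# plus a public address (Google's resolver) to show the internet path.
$targets = '192.168.0.50', '192.168.1.50', '192.168.10.50', '8.8.8.8'

Get-DefaultGatewayAudit | Format-Table -AutoSize
Test-EgressPath -Targets $targets | Format-Table -AutoSize

# Remediation along the lines stephenw10 suggested: drop the extra default
# gateway and reach the home automation segment with one specific route via
# pfSense. Interface indexes and the pfSense address are placeholders for
# this host, so these lines are left commented out.
# Remove-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceIndex <extraIfIndex> -Confirm:$false
# New-NetRoute -DestinationPrefix '192.168.10.0/24' -InterfaceIndex <wanIfIndex> -NextHop <pfSense-192.168.1.x-address>
```

                Read the Effective column first: if two default routes tie or the unintended one wins, traffic that matches no specific route leaves the wrong interface, which is the behaviour in the capture. The Source column of the egress report is the quickest way to confirm the fix, since after the change every 192.168.0.x target should show 192.168.0.1 as the source address.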

                  The problem with this sort of setup, in general, is that it's far too easy to introduce some small config error that causes loops or asymmetry or worse, bypasses security.

                  Anyway, it looks like some Windows routing issue, given it's sending internet traffic the wrong way and the problem only happens when that interface is connected. I don't think this is a pfSense config issue from what we've seen so far.

                  Steve

                    Mastiff:

                    No, me neither. I think it's all Windows. Oh, and it's not even internet traffic, it's local file copies from files hosted on the server to the client. I'll just drop looking at it from the pfSense point of view and try to limit the NIC as much as I can with Routing and Remote Access, DHCP and DNS, perhaps I'll stumble over something. Thanks for trying to help, Steve! :)

                      johnpoz (LAYER 8 Global Moderator), last edited by johnpoz:

                      @mastiff said in Adding a new subnet to server almost stops file transfers - why?:

                      perhaps I'll stumble over something.

                      OMG - that is not how you setup a network... Or for that matter troubleshoot something --- Arrrggghhhh..

                      [image attachment: 0_1542131861255_pkXIb81.jpg]

                        Mastiff, last edited by Mastiff:

                        As I said, too many feelings for networking, but I guess you're the angry chef in Hell's Kitchen, while I'm the naked chef. More experimenting, but usually the final result is edible. 😂 Anyway, I came back to say that I managed to stumble over it (by stumble over I mean methodically testing setting after setting until something changes, but since I don't actually know what setting will do it I call it stumble over) and fixed it.

                        Turned out that it came from Routing and Remote Access on the server, which I found out by turning that off. That fixed it, so then it was only a matter of finding out how to block the card from RAS. After a bunch of tries I found that too: I had to add the card under IPv4, General, open the properties and then Enable IP router manager on the interface and set up filters that blocked everything from the 192.168.0.x network from being routed. So now it works as it should, and I am now listening to Galactic Empire's second album, of course called "Episode II", over AirPlay, and there are no dropouts.

                          stephenw10 (Netgate Administrator):

                          Good result in the end then. Just don't look behind the curtain! 😉

                          Steve

                            Mastiff:

                            Exactly! If the cat catches mice, then who cares what it looks like!

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.