Some external hosts can connect through WAN, others can't



  • Hello,

    I've recently switched over from a Cisco Pix box to pfSense 1.2.1. Right now I'm a bit stumped. We have our mail server hosted internally, and when we switched over some webmail users noted they could not connect. They would get a timeout error. However, this was only some users, and other people at different locations could connect to webmail just fine.

    Thinking it might be related to the mail server, I temporarily set up MS RDP to pass and forward to our terminal server. This time I had users key in our static IP to RDP in. Same results - some users could connect, others would get a timeout.

    What's odd is that for the users who time out and can't connect, there is nothing in the firewall log indicating a block. Actually, at the time that they try to connect, nothing gets logged at all. For users that do connect, there are items in the firewall log.

    Any ideas on how I can troubleshoot this matter would be appreciated, thanks.



  • Sounds like a problem outside your LAN.

    Do you run your webmail on port 80/TCP or port 443/TCP? Do the locations that people can't connect from have anything in common (i.e., are they all places of work, wireless hot-spots, etc.)?


  • If it is LAN users that cannot connect, it is because pfSense cannot do packet inspection with Layer7 over the same interface... In short, it cannot analyze the packets and send them back to the mail server.

    You can overcome that by either using a VLAN-enabled switch, an optional NIC, or finding a Layer7-capable firewall... :)



  • @Cry:

    Sounds like a problem outside your LAN.

    Do you run your webmail on port 80/TCP or port 443/TCP? Do the locations that people can't connect from have anything in common (i.e., are they all places of work, wireless hot-spots, etc.)?

    Internally across the LAN, everyone can connect fine. It's outside access that is problematic. Webmail runs across port 443. The places that seem to have problems are people who work from home and use residential DSL/Cable. We have a co-location server and that server can access everything fine. We also have a satellite office that can access everything as well.



  • Firewall and NAT settings, if this helps any. Disabling the RFC1918 and Bogon rules did not solve the issue either. We also have load balancing with failover on OPT1 with cable; could that cause this problem?





  • That depends on the external IP and DNS settings for the load balancer...



  • Time for a network diagram too, I think; you've mentioned important details in a later post that you overlooked at the beginning ;)



  • Here's a quick diagram, will this work?

    T1 - Static IP ------ WAN -----|
                                   |
                                   Load balance & Failover --- LAN Subnet
                                   |
    Cable - DHCP -------- OPT1 ----|



  • So:

    1. Where's your server - on the LAN?
    2. What connection do people use to connect to the server - T1 or Cable?
    3. If you run a packet capture on that interface, do you see the packets that don't reach the pfSense host?


  • @Cry:

    So:

    1. Where's your server - on the LAN?
    2. What connection do people use to connect to the server - T1 or Cable?
    3. If you run a packet capture on that interface, do you see the packets that don't reach the pfSense host?

    1.) Yes, all servers are within the LAN, no DMZ. I can detail the network diagram when I have some spare time later today.
    2.) From the outside, people connect to the server via the T1. I set up the NAT and firewall rules accordingly (see the NAT/Firewall images in my previous post).
    3.) I'll have to switch back to pfSense and run a capture over the weekend; as of right now our Pix is in and using the T1.

    Thanks for your help so far Cry and Supermule!
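    A way to read the packet capture asked about in question 3 once it has been taken. This is an added example, not code from the thread or from pfSense: it parses constructed `tcpdump -n` text (all addresses are RFC 5737 documentation ranges, and 192.0.2.10 stands in for the static WAN address that is forwarded to the internal webmail host) and sorts each complaining client into "never arrived at the WAN", "arrived but got no reply on this interface", or "handshake answered".

```python
"""Triage a WAN-side capture for a port-forwarded service that times out for
some remote clients. Added example, not code from the thread or from
pfSense; the capture text is constructed tcpdump -n output and every
address is from the RFC 5737 documentation ranges."""
import re
from collections import defaultdict

# Constructed capture, as tcpdump -n on the WAN interface would print it.
# 192.0.2.10 stands in for the static WAN address that is forwarded to the
# internal HTTPS/webmail host; the clients are made up for the example.
SAMPLE_CAPTURE = """\
10:00:01.000001 IP 203.0.113.5.51234 > 192.0.2.10.443: Flags [S], seq 1000, win 65535, length 0
10:00:01.000420 IP 192.0.2.10.443 > 203.0.113.5.51234: Flags [S.], seq 2000, ack 1001, win 65535, length 0
10:00:01.000800 IP 203.0.113.5.51234 > 192.0.2.10.443: Flags [.], ack 1, win 65535, length 0
10:00:05.000001 IP 198.51.100.77.40001 > 192.0.2.10.443: Flags [S], seq 3000, win 64240, length 0
10:00:08.000001 IP 198.51.100.77.40001 > 192.0.2.10.443: Flags [S], seq 3000, win 64240, length 0
10:00:14.000001 IP 198.51.100.77.40001 > 192.0.2.10.443: Flags [S], seq 3000, win 64240, length 0
"""

# One tcpdump TCP summary line: timestamp, src.port > dst.port, TCP flags.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Yield one dict per TCP line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            yield d


def triage_capture(text, service_ip, service_port, clients):
    """For each client address, classify what the WAN capture shows.

    Returns {client: {"syns": n, "synack": bool, "verdict": str}} where
    verdict is one of:
      "not seen at WAN"      - nothing from that client reached this
                               interface, so the loss is upstream of the
                               firewall (consistent with nothing being logged)
      "SYN seen, no SYN/ACK" - the request arrives but no reply leaves on
                               this interface: look at NAT, rules and which
                               interface the reply is routed out of
      "answered"             - the handshake completed from this side
    """
    syns = defaultdict(int)
    synack = set()
    for pkt in parse_capture(text):
        flags = pkt["flags"]
        # A bare SYN toward the forwarded service (no ACK bit).
        if (pkt["dst"] == service_ip and pkt["dport"] == service_port
                and "S" in flags and "." not in flags):
            syns[pkt["src"]] += 1
        # A SYN/ACK coming back from the service address.
        elif (pkt["src"] == service_ip and pkt["sport"] == service_port
                and flags == "S."):
            synack.add(pkt["dst"])
    result = {}
    for c in clients:
        n = syns.get(c, 0)
        if n == 0:
            verdict = "not seen at WAN"
        elif c in synack:
            verdict = "answered"
        else:
            verdict = "SYN seen, no SYN/ACK"
        result[c] = {"syns": n, "synack": c in synack, "verdict": verdict}
    return result


if __name__ == "__main__":
    # The three clients are constructed: one works, one retransmits its SYN
    # without ever being answered, one never shows up at all.
    complaining = ["203.0.113.5", "198.51.100.77", "203.0.113.200"]
    report = triage_capture(SAMPLE_CAPTURE, "192.0.2.10", 443, complaining)
    for ip, info in report.items():
        print(f"{ip:16} SYNs={info['syns']} SYN/ACK={info['synack']} -> {info['verdict']}")
```

    Repeated SYNs with no SYN/ACK on the WAN interface mean the firewall received the request, so the next capture belongs on the LAN side and on the other WAN (OPT1) to see whether the reply left the wrong way; a client that produces no packets at all is a problem to raise with that client's provider rather than with the pfSense rules.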


  • You will not be able to connect to the servers if a failover scenario occurs... The configured WAN IP is only applied via DNS to the static IP T1 connection...

    If you should run CARP (redundancy), you need 3 external IP addresses.

    One of them is the shared IP for both machines with CARP and failover....



  • I had the same problem once, but it was related to bogon networks; my file with non-allocated ranges was not up to date. A packet dump would definitely help here.
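    The stale-bogon-list failure described above, as an added example that is not part of the thread or of pfSense. Both lists are constructed: 203.0.113.0/24 is a documentation range used only as a stand-in for a prefix that was unallocated when an old list was built and has since been handed to an ISP, which is exactly how residential users on newly assigned address space end up blocked. On a real firewall the "current" list would be the bogon table actually loaded, not something typed in.

```python
"""Check a set of client addresses against two bogon lists to find the
clients that only a stale list would block. Added example, not from the
thread or from pfSense; both lists and all addresses are constructed from
RFC 5737 documentation ranges."""
import ipaddress

# Constructed lists. 203.0.113.0/24 stands in for a prefix that was
# unallocated when the stale list was built and has since been assigned.
STALE_BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10",
                "198.18.0.0/15", "203.0.113.0/24"]
CURRENT_BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10",
                  "198.18.0.0/15"]


def load_prefixes(cidrs):
    """Parse CIDR strings into network objects (host bits are tolerated)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def matching_bogon(ip, cidrs):
    """Return the first prefix in cidrs that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in load_prefixes(cidrs):
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def stale_list_false_positives(clients, stale, current):
    """Clients the stale list blocks that the current list does not.

    These are the legitimate remote users who would time out against a
    bogon rule built from the old list and work again once it is updated.
    """
    return [c for c in clients
            if matching_bogon(c, stale) and not matching_bogon(c, current)]


if __name__ == "__main__":
    # Constructed: the public addresses reported by the users who time out.
    complaining = ["203.0.113.45", "198.51.100.20", "10.1.2.3"]
    for c in complaining:
        print(f"{c:16} stale={matching_bogon(c, STALE_BOGONS)} "
              f"current={matching_bogon(c, CURRENT_BOGONS)}")
    print("blocked only by the stale list:",
          stale_list_false_positives(complaining, STALE_BOGONS, CURRENT_BOGONS))
```

    Feeding the script the source addresses of the users who cannot connect, together with the list the firewall has actually loaded, answers in one pass whether the bogon rule is the cause; a hit against the current list for a genuinely private address such as 10.1.2.3 is expected and not a false positive.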

