Losing inter-VLAN connection after 30 seconds with one gateway and multiple NICs

viragomann

@User6buinf43 said in Losing inter-VLAN connection after 30 seconds with one gateway and multiple NICs:

You can only access the VLAN 8 IP of C from A with doing masquerading (S-NAT) on pfSense

Thank you, I will look into how to do this.

Firewall > NAT > Outbound

Enable the hybrid mode.
Add a rule:
Interface: VLAN8
source: 192.168.7.2
destination: 192.168.8.3 (or an alias for multiple devices if needed)
translation: VLAN8 address

johnpoz

@User6buinf43 said in Losing inter-VLAN connection after 30 seconds with one gateway and multiple NICs:

I like to keep a management network (VLAN 8) separate from other networks to be used just for managing servers with SSH

huh? So you plan on putting all of your devices in multiple vlans? This defeats the whole purpose of a firewall..

Multihoming devices is almost always going to lead to asymmetrical traffic flow. Unless you are very careful and don't cross connections..

So for example I isolated 2.5ge network between my pc and nas.. This is used for transfer of files.. But there is never a scenario where the source of traffic to the nas from pc would be different network..

When you create a connection from something in your 8 vlan to a vlan 7 IP on a box that also has an IP in van 8 this is going to create asymmetrical flow - because he says oh a vlan 8 IP is talking to me, I will just answer with my vlan 8 IP..

User6buinf43

@viragomann said in Losing inter-VLAN connection after 30 seconds with one gateway and multiple NICs:

Enable the hybrid mode.
Add a rule:
Interface: VLAN8
source: 192.168.7.2
destination: 192.168.8.3 (or an alias for multiple devices if needed)
translation: VLAN8 address

I've tried adding this Outbound NAT rule, choosing 192.168.8.88 as the NAT translation address, but the SSH initial connection times out. It seems partially working in that the address that reaches ComputerC is 192.168.8.88, and the iptables firewall on ComputerC is allowing the connection, but its sshd doesn't log any requests with the highest log level and doesn't respond.

When running Wireshark on ComputerC I can see that 192.168.8.88 attempts to connect to 192.168.8.3 once with the SYN flag followed by four TCP Retransmissions.

I tried changing "NAT Reflection mode for port forwards" from "disabled" to "Pure NAT" and enabling "Enable automatic outbound NAT for Reflection" but it didn't help.

The pfSense Firewall logs only mention the traffic being allowed to Pass with a SYN flag. When trying the connection, that States page shows two results for a 192.168.8.3 search:

Interface: VLAN 7
Protocol: tcp
Source (Original Source) -> Destination (Original Destination): 192.168.7.2:37545 -> 192.168.8.3:22
State: CLOSED:SYN_SENT
Packets: 2 / 0
Bytes: 104 B / 0 B

Interface: VLAN 8
Protocol: tcp
Source (Original Source) -> Destination (Original Destination): 192.168.8.88:49493 (192.168.7.2:37545) -> 192.168.8.3:22
State: SYN_SENT:CLOSED
Packets: 2 / 0
Bytes: 104 B / 0 B

User6buinf43

@johnpoz said in Losing inter-VLAN connection after 30 seconds with one gateway and multiple NICs:

huh? So you plan on putting all of your devices in multiple vlans? This defeats the whole purpose of a firewall..

Most devices will only be on a single VLAN (VLAN 7), but some servers are connected to a second VLAN (VLAN 8) to be used for management only (SSH, iDRAC, backups, etc.). The servers have multiple NICs, one for each VLAN. This way, a server can be communicating at full link speed on both VLANs simultaneously.

@johnpoz said in Losing inter-VLAN connection after 30 seconds with one gateway and multiple NICs:

Multihoming devices is almost always going to lead to asymmetrical traffic flow. Unless you are very careful and don't cross connections..

So for example I isolated 2.5ge network between my pc and nas.. This is used for transfer of files.. But there is never a scenario where the source of traffic to the nas from pc would be different network..

Yes, it seems so. But I would like to learn how to be careful and not cross those connections.

@johnpoz said in Losing inter-VLAN connection after 30 seconds with one gateway and multiple NICs:

When you create a connection from something in your 8 vlan to a vlan 7 IP on a box that also has an IP in van 8 this is going to create asymmetrical flow - because he says oh a vlan 8 IP is talking to me, I will just answer with my vlan 8 IP..

Yes, this is occurring, but I'd like to find a way to route this.

johnpoz

@User6buinf43 said in Losing inter-VLAN connection after 30 seconds with one gateway and multiple NICs:

I tried changing "NAT Reflection mode for port forwards" from "disabled" to "Pure NAT"

Why would you think you need to create a port forward? This is a simple nat.. You do not need to port forward anything.

User6buinf43

@johnpoz said in Losing inter-VLAN connection after 30 seconds with one gateway and multiple NICs:

@User6buinf43 said in Losing inter-VLAN connection after 30 seconds with one gateway and multiple NICs:

I tried changing "NAT Reflection mode for port forwards" from "disabled" to "Pure NAT"

Why would you think you need to create a port forward? This is a simple nat.. You do not need to port forward anything.

I wasn't clear on how these options fit together so I was just trying anything that seems like it could affect this.

User6buinf43

I've also tried disabling the Outbound NAT rule and creating a 1:1 NAT rule:

Interface: VLAN 8
Address Family: IPv4
External subnet IP: 192.168.8.88
Internal IP: 192.168.7.2
Destination: 192.168.8.3

But the result is the same as with the Outbound NAT rule, the connection enters ComputerC as 192.168.8.88, but disappears from there.

johnpoz

@User6buinf43

If you sniff on this device and see traffic coming from pfsense IP address on this network, and this device does not send an answer back - that is not on pfsense, that is on the device..

Here.. I created an outbound nat to my linux box running on my 192.168.2 network (wlan). from my lan network 192.168.9

You can see when I ssh from my 192.168.9.100 box to 192.168.2.13, it is natted to my pfsense IP on the 192.168.2 network 192.168.2.253

Here is the wireshark of the above packet capture

you can see the syn, and the box sending syn,ack back to 192.168.2.253 (pfsense ip on this wlan network as I call it).. And then starting the ssh conversation figuring out what cipher to use, etc.

But if you see pfsense send the syn, to the correct IP and mac.. And you don't get a syn,ack back - that is on the box your sshing too..

edit: I know remove the nat, and when I talk to that 2.13 device from my 9.100 device, you can see its answer to 192.168.9.100 is actually sent to pfsense mac of its 192.168.2.253 IP.. ie its gateway to get off the 2 network..

User6buinf43

Thank you @johnpoz and @viragomann! I changed the Outbound NAT rule Translation Address from 192.168.8.88 to VLAN 8 address and this worked! ComputerC sees the connection as coming from the pfSense IP 192.168.8.1. I didn't understand that the address had to be the address of pfSense, not some arbitrarily chosen address.

viragomann

@User6buinf43
You can use any free IP for masquerading in fact, but you have to assign it to the respective pfSense interface. Otherwise ARP will not work for it.

I advised you to select VLAN 8 address before, however. There is no plausible reason to use any other.