Netgate Discussion Forum

Can't connect two computers through pfsense router

  • B
    bartgrefte
    last edited by Dec 18, 2009, 1:09 PM Dec 18, 2009, 1:07 PM

    Hi :)

    Just now I wanted to run jperf to measure the throughput of my pfsense router that will replace my asus wl500gx.
    Now for some reason the jperf instances can't connect and pings between pfsense and the computer on the wan side fail.

    Setup:
    Laptop with Gb expresscard NIC.
    IP 192.168.1.222, subnet 255.255.255.0
    Windows XP Pro, no firewall enabled.

    Pfsense 1.2.3 embedded/nanobsd router (MSI IM-945GSE-A board with two onboard Intel Gb NICs) with static IPs on both wan and lan.
    LAN: 192.168.1.45/24
    WAN: 192.168.1.46/24

    Desktop computer with Gb pci NIC.
    IP 192.168.1.5, subnet 255.255.255.0
    Windows XP Pro, no firewall enabled.

    Already tried switching the desktop and laptop, but no result.
    Both the laptop and desktop can't get successful ping answers from pfsense when hooked up to the wan-port, pfsense pinging the computer at wan port fails too, however, connected to the lan pings go successfully. The laptop pinging the desktop and the other way around, through pfsense, fails too.

    I'm guessing it's a firewall issue.
    Oh, and uhm, as for jperf, the port has been forwarded ;)

    Any ideas?
    I think I'm probably missing something very simple.

    Bart Grefte

    • G
      GruensFroeschli
      last edited by Dec 18, 2009, 1:26 PM

      You have the same subnet on the LAN and the WAN.

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

      • B
        bartgrefte
        last edited by Dec 18, 2009, 2:53 PM Dec 18, 2009, 1:38 PM

        Ah :) , guess I forgot those can't be the same, thanks ;)
        That solved the connection problem between pfsense and the computer connected to the wan port.
        Pfsense can now ping it successfully. The computer pinging pfsense still fails, guess that's being blocked?

        Anyway, jperf still can't connect…

        edit: disabling "Block private networks" didn't help.

        • G
          GruensFroeschli
          last edited by Dec 18, 2009, 4:17 PM

          If you want to ping the pfSense you need to create a firewall rule allowing this.
          First you need to make sure you don't have the "block RFC1918 subnets" option active.
          Then create a rule like this: "allow, ICMP, *, *, WAN address, *, *"

          • B
            bartgrefte
            last edited by Dec 18, 2009, 6:10 PM

            Okay :)

            Hmm, jperf is getting weirder.
            If I select the udp protocol, it can connect, but not with tcp, time-out.

            If    Proto     Ext. port range   NAT IP                               Int. port range
            WAN   TCP/UDP   5001              192.168.1.222 (ext.: 192.168.1.46)   5001

            That should be fine, shouldn't it?

            • G
              GruensFroeschli
              last edited by Dec 18, 2009, 6:48 PM

              Your NAT rule is still from within one subnet to the same subnet.
              (from 192.168.1.x/24 to 192.168.1.x/24)

              You need different subnets on the WAN and the LAN for routing to work.

              • B
                bartgrefte
                last edited by Dec 18, 2009, 6:56 PM

                Uhm, I thought I had different subnets:
                lan: 192.168.1.45 /24
                wan: 192.168.1.46 /26

                Or is that not different enough ???

                • G
                  GruensFroeschli
                  last edited by Dec 18, 2009, 7:05 PM

                  They are still the same subnet.
                  Please read up how CIDR notation works.
                  http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

                  192.168.1.45/24 --> 192.168.1.0 to 192.168.1.255
                  192.168.1.46/26 --> 192.168.1.0 to 192.168.1.63

                  • B
                    bartgrefte
                    last edited by Dec 18, 2009, 7:40 PM

                    Hmm, now I am realising that I should have paid a little more attention in the Cisco classes… :P

                    Anyway, so if I use a completely different IP range+subnetmask it should work?
                    Gonna try that tomorrow.

                    • G
                      GruensFroeschli
                      last edited by Dec 18, 2009, 7:54 PM

                      Well you can have the same submask.
                      You just need to be in a different range.
                      (like 192.168.0.0/24 and 192.168.1.0/24)

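The subnet overlap discussed in the replies above, as an added example that is not part of the original thread: it checks the interface layouts quoted in the posts with Python's `ipaddress` module and shows why a host on an overlapping network never hands its packets to the router. The `SEPARATE` layout and the gateway addresses passed to `first_hop` are assumptions made for the example.

```python
import ipaddress
from itertools import combinations


def connected_net(addr):
    """Network a CIDR interface address sits in, e.g. 192.168.1.46/26 -> 192.168.1.0/26."""
    return ipaddress.ip_interface(addr).network


def overlapping_interfaces(ifaces):
    """Return (name_a, name_b, net_a, net_b) for every pair of interfaces
    whose connected networks overlap; a router cannot route between those."""
    hits = []
    for (na, a), (nb, b) in combinations(ifaces.items(), 2):
        net_a, net_b = connected_net(a), connected_net(b)
        if net_a.overlaps(net_b):
            hits.append((na, nb, str(net_a), str(net_b)))
    return hits


def first_hop(host_addr, gateway, dst):
    """Where a host sends a packet for dst: "on-link" (it ARPs for dst directly,
    the router is never involved) or the configured gateway."""
    if ipaddress.ip_address(dst) in connected_net(host_addr):
        return "on-link"
    return gateway


# Interface layouts quoted in the thread.
ORIGINAL = {"lan": "192.168.1.45/24", "wan": "192.168.1.46/24"}
SECOND_TRY = {"lan": "192.168.1.45/24", "wan": "192.168.1.46/26"}
# Constructed: the thread only names the ranges 192.168.0.0/24 and 192.168.1.0/24.
SEPARATE = {"lan": "192.168.1.45/24", "wan": "192.168.0.46/24"}

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("second try", SECOND_TRY),
                       ("separate", SEPARATE)):
        print(label, overlapping_interfaces(cfg) or "no overlap")
    # Desktop on the WAN side (192.168.1.5/24) sending to the laptop (192.168.1.222):
    # the laptop looks on-link, so the packet is never given to pfSense.
    print(first_hop("192.168.1.5/24", "192.168.1.46", "192.168.1.222"))
    # Assumed layout after the fix: the LAN laptop answering a WAN host at
    # 192.168.0.5 is off-link and needs pfSense's LAN address as its gateway.
    print(first_hop("192.168.1.222/24", "192.168.1.45", "192.168.0.5"))
```
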
                      • B
                        bartgrefte
                        last edited by Dec 20, 2009, 11:53 AM Dec 20, 2009, 11:48 AM

                        Just tried that, still no go.

                        UDP works, TCP not, plus the jperf server (on lan port) says this:

                        ------------------------------------------------------------
                        Server listening on TCP port 5001
                        TCP window size: 0.00 GByte (default)

                        [1872] local 0.0.0.0 port 5001 connected with 192.168.0.5 port 1098
                        [ ID] Interval      Transfer    Bandwidth

                        Iperf thread stopped [CAUSE=For input string: "1.#J"]

                        Client still says connection timed out.

                        Switched those two, server on wan and client on lan, still timed out but not that input string error on server, in fact, no error at all. It's still waiting for connection.

                        • B
                          bartgrefte
                          last edited by Dec 21, 2009, 2:05 PM

                          Just ruled out the cables, used them both (one at a time) to hook up the laptop and desktop directly -> iperf/jperf works fine.
                          …
                          Uhm, damn, now I'm embarrassed. Forgot to change the gateway on my laptop ::)
                          So it works ;D

                          But now, the throughput is lower than a direct connection.
                          Direct connection: around 670Mbit maximum, this with 6 simultaneous connections in jperf.
                          pfSense throughput: 380Mbit, also with 6 and 3 connections.

                          CPU (Atom N270) usage of the pfSense router is around 90% during the test, so guess 380Mbit is about the maximum it can do?
                          Also noticed something in the firewall log. The desktop (on wan) is sending something via UDP through port 138 to 192.168.0.255, beneath action it shows a white x in a red box.
                          I know that port is used for NETBIOS Datagram Service, but even though I forwarded it, the packages are still being dropped. Not sure if that's a bad thing.

                          • D
                            danswartz
                            last edited by Dec 21, 2009, 3:56 PM

                            If your CPU is (almost) pegged, I'd guess you are not going to get much more than that.

                            • B
                              bartgrefte
                              last edited by Dec 21, 2009, 5:51 PM

                              Hmm…

                              But why can the desktop transfer a lot faster? That one also has a singlecore Atom (230), same as the motherboard of the pfsense router.

                              • J
                                jimp Rebel Alliance Developer Netgate
                                last edited by Dec 21, 2009, 6:02 PM

                                If you are seeing 380Mbit through pfSense, then you are really seeing that * 2 = 760Mbit of throughput. 380 in, 380 out.

                                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                Need help fast? Netgate Global Support!

                                Do not Chat/PM for help!

                                • J
                                  jimp Rebel Alliance Developer Netgate
                                  last edited by Dec 21, 2009, 6:05 PM

                                  Also…

                                  Also noticed something in the firewall log. The desktop (on wan) is sending something via UDP through port 138 to 192.168.0.255, beneath action it shows a white x in a red box.

                                  That's standard Windows NetBIOS broadcasts. It must not be allowed by any rules you have specified if it's showing up in the firewall log as blocked.

                                  • B
                                    bartgrefte
                                    last edited by Dec 21, 2009, 6:32 PM Dec 21, 2009, 6:28 PM

                                    Uhm, so I have to delete the NAT and firewall rule that I made and that is supposed to let them get through?
                                    Oh wait, just realized, I forwarded that port to the IP of the laptop, while they are directed to 192.168.0.255.

                                    Should I even let those packages get through?

                                    @jimp:

                                    If you are seeing 380Mbit through pfSense, then you are really seeing that * 2 = 760Mbit of throughput. 380 in, 380 out.

                                    It wasn't in and out simultaneously, one direction only with Iperf.

                                    The singlecore Atom of the Desktop had no problem with 670MBit, I think the PCI bus of the Gb NIC was the limitation there when it was directly hooked up to my laptop.
                                    Laptop has a T7600 + an expresscard Gb NIC, so no limitations there I guess.

                                    • J
                                      jimp Rebel Alliance Developer Netgate
                                      last edited by Dec 21, 2009, 6:53 PM

                                      If the desktop and laptop were on different interfaces of pfSense, then you were still getting 380 in and 380 out, they were just on different NICs.

                                      Desktop -> nic1 | pfsense | nic2 -> Laptop

                                      A 380Mbit transfer from Desktop to Laptop is 380 in nic1, 380 out nic2, 760Mbit total traffic being handled at the router.

                                      As for the NetBIOS traffic, that's up to you if you want it allowed. That's really just local broadcast traffic to its own subnet, it doesn't hurt anything on pfSense and isn't trying to route out to the Internet.

                                      • B
                                        bartgrefte
                                        last edited by Dec 22, 2009, 2:37 PM

                                        They were, the desktop on the wan NIC and the laptop on the lan NIC, so 380Mbit is the maximum?
                                        I think that will do for the next couple of years, till ISPs go further than that :P

                                        Hmm, okay.

                                        Now I only have to figure out why "halt system" isn't always able to completely shut down the system.
                                        Most of the time it works, but sometimes I have to hold the power button to have it turn off completely.
                                        But that's not really an issue though, since it will be up 24/7 soon.

                                        • J
                                          jimp Rebel Alliance Developer Netgate
                                          last edited by Dec 22, 2009, 2:55 PM

                                          It may be the maximum for that particular set of hardware.

                                          As for the power-off deal, that sounds like what could be an ACPI BIOS issue.

                                          I saw that once or twice on an Atom system I had here but could never reproduce it. As you said, they were intended to be up 24/7 so it wasn't a big deal to figure that one out.
