Can't connect two computers through pfsense router



  • Hi :)

    Just now I wanted to run jperf to measure the throughput of my pfsense router that will replace my asus wl500gx.
    Now for some reason the jperf's can't connect and pings between pfsense and the computer on the wan side fails.

    Setup:
    Laptop with Gb expresscard NIC.
    IP 192.168.1.222, subnet 255.255.255.0
    Windows XP Pro, no firewall enabled.

    Pfsense 1.2.3 embedded/nanobsd router (MSI IM-945GSE-A board with two onboard Intel Gb NIC's) with static IP's on both wan and lan.
    LAN: 192.168.1.45/24
    WAN: 192.168.1.46/24

    Desktop computer with Gb pci NIC.
    IP 192.168.1.5, subnet 255.255.255.0
    Windows XP Pro, no firewall enabled.

    Already tried switching the desktop and laptop, but no result.
    Both the laptop and desktop can't get successfull ping answers from pfsense when hooked up to the wan-port, pfsense pinging the computer at wan port fails too, however, connected to the lan ping's go succesfully. The laptop pinging the desktop and the other way around, through pfsense, fails too.

    I'm guessing it's a firewall issue.
    O, and uhm, as for jperf, the port has been forwarded ;)

    Any idea's?
    I think I'm probably missing something very simple.

    Bart Grefte



  • You have the same subnet on the LAN and the WAN.



  • Ah :) , guess I forgot those can't be the same, thanks ;)
    That solved the connection problem between pfsense and the computer connected to the wan port.
    Pfsense can now ping it successfully. The computer pinging pfsense still fails, guess that's being blocked?

    Anyway, jperf still can't connect…

    edit: disableing "Block private networks" didn't help.



  • If you want to ping the pfSense you need to create a firewall rule allowing this.
    First you need to make sure you dont have the "block RFC1918 subnets" option active.
    Then create a rule like this: "allow, ICMP, *, *, WAN address, *, *



  • Okay :)

    Hmm, jperf is getting weirder.
    If I select the udp protocol, it can connect, but not with tcp, time-out.

    If  Proto        Ext. port range  NAT IP                Int. port range
    WAN  TCP/UDP  5001      192.168.1.222              5001
                                                    (ext.: 192.168.1.46)

    That should be fine, should it?



  • Your NAT rule is still from within on subnet to the same subnet.
    (from 192.168.1.x/24 to 192.168.1.x/24)

    You need different subnets on the WAN and the LAN for routing to work.



  • Uhm, I thould I had different subnets:
    lan: 192.168.1.45 /24
    wan: 192.168.1.46 /26

    Or is that not different enough ???



  • They are still the same subnet.
    Please read up how CIDR notation works.
    http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing

    192.168.1.45/24 –> 192.168.1.0 to 192.168.1.255
    192.168.1.46/26 --> 192.168.1.0 to 192.168.1.63



  • Hmm, now I am realising that I should have payed a little more attention at the Cisco classes… :P

    Anyway, so if I use a completely different IP range+subnetmask it should work?
    Gonna try that tomorrow.



  • Well you can have the same submask.
    You just need to be in a different range.
    (like 192.168.0.0/24 and 192.168.1.0/24)



  • Just tried that, still no go.

    UDP works, TCP not, plus the jperf server (on lan port) says this:

    –----------------------------------------------------------
    Server listening on TCP port 5001
    TCP window size: 0.00 GByte (default)

    [1872] local 0.0.0.0 port 5001 connected with 192.168.0.5 port 1098
    [ ID] Interval      Transfer    Bandwidth

    Iperf thread stopped [CAUSE=For input string: "1.#J"]

    Client still says connection timed out.

    Switched those two, server on wan and client on lan, still timed out but not that input string error on server, in fact, no error at all. It's still waiting for connection.



  • Just ruled out the cables, used them both (one at a time) to hook up the laptop and desktop directly -> iperf/jperf works fine.

    Uhm, damn, now I'm emberrassed. Forgot to change the gateway on my laptop ::)
    So it works ;D

    But now, the throughput is lower than a direct connection.
    Direct connection: around 670Mbit maximum, this with 6 simaltaneous connections in jperf.
    pFsense throughput: 380Mbit, also with 6 and 3 connections.

    CPU (Atom N270) usage of the pFsense router is around 90% during the test, so guess 380Mbit is about the maximum it can do?
    Also noticed something in the firewall log. The desktop (on wan) is sending something via UDP through port 138 to 192.168.0.255, beneath action is shows a white x in red box.
    I know that port is used for NETBIOS Datagram Service, but eventhough I forwarded it, the packages are still being dropped. Not sure if that's a bad thing.



  • If your CPU is (almost) pegged, I'd guess you are not going to get much more than that.



  • Hmm…

    But why can the desktop transfer a lot faster? That one also has a singlecore Atom (230), same as the motherboard of the pfsense router.


  • Rebel Alliance Developer Netgate

    If you are seeing 380Mbit through pfSense, then you are really seeing that * 2 = 760Mbit of throughput. 380 in, 380 out.


  • Rebel Alliance Developer Netgate

    Also…

    Also noticed something in the firewall log. The desktop (on wan) is sending something via UDP through port 138 to 192.168.0.255, beneath action is shows a white x in red box.

    That's standard Windows NetBIOS broadcasts. It must not be allowed by any rules you have specified if it's showing up in the firewall log as blocked.



  • Uhm, so I have to delete the NAT and firewall rule that I made and that is supposed to let them get through?
    O wait, just realized, I forwarded that port to the IP of the laptop, while they are directed to 192.168.0.255.

    Should I even let those packages get through?

    @jimp:

    If you are seeing 380Mbit through pfSense, then you are really seeing that * 2 = 760Mbit of throughput. 380 in, 380 out.

    It wasn't in and out simultaneously, one direction only with Iperf.

    The singlecore Atom of the Desktop had no problem with 670MBit, I think the PCI bus of the Gb NIC was the limitation there when it was directly hooked up to my laptop.
    Laptop has a T7600 + an expresscard Gb NIC, so no limitations there I guess.


  • Rebel Alliance Developer Netgate

    If the desktop and laptop were on different interfaces of pfSense, then you were still getting 380 in and 380 out, they were just on different NICs.

    Desktop -> nic1 | pfsense | nic2 -> Laptop

    A 380Mbit transfer from Desktop to Laptop is 380 in nic1, 380 out nic2, 760Mbit total traffic being handled at the router.

    As for the NetBIOS traffic, that's up to you if you want it allowed. That's really just local broadcast traffic to its own subnet, it doesn't hurt anything on pfSense and isn't trying to route out to the Internet.



  • They where, the desktop on the wan NIC and the laptop on the lan NIC, so 380Mbit is the maximum?
    I think that will do for the next couple of years, till ISP's go further than that :P

    Hmm, okay.

    Now I only have to figure out why "halt system" isn't always able to completely shutdown the system.
    Most of the time it works, but sometimes I have to hold the powerbutton to have it turn off completely.
    But that's not really an issue though, since it will be up 24/7 soon.


  • Rebel Alliance Developer Netgate

    It may be the maximum for that particular set of hardware.

    As for the power-off deal, that sounds like what could be an ACPI BIOS issue.

    I saw that once or twice on an Atom system I had here but could never reproduce it. As you said, they were intended to be up 24/7 so it wasn't a big deal to figure that one out.



  • Okay.
    Well, if/when upgrading becomes necessary, maybe pfsense will be supporting* dualcore cpu's by then?
    (*Vaguely remember reading somewhere it doesn't, but could be wrong.)

    That's what I thought, but most of the time the shutdown goes normally, so why every now and then it doesn't…


  • Rebel Alliance Developer Netgate

    pfSense has supported dual core CPUs for some time. The OS just sees it as two processors. When doing a full install, make sure you select the "Symmetric Multiprocessing Kernel" (SMP) and it will use all detected cores, and if you have hyperthreading enabled, it will show cores*2 CPUs. (It showed 4 on my Atom 330 until I disabled hyperthreading)



  • Hmm, okay. :)


Log in to reply