Bridging 2 Lans both sides have DHCP and are on different ip ranges.
-
I was given this project when the last person who worked here left the company so I am basically working in the dark with reguards to pfsense and dual lan bridging. I do use and have been using pfsense at home for a router for quite a while now and I can set that up just fine. I am having trouble placing it into bridging mode and setting the rules to make it basically act as a dmz on both sides of the pfsense box with a local firewall, dhcp,traffic shaping, squid proxying on the local lan.
Here is what I have and its mostly working but I am having a terrible time with shared printing and windows network share connections dropping and it seems that no matter what rules I have in place I cannot keep the dhcp info form crossing over onto the main office lan whether I use floating rules or interface direct rules. I'm sure its something silly I missed.
I have a pfsense box at another location that is acting as a router and it is working perfectly but this is the first box I have tried to use in bridge mode and its causing me pains. I can access the internet and log into citrix and remote desktops with no issues whatsoever but when someone tries to open a windows network share that is on the main office lan from the remote lan they will constantly get disconnected and they are unable to print from the main office to the remote office and even from the remote office to remote lan local xerox copiers direcly. The copiers have static ip's and are using the local lan dhcp/dns settings.
The pfsense box has 2 Intel Pro/1000 MT PCI-E cards and is a core2duo E6600 4GB Ram.
I would be willing to pay for assistance but I cannot afford $600 at the moment until at least the beginning of next year when I can try to put it in my budget.
Setup.
Main Office Lan
WAN=Main Office Gateway DHCP Server Provides IP Addresses to main office lan. 128.x.x.x
LAN2Remote WAN IN=Remote Office Side 128.x.x.xRemote Office Lan
WAN=Main Office Side 128.x.x.x
LAN=Remote Office Side= 10.4.100.1 Pfsense IP. Provides DHCP Range 10.4.100.100-10.4.100.250I have pfsense set up in bridge mode I followed the instructions from these 2 posts.
Here http://pfsense.trendchiller.com/transparent_firewall.pdf and http://forum.pfsense.org/index.php?topic=835.0
I originally had it set up for transparent bridge mode and used the main office dhcp server and it was working fine using the dhcp server from the main office
but then I wanted the ability to block non authorized devices as well as traffic shaping and squid proxying at the remote location without modifing the main office setup.So I then converted the transparent bridge to a non transparent bridge with a dhcp server set up on the local lan at the remote location.
I have the main office lan connected through a metro ethernet vpn tunnel to the wan side of the pfsense box and I have the remote lan connected to the lan ethernet card in the box.
I have the Outbound nat set to manual advanced nat rule generation. I have tried the default rules and also I have tried deleting the rules as I saw it suggested in a post on this site. I have even rebooted the box after each major change with the same result. I did change the advanced tuneing rules from filtering on both in/out to 0 and then filtering on the bridge device to 1 and I even tried it the other way and even with both on and off with the same results.
It will work for a while after a reboot then people start getting constantly disconnected when trying to connect to network shares located on the main office lan. HTTP and RDP/Citrix connections do not disconnect.
I will update with pictures of the rules and lan when I get back to the office as I do not have he login info handy for my remote storage to upload pictures where I am now.
As a test for Rules I placed.
As the first rule on top I placed a block TCP/UDP from ports 66-69 to block dhcp from crossing over the wan port so that the main office dhcp does not cross into the remote lan and the remote lan dhcp does not cross over onto the main office lan.
Floating Rule
Block DHCP OPT1/WAN 66-69Direct Card Rule
WAN=Block DHCP Out 66-69
WAN=Block DHCP In 66-69
WAN to OPT1 as any/any.LAN to OPT1 as any/any.
Bridge Interface
OPT1=Block DHCP Out 66-69
OPT1=Block DHCP In 66-69
OPT1 to any/any.Even with the dhcp blocks as the first rule at the top of all the others I can still pull a remote ip from the 10.x.x.x subnet from the main office lan which is confusing me.
If you could help me out here I would greatly appreciate it. I'm sure I missed some crucial step or misconfiguration.
I have a test box at my main office that I use to test rules/configs and it works perfectly at my office but with the same configs at the remote location everything goes haywire. I even tried swapping boxes from my main office test box to the remote location and the same effects happen when it worked at my main office. It seems when more than 10 or so users go through the connection is when the disconnections happen. When I look at the cpu usage it is always at 5% or less and memory usage is less than 45%
Sorry in advance if it seems a little rushed in the explanations above as I am the only one from my department at work today and i'm overly swamped at the moment. I do thank you in advance for any info that can help me resolve this issue!
-
A diagram would go a long way here.
The term 'non transparent bridge' is a bit of a misnomer. Reading through this is seem like you are just routing between the two offices/subnets?
Steve
-
I doubt a transparent 'bridge' is the way to go here. If both offices are on different subnets to begin with, just route the subnets accordingly. If you are using IPsec, then you will need to set the configuration on each site to tell each router which remote subnet is accessible through the link.
You should also provide more details on the setup type. i.e. VPN type
A diagram as stephenw10 asked would help too. You basically need to provide the lan subnets & VPN details in the diagram. If using IPsec tunnelling, then the IPsec configuration for both sites (mask the appropriate octets where required) would also help with troubleshooting.
The downside to routing subnets is that you won't be able to establish SMB file sharing through the hostname but would be using the remote LAN IP address (unless you configure the hosts file on each client to resolve the IP manually).
-
Hello, Sorry was out of town with the family and just got back in today. Maybe I should not have mentioned transparent bridge thats just what was tested first before different ip ranges and a dhcp server were chosen for that remote location. There are no firewalls between the remote location and the main office lan except the pfsense box in question.
The the vpn links are the metro ethernet connections which are routed through cisco hardware endpoints and are not configurable by us it is transparent to the system end to end no config options to make and is managed by centurylink.
I will draw a diagram out but basically it is bridging 2 separate lans with one lan (Main office) on IP range 128.x.x.x and the Remote office at 10.4.100.x Both Offices have dhcp. The pfsense box is routing between the 2 lans and each server at the main office is routed to the 10.4.100.0 range through the 128.x.x.x ip address of the pfsense wan named ethernet card.
"Internet" –---<-> Gateway/Netscreen (Cox Optical Internet) ----<->--- Main Office (DHCP,DNS,File Servers) --------- <->Transparent Metro Ethernet (Centurylink)<-> ---------- (Wan) Pfsense Box (Lan) ------- Remote Lan/Workstations
The remote LAN can access the internet just fine but is having issues with connecting to windows shares on the Main office LAN. I did add all of the main office server machines to the pfsense DNS Forwarder Host Overrides section and can ping and connect to the main office servers just fine. The issue arises when someone opens a windows file shared from a main office server it shows up lists the files and directories then the files/directories disappear as if the connection has been disconnected and then a few seconds later the shares/files reappear and then the same thing happens again over and over. Internet connections as well as remote desktop/citrix connections do not seem to be affected. I will post pfsens config screenshots in the next part.
Basically I am trying to set it up so that I can have DHCP on the new remote lan ip range, Firewall capability, Squid Proxying, and Bandwidth traffic shaping at the remote location.
-
Here are the screenshots of the pfsense configs. If you need a screenshot that is not provided below let me know and I will update this post with the required info. I placed the images as hyperlinks instead of embedded images as they are quite large.
Advanced Firewall Nat http://siliconfiles.com/images/AdvancedFirewallNAT.jpg
Advanced System Tunables http://siliconfiles.com/images/AdvancedSystemTunables.jpg
System Gateway http://siliconfiles.com/images/SystemGateway.jpg
System General Setup http://siliconfiles.com/images/SystemGeneralSetup.jpg
DNS Forwarder http://siliconfiles.com/images/DNSforwarder.jpg
Firewall NAT Outbound http://siliconfiles.com/images/FirewallNAToutbound.jpg
Firewall Floating Rules http://siliconfiles.com/images/FirewallFloating.jpg
Firewall Rules http://siliconfiles.com/images/FirewallRules.jpgChris
-
Hello, Sorry was out of town with the family and just got back in today. Maybe I should not have mentioned transparent bridge thats just what was tested first before different ip ranges and a dhcp server were chosen for that remote location. There are no firewalls between the remote location and the main office lan except the pfsense box in question.
The the vpn links are the metro ethernet connections which are routed through cisco hardware endpoints and are not configurable by us it is transparent to the system end to end no config options to make and is managed by centurylink.
I will draw a diagram out but basically it is bridging 2 separate lans with one lan (Main office) on IP range 128.x.x.x and the Remote office at 10.4.100.x Both Offices have dhcp. The pfsense box is routing between the 2 lans and each server at the main office is routed to the 10.4.100.0 range through the 128.x.x.x ip address of the pfsense wan named ethernet card.
"Internet" –---<-> Gateway/Netscreen (Cox Optical Internet) ----<->--- Main Office (DHCP,DNS,File Servers) --------- <->Transparent Metro Ethernet (Centurylink)<-> ---------- (Wan) Pfsense Box (Lan) ------- Remote Lan/Workstations
The remote LAN can access the internet just fine but is having issues with connecting to windows shares on the Main office LAN. I did add all of the main office server machines to the pfsense DNS Forwarder Host Overrides section and can ping and connect to the main office servers just fine. The issue arises when someone opens a windows file shared from a main office server it shows up lists the files and directories then the files/directories disappear as if the connection has been disconnected and then a few seconds later the shares/files reappear and then the same thing happens again over and over. Internet connections as well as remote desktop/citrix connections do not seem to be affected. I will post pfsens config screenshots in the next part.
Basically I am trying to set it up so that I can have DHCP on the new remote lan ip range, Firewall capability, Squid Proxying, and Bandwidth traffic shaping at the remote location.
Ok. So you basically have a Metro Ethernet link.
For all intents and purposes, this would be considered a 'network cable' that links your 2 offices.
In this case, I presume you use up a public IP for the pfSense WAN link? i.e. The servers subnet at the main office is actually a routed public IP subnet.
In that case, you shouldn't need to actually block any services on WAN.
You probably need to adjust the office firewall/ router to add a static route to direct all traffic bound for the 10.4.100.x subnet to the pfSense WAN IP (128.x.x.x address) as the next-hop gateway.
Adding a rule on the WAN interface of pfSense to allow any traffic with source subnet of the main office (128.x.x.x subnet) and destination as LAN subnet should do the trick.
Depending on how the VPN is configured by comcast, you might want to enable 'Clear DF bit' and disable 'Scrubbing' to see if the issue persists.