No connection LAN -> DMZ after some time

icanton

Hello Guys!

By the way: great work. I like pfsense - it's stable, PPTP is working, configuration is fine, Webgui intuitive.
But the only problem i have is:
Sometimes (once a month or something) there is no connection from LAN -> DMZ anymore. The firewall from PFSENSE won't let anything out. There's a rule allowing LAN -> DMZ: all and some Port from DMZ -> LAN. LAN ist 192.168.0.* and DMZ is 192.168.100.*.

To make it work again i have to "refresh" the Firewallsettings (deactivete a rule, activate it again and "Apply Settings"). After that it work's again for some weeks. Any hints?

icanton

GruensFroeschli

Version? Hardware?

If you visit the firewall tab in the logs do you see anything blocked?
Any other entries in the system-logs that indicate a problem?

icanton

Version: 1.0.1
Hardware: dmesg is too much i think :-) Normal PC with 3x 1GBit ETH, CPU 3.5GhZ, 1GB RAM

Logs has been okay. The next time the problem occurs I'll take a closer look.

icanton

icanton

It happened again.

Systemlog

Sep 21 08:17:18 	mpd: [pt0] IFACE: Up event
Sep 21 08:17:18 	mpd: [pt0] exec: /usr/local/sbin/vpn-linkup ng1 inet 192.168.100.90 192.168.0.245 vpn.userxyz
Sep 21 08:17:18 	mpd: [pt0] exec: /sbin/route add 192.168.100.90 -iface lo0
Sep 21 08:17:18 	mpd: [pt0] exec: /usr/sbin/arp -s 192.168.0.245 0:c:46:46:81:ab pub
Sep 21 08:17:18 	mpd: [pt0] exec: /sbin/ifconfig ng1 192.168.100.90 192.168.0.245 netmask 0xffffffff -link0
Sep 21 08:17:18 	mpd: [pt0] setting interface ng1 MTU to 1396 bytes
Sep 21 08:17:18 	mpd: [pt0] IFACE: Up event
Sep 21 08:17:18 	mpd: 192.168.100.90 -> 192.168.0.245
Sep 21 08:17:18 	mpd: [pt0] IPCP: LayerUp
Sep 21 08:17:18 	mpd: [pt0] IPCP: state change Ack-Rcvd --> Opened
Sep 21 08:17:18 	mpd: SECDNS 192.168.0.14
Sep 21 08:17:18 	mpd: PRIDNS 192.168.0.1
Sep 21 08:17:18 	mpd: IPADDR 192.168.0.245
Sep 21 08:17:18 	mpd: [pt0] IPCP: SendConfigAck #8
Sep 21 08:17:18 	mpd: SECDNS 192.168.0.14
Sep 21 08:17:18 	mpd: PRIDNS 192.168.0.1
Sep 21 08:17:18 	mpd: 192.168.0.245 is OK
Sep 21 08:17:18 	mpd: IPADDR 192.168.0.245
Sep 21 08:17:18 	mpd: [pt0] IPCP: rec'd Configure Request #8 link 0 (Ack-Rcvd)
Sep 21 08:17:18 	mpd: [pt0] IPCP: state change Req-Sent --> Ack-Rcvd
Sep 21 08:17:18 	mpd: IPADDR 192.168.100.90
Sep 21 08:17:18 	mpd: [pt0] IPCP: rec'd Configure Ack #62 link 0 (Req-Sent)
Sep 21 08:17:18 	mpd: SECDNS 192.168.0.14
Sep 21 08:17:18 	mpd: PRIDNS 192.168.0.1
Sep 21 08:17:18 	mpd: IPADDR 192.168.0.245
Sep 21 08:17:18 	mpd: [pt0] IPCP: SendConfigNak #7
Sep 21 08:17:18 	mpd: NAKing with 192.168.0.14
Sep 21 08:17:18 	mpd: SECDNS 0.0.0.0
Sep 21 08:17:18 	mpd: NAKing with 192.168.0.1
Sep 21 08:17:18 	mpd: PRIDNS 0.0.0.0
Sep 21 08:17:18 	mpd: NAKing with 192.168.0.245
Sep 21 08:17:18 	mpd: IPADDR 0.0.0.0
Sep 21 08:17:18 	mpd: [pt0] IPCP: rec'd Configure Request #7 link 0 (Req-Sent)
Sep 21 08:17:18 	mpd: [pt0] setting interface ng1 MTU to 1396 bytes
Sep 21 08:17:18 	mpd: Decompress using: MPPE, 128 bit, stateless
Sep 21 08:17:18 	mpd: Compress using: MPPE, 128 bit, stateless
Sep 21 08:17:18 	mpd: [pt0] CCP: LayerUp
Sep 21 08:17:18 	mpd: [pt0] CCP: state change Ack-Rcvd --> Opened
Sep 21 08:17:18 	mpd: 0x01000040: MPPE, 128 bit, stateless
Sep 21 08:17:18 	mpd: MPPC
Sep 21 08:17:18 	mpd: [pt0] CCP: SendConfigAck #6
Sep 21 08:17:18 	mpd: [pt0] CCP: Checking whether 128 bits are acceptable -> yes
Sep 21 08:17:18 	mpd: 0x01000040: MPPE, 128 bit, stateless
Sep 21 08:17:18 	mpd: MPPC
Sep 21 08:17:18 	mpd: [pt0] CCP: rec'd Configure Request #6 link 0 (Ack-Rcvd)
Sep 21 08:17:18 	mpd: [pt0] CCP: state change Req-Sent --> Ack-Rcvd
Sep 21 08:17:18 	mpd: 0x01000040: MPPE, 128 bit, stateless
Sep 21 08:17:18 	mpd: MPPC
Sep 21 08:17:18 	mpd: [pt0] CCP: rec'd Configure Ack #32 link 0 (Req-Sent)
Sep 21 08:17:18 	mpd: IPADDR 192.168.100.90

Firewall (but nothing seems blocked from 192.168.0.* (LAN) even if i Ping to the DMZ):

	Sep 21 08:43:47 	LAN 	192.168.92.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:43:47 	LAN 	192.168.186.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:43:31 	LAN 	192.168.92.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:43:31 	LAN 	192.168.186.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:43:15 	LAN 	192.168.92.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:43:15 	LAN 	192.168.186.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:42:59 	LAN 	192.168.92.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:42:59 	LAN 	192.168.186.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:42:43 	LAN 	192.168.92.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:42:43 	LAN 	192.168.186.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:42:34 	DMZ 	192.168.100.7:110 	192.168.0.39:4098 	TCP
	Sep 21 08:42:27 	LAN 	192.168.92.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:42:27 	LAN 	192.168.186.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:42:11 	LAN 	192.168.92.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:42:11 	LAN 	192.168.186.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:41:55 	LAN 	192.168.92.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:41:55 	LAN 	192.168.186.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:41:46 	DMZ 	192.168.100.7:110 	192.168.0.39:4098 	TCP
	Sep 21 08:41:39 	LAN 	192.168.92.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:41:39 	LAN 	192.168.186.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:41:23 	LAN 	192.168.92.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:41:23 	LAN 	192.168.186.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:41:07 	LAN 	192.168.92.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:41:07 	LAN 	192.168.186.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:40:51 	LAN 	192.168.92.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:40:51 	LAN 	192.168.186.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:40:35 	LAN 	192.168.92.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:40:35 	LAN 	192.168.186.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:40:19 	LAN 	192.168.92.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:40:19 	LAN 	192.168.186.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:40:12 	LAN 	130.11.7.118:138 	130.11.7.255:138 	UDP
	Sep 21 08:40:03 	LAN 	192.168.92.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:39:47 	LAN 	192.168.92.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:39:47 	LAN 	192.168.186.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:39:31 	LAN 	192.168.92.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:39:31 	LAN 	192.168.186.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:39:15 	LAN 	192.168.92.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:39:15 	LAN 	192.168.186.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:39:05 	WAN 	76.190.225.55:15571 	194.8.192.2:18912 	TCP
	Sep 21 08:39:04 	DMZ 	192.168.100.7:110 	192.168.0.39:4095 	TCP
	Sep 21 08:38:59 	LAN 	192.168.92.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:38:59 	LAN 	192.168.186.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:38:43 	LAN 	192.168.92.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:38:43 	LAN 	192.168.186.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:38:27 	LAN 	192.168.92.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:38:27 	LAN 	192.168.186.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:38:15 	DMZ 	192.168.100.7:110 	192.168.0.39:4095 	TCP
	Sep 21 08:38:11 	LAN 	192.168.92.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:38:11 	LAN 	192.168.186.1:123 	80.237.128.148:123 	TCP
	Sep 21 08:37:55 	LAN 	192.168.92.1:123 	80.237.128.148:123 	TCP

I can't see anything unusual within the logfiles. After reloading the firewall (deactivate/active a rule and "apply settings") it work's again. Any ideas?

icanton

cmb

what are you trying that doesn't work?  i.e. is it just one thing that stops, like HTTP maybe, or do pings not work, or does everything stop, or?  You can still get from LAN -> Internet and DMZ -> Internet when this happens?

1.0.1 isn't the recommended version anymore. I would definitely recommend upgrading to 1.2rc2 since you're having problems.

icanton

Nothing is working, not even ping LAN -> DMZ. WAN -> DMZ is working.

So i should upgrade you think? I'm unsure which package to use from ftp://reflection.ncsa.uiuc.edu/pub/pfSense/updates :-)
This one using the WEB Gui Upgrade function? pfSense-Full-And-Embedded-Update-1.2-BETA-2.tgz? Never upgraded before…

icanton