Routing issues for a network novice



  • Hi all.

    I'm having some problems with routing - I have searched high and low and nothing so far has helped. Hoping I might find a silver bullet here.

    So, some detail on my setup. I have a home network, tied up to a pfSense whitebox. WAN/LAN ports, WAN goes out via my ADSL modem over PPPoE and LAN connects into my GigE switch. Nice and simple, all working.

    I'm in the process of building out a virtual environment to demo some multi-site Active Directory configs and have deployed a virtual pfSense router to connect everything together. So, with the virtual infrastructure in play, I now have two additional vNetworks using standard vSwitch in ESX.

    I have 3 NICs connected to the virtual pfSense system, 1 connected to my home network, 1 to the 'London' vNetwork and 1 to the 'Newcastle' vNetwork. The subnets are defined below:

    WAN - 10.0.0.0/24 - Home network.
    LAN - 172.30.1.0/24 - London network.
    OPT1 - 172.40.1.0/24 - Newcastle network.

    I have assigned the WAN interface a static IP in the 10.0.0.0/24 range and have configured routes to both London and Newcastle networks on my home network pfSense box so that I can RDP through to the virtual servers in each of the two fake vNetworks. Now this is where things seem to go a little wrong.

    The RDP connection works - initially - then every minute or so, it hangs, displays the 'Remote Desktop is trying to reconnect' message and then reconnects. The drop is approx. 20 seconds every minute or so. The firewall logs show me nothing on either pfSense device. I believe I have opened everything to both networks, as evident by the fact I can ping/RDP between my vNetworks and my home network.

    Now - to add to the confusion, I had this issue a year ago, and overcame it. Trouble is, I can't for the life of me remember how. It was most likely a fluke of a fix anyway and I would really love to know the root cause of the issue.

    Am I doing something fundamentally wrong with the routing? I may well be, networking is not my bag but I rely so heavily on it for everything else I do so it would be nice to get some pointers.

    Thanks for looking - and congrats if you made it this far… Hopefully I have provided enough info to at least start up a discussion.

    Kind regards.

    Tom.



  • you are using a public network as your "newcastle" network. the private range you intend to use is shorter than what you are using (ie: 172.16.0.0 - 172.31.255.255 )

    it's rather unlikely that this is the cause of your issue, but you should change it anyway and if it still does not work provide us with some details (traceroutes/screenshot of firewall rules/static routes / …)



  • Thanks heper.

    Good point on the ranges. I just threw those addresses in today to rule out the 10.x addresses I normally use. Needless to say the issue still occurred, just haven't reverted back yet.

    As for traces, I'm not sure if this is normal:

    tracert 172.30.1.1 from my laptop on Home network to vPC in 'London' network:
    1 - 10.0.0.254 (GW of Home pfSense box)
    2 - 10.0.0.240 (WAN interface of virtual pf)
    3 - 172.30.1.1 (vPC in 'London')

    This seems to be correct. Now if I do a reverse:

    tracert 10.0.0.100 from vPC in 'London' to laptop on Home network:
    1 - 172.30.1.254 (The London interface on virtual pf)
    2 - 10.0.0.100 (the laptop on my home network).

    So it doesn't seem to go out the way it came in. Might be nothing, but I do seem to recall this was part of the issue last time. I think I solved it by adding a Static Route to the WAN interface that was back to the 10.0.0.0 Home network, but in this new version of pfSense, it does not let me do this as it knows I already have an interface in that network.

    t.



  • @heper:

    you are using a public network as your "newcastle" network. the private range you intend to use is shorter than what you are using (ie: 172.16.0.0 - 172.31.255.255 )

    it's rather unlikely that this is the cause of your issue, but you should change it anyway and if it still does not work provide us with some details (traceroutes/screenshot of firewall rules/static routes / …)

    OK - I've reset the router, and I have adjusted the IP ranges as described above. Same thing. RDP works, but just keeps dropping out.

    Here are my firewall rules on my virtual pfSense system.

    No static routes in place. No gateways in use.

    t.










  • I don't think this is a routing problem, if it was it wouldn't work at all.

    In order to start troubleshooting this I would do a packet capture on both ends, and compare them to see if packets are being dropped, where and why



  • I did run a Wireshark capture but to be honest, I have no idea what I'm looking for in the trace. Is this the method you'd recommend for performing a capture? Anything in particular I should look out for?

    t.



  • First thing would be to realize where the packets are dropping, so you would have to capture simultaneously on the different hops of your network (client side, both pfSense interfaces, server side), and then compare them
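The comparison georgeman describes, as an added example that is not part of the thread or of pfSense: each capture is first reduced (for instance with tshark) to per-packet tuples, and the script then walks the hop list in the packet's direction of travel and names the last capture point that saw a segment and the first one that did not. The hop names, addresses and the "lost" segment are constructed for the example. It assumes the IP ID and TCP sequence number survive each hop unchanged, which holds for plain routing but not for a hop that NATs or randomises IP IDs; on such a hop, drop the rewritten fields from the match key.

```python
"""Locate where TCP segments vanish by comparing captures taken at successive hops."""
from collections import namedtuple

# One captured segment. Flags are kept for the report but are not part of the
# match key, because a given segment carries the same flags at every hop.
Pkt = namedtuple("Pkt", "src dst sport dport ip_id seq flags")


def key(p):
    """Identity of one segment across captures (assumes IP ID / seq are not rewritten)."""
    return (p.src, p.dst, p.sport, p.dport, p.ip_id, p.seq)


def locate_drops(hops, client_ip):
    """hops: [(name, [Pkt, ...]), ...] ordered from the client side to the server side.

    Segments sourced by client_ip travel forward through the list, everything
    else travels backwards. Returns one record per segment that never reached
    the last capture point on its path, naming the last hop that saw it and
    the first hop that did not. A hop that is legitimately bypassed (the
    asymmetric return path seen in the traceroutes above) shows up here too,
    which is itself the diagnostic you want.
    """
    seen = {name: {key(p) for p in pkts} for name, pkts in hops}
    order = [name for name, _ in hops]
    drops = []
    for k in sorted(set().union(*seen.values())):
        path = order if k[0] == client_ip else order[::-1]
        if k in seen[path[-1]]:
            continue                      # delivered end to end
        seen_at = [h for h in path if k in seen[h]]
        if not seen_at:
            continue                      # never captured anywhere; nothing to say
        last = seen_at[-1]                # not path[-1], so index + 1 is valid
        drops.append({"packet": k, "last_seen": last,
                      "missing_at": path[path.index(last) + 1]})
    return drops


def report(drops):
    """Human-readable one-liners for each located drop."""
    return [f"{d['packet'][0]}:{d['packet'][2]} -> {d['packet'][1]}:{d['packet'][3]} "
            f"seq={d['packet'][5]}: last seen at {d['last_seen']}, missing at {d['missing_at']}"
            for d in drops]


# Constructed sample: laptop on the home network talking RDP to a 'London' VM.
CLIENT, SERVER = "10.0.0.100", "172.16.1.1"


def seg(src, dst, ip_id, seq, flags):
    sport, dport = (50123, 3389) if src == CLIENT else (3389, 50123)
    return Pkt(src, dst, sport, dport, ip_id, seq, flags)


syn = seg(CLIENT, SERVER, 1, 1000, "S")
synack = seg(SERVER, CLIENT, 1, 5000, "SA")
ack = seg(CLIENT, SERVER, 2, 1001, "A")
data1 = seg(SERVER, CLIENT, 2, 5001, "PA")
data2 = seg(SERVER, CLIENT, 3, 6461, "PA")   # constructed: lost on the WAN side of the virtual router

CAPTURES = [
    ("laptop",     [syn, synack, ack, data1]),
    ("vpf_wan",    [syn, synack, ack, data1]),
    ("vpf_london", [syn, synack, ack, data1, data2]),
    ("server",     [syn, synack, ack, data1, data2]),
]

if __name__ == "__main__":
    for line in report(locate_drops(CAPTURES, CLIENT)):
        print(line)
```

Run it against your own tuples and look at the "missing at" column: a drop between the two interfaces of the same pfSense box points at that box's state table or rules, while a segment that is only ever seen on one side of a box it should have crossed is the asymmetric path the traceroutes above already hinted at.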



  • Thanks for the advice georgeman. If I perform packet captures, is there anything in particular I should look out for with regards to RDP dropping? Will Wireshark be intelligent enough to highlight drops/errors?

    t.



  • OK - took some captures. The only one that seemed to look maybe odd (to my untrained eye!) is the one shown attached which was captured on my laptop in the HOME network on 10.0.0.100 which I am using to connect the RDP to the 172.16 'London' network. This happened about the time I got frozen and reconnected!

    Can anyone tell what is wrong simply from this? Starting to pull my hair out!!

    Thanks everyone so far!




  • I thought I would post my resolution in case anyone else experiences similar problems.

    It looks like it is nothing to do with the routing after all and seems like it was all to do with my client. Executing the following command looks to have cured the error completely!

    netsh interface tcp set global autotuninglevel=disabled

    Since running this command on my system, I have yet to see the dreaded reconnect in Remote Desktop! Fingers crossed it lasts! Thank you all for trying to help. Much appreciated!

    t.



  • are you seeing a lot of Blocked entries on your firewall log ?  Especially with proto: TCP-RA or TCP-A ?
    If yes: are you natting the connection between one router to the next ? if yes: don't ;)
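A way to answer heper's question from the log file rather than by eye, as an added example that is not part of the thread or of pfSense. It splits blocked TCP entries into two kinds: a block carrying the SYN flag is a new connection refused by a rule (policy), while a block of a mid-stream segment (flags A, PA, RA, FA and so on) means the packet matched no state, which is what you get when return traffic bypasses a stateful hop or a NAT on one router rewrites what the other router expects. The field order is assumed to follow the documented pfSense filterlog CSV layout for IPv4/TCP; check it against one of your own lines before trusting the column names. The log lines are constructed.

```python
"""Split pfSense filter-log TCP blocks into policy rejects and out-of-state drops."""
import csv
import re
from collections import Counter
from io import StringIO

# Assumed field order of the pfSense filterlog CSV for an IPv4 TCP packet
# (common header, IPv4 section, then TCP section). Verify against your logs.
FIELDS = (
    "rulenr subrulenr anchor tracker iface reason action direction ipver "
    "tos ecn ttl ipid offset ipflags protoid proto length src dst "
    "sport dport datalen tcpflags seq ack window urg options"
).split()
IPVER, PROTO = FIELDS.index("ipver"), FIELDS.index("proto")

CSV_RE = re.compile(r"filterlog\[\d+\]: (?P<body>.*)$")


def parse_line(line):
    """Return a dict of named fields for an IPv4 TCP log line, else None."""
    m = CSV_RE.search(line)
    if not m:
        return None
    row = next(csv.reader(StringIO(m.group("body"))))
    if len(row) < len(FIELDS) or row[IPVER] != "4" or row[PROTO] != "tcp":
        return None
    return dict(zip(FIELDS, row))


def classify(rec):
    """'policy': a SYN refused by a rule. 'out_of_state': a mid-stream segment
    (A, PA, RA, FA ...) that matched no existing state. Anything not blocked: 'pass'."""
    if rec["action"] != "block":
        return "pass"
    return "policy" if "S" in rec["tcpflags"] else "out_of_state"


def analyze(lines):
    """Count categories and tally out-of-state drops per (iface, src, dst)."""
    cats, flows = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cat = classify(rec)
        cats[cat] += 1
        if cat == "out_of_state":
            flows[(rec["iface"], rec["src"], rec["dst"])] += 1
    return cats, flows


def verdict(cats):
    """One-line reading of the counts, in the spirit of heper's question."""
    if cats["out_of_state"] == 0:
        return "no out-of-state TCP blocks: look elsewhere (client, MTU, application)"
    return ("mid-stream TCP segments blocked without state: check for NAT between "
            "the two routers and for return traffic bypassing a stateful hop")


# Constructed sample log: laptop 10.0.0.100 <-> 'London' VM 172.16.1.1 on RDP,
# plus one ordinary policy block and one passed SYN for contrast.
SAMPLE_LOG = """\
Jan 12 10:01:02 pfSense filterlog[12345]: 5,,,1000000103,em1,match,block,in,4,0x0,,128,4711,0,DF,6,tcp,52,10.0.0.100,172.16.1.1,50123,3389,0,A,2001,5001,8192,,
Jan 12 10:01:02 pfSense filterlog[12345]: 5,,,1000000103,em1,match,block,in,4,0x0,,128,4712,0,DF,6,tcp,1500,10.0.0.100,172.16.1.1,50123,3389,1460,PA,2001,5001,8192,,
Jan 12 10:01:03 pfSense filterlog[12345]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,9901,0,DF,6,tcp,40,172.16.1.1,10.0.0.100,3389,50123,0,RA,5001,0,0,,
Jan 12 10:01:07 pfSense filterlog[12345]: 5,,,1000000103,em0,match,block,in,4,0x0,,51,3333,0,DF,6,tcp,60,203.0.113.9,10.0.0.254,44212,22,0,S,1,0,65535,,mss
Jan 12 10:01:09 pfSense filterlog[12345]: 91,,,1000000104,em1,match,pass,in,4,0x0,,128,4713,0,DF,6,tcp,60,10.0.0.100,172.16.1.1,50124,3389,0,S,3000,0,65535,,mss
"""

if __name__ == "__main__":
    cats, flows = analyze(SAMPLE_LOG.splitlines())
    print(dict(cats))
    for flow, n in flows.most_common():
        print(f"{n:4d}  {flow[0]}  {flow[1]} -> {flow[2]}")
    print(verdict(cats))
```

Feed it /var/log/filter.log (or a clog/syslog export) from both boxes: if the out-of-state flows are your RDP pair and they cluster on the home box's LAN interface, that box is only ever seeing one direction of the conversation, which is exactly what the two traceroutes earlier in the thread show. The fix is then on the routing/NAT side, not the client: no NAT between the two routers, and either a symmetric path or pfSense's option to bypass firewall rules for traffic on the same interface (System > Advanced > Firewall & NAT), which exists for this one-armed static-route case.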



  • Ah, thanks heper! Unfortunately I just noticed the issue recurring so I think I may have spoken too soon!

    I did see entries like that now you mention it. I have not touched NAT on the virtual router so it is running pretty much as default (except FW rules etc) but I had set my home network pfSense to Manual Outbound NAT but have nothing configured in there for the LAN interface. Any pointers for things to check on?

    Cheers.

    t.



  • By default you will be NATting anything going from internal to WAN. Turn on manual outbound NAT on your 10.0.0.0/24 pfSense box, and delete the rules. You will likely need to add static routes on your physical LAN side, but this sounds like a NAT issue to me.



  • NAT is configured as described but still the problem persists :(

    Any more suggestions?