Strange connection losses



  • hi!

    i have the following setup

    WAN
    OPT1 (bridged to WAN)
    LAN (192.168.1.1)

the following is happening:

on my lan i am using pf as gateway. for some reason the connections are dropped and 192.168.1.1 is not pingable anymore. all other local ip's are still pingable. when i deactivate and reactivate the nic on the windows box, 192.168.1.1 is pingable again.

OPT1 and LAN are sharing the same physical network, because there are 5 machines with official ip's. one of these machines also has an internal and an external ip. when i connect to this machine while pf is not pingable and ping e.g. www.inode.at, i can see that the connection is alive, so it's not a problem relating to the internet connection.

it seems that for some reason the lan interface blocks any requests from my windows box until i deactivate and reactivate the nic on the windows box.

    the system log shows only some strange dhcp entries:

    Mar 6 15:08:24 dhcpd: uid lease 192.168.1.170 for client 00:1d:60:a7:10:4e is duplicate on 192.168.1/24
    Mar 6 15:08:24 dhcpd: uid lease 192.168.1.170 for client 00:1d:60:a7:10:4e is duplicate on 192.168.1/24
    Mar 6 14:39:45 dhcpd: uid lease 192.168.1.170 for client 00:1d:60:a7:10:4e is duplicate on 192.168.1/24
    Mar 6 14:23:42 dhcpd: uid lease 192.168.1.167 for client 00:e0:18:fb:cb:f5 is duplicate on 192.168.1/24
    Mar 6 13:39:45 dhcpd: uid lease 192.168.1.170 for client 00:1d:60:a7:10:4e is duplicate on 192.168.1/24

when i take a look at diagnostics: dhcp leases it reads:
    192.168.1.167  00:e0:18:fb:cb:f5    2008/03/02 19:45:52  2008/03/02 19:55:21  offline  expired
    192.168.1.170  00:1d:60:a7:10:4e    2008/03/05 17:11:04  2008/03/05 17:12:50  offline  expired
    192.168.1.8  00:e0:18:fb:cb:f5  Viki  2008/03/06 15:23:32  2008/03/06 15:28:32  offline  static
    192.168.1.52  00:1d:60:a7:10:4e  quadcore  2008/03/06 15:23:32  2008/03/06 15:28:32  online  static

has anyone had such an issue?

    regards

    cc
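The dhcpd warnings and the lease table in the post above can be cross-checked mechanically. The following script is an added example, not code from the thread or from pfSense: it parses the "uid lease ... is duplicate" lines and the lease rows quoted above (embedded here as constructed sample input) and, for every MAC that triggered a warning, lists the addresses the lease table holds for it. It flags a MAC when the table shows both a static mapping and another (here expired) lease for the same hardware address, which is the pattern both MACs in the post exhibit. Treating that combination as the thing to look at first is this example's own assumption, not a statement from the thread.

```python
import re
from collections import defaultdict

# Constructed sample input: the dhcpd lines and the Diagnostics: DHCP leases
# rows quoted in the post, embedded so the script runs offline.
DHCPD_LOG = """\
Mar 6 15:08:24 dhcpd: uid lease 192.168.1.170 for client 00:1d:60:a7:10:4e is duplicate on 192.168.1/24
Mar 6 15:08:24 dhcpd: uid lease 192.168.1.170 for client 00:1d:60:a7:10:4e is duplicate on 192.168.1/24
Mar 6 14:39:45 dhcpd: uid lease 192.168.1.170 for client 00:1d:60:a7:10:4e is duplicate on 192.168.1/24
Mar 6 14:23:42 dhcpd: uid lease 192.168.1.167 for client 00:e0:18:fb:cb:f5 is duplicate on 192.168.1/24
Mar 6 13:39:45 dhcpd: uid lease 192.168.1.170 for client 00:1d:60:a7:10:4e is duplicate on 192.168.1/24
"""

LEASE_TABLE = """\
192.168.1.167  00:e0:18:fb:cb:f5    2008/03/02 19:45:52  2008/03/02 19:55:21  offline  expired
192.168.1.170  00:1d:60:a7:10:4e    2008/03/05 17:11:04  2008/03/05 17:12:50  offline  expired
192.168.1.8  00:e0:18:fb:cb:f5  Viki  2008/03/06 15:23:32  2008/03/06 15:28:32  offline  static
192.168.1.52  00:1d:60:a7:10:4e  quadcore  2008/03/06 15:23:32  2008/03/06 15:28:32  online  static
"""

# Matches exactly the warning format shown in the post; other syslog lines are ignored.
DUP_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) dhcpd: uid lease (?P<ip>[\d.]+) "
    r"for client (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) is duplicate on (?P<net>\S+)$"
)


def parse_duplicate_events(log_text):
    """Return one dict (ts, ip, mac, net) per 'uid lease ... is duplicate' line."""
    events = []
    for line in log_text.splitlines():
        m = DUP_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def parse_lease_table(table_text):
    """Parse rows of: ip mac [hostname] start_date start_time end_date end_time state kind.

    The hostname column is optional, so the fixed columns are taken from both ends
    of the row and whatever is left in the middle is the hostname."""
    leases = []
    for line in table_text.splitlines():
        f = line.split()
        if len(f) < 8:
            continue
        leases.append({
            "ip": f[0],
            "mac": f[1].lower(),
            "hostname": " ".join(f[2:-6]) or None,
            "start": f"{f[-6]} {f[-5]}",
            "end": f"{f[-4]} {f[-3]}",
            "state": f[-2],   # online / offline
            "kind": f[-1],    # static / expired / active ...
        })
    return leases


def correlate(events, leases):
    """For each MAC that produced a warning, collect the addresses the lease table holds
    for it and flag the MAC when a static mapping coexists with another lease record."""
    by_mac = defaultdict(lambda: {"events": 0, "event_ips": set(), "addresses": {}})
    for ev in events:
        rec = by_mac[ev["mac"].lower()]
        rec["events"] += 1
        rec["event_ips"].add(ev["ip"])
    for lease in leases:
        if lease["mac"] in by_mac:
            by_mac[lease["mac"]]["addresses"][lease["ip"]] = lease["kind"]

    report = {}
    for mac, rec in by_mac.items():
        kinds = set(rec["addresses"].values())
        report[mac] = {
            "events": rec["events"],
            "addresses": dict(rec["addresses"]),
            # True would mean the address dhcpd complained about is itself the static one
            "warned_ip_is_static": any(
                rec["addresses"].get(ip) == "static" for ip in rec["event_ips"]
            ),
            "static_plus_other": "static" in kinds and len(kinds) > 1,
        }
    return report


if __name__ == "__main__":
    rep = correlate(parse_duplicate_events(DHCPD_LOG), parse_lease_table(LEASE_TABLE))
    for mac, r in sorted(rep.items()):
        flag = "CHECK" if r["static_plus_other"] else "ok"
        print(f"{mac}: {r['events']} warning(s), leases {r['addresses']} -> {flag}")
```

Run against the quoted data it reports both MACs as CHECK, each holding one expired dynamic lease plus one static mapping; the warned-about address is the dynamic one in both cases. On a live box the same two functions can be fed the real dhcpd log and lease list to see whether the warnings line up with the windows box that loses its gateway.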



  • OPT1 and LAN are sharing the same physical network

    Bad!
    I don't really see why you need that.
    I wouldn't bridge OPT1 to WAN, but use VIPs on the WAN and forward the needed ports to the DMZ (OPT1)



  • @GruensFroeschli:

    OPT1 and LAN are sharing the same physical network

    Bad!
    I don't really see why you need that.
    I wouldn't bridge OPT1 to WAN, but use VIPs on the WAN and forward the needed ports to the DMZ (OPT1)

    yeap i know, but then i would have to use private ip's on my servers and that would cause some services on those servers not to run correctly



  • I just can't find it, but there was a thread around that described how you can have the DMZ bridged to WAN and the LAN can still reach the DMZ via NATing.
    I think this is what you want, just with the difference that you don't share the physical medium of LAN and DMZ.

    As far as i remember you need to set some kind of static route/AoN rule so that requests for the public IPs in the DMZ go out the right interface.

    I'll try to find this thread.

    Also: how many public IPs do you have?
    If it's a whole subnet you could route these IPs
    -> you lose one public IP, since you would need one for the DMZ side of the pfSense.

    EDIT: found something but not what i was looking for:
    @http://forum.pfsense.org/index.php/topic:

    The easiest way to do this is probably having a bridged DMZ interface and a bunch of other interfaces (or maybe VLANs) for the other internal networks. In this scenario one of the public IPs will be assigned to the pfSense WAN and will be used for NATing the other private subnets behind it, and the other IPs can be used for the servers in the DMZ.



  • thanx for the hints. i will dig into it on the weekend.

    actually i was wondering, because the problems started to appear after upgrading to pf 1.2rc3.

    i will play around a bit and post the results

    greets

    cc

