RDP keeps dropping

HunterAG · Mar 21, 2015, 5:31 PM

Hi all! I'm a long time pfSense user but this is my first time posting. In fact, I'm typically not one to need help so please be gentle.

I'm banging my head against an issue with RDP that I don't fully understand. Basically, I can attach to the remote host with no problem but roughly every 30 seconds my connection is dropped and then reestablished. I see the firewall logs dropping packets related to this traffic when IMO the firewall rules should be passing them. I have even added 'Easy-Rules' based off the blocked entries but still had no luck. I've also tried moving my default allow all LAN to ANY rule to the top of the list on my hardware pfSense.

I am not traveling across a WAN link belonging to my ISP to get to the remote network/host. All devices are able to reach both the internet and each other.

A text version of my setup looks like this - HardwarePC -> Hardware pfSense -> ESXi -> Virtual pfSense -> VirtualPC.
A graphical stripped down version of my network is in the attached document labeled diagram.jpg.

From my Hardware pfSense I am attaching a screen grab of…

Firewall Log showing traffic being dropped.
Firewall Rules for the LAN interface
Firewall Gateways tab showing the second pfSense box
Firewall Routes tab showing the second LAN where PC2 resides.

Please, help me figure out why this traffic is being dropped at my hardware pfSense. The virtual pfSense isn't recording dropped traffic related to this problem but I'd happily post those screen grabs if needed.

phil.davis · Mar 21, 2015, 7:04 PM

but roughly every 30 seconds my connection is dropped and then reestablished

Without even looking at a network diagram, when I read this sentence the problem is asymmetric routing.
After looking at your diagram, Physical PC1 has gateway physical pfSense. It always sends off-LAN packets there.
physical pfSense then sends "internal network" packets to Cisco s300, which delivers them in to the virtual systems.
The return packets get to Cisco s300, which delivers them directly to Physical PC1.
physical pfSense does not see the return traffic, and so the states time out every 30 seconds.

If you have another hardware interface in physical pfSense, or a VLAN switch available on physical pfSense, then add another OPT subnet and put the virtual network on that. Then everything to and from the virtual network will route both ways through pfSense. And you can probably remove Cisco s300 in the process.

Otherwise you can do Outbound NAT on LAN for traffic from LAN to virtual networks. That will force the return traffic back through pfSense.

HunterAG · Mar 21, 2015, 8:04 PM

Phil.Davis, my man! Your explanation makes perfect sense and I'll go ahead and VLAN that side off. I'll check back if I've got anything to add when I'm done. Thanks a lot!

johnpoz · Mar 23, 2015, 3:31 PM

Another option is to just move that physical to the esxi box and have just virtual pfsense, how many nics you have in the esxi box?

HunterAG · Mar 24, 2015, 1:44 AM

Hey Johnpoz, thanks for the extra brain storming. At this point the VLANs are up and running and I'm good with the way things are.

Out of curiosity, what benefits would having the ESXi box serving a virtual pfsense machine as the edge device bring? There are four nics in the hardware pfsense and four in the esxi host. The hardware fw is an atom d525 in a 1u half case with 4GiB ram and an SSD. The esxi host has dual proc e5650 2.66GHZ six core 12mb cache with 128GiB ram and 10k HDs on hardware raid in a 1u case. This is my home lab so my esxi software is through the VMUG advantage evaluation which is a 1 year license.

The esxi server is mainly for me to lab some microsoft products I dont get to touch at work. Looking at you exchange. a

johnpoz · Mar 24, 2015, 4:10 AM

Just make it easier if you ask me, blurs the line between physical and virtual.

So my edge router is on my esxi box, my esxi host has 4 nics - one connected to modem (wan), next phy nic on lan vswitch (lan), then another phy nic on vswitch connected (wlan), then another nic for my vmkern. I break this out on its own vswitch because when I shared it with lan I had slow performance to and from the datastore, etc.. I have vlan running on the vlan for guest wlan. And then there is a vswitch connected to dmz that is just some vms.

So I have vms on all 3 of my segments, lan, wlan and dmz. while i Have physical devices on lan and wlan segments.

pfsense just has virtual nic connected to the different vswitches.

With my router being virtual, I can update to say 2.2.1 when it came out without a care in the world - click snapshot, oh shit the upgraded took a big dump.. Revert to my snapshot. Oh I want to play with untangle today as my edge router, click click new vm replaces my edge pfsense box. Oh I wan to play with sophos UTM today on my edge, click click.

There are loads of advantages to it - makes your mess go away because all the different segments you want to play with no just connect to pfsense and you can firewall between them be they are physical boxes or virtual boxes.