Internal Network LAN to WAN intermittent (disconnection)



  • Hi,

    I have just implemented pfSense for my company with the idea that all servers sit in WAN and all user computers sit in LAN.
    The purpose is to use the Captive Portal to authorise users, whether connected by WiFi or cable, when they access the servers.

    I tested forwarding all traffic with firewall rules for WAN and LAN. All features run as expected.

    But a big issue is killing me  :'( -  the connection is intermittent, especially on Windows XP and Windows Server 2003. And I am not able to find any logs for troubleshooting.

    ----------------------------------
    Test scenario - Bad Result

    • Windows XP (LAN) sending a print job to a Windows Server 2012 or 2003 shared printer (WAN) always has connection problems. Print 5 times, maybe 1 succeeds. Accessing printer properties also errors when the connection is intermittent.

    • Copying a file from Windows 7 or XP (LAN) to Windows Server 2003 (WAN) cannot complete; it always prompts "Network Error - There is a problem accessing …" (However, copying to Server 2008 completes without error.)

    • For the network error in item 2, I realised that when opening a Server 2003 shared folder on a user PC, the files inside the folder can disappear after a few seconds or a few minutes, showing "This folder is empty". You can find the missing files by refreshing the shared folder. This tells us the connection is intermittent: the files disappear when the server is disconnected, and refreshing brings the connection back.

    • This is not the major issue I want to fix now: Windows 7 users report that access to the shared folder (Server 2008) is slow, or sometimes the opened file hangs.

    ----------------------------------
    Test scenario - Good Result

    • Copying a file from Server 2003 (WAN) to Windows XP (LAN) completes successfully

    • Copying a file from Windows 8 (LAN) to Server 2008 (WAN) completes successfully

    *I found that when copying a file from LAN to WAN, pfSense CPU usage gets high; actually I don't need it to "scan" the file/packet.

    Rules are open without restriction:

    ----------------------------------
    For WAN

    Proto      Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
    IPv4 ICMP  *       *     *            *     *        none
    IPv4 IGMP  *       *     *            *     *        none
    IPv4 UDP   *       *     *            *     *        none
    IPv4 TCP   *       *     *            *     *        none             Allow Inter WAN to Inter LAN


    For LAN

    Proto      Source     Port  Destination  Port      Gateway  Queue  Schedule  Description
    IPv4 ICMP  *          *     *            *         *        none
    IPv4 IGMP  *          *     *            *         *        none
    IPv4 UDP   STAFF net  *     192.168.2.4  53 (DNS)  *        none
    IPv4 UDP   STAFF net  *     192.168.2.5  53 (DNS)  *        none
    IPv4 UDP   STAFF net  *     18.18.0.1    53 (DNS)  *        none
    IPv4 TCP   *          *     *            *         *        none
    IPv4 UDP   *          *     *            *         *        none
    IPv4 UDP   *          *     *            *         *        none



  • It's really terrible!
    Even though I changed the structure, I get exactly the same result.

    Now there is no more WAN; all servers connect to LAN A and users connect to LAN B.

    All computers with Windows XP have the same problem: they cannot complete file copy operations.

    Windows always prompts "The specified network name is no longer available" when copying a file from the server's shared folder, deleting a file on the shared folder, or copying a file to the shared folder.
    It also affects print operations if the printer is shared on the server.


  • Banned

    This very obviously has nothing to do with the firewall and everything to do with poorly compatible SMB implementations. (Dude, you just shouldn't run any XP/2003 crap at all…)



  • This sounds like not a solution but just skipping the issue that is really happening.
    It is not easy for me to scrap 50+ units of Windows XP in one shot.

    You should know that without the firewall, Windows XP and Server 2003 are still running well at this moment.



  • For troubleshooting I'd suggest simplifying the firewall / gateway to one rule that passes everything, disable apinger gateway monitoring, etc.  KISS.  If it works, then add the components desired one at a time to find the culprit.



  • Will do as you suggested. At least I can see a little daylight  :)



  • What's using the CPU when you copy files? How "high" is it getting?



  • @Harvy66:

    What's using the CPU when you copy files? How "high" is it getting?

    It is a VirtualBox VM; I tried copying a 200MB file and the system used about 36% CPU.

    This is the spec of the CPU in VirtualBox:
    Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz
    2 CPUs: 1 package(s) x 2 core(s)

    After I changed the structure to use two LANs instead of WAN, I can see a little improvement: after retrying a few times I am able to complete the file copy operation  :-\



  • It seems there is some clue

    After some changes, I can now completely copy a 25GB file from Server 2008 to XP, provided I access it by IP address:

    \\192.168.1.123\test\testfile.xxx  --> completed without error

    \\ServerABC\test\testfile.xxx  --> copies a few percent and then prompts "the specified network name is no longer available"

    • Copying files is just for verifying network stability; the issue is not about whether a large file can be copied over the network.

  • LAYER 8 Global Moderator

    How do you expect to find ServerABC??  when you're on different network segments.. That is not a FQDN, are your machines members of Windows Active Directory?  Are you running WINS?  You can not broadcast for the name when on different segments.

    So your pfSense is running in a VM?  On what hardware?  And you want to run your work network in a VirtualBox VM???

    As to running 2k3 and XP.. Both of those are no longer supported.. You should have been moving off of them a long freaking time ago..  That you didn't, yeah, makes your work harder migrating to actually supported software, etc..

    So you do understand that when you had your server in WAN and clients.. Did you disable NAT?? What do you think pfSense would be scanning???

    "actually I don't need it to "scan" the file/packet."



  • All your questions have a similar answer, which is "Yes"

    And you should not question the Server 2003 and Windows XP if you find that many manufacturing factories still use them for minimal assignments until the machine dies.

    Actually your question is my question: "What do you think pfSense would be scanning?"

    However, I have mentioned that I no longer configure WAN; I replaced it with two LANs instead.

    To answer your question, I'm able to ping the hostname and the IP, and I'm also able to access the folder by hostname or IP.
    Back to my issue: the problem is an intermittent connection (not a physical disconnection) and it leaves no trace for me to troubleshoot. But you will find this issue very clearly when you copy files over the network.

    From some information on Google, it could be a network card issue, or changing the FreeBSD configuration may help. I followed those suggestions; the condition now seems much improved, but not yet 100% fixed.

    What I hope is that anyone having a similar issue will share it with me, or share with everybody, so that anyone wanting to set up an internal network in future does not need to experience the same situation.


  • LAYER 8 Global Moderator

    "But you will find this issue very clearly when you copy files over the network."

    Not on my network, using pfSense on a virtual host..



  • @jeffvfren:

    It seems there is some clue

    After some changes, I can now completely copy a 25GB file from Server 2008 to XP, provided I access it by IP address:

    \\192.168.1.123\test\testfile.xxx  --> completed without error

    \\ServerABC\test\testfile.xxx  --> copies a few percent and then prompts "the specified network name is no longer available"

    • Copying files is just for verifying network stability; the issue is not about whether a large file can be copied over the network.

    Are you using pfSense as the DNS server for the clients? If so, go add a domain override on your DNS forwarder/resolver (depending on which version of pfSense you are using) and point it to the DC running the DNS Server service.

    If you are not using AD, then add your servers as host overrides.

    Alternatively, just point your clients in DHCP to use the appropriate server as DNS. You might do well to enable the WINS service on the server and add the WINS entry in DHCP to cater for the older clients as well.
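The IP-works-but-name-fails split above points at name resolution rather than the firewall, and the reply recommends fixing it with a DNS override or WINS. The script below is an added example, not code from the thread or from pfSense: it resolves the server's bare name and its FQDN repeatedly from the client's segment and classifies the answers as stable, intermittent, never-resolving or wrong-address, which is the evidence you want before adding the override. The hostname "ServerABC", the DNS suffix "corp.example" and the address 192.168.1.123 are placeholders; the `resolver` argument exists so a constructed resolver can be substituted for the OS one when testing offline.

```python
"""Check whether an SMB server's name resolves consistently from a client.

Added example (not from the thread). Symptom under test: a copy via
\\192.168.1.123\test completes, a copy via \\ServerABC\test dies part-way
with "the specified network name is no longer available". Confirm that the
name resolves to the known-good address on every lookup, and by a route
that does not depend on broadcast (which cannot cross segments).

Placeholders, not from the original post: "ServerABC", "corp.example",
192.168.1.123.
"""
import socket
from collections import Counter
from typing import Callable, Dict, List, Optional

# A resolver maps a name to an IPv4 address string, or None on failure.
Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Resolve through the OS stub resolver. On Windows this is the same
    path the SMB client uses (DNS, then NetBIOS/WINS), so it shows what
    the copy operation actually sees."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def candidate_names(short_name: str, dns_suffix: str) -> List[str]:
    """The bare name (may need broadcast/WINS) and the FQDN (pure DNS)."""
    return [short_name, f"{short_name}.{dns_suffix}"]


def check_resolution(name: str, expected_ip: str, attempts: int = 20,
                     resolver: Resolver = system_resolver) -> Dict[str, object]:
    """Resolve `name` `attempts` times and count the kinds of answer."""
    answers: Counter = Counter(resolver(name) for _ in range(attempts))
    ok = answers.get(expected_ip, 0)
    failed = answers.get(None, 0)
    wrong = attempts - ok - failed          # resolved, but to another address
    return {
        "name": name,
        "expected": expected_ip,
        "attempts": attempts,
        "ok": ok,
        "failed": failed,
        "wrong": wrong,
        "stable": failed == 0 and wrong == 0,
        "answers": {k or "<fail>": v for k, v in answers.items()},
    }


def diagnose(result: Dict[str, object]) -> str:
    """One-line reading of a check_resolution() result."""
    if result["stable"]:
        return "stable: every lookup returned the expected address"
    if result["ok"] == 0 and result["wrong"] == 0:
        return ("never resolves: the name is not known in DNS/WINS from this "
                "segment; add a host/domain override or point clients at the AD DNS")
    if result["failed"]:
        return ("intermittent: some lookups fail; a cached or broadcast answer is "
                "expiring, which matches a copy that dies part-way")
    return "wrong address: the name resolves, but not to the expected server"


def run(short_name: str, dns_suffix: str, expected_ip: str, attempts: int = 20,
        resolver: Resolver = system_resolver) -> Dict[str, str]:
    """Check the bare name and the FQDN; returns name -> diagnosis."""
    return {n: diagnose(check_resolution(n, expected_ip, attempts, resolver))
            for n in candidate_names(short_name, dns_suffix)}


if __name__ == "__main__":
    for name, verdict in run("ServerABC", "corp.example", "192.168.1.123").items():
        print(f"{name}: {verdict}")
```

Run it on the XP client (or any client on the user segment) with the server's real short name, DNS suffix and address. If the FQDN is stable but the bare name is intermittent or never resolves, the override/WINS suggestion above is the fix and the firewall rules can be left alone; if both are stable, the name path is clean and the problem lies elsewhere.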



  • Thank you, will do as you suggested. Today is a working day; I should schedule further testing  :o

