On Thu, Nov 24, 2011 at 10:21 AM, Ron Lemon <[email protected]> wrote:
>
> Your possibilities gave me the missing clue. We have no dual homed hosts and
> technically we only have 1 router, but we do have a load
> balancer, and for these machines (and only these machines) it is acting as a
> router as well as a load balancer. So essentially we did have a
> man in the middle scenario. So now that I know what is wrong I can see if we
> still need this functionality (funny, it used to work under 1.3 and
> as far as I know has been working under 2.0 for the last couple of weeks
> since the upgrade) and if so will work on the changes needed to make it
> follow all the rules.
>
Generally if that behavior changed, it was between 1.2.2 or earlier and 1.2.3, as that's when the newer PF that sets flags S/SA by default was introduced. Prior to that it was less strict on such scenarios. There are differences in the underlying PF between 1.2.3 and 2.0 as well, though; it may be more strict in a way that impacts this particular scenario (which differs from the usual scenario I described to some extent, but is the same problem) differently.

> So to go with your "ugly network" comment, and I am not disagreeing, I have
> machines in the 10.0.0.0 and 10.0.4.0 subnet that need to access machines
> in the 10.0.1.0 subnet, which is why (in addition to not knowing any better
> way at the time) it was set up this way with FW rules
> allowing the required network paths to touch where required. If I go with
> VLANs (which will be a brand new experience I have wanted to try, but
> we have the ugly 4 letter word "time" that is needed to learn how) can I
> segregate these networks, still have them all on a single interface and
> still allow them to touch where needed? Can you suggest any beginning
> reading for setting up VLANs? I now have to support this network
> layout (which keeps growing) with Hyper-V machines, Blade servers, and
> physical boxes just so you have an idea of what kind of a layout I am
> in. I always look forward to learning something new.
>

http://pfsense.org/book details info for setting up VLANs both on the firewall and switch side, and describes their functionality, concepts and terminology in general. You can pick up a lot of the same stuff just by Googling 802.1Q and reading your switch's manual, depending on the vendor. Some of them are good (HP, Cisco, others) and some seem like they were written by people who haven't the slightest idea how to use VLANs, so that may be hit or miss.
We wrote walkthroughs for VLANs on several different switch vendors in our book, and at least one (Netgear) is far better than what they have in their own manuals. For those with more money than time, having us help with the deployment via support (see portal.pfsense.org) has been of great value for customers. We're glad to walk through setting up VLANs both on their switches and firewall (usually via GoToMeeting or similar), providing explanations along the way that get you up to speed on how it all works. That's generally something where we can get the deployment done, and get you up to speed on everything, in just a couple of hours, where it would take far longer to go through on your own the first time.

_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
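The asymmetric-routing problem discussed in the thread above (a load balancer acting as the router for a few hosts, so the firewall sees only one direction of a TCP connection and, with the flags S/SA default introduced in 1.2.3, never creates a state), as an added pf.conf example that is not from the thread or from the pfSense project: the strict default-style rule alongside a narrowly scoped sloppy-state rule for the load-balanced path only. The interface name, addresses and port are assumptions for illustration.

```pf
# Added example (not from the thread or pfSense itself). Names, addresses
# and the port are assumed placeholders for illustration.
lan_if   = "em0"
web_vip  = "10.0.1.10"                    # assumed load-balancer VIP
lb_hosts = "{ 10.0.0.0/24, 10.0.4.0/24 }" # assumed client subnets

# Default behaviour since pfSense 1.2.3: a state is created only by the
# initial SYN (flags S/SA). If the SYN reaches the server via the load
# balancer without crossing the firewall, the return packets arrive here
# mid-stream, match no state, and are dropped.
pass in on $lan_if proto tcp from $lb_hosts to $web_vip port 80 \
    flags S/SA keep state

# Relaxed rule for the asymmetric path only: "flags any" accepts non-SYN
# packets, and sloppy state creates a state from whichever packet arrives
# first and skips sequence-number/window tracking. That also drops the
# anti-spoofing and anti-injection checks strict tracking provides, so
# keep this rule limited to the exact hosts and port that traverse the
# load balancer, and leave the rest of the ruleset strict.
pass in on $lan_if proto tcp from $lb_hosts to $web_vip port 80 \
    flags any keep state (sloppy)
```

Apply the sloppy rule as a narrow exception rather than a global default, and confirm it is doing its job with `pfctl -ss` after a client connects: states should now appear for connections whose forward path bypassed the firewall. If the rest of the ruleset starts needing the same exception, that is a sign the routing (not the firewall) is what should change, which is where the VLAN redesign discussed in the thread comes in.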
