Hello,
I set up pfSense as the gateway/firewall for my office network. It
is a rather simple setup with two networks: Orange (192.168.2.0/24) for
the servers and Green (192.168.0.0/24) for the office. I am running
into problems when browsing Windows/SMB shares across networks:
- Browsing windows shares on the Orange network from the Green
network works fine at first but after opening a few random
directories on the share, it takes longer and longer to open a
directory until it eventually is unusable or sometimes it times out.
Browsing the SAME shares from the Orange network works flawlessly.
The shares are also available on the Green network (the servers are
attached to both networks); when accessing the (same) shares on the
Green network from the Green network, it also works flawlessly.
After a lot of troubleshooting, I narrowed the problem down to the
gateway. When browsing the shares directly it works well; when accessing
the shares through the gateway (pfSense), browsing slows down quickly
and eventually times out.
My setup is pretty simple and i'm assuming pretty common as well. I
am surprised that no one has reported having the same problem (to my
knowledge). Or maybe i'm just missing something.
I attached the XML config file for pfSense if you want to take a look
at it (I only censored the passwords).
Can I get your help/advice on this?
Thank you
Alex
<?xml version="1.0"?>
<pfsense>
<!-- Config header and global system settings. NOTE(review): this file carries credentials and the complete rule set; the poster masked the password values, and they should stay masked wherever the config is shared. -->
<version>2.3</version>
<lastchange/>
<theme>metallic</theme>
<system>
<optimization>normal</optimization>
<hostname>pfsense</hostname>
<domain>ingrooves.com</domain>
<!-- Administrative account name; presumably the installation default (confirm). -->
<username>admin</username>
<!-- Masked by the poster; not the stored value. -->
<password>***********************</password>
<timezone>PST8PDT</timezone>
<time-update-interval/>
<timeservers>pool.ntp.org</timeservers>
<!-- Management GUI is served over HTTPS. <port/>, <certificate/> and <private-key/> are empty, so presumably built-in defaults are in use (confirm). -->
<webgui>
<protocol>https</protocol>
<port/>
<certificate/>
<private-key/>
</webgui>
<ssh>
<port/>
</ssh>
<maximumstates/>
<!-- 192.168.0.230 is also the address of the G5SERVER alias, which the nat section publishes to the WAN on ports 80 and 22. -->
<dnsserver>192.168.0.230</dnsserver>
</system>
<!-- Interface assignments: lan (re0, 192.168.0.2/24, the Green office network in the message), wan (rl0, 206.80.2.2/26) and opt1 labelled ORANGE (rl4, 192.168.2.2/24). NOTE(review): a filter rule and a virtual IP elsewhere in this file name interface opt2, but no opt2 is assigned here; confirm whether those entries are stale. -->
<interfaces>
<lan>
<if>re0</if>
<ipaddr>192.168.0.2</ipaddr>
<subnet>24</subnet>
<media/>
<mediaopt/>
<bandwidth>100</bandwidth>
<bandwidthtype>Mb</bandwidthtype>
<bridge/>
<disableftpproxy/>
</lan>
<wan>
<if>rl0</if>
<mtu/>
<!-- Presumably drops WAN traffic that claims a private (RFC 1918) source address; confirm. -->
<blockpriv>on</blockpriv>
<media>100baseTX</media>
<mediaopt>full-duplex</mediaopt>
<bandwidth>100</bandwidth>
<bandwidthtype>Mb</bandwidthtype>
<spoofmac/>
<disableftpproxy/>
<ipaddr>206.80.2.2</ipaddr>
<!-- A /26 around 206.80.2.2 spans 206.80.2.0 through 206.80.2.63. -->
<subnet>26</subnet>
<gateway>206.80.2.1</gateway>
<dhcphostname/>
</wan>
<!-- Server network. No media, bridge or gateway values are set. -->
<opt1>
<descr>ORANGE</descr>
<if>rl4</if>
<bridge/>
<enable/>
<ipaddr>192.168.2.2</ipaddr>
<subnet>24</subnet>
<gateway/>
<spoofmac/>
<mtu/>
</opt1>
</interfaces>
<!-- Static routes and WAN client settings (PPPoE, PPTP client, BigPond, dynamic DNS). Every credential and host field is empty in this config; only the dyndns type is set. -->
<staticroutes/>
<pppoe>
<username/>
<password/>
</pppoe>
<pptp>
<username/>
<password/>
<local/>
<subnet/>
<remote/>
</pptp>
<bigpond>
<username/>
<password/>
<authserver/>
<authdomain/>
<minheartbeatinterval/>
</bigpond>
<dyndns>
<type>dyndns</type>
<username/>
<password/>
<host/>
<mx/>
</dyndns>
<!-- DHCP server on lan, leasing 192.168.0.40 through 192.168.0.199. -->
<dhcpd>
<lan>
<range>
<from>192.168.0.40</from>
<to>192.168.0.199</to>
</range>
<defaultleasetime/>
<maxleasetime/>
<netmask/>
<failover_peerip/>
<!-- NOTE(review): clients are handed 192.168.0.1 as gateway, while this firewall's lan address is 192.168.0.2 (see interfaces). Confirm which device LAN clients really route through; traffic that takes a different path in each direction is only partly visible to a stateful filter. -->
<gateway>192.168.0.1</gateway>
<winsserver>192.168.0.232</winsserver>
</lan>
</dhcpd>
<!-- PPTP VPN server (mode is server) with twelve locally defined accounts; radius is empty, so authentication presumably uses the user list below. NOTE(review): PPTP with MS-CHAPv2/MPPE is widely regarded as cryptographically weak; plan a move to IPsec or OpenVPN (both sections exist in this file but are empty). All password values are masked by the poster. -->
<pptpd>
<redir>192.168.0.232</redir>
<!-- Same address as the wan interface (206.80.2.2). -->
<localip>206.80.2.2</localip>
<!-- Lies inside the LAN /24; presumably the start of the address pool given to VPN clients (confirm it cannot collide with LAN hosts). -->
<remoteip>192.168.0.16</remoteip>
<radius>
<server/>
<secret/>
</radius>
<wins>192.168.0.232</wins>
<!-- VPN account named admin, the same name as the GUI account in system; make sure the two do not share a password. -->
<user>
<name>admin</name>
<ip/>
<password>*******</password>
</user>
<user>
<name>ben</name>
<ip/>
<password>*********</password>
</user>
<user>
<name>cliff</name>
<ip/>
<password>**********</password>
</user>
<user>
<name>cody</name>
<ip/>
<password>**************</password>
</user>
<user>
<name>david</name>
<ip/>
<password>************</password>
</user>
<user>
<name>jonathan</name>
<ip/>
<password>*********</password>
</user>
<user>
<name>maia</name>
<ip/>
<password>**********</password>
</user>
<user>
<name>manny</name>
<ip/>
<password>**********</password>
</user>
<user>
<name>remi</name>
<ip/>
<password>**********</password>
</user>
<user>
<name>terry</name>
<ip/>
<password>*************</password>
</user>
<user>
<name>till</name>
<ip/>
<password>************</password>
</user>
<user>
<name>treavor</name>
<ip/>
<password>******</password>
</user>
<!-- Presumably requires 128-bit MPPE encryption from clients; confirm. -->
<req128/>
<mode>server</mode>
</pptpd>
<!-- Optional services. ovpn, dnsmasq, bridge and syslog are empty elements; an empty syslog presumably means no remote log destination is configured (confirm), which limits what can be reviewed after an incident. -->
<ovpn/>
<dnsmasq/>
<snmpd>
<syslocation/>
<syscontact/>
<!-- NOTE(review): "public" is the well-known default read-only community string. No enable child is visible here, so the agent may be off; either way replace the value with a site-specific string and keep SNMP unreachable from the WAN. -->
<rocommunity>public</rocommunity>
</snmpd>
<diag>
<ipv6nat/>
</diag>
<bridge/>
<syslog/>
<nat>
<ipsecpassthru/>
<!-- Manual outbound NAT (the trailing enable element presumably switches it on). Traffic from ORANGE (192.168.2.0/24) and from the LAN (192.168.0.0/24) is translated when it leaves through wan. Both rules name interface wan, so nothing visible here translates traffic between LAN and ORANGE; that traffic is routed as is. -->
<advancedoutbound>
<rule>
<source>
<network>192.168.2.0/24</network>
</source>
<sourceport/>
<descr>ORANGE > WAN</descr>
<target/>
<interface>wan</interface>
<destination>
<any/>
</destination>
<natport/>
<dstport/>
</rule>
<rule>
<source>
<network>192.168.0.0/24</network>
</source>
<sourceport/>
<descr>LAN > WAN</descr>
<target/>
<interface>wan</interface>
<destination>
<any/>
</destination>
<natport/>
<dstport/>
</rule>
<enable/>
</advancedoutbound>
<!-- Inbound port forwards on wan: each rule maps one public address to an internal host alias for the ports in the INDMAports alias (80 443 3389 22 4040 per the aliases section). NOTE(review): that set includes RDP (3389) and SSH (22), and the matching filter rules accept any source. Restrict the allowed source addresses, or reach remote administration through the VPN instead of publishing it. -->
<rule>
<external-address>206.80.2.11</external-address>
<protocol>tcp</protocol>
<external-port>INDMAports</external-port>
<target>CORPORATE</target>
<local-port>INDMAports</local-port>
<interface>wan</interface>
<descr/>
</rule>
<rule>
<external-address>206.80.2.12</external-address>
<protocol>tcp</protocol>
<external-port>INDMAports</external-port>
<target>CORPORATE2</target>
<local-port>INDMAports</local-port>
<interface>wan</interface>
<descr/>
</rule>
<rule>
<external-address>206.80.2.13</external-address>
<protocol>tcp</protocol>
<external-port>INDMAports</external-port>
<target>ALPHA1</target>
<local-port>INDMAports</local-port>
<interface>wan</interface>
<descr/>
</rule>
<rule>
<external-address>206.80.2.14</external-address>
<protocol>tcp</protocol>
<external-port>INDMAports</external-port>
<target>CORPORATE4</target>
<local-port>INDMAports</local-port>
<interface>wan</interface>
<descr/>
</rule>
<rule>
<external-address>206.80.2.15</external-address>
<protocol>tcp</protocol>
<external-port>INDMAports</external-port>
<target>CORPORATE5</target>
<local-port>INDMAports</local-port>
<interface>wan</interface>
<descr/>
</rule>
<rule>
<external-address>206.80.2.16</external-address>
<protocol>tcp</protocol>
<external-port>INDMAports</external-port>
<target>CORPORATE6</target>
<local-port>INDMAports</local-port>
<interface>wan</interface>
<descr/>
</rule>
<rule>
<external-address>206.80.2.17</external-address>
<protocol>tcp</protocol>
<external-port>INDMAports</external-port>
<target>CORPORATE7</target>
<local-port>INDMAports</local-port>
<interface>wan</interface>
<descr/>
</rule>
<rule>
<external-address>206.80.2.31</external-address>
<protocol>tcp</protocol>
<external-port>INDMAports</external-port>
<target>INDMA1</target>
<local-port>INDMAports</local-port>
<interface>wan</interface>
<descr/>
</rule>
<rule>
<external-address>206.80.2.32</external-address>
<protocol>tcp</protocol>
<external-port>INDMAports</external-port>
<target>INDMA2</target>
<local-port>INDMAports</local-port>
<interface>wan</interface>
<descr/>
</rule>
<!-- Further inbound port forwards on wan: FTP, HTTP, SSH, port 8000 and three more INDMAports hosts. Most descr fields are empty, which makes later review harder; a one-line purpose per rule would help. -->
<!-- FTP control channel to CORPORATE. NOTE(review): plain FTP sends credentials in cleartext; prefer SFTP or FTPS for anything reachable from the Internet. -->
<rule>
<external-address>206.80.2.11</external-address>
<protocol>tcp</protocol>
<external-port>21</external-port>
<target>CORPORATE</target>
<local-port>21</local-port>
<interface>wan</interface>
<descr/>
</rule>
<rule>
<external-address>206.80.2.11</external-address>
<protocol>tcp</protocol>
<external-port>8000</external-port>
<target>CORPORATE</target>
<local-port>8000</local-port>
<interface>wan</interface>
<descr/>
</rule>
<!-- Passive FTP data range; local-port holds only the first port, so the range is presumably mapped one to one starting at 50000 (confirm). -->
<rule>
<external-address>206.80.2.11</external-address>
<protocol>tcp</protocol>
<external-port>50000-55000</external-port>
<target>CORPORATE</target>
<local-port>50000</local-port>
<interface>wan</interface>
<descr>FTP data connections</descr>
</rule>
<!-- NOTE(review): G5SERVER resolves to 192.168.0.230, which is inside the LAN /24 rather than ORANGE, so this forward publishes a host that sits on the office network. A compromise of that host lands directly on the LAN; consider moving the published service to ORANGE. -->
<rule>
<external-address>206.80.2.4</external-address>
<protocol>tcp</protocol>
<external-port>80</external-port>
<target>G5SERVER</target>
<local-port>80</local-port>
<interface>wan</interface>
<descr/>
</rule>
<rule>
<external-address>206.80.2.18</external-address>
<protocol>tcp</protocol>
<external-port>INDMAports</external-port>
<target>CORPORATE8</target>
<local-port>INDMAports</local-port>
<interface>wan</interface>
<descr/>
</rule>
<!-- Passive FTP data range for FTPSERVER; wider than the CORPORATE range (50000-59999). -->
<rule>
<external-address>206.80.2.3</external-address>
<protocol>tcp</protocol>
<external-port>50000-59999</external-port>
<target>FTPSERVER</target>
<local-port>50000</local-port>
<interface>wan</interface>
<descr>FTP data connections</descr>
</rule>
<rule>
<external-address>206.80.2.3</external-address>
<protocol>tcp</protocol>
<external-port>21</external-port>
<target>FTPSERVER</target>
<local-port>21</local-port>
<interface>wan</interface>
<descr/>
</rule>
<rule>
<external-address>206.80.2.3</external-address>
<protocol>tcp</protocol>
<external-port>80</external-port>
<target>FTPSERVER</target>
<local-port>80</local-port>
<interface>wan</interface>
<descr/>
</rule>
<!-- SSH to the LAN-resident G5SERVER from the WAN; the paired filter rule accepts any source. -->
<rule>
<external-address>206.80.2.4</external-address>
<protocol>tcp</protocol>
<external-port>22</external-port>
<target>G5SERVER</target>
<local-port>22</local-port>
<interface>wan</interface>
<descr/>
</rule>
<rule>
<external-address>206.80.2.19</external-address>
<protocol>tcp</protocol>
<external-port>INDMAports</external-port>
<target>CORPORATE9</target>
<local-port>INDMAports</local-port>
<interface>wan</interface>
<descr/>
</rule>
<rule>
<external-address>206.80.2.20</external-address>
<protocol>tcp</protocol>
<external-port>INDMAports</external-port>
<target>CORPORATE10</target>
<local-port>INDMAports</local-port>
<interface>wan</interface>
<descr/>
</rule>
</nat>
<filter>
<!-- WAN filter rules paired with the INDMAports port forwards (descr "NAT "). These nine rules carry no type element, unlike later rules that state pass explicitly; presumably they default to pass (confirm). Every rule accepts any source, so the alias ports, including 3389 and 22, are open to the whole Internet on each listed host. -->
<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>CORPORATE</address>
<port>INDMAports</port>
</destination>
<descr>NAT </descr>
</rule>
<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>CORPORATE2</address>
<port>INDMAports</port>
</destination>
<descr>NAT </descr>
</rule>
<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>ALPHA1</address>
<port>INDMAports</port>
</destination>
<descr>NAT </descr>
</rule>
<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>CORPORATE4</address>
<port>INDMAports</port>
</destination>
<descr>NAT </descr>
</rule>
<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>CORPORATE5</address>
<port>INDMAports</port>
</destination>
<descr>NAT </descr>
</rule>
<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>CORPORATE6</address>
<port>INDMAports</port>
</destination>
<descr>NAT </descr>
</rule>
<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>CORPORATE7</address>
<port>INDMAports</port>
</destination>
<descr>NAT </descr>
</rule>
<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>INDMA1</address>
<port>INDMAports</port>
</destination>
<descr>NAT </descr>
</rule>
<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>INDMA2</address>
<port>INDMAports</port>
</destination>
<descr>NAT </descr>
</rule>
<!-- Remaining WAN filter rules for the published services. All accept any source. Some state type pass and keep state explicitly, others omit both; presumably the result is the same (confirm). -->
<!-- NOTE(review): the nat section forwards only ports 80 and 22 to G5SERVER; no forward for the other INDMAports ports (443, 3389, 4040) is visible, so this rule is broader than the published service. G5SERVER is a LAN address (192.168.0.230). -->
<rule>
<type>pass</type>
<interface>wan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>G5SERVER</address>
<port>INDMAports</port>
</destination>
<descr>NAT </descr>
</rule>
<!-- FTP control channel to CORPORATE from any source; credentials travel in cleartext. -->
<rule>
<type>pass</type>
<interface>wan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>CORPORATE</address>
<port>21</port>
</destination>
<descr>NAT </descr>
</rule>
<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>CORPORATE</address>
<port>50000-55000</port>
</destination>
<descr>NAT FTP data connections</descr>
</rule>
<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>CORPORATE</address>
<port>8000</port>
</destination>
<descr>NAT </descr>
</rule>
<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>G5SERVER</address>
<port>80</port>
</destination>
<descr>NAT </descr>
</rule>
<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>CORPORATE8</address>
<port>INDMAports</port>
</destination>
<descr>NAT </descr>
</rule>
<rule>
<type>pass</type>
<interface>wan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>FTPSERVER</address>
<port>21</port>
</destination>
<descr>NAT FTP</descr>
</rule>
<!-- Ten thousand high ports open to FTPSERVER from any source; keep the range as small as the FTP daemon's passive range allows. -->
<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>FTPSERVER</address>
<port>50000-59999</port>
</destination>
<descr>NAT FTP data connections</descr>
</rule>
<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>FTPSERVER</address>
<port>80</port>
</destination>
<descr>NAT </descr>
</rule>
<!-- SSH to a LAN host from any source; restrict the source addresses if this must stay published. -->
<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>G5SERVER</address>
<port>22</port>
</destination>
<descr>NAT </descr>
</rule>
<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>CORPORATE9</address>
<port>INDMAports</port>
</destination>
<descr>NAT </descr>
</rule>
<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>CORPORATE10</address>
<port>INDMAports</port>
</destination>
<descr>NAT </descr>
</rule>
<!-- Rules for the internal and VPN interfaces: pptp, opt2, opt1 (ORANGE) and lan. -->
<!-- NOTE(review): passes any protocol from any source to any destination on the pptp interface, so every VPN account has unrestricted reach into both networks. Narrow the destination to what remote users need. -->
<rule>
<type>pass</type>
<interface>pptp</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<source>
<any/>
</source>
<destination>
<any/>
</destination>
<descr/>
</rule>
<!-- NOTE(review): names interface opt2, which the interfaces section does not define, and allows tcp from any source to every port of 192.168.0.211. No matching forward is visible in the nat section. Looks like a leftover; confirm and remove if unused. -->
<rule>
<type>pass</type>
<interface>opt2</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>192.168.0.211</address>
</destination>
<descr>NAT </descr>
</rule>
<!-- NOTE(review): the server network may open connections to anything, including the office LAN. Since the ORANGE hosts are published to the Internet, a compromised server can reach LAN hosts directly; allow only the specific flows ORANGE needs. -->
<rule>
<type>pass</type>
<interface>opt1</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<source>
<network>opt1</network>
</source>
<destination>
<any/>
</destination>
<descr>ORANGE -> any</descr>
</rule>
<!-- Passes LAN traffic to every destination that is NOT the opt1 network (the not element negates the match). -->
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<source>
<network>lan</network>
</source>
<destination>
<network>opt1</network>
<not/>
</destination>
<descr>LAN > WAN</descr>
</rule>
<!-- Passes LAN traffic to the opt1 (ORANGE) network; with the previous rule this admits everything that originates on the LAN, so rule filtering itself does not appear to block the SMB sessions. NOTE(review): the message says the servers are attached to both networks. A server contacted on its ORANGE address by a Green client can answer straight out of its own Green interface, in which case the firewall sees only one direction of the TCP session and its keep-state tracking would eventually drop the flow. That is a likely cause of the reported slowdown; confirm with a packet capture on both interfaces. -->
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<source>
<network>lan</network>
</source>
<destination>
<network>opt1</network>
</destination>
<descr>LAN -> ORANGE</descr>
</rule>
<!-- WAN rule for tcp 4040 to CORPORATE from any source. The INDMAports alias already contains 4040 and an earlier rule admits INDMAports to CORPORATE, so this entry appears redundant (confirm before removing). -->
<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>CORPORATE</address>
<port>4040</port>
</destination>
<descr>NAT </descr>
</rule>
</filter>
<!-- IPsec (no tunnels defined here) followed by the host and port aliases used by the nat and filter sections. All alias descr fields are empty. -->
<ipsec>
<preferredoldsa/>
</ipsec>
<!-- Every host alias is in ORANGE (192.168.2.0/24) except G5SERVER, which is in the LAN /24. -->
<aliases>
<alias>
<name>ALPHA1</name>
<address>192.168.2.203</address>
<descr/>
</alias>
<alias>
<name>CORPORATE</name>
<address>192.168.2.201</address>
<descr/>
</alias>
<alias>
<name>CORPORATE10</name>
<address>192.168.2.210</address>
<descr/>
</alias>
<alias>
<name>CORPORATE2</name>
<address>192.168.2.202</address>
<descr/>
</alias>
<alias>
<name>CORPORATE4</name>
<address>192.168.2.204</address>
<descr/>
</alias>
<alias>
<name>CORPORATE5</name>
<address>192.168.2.205</address>
<descr/>
</alias>
<alias>
<name>CORPORATE6</name>
<address>192.168.2.206</address>
<descr/>
</alias>
<alias>
<name>CORPORATE7</name>
<address>192.168.2.207</address>
<descr/>
</alias>
<alias>
<name>CORPORATE8</name>
<address>192.168.2.208</address>
<descr/>
</alias>
<alias>
<name>CORPORATE9</name>
<address>192.168.2.209</address>
<descr/>
</alias>
<alias>
<name>FTPSERVER</name>
<address>192.168.2.232</address>
<descr/>
</alias>
<!-- LAN address; also configured as the firewall's DNS server in system. -->
<alias>
<name>G5SERVER</name>
<address>192.168.0.230</address>
<descr/>
</alias>
<alias>
<name>INDMA1</name>
<address>192.168.2.221</address>
<descr/>
</alias>
<alias>
<name>INDMA2</name>
<address>192.168.2.222</address>
<descr/>
</alias>
<!-- Port alias used by most forwards: HTTP, HTTPS, RDP (3389), SSH (22) and 4040. NOTE(review): bundling the remote-administration ports with the web ports means every host that needs 80/443 also gets 3389 and 22 exposed; split them into separate aliases and publish the administration ports only where required. -->
<alias>
<name>INDMAports</name>
<address>80 443 3389 22 4040</address>
<descr/>
</alias>
</aliases>
<proxyarp/>
<wol/>
<!-- Installed add-on packages (only iperf) and the last recorded config revision. NOTE(review): the package metadata points at plain-http URLs (website, config_file, depends_on_package_base_url); if the package manager fetches them as written, nothing protects the download in transit (confirm). iperf is marked ALPHA and registers a service on the firewall; remove it once bandwidth testing is finished. -->
<installedpackages>
<package>
<name>iperf</name>
<website>http://dast.nlanr.net/Projects/Iperf/</website>
<descr>Iperf is a tool for measuring maximum TCP and UDP bandwidth, reminiscent of ttcp and nettest. It has been written to overcome the shortcomings of those aging tools. Iperf can also test UDP bandwidth, loss, and jitter.</descr>
<category>Network Management</category>
<config_file>http://www.pfsense.com/packages/config/iperf.xml</config_file>
<depends_on_package_base_url>http://ftp13.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/All</depends_on_package_base_url>
<depends_on_package>iperf-2.0.2.tbz</depends_on_package>
<version>2.0.2</version>
<status>ALPHA</status>
<required_version>1.0</required_version>
<configurationfile>iperf.xml</configurationfile>
</package>
<menu>
<name>iperf</name>
<tooltiptext>Run iperf in client or server mode.</tooltiptext>
<section>Diagnostics</section>
<configfile>iperf.xml</configfile>
</menu>
<service>
<name>iperf</name>
<executable>iperf</executable>
</service>
</installedpackages>
<!-- Last change record; time is presumably Unix epoch seconds, which would be 2006-12-12 UTC. -->
<revision>
<description>/interfaces_assign.php made unknown change</description>
<time>1165903205</time>
</revision>
<!-- Proxy-ARP virtual IPs: the public addresses that the port forwards in the nat section translate from. Each entry is a single /32. -->
<virtualip>
<vip>
<mode>proxyarp</mode>
<interface>wan</interface>
<descr>FTPSERVERtwt</descr>
<type>single</type>
<subnet_bits>32</subnet_bits>
<subnet>206.80.2.3</subnet>
</vip>
<!-- NOTE(review): bound to interface opt2, which the interfaces section does not define, and no nat rule uses 69.38.209.141. Presumably a leftover from a second uplink; confirm and remove if unused. -->
<vip>
<mode>proxyarp</mode>
<interface>opt2</interface>
<descr>FTPSERVERtowerstream</descr>
<type>single</type>
<subnet_bits>32</subnet_bits>
<subnet>69.38.209.141</subnet>
</vip>
<vip>
<mode>proxyarp</mode>
<interface>wan</interface>
<descr>CORPORATEtwt</descr>
<type>single</type>
<subnet_bits>32</subnet_bits>
<subnet>206.80.2.11</subnet>
</vip>
<vip>
<mode>proxyarp</mode>
<interface>wan</interface>
<descr>CORPORATE2twt</descr>
<type>single</type>
<subnet_bits>32</subnet_bits>
<subnet>206.80.2.12</subnet>
</vip>
<vip>
<mode>proxyarp</mode>
<interface>wan</interface>
<descr>ALPHA1twt</descr>
<type>single</type>
<subnet_bits>32</subnet_bits>
<subnet>206.80.2.13</subnet>
</vip>
<vip>
<mode>proxyarp</mode>
<interface>wan</interface>
<descr>CORPORATE4twt</descr>
<type>single</type>
<subnet_bits>32</subnet_bits>
<subnet>206.80.2.14</subnet>
</vip>
<vip>
<mode>proxyarp</mode>
<interface>wan</interface>
<descr>CORPORATE5twt</descr>
<type>single</type>
<subnet_bits>32</subnet_bits>
<subnet>206.80.2.15</subnet>
</vip>
<vip>
<mode>proxyarp</mode>
<interface>wan</interface>
<descr>CORPORATE7twt</descr>
<type>single</type>
<subnet_bits>32</subnet_bits>
<subnet>206.80.2.17</subnet>
</vip>
<vip>
<mode>proxyarp</mode>
<interface>wan</interface>
<descr>INDMA1twt</descr>
<type>single</type>
<subnet_bits>32</subnet_bits>
<subnet>206.80.2.31</subnet>
</vip>
<vip>
<mode>proxyarp</mode>
<interface>wan</interface>
<descr>INDMA2twt</descr>
<type>single</type>
<subnet_bits>32</subnet_bits>
<subnet>206.80.2.32</subnet>
</vip>
<vip>
<mode>proxyarp</mode>
<interface>wan</interface>
<descr>G5SERVERtwt</descr>
<type>single</type>
<subnet_bits>32</subnet_bits>
<subnet>206.80.2.4</subnet>
</vip>
<vip>
<mode>proxyarp</mode>
<interface>wan</interface>
<descr>CORPORATE6twt</descr>
<type>single</type>
<subnet_bits>32</subnet_bits>
<subnet>206.80.2.16</subnet>
</vip>
<!-- NOTE(review): 206.80.2.76 lies outside the wan /26 (206.80.2.0 through 206.80.2.63) and no nat rule refers to it; the descr suggests an old address. Confirm and remove if it is no longer routed here. -->
<vip>
<mode>proxyarp</mode>
<interface>wan</interface>
<descr>oldIPtwt</descr>
<type>single</type>
<subnet_bits>32</subnet_bits>
<subnet>206.80.2.76</subnet>
</vip>
<vip>
<mode>proxyarp</mode>
<interface>wan</interface>
<descr>CORPORATE8twt</descr>
<type>single</type>
<subnet_bits>32</subnet_bits>
<subnet>206.80.2.18</subnet>
</vip>
<vip>
<mode>proxyarp</mode>
<interface>wan</interface>
<descr>CORPORATE9twt</descr>
<type>single</type>
<subnet_bits>32</subnet_bits>
<subnet>206.80.2.19</subnet>
</vip>
<vip>
<mode>proxyarp</mode>
<interface>wan</interface>
<descr>CORPORATE10twt</descr>
<type>single</type>
<subnet_bits>32</subnet_bits>
<subnet>206.80.2.20</subnet>
</vip>
</virtualip>
</pfsense>