Hi guys, I have a weird problem going on in one of my PFSense boxes, and I would really appreciate your insight into the problem. To give you a heads up, when I run the box for a couple of days with VLAN trunking, there comes a moment when the machine starts closing up access and eventually prohibits all traffic through it. What I mean by prohibiting is that although I have permit any/any rules on an interface, I can only ping from the PFSense to the client machine, but I can't ping from the client machine to the PFSense. I can even reboot the machine and everything will stay the same from the moment that access was blocked.
Now for the story: I've been setting up a new PFSense box with 5 interfaces, two WANs and 3 LANs, in such a way that I can send traffic out the two providers and maintain control between the LANs. One LAN is for admin staff, one is for guests and the other is for guests over a wireless connection, with a captive portal for access control. The machine I was given to accomplish the task actually only has 3 PCI slots, so if I use the onboard ethernet controller, I have only 4 network interfaces. The first solution I tried was using a USB network card, but that proved too unstable, and you guys helped me by recommending to stick to 3Com and Intel for production purposes. What I decided to do, since I was putting in new switches that support trunking, was to use that feature in the PFSense box and use only a couple of interfaces. Since the onboard interface uses the "vr" network driver, which doesn't support trunking, I installed a 3Com 509 SOHO board (xl driver) to accomplish the trunking.

The way I set up the VLANs was like this:

VLAN1: Administrative Network
VLAN2: Guests Wired Network
VLAN3: Guests Wireless Network
VLAN10: Provider 1
VLAN11: Provider 2

I used the onboard NIC for the admin network, and the 3Com NIC for all the other networks, both connected to the same switch, but the onboard NIC was connected to an "access" or "untagged" port while the 3Com NIC was connected to a trunk or tagged port. I was having problems getting the box to accept any traffic, and I was seeing some of the VLAN traffic come in through the xl0 interface (the 3Com card), which was being blocked, so I decided to add VLAN1 to the 3Com NIC. After I did that, everything worked fine: I could ping the firewall from the clients and vice versa and route the traffic as expected. I did not configure the two providers, as that was part of the next step of the project, but I did enable advanced NAT and set up the rules for each subnet.
I proceeded to configure all the firewall rules, captive portal, dynamic DNS update client, PPTP server and DHCP server and did some tests, and everything worked fine. I rebooted the firewall just to make sure and everything kept on working. After about 4 or 5 days, the system blocked access just like when I had the VLAN1 problem, and there was no way of getting it to work again; rebooting the PFSense box or changing rules led to no change, and I eventually had to remove the box from production.

Seeing the symptoms, I have several hypotheses that I wanted to share with you:

+ The firewall is seeing duplicate frames coming in from interface vr0 and VLAN1 and it's confusing PF or looking like a DoS or something. I have no way of blocking VLAN1 traffic from appearing on the switch trunk port connected to the 3Com NIC, so my next test, if you think it's worthwhile, is to disconnect the vr0 NIC and try routing all traffic through the 3Com card.

+ There is something going on with the NAT. Seeing as I can only ping firewall->client and not client->firewall, I thought this might have something to do with NAT, or maybe I have used advanced NAT inappropriately. Currently my mappings are:
  VLAN1: 192.168.1.0/24 -> outbound NAT out default interface
  VLAN2: 10.1.25.0/24 -> outbound NAT out default interface
  VLAN3: 10.1.26.0/24 -> outbound NAT out default interface
  VLAN4: this is the default interface for NAT, gets its address via DHCP
  VLAN5: this is the alternate WAN connection, hasn't been set up but works via static IP, there aren't any rules that use it yet.

+ Maybe there is something in the switch that is seeing traffic come back from the PFSense box that it considers a loop, and it shuts down some forwarding considering it's a spanning tree loop.

+ There might be a bug in the vr driver which is causing the instability.

I can send you the config backups if you'd like to take a look at them.
I would also like to help if I can with the VLAN documentation; I have a lot of experience with the switch side of the connections but not the PFSense/BSD side. I really appreciate you taking the time to read this, any insight or suggestions are super welcome! Thank you all!

Esteban Zarikian
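An added example (not from the original post) for testing the first hypothesis above, that the same hosts reach PF both untagged on vr0 and tagged as VLAN 1 on the xl0 trunk. It assumes two captures taken on the box with `tcpdump -e -nn -i vr0` and `tcpdump -e -nn -i xl0`; the capture lines embedded below are constructed sample data, and the interface names and MACs are assumptions.

```python
import re
from collections import defaultdict

# One `tcpdump -e -nn` line: timestamp, src MAC > dst MAC, then either an
# 802.1Q header carrying the VLAN id or a plain ethertype for untagged frames.
FRAME_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}),"
    r" ethertype (?:802\.1Q \(0x8100\), length \d+: vlan (?P<vlan>\d+),"
    r" p \d+, ethertype )?(?P<proto>\w+)"
)

# Constructed sample captures (not real data): the same host MAC reaches the
# firewall untagged on vr0 and again tagged as VLAN 1 on the xl0 trunk.
VR0_CAPTURE = """\
10:00:01.000001 00:0c:29:aa:bb:cc > 00:50:da:11:22:33, ethertype IPv4 (0x0800), length 98: 192.168.1.10 > 192.168.1.1: ICMP echo request, id 7, seq 1, length 64
10:00:01.000002 00:0c:29:dd:ee:ff > 00:50:da:11:22:33, ethertype IPv4 (0x0800), length 98: 192.168.1.11 > 192.168.1.1: ICMP echo request, id 8, seq 1, length 64
"""
XL0_CAPTURE = """\
10:00:01.000003 00:0c:29:aa:bb:cc > 00:50:da:11:22:33, ethertype 802.1Q (0x8100), length 102: vlan 1, p 0, ethertype IPv4, 192.168.1.10 > 192.168.1.1: ICMP echo request, id 7, seq 1, length 64
10:00:01.000004 00:0c:29:12:34:56 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 64: vlan 2, p 0, ethertype ARP, Request who-has 10.1.25.1 tell 10.1.25.20, length 46
"""

def parse_frames(iface, text):
    """Yield (iface, vlan_id_or_None, src_mac, proto) for each parsable line."""
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # skip truncated or non-frame lines
        vlan = int(m.group("vlan")) if m.group("vlan") else None
        yield iface, vlan, m.group("src").lower(), m.group("proto")

def find_duplicate_paths(captures):
    """captures maps capture interface -> tcpdump text. Returns, for every
    source MAC that arrives over more than one (interface, VLAN) path, the
    sorted list of those paths; an empty dict means no duplicate ingress."""
    paths_by_mac = defaultdict(set)
    for iface, text in captures.items():
        for _, vlan, src, _ in parse_frames(iface, text):
            paths_by_mac[src].add((iface, vlan))
    return {
        mac: sorted(paths, key=lambda p: (p[0], -1 if p[1] is None else p[1]))
        for mac, paths in paths_by_mac.items() if len(paths) > 1
    }

if __name__ == "__main__":
    dups = find_duplicate_paths({"vr0": VR0_CAPTURE, "xl0": XL0_CAPTURE})
    for mac, paths in dups.items():
        print(f"{mac} enters the firewall via {paths}")  # duplicate ingress
```

A MAC listed with both a `("vr0", None)` and an `("xl0", 1)` path is a host whose frames enter the box twice, once per link, which is the condition the first hypothesis describes.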
