Having another issue with the lab setup below. The pfSense firewall in Lab 8 was the only one in my environment that I didn't personally set up. I configured it - but the lab system admins in lab 8 did the initial install.
I've set up a matrix of firewall rules so that any traffic is allowed from any of the internal subnets to any of the other internal subnets, i.e. any protocol allowed from subnet 1 to subnet 2, subnet 3 to subnet 2, subnet 4 to subnet 2, subnet 2 to subnet 1, subnet 3 to subnet 1, etc. Each subnet can see the backbone fine - and the firewall can ping hosts in each of the subnets - but hosts in one subnet cannot ping hosts in any of the other subnets. The firewall rules are all straightforward and look fine, but traffic is not passing between any of the internal zones. It's almost as if routing were not functioning. I don't see anything related in the logs. Could the lab admins have done something during the initial install to cause this? Is there any way to correct it short of re-installing everything?

Thanks,
Eric

----- "Eric Baenen" <[EMAIL PROTECTED]> wrote:
> Given the setup described below - the 8th lab has an unusual setup.
> There are six NICs in their pfSense firewall - one for WAN and five
> for five separate laboratory subnets. Each of the lab subnets is on
> an odd IP space that cannot be changed because of some old legacy
> applications that are hard-coded.
>
> Lab 8 - example
> internal subnet 1 (LAN): 192.168.100.x
> internal subnet 2 (Optional 1): 65.0.100.x
> internal subnet 3 (Optional 2): 65.0.200.x
> internal subnet 4 (Optional 3): 65.0.100.x
> internal subnet 5 (Optional 4): 100.100.100.x
>
> I need to create IPSEC VPNs so that each of these subnets can see the
> 'services core' and the reverse, the core can see each of these
> subnets.
>
> I originally tried setting up five separate IPSEC VPN channels between
> the core firewall and the lab 8 firewall - each one assigned to a
> separate subnet in Lab 8 - but none of them worked. Based on the
> IPSEC VPN log entries it seemed the firewall was getting confused
> about which key to use with which channel. All of the VPN links had
> the same local and remote gateways.
>
> When I disabled all but the VPN channel between the core subnet and
> 192.168.100.x - that link came up and works fine. Activate a second
> and neither works.
>
> Any suggestions? What about creating additional virtual addresses on
> the WAN adapter and assigning each VPN channel to its own virtual
> address? Or create a single VPN to 192.168.100.x and then create
> static routes in the core and lab 8... core gets to lab 8 subnet 2, 3,
> 4, etc. by going through the link to 192.168.100.x?
>
> Thanks,
>
> Eric
>
>
> ----- "Eric Baenen" wrote:
> > Hello,
> >
> > I'm very new to pfSense, but I am very impressed. I've installed it in my
> > environment and everything is working except I'm getting less network
> > throughput than I would have expected and was just wondering if anyone
> > might have some insight into why.
> >
> > My setup and use of pfSense is admittedly out of the ordinary but it does
> > seem to be working fine.
> >
> > I have 8 laboratory facilities on a campus interconnected with a flat gigabit
> > ethernet standalone backbone (i.e. no external access). Each of the
> > laboratories is firewalled off from each other (pfSense firewalls) but
> > maintains a permanent OpenVPN based VPN connection to a centralized
> > 'core' of services (Zimbra for lab-to-lab email/webmail, OpenFire jabber
> > IM server, Apache/TikiWiki web/collaboration, BackupPC centralized
> > backup server, centralized file server, OSSIM security monitor, etc.). In the
> > near future we will configure individual lab to lab VPN connections to
> > facilitate collaboration, resource sharing, etc.
> >
> > Seven of the labs connected have the following setup.
> >
> > lab machines/servers - lab gigabit switch - pfSense firewall - backbone
> > gigabit switch
> >
> > The pfSense firewalls are all Dell 2.6GHz GX270s with 512MB RAM, an
> > on-board gigabit port, and a second Intel Pro 1000 gigabit NIC. Both
> > ports in each of the firewalls appear to be running at 1000base full duplex.
> >
> > The 8th lab setup is a bit goofy - it's not currently connected and will
> > be the subject of a follow-up email to this list.
> >
> > The VPN connections from each lab to the core are OpenVPN, UDP,
> > shared key, AES 128bit (for now), LZO compression enabled.
> >
> > Each lab network is on a unique IP space - for example:
> >
> > Lab 1: 192.168.10.0/24
> > Lab 2: 192.168.15.0/24
> > Lab 3: 192.168.20.0/24
> > Lab 4: 192.168.25.0/24
> > Lab 5: 192.168.30.0/24
> > Lab 6: 192.168.35.0/24
> > Lab 7: 192.168.40.0/24
> >
> > Core: 192.168.250.0/24
> >
> > I'm not sure if this is the right, best or most efficient way to set up the
> > VPNs but based on the instructions on the pfSense site I set up a separate
> > OpenVPN tunnel for each lab...
> >
> > Lab 1: port 1191 on the Core pfSense firewall (vpn subnet: 192.168.249.0/24)
> > Lab 2: port 1192 on the Core pfSense firewall (vpn subnet: 192.168.248.0/24)
> > Lab 3: port 1193 on the Core pfSense firewall (vpn subnet: 192.168.247.0/24)
> > Lab 4: port 1194 on the Core pfSense firewall (vpn subnet: 192.168.246.0/24)
> > Lab 5: port 1195 on the Core pfSense firewall (vpn subnet: 192.168.245.0/24)
> > Lab 6: port 1196 on the Core pfSense firewall (vpn subnet: 192.168.244.0/24)
> > Lab 7: port 1197 on the Core pfSense firewall (vpn subnet: 192.168.243.0/24)
> >
> > As I said before - all is working fine - except: when doing rsyncs over
> > ssh/scp from the lab machines to the services core, I'm seeing a maximum
> > sustained throughput of around 60Mbps. With gigabit end to end - even
> > with the AES encryption overhead of the OpenVPN connection and the scp
> > encryption overhead of the file transfer, I would have expected higher
> > throughput than this. The sending machines and the receiving server are
> > not showing high CPU load so I don't think the encryption is the issue.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
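Added example, not part of the thread above: the Lab 8 interface list assigns 65.0.100.x to both Optional 1 and Optional 3, and a firewall can only hold one connected route for a given prefix. This Python check, which assumes /24 prefixes for the subnets the thread writes as ".x", flags overlapping interface networks, shows which interfaces tie for a destination's route, and lists subnets that lie outside RFC 1918 private space.

```python
import ipaddress
from itertools import combinations

# Lab 8 interface assignments as listed in the thread. The thread writes them
# as "65.0.100.x"; the /24 prefix length is an assumption made for this example.
LAB8_INTERFACES = {
    "LAN (subnet 1)": "192.168.100.0/24",
    "OPT1 (subnet 2)": "65.0.100.0/24",
    "OPT2 (subnet 3)": "65.0.200.0/24",
    "OPT3 (subnet 4)": "65.0.100.0/24",
    "OPT4 (subnet 5)": "100.100.100.0/24",
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _networks(interfaces):
    return {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in interfaces.items()}

def find_overlaps(interfaces):
    """Every pair of interfaces whose connected networks overlap (not only exact duplicates)."""
    nets = sorted(_networks(interfaces).items())
    return [(a, b, str(na), str(nb)) for (a, na), (b, nb) in combinations(nets, 2) if na.overlaps(nb)]

def candidate_interfaces(interfaces, dst_ip):
    """Longest-prefix match of dst_ip against the connected routes.

    Returns every interface that ties for the longest prefix. One name is an
    unambiguous route; several names mean the routing table can hold only one
    of them, so hosts behind the other interface(s) are unreachable by routing."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [(net.prefixlen, name) for name, net in _networks(interfaces).items() if dst in net]
    if not matches:
        return []
    best = max(plen for plen, _ in matches)
    return sorted(name for plen, name in matches if plen == best)

def non_rfc1918(interfaces):
    """Interfaces whose subnet lies outside RFC 1918 private space."""
    return sorted(name for name, net in _networks(interfaces).items()
                  if not any(net.subnet_of(block) for block in RFC1918))

if __name__ == "__main__":
    for a, b, na, nb in find_overlaps(LAB8_INTERFACES):
        print(f"overlap: {a} {na} <-> {b} {nb}")
    print("route ties for 65.0.100.20:", candidate_interfaces(LAB8_INTERFACES, "65.0.100.20"))
    print("outside RFC 1918:", non_rfc1918(LAB8_INTERFACES))
```

Run it against the interface list of any pfSense box showing "routing not working" symptoms; a pair reported by find_overlaps is the first thing to rule out before touching firewall rules.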
