
The Setup

I have set up pfSense 2.0.1 (64-bit amd64 image) as a host in Hyper-V. As described in other blogs, I had to do the “ifconfig down deX”, “ifconfig up deX” to get the network up and running.

The server (HP running Windows 2008 R2) is equipped with two physical NICs.

  • The first physical NIC (port 1) is not configured in the host (only as Hyper-V switch, see further down).

  • The second physical NIC (port 2) is configured with a network for remote management (standard class C network). I think both NICs are connected to the same switch and VLAN=default (the physical wiring was done by my co-location provider).

In Hyper-V there are the following virtual networks defined:

  • internal: virtual machine internal network used for inter-VM communication (“LAN” connecting the Windows servers).

  • Internet: virtual network used as WAN connection for pfSense. This network is assigned to the first physical NIC (port 1) of the server. The virtual network is dedicated for Hyper-V and is not shared with the host.

In my setup I use pfSense as the Internet facing firewall for a couple of virtual machines (Windows servers) also running on the same Hyper-V host.

The Windows boxes use pfSense as their default gateway, and I successfully downloaded Windows updates to all VMs through the pfSense firewall – working smoothly.

For redirecting incoming services, pfSense is set up with 1-1 NAT to map the ISP's IP addresses to internal 172.16.0.0/16 addresses on the Windows boxes.

The problem

The problem I had is that after working successfully with an RDP connection over the management network (port 2), the connection just dies and all network connectivity to the server and VMs is lost. Before the problem occurred I made two configuration changes.

  1. Moved the management IP address from port 1 to port 2. This change was successfully verified by re-connecting RDP one hour later on the new interface (port 2 as described above).

  2. Did some configurations on the virtual IPs in pfSense (needed for the 1-1 NAT).

Some minutes later the connectivity to the machine was lost.

The thing that puzzles me is that the management network connection (port 2) is supposed to be untouched by Hyper-V, since it is not integrated with Hyper-V. However, there seems to be error propagation from pfSense (using the NIC on port 1).

Earlier today we had a similar problem when using only one NIC (port 1 shared between Hyper-V/pfSense and the host). The problem we had then was that when pfSense was stopped we could ping the host, and when it was started again the ping stopped working (no IP conflict that we know of).

pfSense is installed from the ISO and “MAC Address spoofing” is at its default = off.

Since the problem seems to propagate between the two physical ports, my guess is that this might have something to do with ARP not working correctly.

Any insights or comments on this are very much appreciated.

/ J

  • You did a good job of explaining the problem. But you don't say what changes you made. Can you list the actual (or obfuscated) IP addresses used as virtual and management IPs and the actual changes done in parts #1 and #2? – Andy Shinn Feb 12 '13 at 23:25
  • Are you debugging this locally (same switch for server and your client)? I'm asking because you could be assuming pfSense/Hyper-V are the source of the problem when in fact it could be a firewall/proxy somewhere expiring your stateful connections. Try to be as close as possible to this host and leave tcpdump and Wireshark running on pfSense and Windows, respectively, then check what is happening. Also, since you swapped the interfaces, double check everything in Hyper-V's virtual switch. – Giovanni Tirloni Aug 11 '14 at 18:10
  • Did you activate promiscuous mode on the virtual interface? You'll need to activate that for firewalls: By default, a guest operating system's virtual network adapter only receives frames that are meant for it. Placing the guest's network adapter in promiscuous mode causes it to receive all frames passed on the virtual switch that are allowed under the VLAN policy for the associated portgroup. This can be useful for intrusion detection monitoring or if a sniffer needs to analyze all traffic on the network segment. – MrLightBulp Nov 28 '14 at 14:23
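An added example, not part of the original question or any of the comments: the "leave tcpdump running" check above turned into a small Python script that reads the ARP replies tcpdump prints and flags any IP that is answered by more than one MAC, which is what the poster's ARP suspicion (the host's management IP also being claimed by a pfSense virtual IP) would look like on the wire. The input is constructed sample output in the layout of `tcpdump -n -tt arp` (timestamps and the `ARP, Reply X is-at MAC` form; the `-e` option would change the layout and is not handled); the IP addresses and non-Hyper-V MACs are made up. The only real-world constant is the 00:15:5d OUI, which Hyper-V uses for its dynamically assigned VM MACs, and treating any MAC with that prefix as "a VM adapter" is an assumption that holds only if no static MACs were configured.

```python
"""Flag ARP conflicts (one IP answered by several MACs) in tcpdump ARP output.

Added example; not code from the original post. Feed it the text of
`tcpdump -n -tt -i <if> arp` captured on pfSense or on any host on the
same segment. The sample below is constructed, not a real capture.
"""
import re
from collections import defaultdict

# "1360000001.000000 ARP, Reply 192.0.2.10 is-at 00:15:5d:0a:00:01, length 28"
ARP_REPLY = re.compile(
    r"^(?P<ts>[\d.:]+)\s+ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Hyper-V's OUI for dynamically assigned VM MACs (real value); assumption:
# the pfSense VM's adapter uses a dynamic MAC, so this prefix identifies it.
HYPERV_OUI = "00:15:5d"


def parse_replies(lines):
    """Yield (timestamp, ip, mac) for every ARP reply line; other lines are skipped."""
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def mac_timeline(lines):
    """For each IP, the ordered list of (timestamp, mac) entries at which the
    answering MAC changed. Shows *when* a second station started replying."""
    timeline = defaultdict(list)
    for ts, ip, mac in parse_replies(lines):
        history = timeline[ip]
        if not history or history[-1][1] != mac:
            history.append((ts, mac))
    return dict(timeline)


def find_conflicts(lines):
    """Return {ip: sorted MAC list} for every IP answered by more than one MAC."""
    claims = defaultdict(set)
    for _, ip, mac in parse_replies(lines):
        claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def is_hyperv_mac(mac):
    """True if the MAC falls in Hyper-V's dynamic range (see HYPERV_OUI)."""
    return mac.lower().startswith(HYPERV_OUI)


def report(lines):
    """Summary lines for each conflict, including which claimant looks like a VM."""
    out = []
    timeline = mac_timeline(lines)
    for ip, macs in sorted(find_conflicts(lines).items()):
        vm_macs = [m for m in macs if is_hyperv_mac(m)]
        line = f"CONFLICT {ip}: answered by {', '.join(macs)}"
        if vm_macs:
            line += f" (Hyper-V adapter: {', '.join(vm_macs)})"
        out.append(line)
        for ts, mac in timeline[ip]:
            out.append(f"  {ts} -> {mac}")
    return out


# Constructed sample: 192.0.2.10 plays the host's management IP. It is answered
# by the physical NIC until a second station (a Hyper-V MAC, i.e. the pfSense
# VM after a virtual IP change) starts replying for it too and the two flap.
SAMPLE = """\
1360000001.000000 ARP, Reply 192.0.2.20 is-at 00:1e:0b:aa:bb:01, length 28
1360000002.000000 ARP, Reply 192.0.2.10 is-at 00:1e:0b:aa:bb:02, length 28
1360000030.000000 ARP, Reply 192.0.2.10 is-at 00:1e:0b:aa:bb:02, length 28
1360000061.000000 ARP, Reply 192.0.2.10 is-at 00:15:5d:0a:00:01, length 28
1360000062.000000 ARP, Reply 192.0.2.10 is-at 00:1e:0b:aa:bb:02, length 28
1360000063.000000 ARP, Reply 192.0.2.10 is-at 00:15:5d:0a:00:01, length 28
""".splitlines()

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Running it on the sample prints one CONFLICT line for 192.0.2.10 followed by the four points at which the answering MAC switched, and nothing for 192.0.2.20. On a real capture the interesting output is the first timestamp at which a 00:15:5d MAC appears against an address that is not supposed to live on the VM, which can then be compared with the time of the virtual IP change in pfSense.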

2 Answers


Did you check the Event Viewer on the W2008R2?

Could be due to max TCP connections allowed by Windows: https://technet.microsoft.com/en-us/library/cc759700%28WS.10%29.aspx

pfSense as a software router uses lots of connections which can be opened but not closed, in waiting status and so on. This kind of network use can reach the default limits of the TCP stack, and Windows could close or not allow more connections of this type. The first thing to do in this case is to check the Event Viewer to see if something is reported there.

NetVicious
  • Can you expand on this answer? – BE77Y Feb 17 '15 at 08:51
  • pfSense as a software router uses lots of connections which can be opened but not closed, in waiting status and so on. This kind of network use can reach the default limits of the TCP stack, and Windows could close or not allow more connections of this type. The first thing to do in this case is to check the Event Viewer to see if something is reported there. – NetVicious Feb 17 '15 at 09:00
  • Appreciated - but it'd be most useful as an addition to your answer above. :) – BE77Y Feb 17 '15 at 09:07

This is sounding more like a routing issue between pfSense and the other devices...

If you are using the virtual machines behind pfSense as a firewall, however, you need them on a different subnet than the PCs on the LAN. You may have to bring up an additional interface on pfSense (LAN2, say), then map it in the VM host to a private vSwitch that the other VMs are using. Or even tag the traffic in the vSwitch and have a separate VLAN for it.

I have had to do this many times on VMware. Also, for your 1:1s you may have to add static network route mappings for those, for example. I have seen pfSense get its routing messed up.

That way you have..

INTERNET --> Wan0 --> pfSense --> LAN1 PCs

                      pfSense --> LAN2 Virtual Machines

After that you can control the routing and firewall rules better.

Hope this helps, Cheers...