Netgate SG-1000 microFirewall

Topic: SSH to LAN disconnects

beefer
SSH to LAN disconnects
« on: January 18, 2018, 07:05:24 am »
Hi,

I'm new to pfsense so forgive me my noobiness. I have two APs that are running hostapd (Lede) with pfsense FreeRadius server. I have 5 vlans configured for different radius users so the APs drop users in the proper VLAN. Each AP gets dhcp addresses for LAN and every VLAN it drops clients to (which I figured is ok?). Now whenever I connect to the APs with SSH the connection gets killed after roughly 20-30 seconds. I've seen on serverfault that this might be caused by 'multi-homed' systems and 'asymmetric routing' - being a noob I only figured that having an AP on several vlans might be a 'multi-homed' AP. I have no idea what network mask might have to do with this, but here are my networks:
  • 192.168.2.0/24 - LAN
  • 192.168.3.0/29 - ADMIN
  • 192.168.6.0/24 - home wifi
  • (192.168.7.0 and up to 192.168.9.0/24)

Setting firewall to 'conservative' makes the problem less annoying since the disconnect happens after 15 minutes or so. I could live with that, but I'm hungry for knowledge. Can you please help me diagnose the issue? I'm more interested in getting a fishing line instead of a fish ;)

EDIT: don't know if this is relevant, but the AP is bridging wireless clients to each vlan (and is bridging the wifi interface to lan also). I just wanted the AP to be as dumb as possible, so as to control everything centrally from pfsense.

EDIT2: after 15 minutes I can see firewall logs blocking traffic to the AP (192.168.2.9) from ADMIN network (192.168.3.3) - my machine from ADMIN network tries to send tcp ack, but it's rejected by default deny rule ipv4. How come?
« Last Edit: January 18, 2018, 07:43:13 am by beefer »

Harvy66
Re: SSH to LAN disconnects
« Reply #1 on: January 20, 2018, 10:45:27 pm »
Do you have a layer3 switch? It may be doing the routing in one of the directions.

beefer
Re: SSH to LAN disconnects
« Reply #2 on: January 21, 2018, 04:10:56 pm »
I have a managed switch. Thanks for the lead - it now all makes sense :D

JKnott
Re: SSH to LAN disconnects
« Reply #3 on: January 21, 2018, 04:51:46 pm »
Quote from: beefer
    I have a managed switch. Thanks for the lead - it now all makes sense :D

Managed does not necessarily mean layer 3. It just means the switch can be configured for VLANs, etc.

beefer
Re: SSH to LAN disconnects
« Reply #4 on: February 03, 2018, 05:02:24 am »
This definitely has something to do with vlans - when I enabled ssh to be on the same vlan as I connect from, the problem is gone even if I set the firewall to aggressively remove idle connections. The problem now is gone, but I lack the knowledge to debug such an issue. Should I see that the return route is different by taking pcap dumps on both ends of the connection (intuitively - I don't think so)?

beefer
Re: SSH to LAN disconnects
« Reply #5 on: February 03, 2018, 05:11:20 am »
Correct me if I'm wrong - the issue might look like this: I'm connecting to the admin network and land in vlan5. From vlan5 I'm setting up an ssh connection to vlan1 (default tag, untagged). My packets are routed to the AP (both APs below are the same access point) like this:

PC --> AP (vlan5) --> pfSense (vlan5) --> AP (vlan1)

But the return route is from the AP directly to the PC, and pfsense is seeing only half the packets, hence treats them as an idle/broken connection and removes it after a while? So running a packet dump on pfsense should tell me if this really is the case, right?
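The check proposed above (does the firewall see both directions of the SSH flow?) can be scripted against a text capture. This is an added example, not code from the thread or from pfSense: it parses `tcpdump -nn`-style lines (the sample below is constructed, using the thread's addresses 192.168.3.3 for the ADMIN PC and 192.168.2.9 for the AP, plus an assumed host 192.168.6.10 on the home wifi network) and lists flows for which only one direction was captured, which is exactly what an asymmetric return path looks like from pfSense's point of view.

```python
"""Added example (not from the thread): find one-directional TCP flows in a
tcpdump text capture, the signature of an asymmetric return path that leaves
pfSense tracking only half of a connection."""
import re
from collections import defaultdict

# Constructed sample in `tcpdump -nn` text format, assumed to be taken on the
# pfSense VLAN interfaces. 192.168.3.3 = ADMIN PC, 192.168.2.9 = AP (thread
# addresses); 192.168.6.10 is an assumed host on the home wifi network.
SAMPLE_CAPTURE = """\
12:00:00.000001 IP 192.168.3.3.51234 > 192.168.2.9.22: Flags [S], seq 1, win 65535, length 0
12:00:00.000900 IP 192.168.3.3.51234 > 192.168.2.9.22: Flags [.], ack 1, win 65535, length 0
12:00:00.001500 IP 192.168.3.3.51234 > 192.168.2.9.22: Flags [P.], seq 1:22, ack 1, length 21
12:00:01.000000 IP 192.168.3.3.51235 > 192.168.6.10.443: Flags [S], seq 5, win 65535, length 0
12:00:01.000400 IP 192.168.6.10.443 > 192.168.3.3.51235: Flags [S.], seq 9, ack 6, length 0
12:00:01.000800 IP 192.168.3.3.51235 > 192.168.6.10.443: Flags [.], ack 1, win 65535, length 0
"""

# Matches "IP src.sport > dst.dport:" as printed by tcpdump -nn for IPv4/TCP.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def flow_directions(capture_text):
    """Count packets per direction for each flow.

    Flows are keyed by the sorted endpoint pair so that both directions of the
    same connection land in one entry ("fwd" = from the lower endpoint)."""
    counts = defaultdict(lambda: {"fwd": 0, "rev": 0})
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip non-TCP/IPv4 or unparseable lines
        a = (m["src"], int(m["sport"]))
        b = (m["dst"], int(m["dport"]))
        key = (min(a, b), max(a, b))
        counts[key]["fwd" if a == key[0] else "rev"] += 1
    return counts


def one_way_flows(capture_text):
    """Return flows where the capture point saw packets in only one direction."""
    return sorted(
        f"{k[0][0]}:{k[0][1]} <-> {k[1][0]}:{k[1][1]}"
        for k, c in flow_directions(capture_text).items()
        if c["fwd"] == 0 or c["rev"] == 0
    )


if __name__ == "__main__":
    for flow in one_way_flows(SAMPLE_CAPTURE):
        print("one-directional at capture point:", flow)
```

A flow listed here means the reply traffic is taking a path that bypasses the firewall, so its state entry only ever sees one side and is reaped by the state timeout, matching the blocked ACKs seen in the firewall log.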