Can ping server in different subnet, but not RDP or browse shared drives


Darkytoo

Member
Jan 2, 2014
106
4
18
I have a really odd problem. I have a separate subnet that contains all the servers; all but two of them I can browse with no problem and RDP into. There are two servers that I can ping, but cannot RDP or browse into. If I move them to the same subnet as my workstation, it works fine, and if I move my workstation to the same subnet, it works fine also. But here is where it gets REALLY odd.

1. Some servers on the different subnet CAN browse and RDP into them, both physical and virtual
2. If I change their static IP, or switch them from static to DHCP, they work fine for an hour or two, but then once again I can no longer RDP or browse them, but can still ping them.

Any ideas? I have pfSense with Snort running as my router, but I see no firewall blocking alerts, I see no errors in the event log on either machine, both servers have their firewalls turned off, and the IPs do not conflict with anything else. I'm suspecting either a Windows update or some odd issue with pfSense, but rebooting pfSense and the switches does not fix the issue.
 

j_h_o

Active Member
Apr 21, 2015
644
179
43
California, US
1. You're sure the firewall is off? Confirm the network type and set it to Private.
PS > Get-NetConnectionProfile
InterfaceAlias : vEthernet (LAN-01)
InterfaceIndex : 30
NetworkCategory : Public
PS > Set-NetConnectionProfile -InterfaceIndex 30 -NetworkCategory Private

2. Usually the network is detected as "Public Network" and Remote Desktop isn't enabled for public connectivity. If you're connecting from a different subnet, I think it needs to accept traffic from Public.

3. Is the subnet mask set correctly on all the servers?
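As an added example (not from this thread or any poster), a PowerShell check that walks through the points above on the server itself and then compares a ping with a TCP connect to the RDP and SMB ports from the workstation; $ServerName is a placeholder for the host that answers ping but not RDP.

```powershell
# Added diagnostic, not from the thread. Sections 1-4 run on the server that can
# be pinged but not reached over RDP/SMB; section 5 runs from the workstation.
# $ServerName is a placeholder, not a real host from the thread.
param(
    [string]$ServerName = 'SERVER-PLACEHOLDER'
)

# 1. Network category per connected interface (Public / Private / DomainAuthenticated).
Write-Host "== Network connection profiles =="
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, InterfaceIndex, NetworkCategory, IPv4Connectivity |
    Format-Table -AutoSize

# 2. Firewall state per profile. "Firewall off" in the GUI can mean only one profile
#    is off; the profile that actually applies is the one matching NetworkCategory above.
Write-Host "== Firewall profiles =="
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction |
    Format-Table -AutoSize

# 3. Inbound rules for RDP and file sharing and the profiles they are scoped to.
#    A rule limited to Domain/Private silently drops traffic once the adapter is
#    classified Public, while ICMP echo may still be allowed, so ping keeps working.
Write-Host "== Inbound RDP / SMB rules =="
Get-NetFirewallRule -DisplayGroup 'Remote Desktop', 'File and Printer Sharing' -Direction Inbound |
    Select-Object DisplayName, Enabled, Profile, Action |
    Format-Table -AutoSize

# 4. Confirm the RDP (3389) and SMB (445) listeners are actually bound.
Write-Host "== Listening on TCP 3389 / 445 =="
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 3389, 445 } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# 5. Client side: compare ICMP with a TCP handshake on each service port.
#    PingSucceeded=True together with TcpTestSucceeded=False is exactly the
#    symptom described in the thread and points at filtering, not routing.
Write-Host "== Client-side reachability to $ServerName =="
foreach ($port in 3389, 445) {
    $r = Test-NetConnection -ComputerName $ServerName -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port             = $port
        PingSucceeded    = $r.PingSucceeded
        TcpTestSucceeded = $r.TcpTestSucceeded
        RemoteAddress    = $r.RemoteAddress
    }
}
```

Run sections 1-4 in an elevated prompt on the server and section 5 from the workstation on the other subnet; if the TCP test fails while ping succeeds, check the active profile and the rule scoping before looking at the router.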
 

coolrunnings82

Active Member
Mar 26, 2012
407
92
28
Do you have jumbo frames enabled anywhere? I've had that issue before... Also, does pfSense have any blocking rules on traffic between interfaces?
 

j_h_o

Active Member
Apr 21, 2015
644
179
43
California, US
I've also had this problem before with pfSense NAT rules. Do you have automatic NAT rule generation enabled, or do you have the appropriate rule to route/NAT traffic between subnets?
 

Darkytoo

Member
Jan 2, 2014
106
4
18
All firewalls are off. I did see that somehow the LAN connection was set to "public" instead of "domain". I restarted the NLA service and that fixed that problem, but still no network browsing or RDP for both servers. I did have jumbo packets set on one of them; that seemed to make no difference either. I do have the correct traffic rules to go between them. As far as "automatic NAT rules", those shouldn't apply since I'm having the issue with internal networks, not external, correct? What is really weird is it will work fine for a few minutes after changing the IP, but then it will stop working except for ping. Could it be an issue with the LAGG group? It's just so odd that only 2 servers are affected. I had read about some Windows update that had caused issues with authentication across subnets; could that maybe be the issue?
 
Jan 4, 2014
89
13
8
Could very well be a LAGG issue. Make sure, if you are using LACP, that both interfaces come up as 1. Check the ARP table.
Easily tested by disabling 1 of the 2 interfaces.
 

Darkytoo

Member
Jan 2, 2014
106
4
18
So it appears I fixed this issue, but I threw a bunch of things at it at once. I have my suspicions:
1. I re-created the LAGG groups, but this time I set the tags on the ports themselves, not on the LAGG groups in the switch.
2. I logged into the pfSense console and saw 9k mbuf warnings; I had increased the mbuf but not the 9k. That did not fix it, so:
3. I reloaded pfSense from scratch, this time turning off flow control, increasing all mbufs to the recommended size and turning on the hardware offloading.

This seems to have fixed the issue. I still have no idea why only some servers had the issue, but so far everything seems to be fixed. I think #1 was the main issue, but everything seems to work better now. Speed is still not quite what I would think would be possible, but that's OK as long as everything works.