Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Traffic restriction resulting in hung sessions

    Scheduled Pinned Locked Moved General pfSense Questions
    5 Posts 2 Posters 65 Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T Offline
      techietubby
      last edited by

      I have a PFSense firewall appliance with a LAN address of 10.1.0.100 and a VIP of 10.2.0.100 on the LAGG0 interface. We are in the process of a network migration from 10.1 to 10.2 therefore some Linux hosts have addresses on both subnets, and a D/G of 10.1.0.100, and others have already been migrated to the new subnet.
      Those that have been migrated (including DNS) operate exclusively on 10.2. and use the VIP address without issue, however where a server has its primary address and D/G on 10.1.x, and a VIP of 10.2.x hang after 20 seconds when opening sessions to another host that has been migrated to 10.2.
      I can see that the traffic is being routed across the LAGG0 interface and there doesn't seem to be any error message and so cannot find the cause of the hang. Does anyone have any ideas as to why a session would only hang after it has been established for 20 seconds or more?

      1 Reply Last reply Reply Quote 0
      • stephenw10S Offline
        stephenw10 Netgate Administrator
        last edited by

        You have created asymmetric routes between multihomed hosts and hosts only using the new subnet. Traffic from the migrated devices must go via pfSense and be routed. Traffic the other way can be sent directly. Thus pfSense only sees half the TCP conversation and starts blocking it.
        You can add a fudge rule to pass it but it would be better to not have asymmetric traffic.

        https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html

        T 2 Replies Last reply Reply Quote 0
        • T Offline
          techietubby @stephenw10
          last edited by

          @stephenw10 Many thanks for taking the time to reply and to assist me.

          I tried activating the option but it didn't help.

          1 Reply Last reply Reply Quote 0
          • T Offline
            techietubby @stephenw10
            last edited by

            @stephenw10 I check our firewall and it is very old:

            2.5.1-RELEASE (amd64)
            built on Mon Apr 12 07:50:14 EDT 2021
            FreeBSD 12.2-STABLE

            Is there any idiot's guide showing how I can safely manually add a firewall rule?

            dec703a0-74a4-4a32-89f0-d8637236762e-image.png

            1 Reply Last reply Reply Quote 0
            • stephenw10S Offline
              stephenw10 Netgate Administrator
              last edited by

              You'll need to use the manual firewall rule option with sloppy states and TCP flags set in the advanced rules section like:
              https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html#manual-fix

              You may need to add that as an floating rule with direction any and source/destination values that match traffic both ways between the old and new subnets to be sure.

              But it should be pretty clear from the firewall logs what traffic is actually being blocked.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.