Asymmetric routing? How do I deal with that?
-
Hi,
I have a question.
I have a setup like this one:
It's a website behind the firewall.
On pfSense I have a static route to the Squid cluster through the 172.16.3.4 interface.
The way it works is that the DNS (outside) is pointing the users to the Virtual IP on the Alteon, which then redirects them to the least busy Squid.

Now, I noticed that some of the legit traffic from both sides (WAN and OPT1) is being blocked by the default deny rule of the firewall.
I then read that I should check the "Bypass firewall rules for traffic on the same interface" box, but it didn't help. I still see the blocked traffic.
So first of all, my questions are:
Is this actually the case of asymmetric routing?
Do I have to set it up differently?
Will it be better to make the Alteon transparent, i.e. have only one subnet on OPT1?
And will the "no state" option in the rule help me? And if it will, won't it cancel the point of having the firewall, because I'd have to insert it into the main rule which handles 95% of the traffic?

Another question is how does the current situation affect the pfSense CPU load? In the log I see about 25 legit blocked entries per second when there's regular traffic. I understand that in peaks (x8) that would be about 200/sec. I have about 10 rules on each interface. How bad is that?
Thanks.
-
Doesn't appear you have asymmetric routing in that scenario (unless something is missing from the diagram). You could easily just be seeing normal out of state traffic, this:
http://doc.pfsense.org/index.php/Logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection,_why%3F

Which is common for web hosting environments with a lot of traffic. Though to know for sure you'll need to get packet captures of the traffic and correlate with the logs. It won't have any impact on your system; if it's not causing problems it's safe to ignore.
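An added example, not part of either post, for the triage the reply recommends before reaching for packet captures. pf is stateful and only creates a state entry on the SYN of a TCP connection, so a blocked packet that carries ACK, FIN or RST but no SYN is a packet from a connection whose state has already expired or been closed (the out-of-state case the linked doc describes), while a blocked SYN is a genuine policy block that would need a pass rule if the traffic is legitimate. The script below sorts pfSense firewall log entries by that criterion. It assumes the filterlog CSV line layout (rule number, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4 header fields, then the TCP fields); the log lines are constructed samples, not from the poster's system.

```python
"""Sort pfSense 'block' log entries into new-connection blocks versus
out-of-state packets, using the TCP flags field.

Assumption (not from the thread): lines follow the pfSense filterlog CSV
layout. Only IPv4/TCP entries are classified; other protocols are counted
as 'other' and IPv6 entries are left unclassified because their header
fields are laid out differently.
"""
from collections import Counter
import re

# Constructed sample lines; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar  1 10:00:01 pfsense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,63,4321,0,DF,6,tcp,40,203.0.113.10,198.51.100.5,50123,80,0,A,123456789,987654321,1024,,
Mar  1 10:00:01 pfsense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,63,4322,0,DF,6,tcp,40,203.0.113.10,198.51.100.5,50123,80,0,FA,123456790,987654321,1024,,
Mar  1 10:00:02 pfsense filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,64,1111,0,none,6,tcp,52,172.16.3.4,198.51.100.5,443,34567,0,R,2222,0,0,,
Mar  1 10:00:02 pfsense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,51,7777,0,DF,6,tcp,60,192.0.2.77,198.51.100.5,40000,22,0,S,3333,0,65535,,mss;sackOK
Mar  1 10:00:03 pfsense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,8888,0,none,17,udp,60,192.0.2.9,198.51.100.5,5353,5353,40
"""

LINE_RE = re.compile(r"filterlog: (.*)$")


def parse_entry(line):
    """Return a dict of the fields we need from one filterlog line,
    or None when the line is not a filterlog line at all."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    entry = {"interface": f[4], "action": f[6], "direction": f[7], "ipver": f[8]}
    if f[8] != "4":
        return entry  # IPv6 layout differs; leave unclassified
    entry["proto"] = f[16]            # protocol text: tcp, udp, icmp, ...
    entry["src"], entry["dst"] = f[18], f[19]
    if f[16] == "tcp":
        entry["sport"], entry["dport"] = f[20], f[21]
        entry["flags"] = f[23]        # e.g. S, A, PA, FA, R
    return entry


def classify(entry):
    """new-connection: SYN without ACK, i.e. a real policy block.
    out-of-state: any other TCP flag combination; no state entry existed."""
    if entry is None or entry.get("action") != "block":
        return "not-a-block"
    if entry.get("proto") != "tcp":
        return "other"
    flags = entry["flags"]
    if "S" in flags and "A" not in flags:
        return "new-connection"
    return "out-of-state"


def summarize(log_text):
    """Count entries per class and list the out-of-state flows, so the
    noisy flows can be matched against a packet capture afterwards."""
    counts = Counter()
    by_flow = Counter()
    for line in log_text.splitlines():
        e = parse_entry(line)
        kind = classify(e)
        counts[kind] += 1
        if kind == "out-of-state":
            by_flow[(e["src"], e["dst"], e["dport"], e["flags"])] += 1
    return counts, by_flow


if __name__ == "__main__":
    counts, flows = summarize(SAMPLE_LOG)
    for kind, n in sorted(counts.items()):
        print(f"{kind:16s} {n}")
    for (src, dst, dport, flags), n in flows.most_common():
        print(f"out-of-state  {src} -> {dst}:{dport} flags={flags} x{n}")
```

Feed it `clog /var/log/filter.log` output on a 2.2-era box (or the exported firewall log) and look only at the `new-connection` bucket when deciding whether a rule is missing; the `out-of-state` bucket is the noise the reply says is safe to ignore, and its per-flow listing gives you the addresses and ports to filter on when you do take a capture to confirm.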
-
ok, thanks a lot!