Routing issue…
-
Hi All,
I have an issue with routing in pfsense 2.01
I have a Cisco ASA acting as the DG for 2 pfsense fw's who deal with LAN and DMZ traffic.
On the LAN PF fw I have a 3rd network which links it to the DMZLINK network (the network between the ASA and the DMZ FW) The DG for the LAN PF fw is the LANLINK on the ASA. There is a static route showing that the DMZ Network is behind the the DMZ PF fw via the DMZLINK network.
On the DMZ PF fw its DG is the DMZLINK on the ASA. There is a static route showing that the LAN Network is behind the LAN PF fw via the DMZLINK Network.
Deal is here there is a proxy server in the DMZ, when I try and hit the webserver based in the LAN, it works perfectly. When I try and hit the DMZ box (in anyway) from the LAN server, it routes the SYN ACK to the ASA via the DMZLINK…
So it works from DMZ to LAN, but not the other way round.
If i create a brand new network that is not part of this DMZNET link, it works perfectly. I raised a bug because it seemed to me that it appears to be ignoring routing on SYN ACK when the route specified also coincided with the same network the DG was on... Was told this was a config issue, but am unsure where/what this would be.
Any help gratefully received.
R
-
Sorry, forgot to attach an image to describe the wall of text… (not sure which one is/isn't working)
To re state: DMZ to LAN works fine and is obeying the static routes.
LAN to DMZ - SYN packet gets to the DMZ server, the ACK packet then gets routed via the DMZLINK DG (the ASA) which appears to ignore the routing setup on the pfsense fw.R
-
The diagram helps but I'm still confused about some things.
1. What is CUSTLAN10.1xx.20.1? is that an OPT interface on the first pfsense? If so, what is its mask?
2. You show that pfsense2 has a static route of 10.1xx.20.x via 10.100.23.114. What is the mask of that network according to that route?
3. What is the IP address of the LAN host and DMZ host that you are using to test this?
4. Is either pfsense performing outbound NAT? -
Heya, thanks for the response.
1. LANLINK = OPT1, DMZLINK = WAN and CUSTLAN = LAN. all are /24.
2. a /24
3. (In all my tests doesn't matter which I used) 10.101.20.10.
4. No nat on either pfsense.R
-
Well I can't tell you why specifically you're seeing the behaviour you describe, but I will say that pfsense makes some assumptions about the interfaces that you designate as WAN and LAN. In your case I would recommend swapping your WAN and LAN, as it is more conventional to use the WAN for the default route and LAN for static routes.
-
You likely need to disable reply-to.
Well I can't tell you why specifically you're seeing the behaviour you describe, but I will say that pfsense makes some assumptions about the interfaces that you designate as WAN and LAN. In your case I would recommend swapping your WAN and LAN, as it is more conventional to use the WAN for the default route and LAN for static routes.
That's not true in 2.x, doesn't matter.
-
Thanks CMB!
That seems to have sorted it… was starting to drive me insane :)
Perhaps something needs to pop up/check that when you put a static rule against the same DG network it says "You need to do this..." or something :)
Anyways, thanks a lot!