Dealing with asymmetric routes

johnpoz

Can you draw your current setup?

I am not seeing why you have this setup.

CENTER Provider box (Cisco) -> VPN DXX service made by provider
LAN 192.168.0.252

Why is this connected to your lan? Why is your vpn connection not a wan interface?

And I don't see why your trying to route 192.168/16 when your on a subnet of 192.168/16

If you vpn provider gives you an IP 192.168.0.252 on this network with a gateway of 192.168.0.254 to get to other networks.

Here is real simple drawing..

So you have a WAN connection in the 192.168.0/24 network – all your other locations have IPs in this network as well?? Why do you not just route directly to them.. So lets say 10.0.99/24 is at site A, your route on pfsense would say if you want to get to 10.0.99/24 talk to 192.168.0.248

Lets say site B is 10.0.98/24 -- route that says talk to 192.168.0.249 for that network..

Your lan network would not be on the 192.168.0/24 This network is your vpn network..

None of the other locations would have LAN networks on this 192.168.0/24 network - it is a transient network only. Now I am assuming your other locations all get IPs on the 192.168.0/24.. ?? What IPs do your other locations have for their vpn connections?

This makes no sense

Remote office network sample from 192.168.xx.0/24
Network 192.168.20.0/24
Netmask 255.255.255.0
Gateway 192.168.20.250 (provider Cisco gateway)

Is this the network they use for their LAN?? Who is providing this address space for them to use.. What if you needed a /22 at the location? Your vpn connection should be 1 address, all of your remote locations could/would be on the same segment for this transient network.

The issue is you don't overlap networks, and you sure don't route out a network that your currently a subnet of ;)

I am really just making assumptions here.. And I have to head out the door right now.. But yes your network seems quite borked to me.. Unless there is something being lost in discussion.

A drawing would be very helpful in understanding your current setup, and then how it can be converted over to using pfsense.. But again you normally would route out via a WAN connection.. In pfsense, if it has a gateway on it - its normally seen as wan and not lan. If you have a vpn connection to other networks -- your not going to want this to be your lan network as well.

example.jpg_thumb

namezero111111

Since you PMed me to look at this:

It seems like there is some good advice going around here, but there may be some salient details that get lost in writing.
I think you should really post a diagram of your network in a form like johnpoz did. (Even if you do it in mspaint :D ).

In general:
1. No, there is no "hardcoded" restriction against 192.169/x in PFSense.
2. Get rid of 192.169/16 (unless of course you are indeed RGnet).
3. Generally don't route your own network

However, in my opinion is would be acceptable to route a supernet of your own network as shown in the attached diagram I just drew.
(Provided that 192.168.16.2 also has a 192.168.0/24 route via 192.168.16.1).

Untitled.png_thumb

johnpoz

Typo in your drawing there namezero or missing info?

your routing 192.168/16 via 192.168.16.2 but you show default gateways of 192.168.16.1 and 192.168.0.1 ? That would be bad practice as well.. You have 2 default gateways.. Yes if you have a more specfic route that route should be taken. But your metric for your lan interface (assuming that from way your drawn) is going to be much better - so why not take that route to try and get to 192.168.2.128/25 ?

Draw your setup up please labasus then we can all work off same picture to what your doing wrong other than the stuff already pointed out ;)

namezero111111

No, I meant 192.168.16.1 is on the other interface (upper line) connecting it via another network segment to 16.2.

visio only lets me draw one text box per object.

johnpoz

Ah that makes more sense - name of router is "default gateway"

like this

192.168.16.1 - router - 192.168.0.1

You can add as many text boxes you need on a drawing

Drawing1.jpg_thumb

namezero111111

Yes, exactly! Apologies if the diagram was duplicitous.

16.2 will then have more specific routes for the remote nets.

Are those text boxes linked to the object or just "dangling" nearby?

Either way, a diagram like that by the OP would greatly facilitate things here.

namezero111111

For example, we use something like this on the small remote sites (10-20 devices)

Do note though that especially when you bypass FW rules for traffic on the same interface, you shouldn't have multiple subnets on the same Layer 2 segment.

Edit: Also, if you don't want anyone talking to the VPN gateways on the VPN subnet, you should block this via firewall or alternatively move the dedicated subnet past 10.0.16.x to exclude it from the /20.

Untitled.png_thumb

labasus

Here it is… network topology (to see attached files - registration required)

If you will have some questions just ask, I can update this scheme with more details, if smth will be missed.

InternetPfsense.png_thumb

namezero111111

From what I understand, your original issue happens between the 192.168.0.252 MPLS router and the PFSense on the VMWare when communicating from a remote net like 192.168.1.0/24 to VM Server 192.169.0.11, correct?

Does everything work ok when communicating between, for example, 192.168.1.0/24 and 192.168.0.0/24 (Office LAN), and the problems only happen when the IP Alias on LAN is utilized?

Normally, the "bypass fw for subnets on same interface" should take care of the asymmetric routing for the Office LAN; That is, you only have an asymmetric route if "VM PFSense" acts as the default gateway on the network, and the "Office LAN" member has no static route to 192.168.1.0/24 defined.

That's why I'm asking whether the problem only occurs when using the IP Alias.

labasus

Exactly

@namezero111111:

From what I understand, your original issue happens between the 192.168.0.252 MPLS router and the PFSense on the VMWare when communicating from a remote net like 192.168.1.0/24 to VM Server 192.169.0.11, correct?

Does everything work ok when communicating between, for example, 192.168.1.0/24 and 192.168.0.0/24 (Office LAN), and the problems only happen when the IP Alias on LAN is utilized?

Normally, the "bypass fw for subnets on same interface" should take care of the asymmetric routing for the Office LAN; That is, you only have an asymmetric route if "VM PFSense" acts as the default gateway on the network, and the "Office LAN" member has no static route to 192.168.1.0/24 defined.

That's why I'm asking whether the problem only occurs when using the IP Alias.

namezero111111

Ok, if it only happens on the IP Alias, could you please post your /tmp/rules.debug file?
Just sanitize the pulic IPs, they don't matter here.