Netgate Discussion Forum

    Blocked replies when firewall enabled

    Firewalling
      inigoml

      Hi everybody.

      I have a strange problem with two PFSense 2.0.1 firewalls when the firewall is enabled in one of them. All rules are configured as PASS (no blocking at this moment).

      Our network is as shown:

                                                host B
      --- LAN A ------ PFSense A ------ LAN B (interconnection LAN) ------ PFSense B ------ LAN C ---
          host A                              |    |    |    |                                        host C
                                          Links to other LANs

      When connecting from host A to host B, no problem at all.
      When connecting from host B to host A, no problem at all.
      When connecting from host B to host C, no problem at all.
      When connecting from host C to host B, no problem at all.
      When connecting from host C to host A, no problem at all.
      When connecting from host C to host A, no problem at all...
      ... but when connecting from host A to host C, packets arrive at host C and are replied to, pass through PFSenseB (checked by capturing traffic on both the WAN and LAN interfaces) but never reach PFSenseA.
      There is no firewall, host or any other element between PFSenseA and B.

      If I enable NAT in PFSenseA so packets go out with a LAN B address, no problem at all.
      If I disable firewalling in PFSenseB, no problem at all.

      So something at PFSenseB is blocking replies and it's not a firewall rule since all traffic is allowed.

      Any clues?

        inigoml

        More info. When I say disable firewalling, I mean selecting the "Disable all firewall filtering" checkbox.
        I've also enabled logging in my rules; all traffic is matched for inbound packets, so allow rules are applying correctly.

          inigoml

          More INFO after in-depth analysis:

          When accessing from LAN-C to LAN-A (works), rules are selected right without any problem.
          When accessing from LAN-A to LAN-C, reply packets at PFSenseB are routed to the default gateway (???!!!) instead of using the defined route, but ONLY IF THE FIREWALL IS ENABLED ¿¿¿??? A bug?

          Passing pfsenseA:

          18:30:26.753866 00:50:56:af:00:1d > 00:50:56:af:32f, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
              180.106.133.253 > 10.70.4.22: ICMP echo request, id 22927, seq 11, length 64
          

          Passing pfsenseB:

          18:30:26.752733 00:50:56:af:00:1d > 00:50:56:af:32f, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
              180.106.133.253 > 10.70.4.22: ICMP echo request, id 22927, seq 11, length 64
          

          All right here, but...

          Response at PfSenseB:

          18:30:26.752955 00:50:56:af:32f > 00:00:5e:00:01:03, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 43442, offset 0, flags [none], proto ICMP (1), length 84)
              10.70.4.22 > 180.106.133.253: ICMP echo reply, id 22927, seq 11, length 64
          

          WHY???? 00:00:5e:00:01:03
          This MAC corresponds to my default gateway, not the defined gateway for this connection.

          Remember: Routes are perfect. From LAN-C to LAN-A no problem and disabling firewall no problem also.

            cmb

            Not a bug; that's how routing works by design. In that scenario you're going to need to disable reply-to.

              inigoml

              It's quite surprising for us. Our old Linux box had a different behavior in this scenario, always sending packets to the defined gateway and not to the default gateway.

              How do we disable reply-to? In the specific rules, under Advanced? No effect when disabling reply-to… reply packets are always sent to the default gateway.

              We have solved the problem by adding a specific route in our default gateway, but we didn't want to do it since LAN-A should never be reached from any other network but C...

                inigoml

                @cmb:

                Not a bug, how routing works by design. In that scenario you're going to need to disable reply-to.

                CMB, thank you very much for your tip. We found this option under System->Advanced and now firewalling is working as we wanted.

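The next-hop behaviour cmb points to, written out as a small Python model. This is an added example, not code from the thread or from pfSense: a state created on an interface that has a gateway configured records a reply-to pointing at that gateway, so the reply bypasses the routing table; a state created on a plain LAN interface records none, so the routing table decides. The script also parses tcpdump -e style lines (the format of the captures quoted above) and checks each echo reply's destination MAC against what the model predicts with reply-to on and off. The interface names, routing table, ARP entries, /24 prefix lengths and the MAC of PFSenseB are constructed assumptions that mirror the thread's topology; the IPs and the VRRP MAC 00:00:5e:00:01:03 are the ones quoted in the captures.

```python
"""Model of pf's reply-to next-hop choice, checked against a tcpdump -e capture.

Added example. Topology, routes, ARP entries and the PFSenseB MAC below are
constructed to mirror the forum thread's setup; they are not from a real system.
"""
import ipaddress
import re

# Gateway configured on each PFSenseB interface (constructed). pfSense adds
# reply-to to rules on interfaces that have a gateway; LAN_B carries the
# default gateway, LAN_C is a plain LAN with none.
IFACE_GATEWAY = {
    "LAN_B": "10.70.254.1",
    "LAN_C": None,
}

# Routing table as (prefix, next-hop); None means directly connected.
ROUTES = [
    ("0.0.0.0/0",        "10.70.254.1"),  # default route via the VRRP gateway on LAN_B
    ("180.106.133.0/24", "10.70.254.2"),  # static route to LAN A via PFSenseA (assumed /24)
    ("10.70.4.0/24",     None),           # LAN C, directly connected (assumed /24)
]

# ARP cache on LAN_B (constructed). The VRRP virtual MAC is the one the thread saw.
ARP = {
    "10.70.254.1": "00:00:5e:00:01:03",  # default gateway (VRRP virtual MAC)
    "10.70.254.2": "00:50:56:af:00:1d",  # PFSenseA (constructed MAC)
}

# Constructed tcpdump -e -n sample, modelled on the thread's capture on PFSenseB's
# LAN_B side: the echo request from host A, then the echo reply from host C.
CAPTURE = """\
18:30:26.752733 00:50:56:af:00:1d > 00:50:56:af:00:2f, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    180.106.133.253 > 10.70.4.22: ICMP echo request, id 22927, seq 11, length 64
18:30:26.752955 00:50:56:af:00:2f > 00:00:5e:00:01:03, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 43442, offset 0, flags [none], proto ICMP (1), length 84)
    10.70.4.22 > 180.106.133.253: ICMP echo reply, id 22927, seq 11, length 64
"""

FRAME_RE = re.compile(r"^(\S+) ([0-9a-f:]+) > ([0-9a-f:]+), ethertype IPv4")
IP_RE = re.compile(r"^\s+(\S+) > (\S+): ICMP echo (request|reply)")


def route_lookup(dst_ip):
    """Longest-prefix match over ROUTES; returns the next-hop IP, None if connected."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, gw in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def reply_next_hop(ingress_iface, reply_dst_ip, reply_to_enabled):
    """Next hop pf uses for a reply belonging to a state created on ingress_iface.

    With reply-to enabled and a gateway on the ingress interface, the reply goes
    to that gateway regardless of the routing table. Otherwise the table decides.
    """
    gw = IFACE_GATEWAY.get(ingress_iface)
    if reply_to_enabled and gw:
        return gw
    return route_lookup(reply_dst_ip)


def parse_capture(text):
    """Parse tcpdump -e -n output: a frame line followed by an IP line per packet."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    packets, i = [], 0
    while i + 1 < len(lines):
        m1, m2 = FRAME_RE.match(lines[i]), IP_RE.match(lines[i + 1])
        if m1 and m2:
            packets.append({"ts": m1.group(1), "src_mac": m1.group(2), "dst_mac": m1.group(3),
                            "src_ip": m2.group(1), "dst_ip": m2.group(2), "kind": m2.group(3)})
            i += 2
        else:
            i += 1
    return packets


def check_replies(text, ingress_iface, reply_to_enabled):
    """Compare each reply frame's destination MAC with the MAC the model predicts."""
    results = []
    for p in parse_capture(text):
        if p["kind"] != "reply":
            continue
        expected_mac = ARP.get(reply_next_hop(ingress_iface, p["dst_ip"], reply_to_enabled))
        results.append({"dst_ip": p["dst_ip"], "observed_mac": p["dst_mac"],
                        "expected_mac": expected_mac,
                        "consistent": p["dst_mac"] == expected_mac})
    return results


if __name__ == "__main__":
    for enabled in (True, False):
        for r in check_replies(CAPTURE, "LAN_B", enabled):
            print(f"reply-to {'on ' if enabled else 'off'}: reply to {r['dst_ip']} went to "
                  f"{r['observed_mac']}, model expects {r['expected_mac']} -> "
                  f"{'consistent' if r['consistent'] else 'MISMATCH'}")
    # The C-to-A direction: state on LAN_C (no gateway), so the static route wins either way.
    print("LAN_C state, reply-to on :", reply_next_hop("LAN_C", "180.106.133.253", True))
```

Run as written, the observed default-gateway MAC is consistent only with the reply-to model, which is why the static route to LAN A is ignored for states created on the interconnection interface while the C-to-A direction (states created on LAN_C) never had the problem. Disabling reply-to, as the thread ends up doing under System->Advanced, puts the reply back under the routing table, matching the `reply_to_enabled=False` branch.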