Pfsense is blocking/half-blocking traffic from MPLS networks
-
hi John,
No public interface.
Picture the MPLS as the internal subnets that are all using the pfsense as the gateway. The issue is that these subnets are having problems communicating correctly with each other.
main users --- (int)pfsense (int) --- mpls --- remote
-
So you're saying your mpls is connected to the same interface that your users are connected to?? That makes NO sense.. And how would pfsense be used in that setup?
There should be an interface that your main network is connected to, and then there should be an interface that your mpls is connected to. This would not be the SAME interface.. It could be a vlan on the interface ok - but you would have those tabs on your firewall rules if set up correctly.
-
No, not the same interface. I'm not that bad. :) I can't figure out a way to explain it to you guys correctly, so it's ok. I'll figure things out.
-
I can't figure out a way to explain it to you guys correctly
Make a drawing.
-
Try putting some floating pass rules for local to local traffic, and tag them quick.
-
Let's see if this one helps. :)
The way the MPLS is configured, all default traffic at the remote location goes through the MPLS and uses the pfsense as the internet gateway.
All PCs under the 10.24.42.0/24 network are using PFSENSE as the gateway.
I hope this clears up why I had to add the allow list to the INTERNAL interface of the pfsense.
I've never tried floating rules. The weird thing I notice is that I open * * under the internal rule, and the firewall log states some traffic is blocked by default deny all. Not sure where it is.
Also, to add: from 192.168.0.0/24, I can ping 10.24.42.20 and .30, and I can RDP back and forth. However, .30 is the Exchange server, and the Outlook client in 192.168.0.0/24 cannot connect to Exchange. Really odd behavior.
![MPLS with PFSENSE.PNG](/public/imported_attachments/1/MPLS with PFSENSE.PNG)
-
I've never tried floating rules. The weird thing I notice is that I open * * under the internal rule, and the firewall log states some traffic is blocked by default deny all. Not sure where it is.
The ruleset ends with an implicit deny all.
Floating rules do not exit after match like normal rules; you have to check the box after 'Quick'.
Try a floating rule like: pass, quick, dir any, source: local subnets, dest: local subnets…
-
You have asymmetric routing in that case. Go to System>Advanced, Firewall/NAT, check "Bypass firewall rules for traffic on the same interface".
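Added example (not part of the thread, and not pfSense's own code): a small triage script that reads pfSense filterlog lines and separates ordinary blocks from the pattern that asymmetric routing produces, which is local-to-local TCP packets without a SYN flag being dropped by the default deny because the firewall never saw the handshake for that direction. The two subnets are the ones named in the thread; the filterlog field layout (IPv4 + TCP case) is the one documented for pfSense, and the sample lines are constructed for the example, not taken from any real log.

```python
import csv
import ipaddress
from collections import Counter

# Subnets from the thread. Assumption: these are the only "local" networks.
LOCAL_SUBNETS = [ipaddress.ip_network("192.168.0.0/24"),
                 ipaddress.ip_network("10.24.42.0/24")]

# Constructed sample lines in the pfSense filterlog CSV layout (IPv4 + TCP).
# em1 plays the internal interface, em0 the WAN. Not from a real system.
SAMPLE_LOG = """\
1000000103,,,1000000103,em1,match,block,in,4,0x0,,63,4231,0,DF,6,tcp,52,192.168.0.25,10.24.42.30,51200,443,0,A,1,1,64240,,
1000000103,,,1000000103,em1,match,block,in,4,0x0,,63,4232,0,DF,6,tcp,52,192.168.0.25,10.24.42.30,51200,443,0,PA,1,1,64240,,
1000000103,,,1000000103,em1,match,block,in,4,0x0,,63,4233,0,DF,6,tcp,60,192.168.0.25,10.24.42.20,51300,3389,0,S,1,1,64240,,mss
1000000103,,,1000000103,em0,match,block,in,4,0x0,,118,9001,0,DF,6,tcp,60,203.0.113.7,10.24.42.30,40000,25,0,S,1,1,64240,,mss
1000000104,,,1000000104,em1,match,pass,in,4,0x0,,63,4234,0,DF,6,tcp,60,192.168.0.25,10.24.42.30,51201,443,0,S,1,1,64240,,mss
"""


def parse_filterlog(line):
    """Parse one filterlog CSV line (IPv4 layout) into a dict, or None."""
    row = next(csv.reader([line]))
    if len(row) < 20 or row[8] != "4":        # skip short/IPv6 lines
        return None
    entry = {
        "iface": row[4], "action": row[6], "direction": row[7],
        "proto": row[16],
        "src": ipaddress.ip_address(row[18]),
        "dst": ipaddress.ip_address(row[19]),
        "sport": "", "dport": "", "tcp_flags": "",
    }
    if entry["proto"] in ("tcp", "udp") and len(row) > 21:
        entry["sport"], entry["dport"] = row[20], row[21]
    # TCP flags follow srcport, dstport and data-length.
    if entry["proto"] == "tcp" and len(row) > 23:
        entry["tcp_flags"] = row[23]
    return entry


def is_local(addr):
    return any(addr in net for net in LOCAL_SUBNETS)


def classify_block(entry):
    """Return a category for a blocked packet, or None if it was passed."""
    if entry["action"] != "block":
        return None
    if not (is_local(entry["src"]) and is_local(entry["dst"])):
        return "external"            # ordinary default-deny from outside
    if entry["proto"] == "tcp" and "S" not in entry["tcp_flags"]:
        return "midstream_local"     # no SYN seen: state never created, i.e.
                                     # the other direction took another path
    return "syn_local"               # a fresh SYN blocked: rule/order problem


def triage(log_text):
    """Count block categories and list the mid-stream local-to-local drops."""
    summary = Counter()
    suspects = []
    for line in log_text.splitlines():
        entry = parse_filterlog(line)
        if entry is None:
            continue
        kind = classify_block(entry)
        if kind is None:
            continue
        summary[kind] += 1
        if kind == "midstream_local":
            suspects.append((entry["iface"], str(entry["src"]),
                             str(entry["dst"]), entry["dport"],
                             entry["tcp_flags"]))
    return summary, suspects


if __name__ == "__main__":
    summary, suspects = triage(SAMPLE_LOG)
    print(dict(summary))
    for s in suspects:
        print("mid-stream local drop:", s)
```

A run over real output of `clog /var/log/filter.log` is the same call with the file contents in place of `SAMPLE_LOG`. A cluster of `midstream_local` hits between two local subnets on the internal interface is the signature CMB's answer is describing: replies for sessions that were opened via the MPLS router arrive without a matching state, so the default deny catches them even with a `* *` pass rule in place. The `syn_local` bucket is a different problem (rule ordering or a missing rule), so the two are worth keeping apart before changing anything.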
-
Thank you CMB. I think this is it! I will test again maybe next week.
-
That is a HORRIFIC setup.. Not counting the asymmetric routing.. pfsense has no control over connecting from the mpls to your machines.. And when it does work you're hairpinning.
Move the router to the OUTside of pfsense on a different interface – like the attached. Even if you do it with a vlan on the same physical interface you're currently using. Set up a transit network between pfsense and the mpls router vs using the same network your main network is on.