Asymmetric Routing - Firewalling between 2 lan's
-
Hi and Happy new Year !
I'm sorry for my bad English ! I'm French.I have a problem with Asymmetric Routing.
I want to filter between two networks as you can see on the image :
Well I authorize all incoming connections to the LAN 1.
To test I also allowed incoming connections to the LAN 2.
But I still have connections blocked as in the following image:
I already tried "Automatic Fix" of https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules
Thanks for your help !
-
I don't see an asymmetric routing issue there. That is not a blocked connection. It's a blocked SA. Could just be out-of-state traffic. Are you getting blocked Syns?
-
Yeah thats not really a optimal setup there, downstream networks should always be connected via a transit network.
So in your case 172.168.1.32 wants to talk to ssh on 192.168.2, he sends it to his gateway .100, just to get sent on to .200 in the same network. The return traffic from 192.168.2 doesn't have to go to .100 pfsense says oh you want to got to .32, I have an interface in that network and just sends it on the wire..
A better way to do that would be transit, see attached
Or if you don't want to use transit network, then vs bouncing your 17.16.1 clients off your router via .100, create host routes on them to talk to pfsense interface at .200 for the 192.168.2/24 network
How do you have these 2 networks connected to pfsense? Is it 2 different switches connected to pfsense interfaces to fully isolate the network, or using using a common switch, with vlans setup? Lan2 or 192.168.2.0 should never block that other than just out of state, but there should be a state since for 172.168.1 to get to 192.168.2 it would of had to go through pfsense… Unless you have a common switch just running 2 different layer 3 ips spaces over the same layer 2 network?
-
Yeah, looking at it again what is the second router for if everything on both sides of it is on 192.168.1.0/24?
-
Hi !
I shared with you the solution of my problem !The vlan-routing was activate between LAN 1 and LAN 2. This caused the asymmetric routing.
The static routing on routers were therefore ignored and caused it to malfunction!
Thank you all!