Asymmetric routing, wrong FW config - randomly works?
-
I was originally going to post about how this isn't working for me, but I believe I have it resolved now.
Environment:
Cisco 3750 with multiple VLANs, with static IP ranges configured in the 3750 (10.16.0.1 / 16 … 10.32.0.1 / 16 .... etc), routed to the gateway address of pfSense at 10.0.0.3 / 16.
pfSense is the main network router, with a main outgoing gateway at 12.34.56.78 and a secondary gateway at 10.0.0.1 leading back to the Cisco 3750.
For a long time I have not been able to get reliable connections between the main 10.0.0.3 / 16 LAN and the subnets on the Cisco 3750 like 10.32.0.8.
Oh sure, you can connect. Half the time. But things are just random and unstable. Trying to connect to a Windows file system at 10.0.0.132, and it takes forever for the connection to open. Sometimes the files all seem to disappear, then come back. Copying files fail halfway or time out.
Running wireshark on a test laptop at 10.32.1.7 , it would receive frequent "retransmit" packets from the Windows server at 10.0.0.132, so it was getting some data through, even with the wrong firewall rules. (??)
The pfSense firewall log was also full of block messages for various TCP flags like PA, from 10.0.0.132 to 10.32.1.7.
I finally determined this evening that the way to do an asymmetric outgoing-only pass rule, is like this:
PASS, Proto: IPv4, From: 10.0.0.0 / 16, To: 10.32.0.0 / 16
Advanced features: State type: None, Gateway: 10.0.0.1Crucially, setting the State Type to "None" is by itself not good enough for an asymmetric rule. It still randomly fails with just the State Type set to None.
Also in the pass rule, have to set the advanced features Gateway to 10.0.0.1 for it to finally work and all the firewall "blocked by default rule" errors to go away.
I still do not know why with the wrong firewall settings, the asymmetric routing "sorta" worked, as opposed to either completely working or completely not working.