Netgate Discussion Forum

    Asymmetric Routing Not Work Well

    • lunar12

      Hello All,

      Greetings.

      One question, I use pfSense ver. 2.2 with 4 interfaces.

      1 - WAN (Global Static /28)
      2 - LAN (179.0/24)
      3 - OPT1(188.0/24)
      4 - OPT2(189.0/24)

      Traffic between the same interface (e.g. OPT1 to OPT1) is blocked as TCP:SA, as shown below:

      The firewall rule passes everything to OPT1, as shown below:

      I have tried:
      1 - Asymmetric Routing
              http://goo.gl/EAlK6m
              http://goo.gl/tqXBMW

      But it is still blocking all TCP:SA traffic.

      Regards

      • johnpoz (LAYER 8, Global Moderator)

        Why would you have asymmetric routing between 2 interfaces on pfSense?

        Looks like you got some sort of mask issue.. Why would pfSense even see traffic from 192.168.188.220 to 192.168.188.221 or vice versa?

        Looks like the same network to me..  Did you bridge interfaces?  pfSense sure shouldn't be seeing that traffic, why are you sending traffic through pfSense to get to the same network?

        I would guess that .221 sent traffic to .220 over the switch, and then for some unknown reason .220 is trying to send back its syn,ack via pfSense even though the source IP per your info is on the same segment and should not be sending that traffic to pfSense.  You have the wrong mask on .220?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • Harvy66

          pfSense is a stateful firewall, not a dumb router. Asymmetric paths mean the states are never acknowledged. SYN goes in one interface, but that interface never sees the SYN-ACK because it came back in a different interface. pfSense will reject these out-of-state packets by default.

          • lunar12

            Dear johnpoz and Harvy66,

            Thanks, your reply is very helpful.

            Yes, as johnpoz posted, the problem is a mask issue on the server side.

            Cheers

            1 Reply Last reply Reply Quote 0
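The diagnosis reached in this thread, as an added example that is not code from any of the posters: a host decides from its own address and mask whether a peer is on-link, and a wrong mask on one side sends only the SYN-ACK through the firewall, which has no state for it. The client address, the /26 mask, the LAN host, and the simplified state model (a SYN creates state, every other packet needs one) are constructed assumptions.

```python
import ipaddress

def via_firewall(sender_if, dst):
    """True if the sender's own address/mask makes dst look off-link, so the
    packet goes to the default gateway (assumed here to be the firewall)."""
    return ipaddress.ip_address(dst) not in ipaddress.ip_interface(sender_if).network

def handshake_at_firewall(client_if, server_if):
    """Replay SYN, SYN-ACK, ACK and return what a simplified stateful firewall
    sees: a SYN creates state, anything else needs an existing state."""
    client = ipaddress.ip_interface(client_if).ip
    server = ipaddress.ip_interface(server_if).ip
    packets = [("S", client_if, client, server),
               ("SA", server_if, server, client),
               ("A", client_if, client, server)]
    states, seen = set(), []
    for flags, sender_if, src, dst in packets:
        if not via_firewall(sender_if, dst):
            continue  # delivered directly over the switch, firewall never sees it
        if flags == "S":
            states.add(frozenset((src, dst)))
            verdict = "pass"
        else:
            verdict = "pass" if frozenset((src, dst)) in states else "block"
        seen.append((flags, str(src), str(dst), verdict))
        if verdict == "block":
            break  # the handshake cannot complete past this point
    return seen

# Constructed hosts; OPT1 is taken to be 192.168.188.0/24 as in the thread.
CLIENT = "192.168.188.20/24"         # constructed client, correct mask
SERVER_OK = "192.168.188.220/24"     # correct mask
SERVER_BAD = "192.168.188.220/26"    # constructed wrong mask (255.255.255.192)
ROUTED_CLIENT = "192.168.179.10/24"  # constructed host on the LAN network

if __name__ == "__main__":
    for label, c, s in [("same subnet, masks ok", CLIENT, SERVER_OK),
                        ("server mask wrong", CLIENT, SERVER_BAD),
                        ("routed LAN -> OPT1", ROUTED_CLIENT, SERVER_OK)]:
        print(label, handshake_at_firewall(c, s))
```

With correct masks the firewall sees nothing of same-subnet traffic; a blocked TCP:SA whose source and destination both sit inside one interface's subnet points at the sending host's mask rather than at the firewall rules.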
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.