Firewall blocking OSPF with VTI's

srobinson · Oct 12, 2018, 4:39 PM

We are having issues with OSPF on the new VTI interfaces, basically because packets are going in an out different paths the firewall is blocking it, TCP:PA and TCP:A. Has anyone found a way around this? I did turn on Bypass firewall rules for traffic on the same interface but that did not help.

jimp · Oct 12, 2018, 4:41 PM

What are the actual firewall rules you have in place on the IPsec interface? And what do the full log messages look like?

I haven't had any trouble hitting OSPF neighbors on VTI nor with TCP. There is probably something else going on with your setup.

srobinson · Oct 12, 2018, 4:46 PM

Currently there is an allow all rule. I am seeing neighbors just fine and getting the routing tables. It is, for the most part, working. Basically the issue is sometimes packets go out one VTI and come back in another VTI. The firewall doesn't have a state for it and so it seems to block those packets. I know what is happening but I am unsure of how to resolve it.

Netgate talks about it here but these solutions do not seem to resolve the issue.
https://www.netgate.com/docs/pfsense/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html

jimp · Oct 12, 2018, 5:15 PM

Sounds like you have a routing loop or multiple paths with the same cost leading to one. You need to fix your costs so that doesn't happen. That's just an OSPF issue not specific to pfSense.

srobinson · Oct 17, 2018, 3:58 PM

You were right. There was a configuration error on one of the ospf sites that was causing the asymmetric routing.