Routing issue with traffic coming from another firewall
-
I have the following setup:
A Fortigate 100D with a local network 10.150.3.0/24
A pfSense box with a local network 172.16.60.0/24
To enable traffic from the 10.150.3.0/24 network to the 172.16.60.0/24 network, I have an interface on the Fortigate with IP address 172.16.60.2, which is connected to the same VLAN as the pfSense local interface.
On the pfSense there's a route to 10.150.3.0/24 with gateway set to 172.16.60.2.
When I try to initiate a connection from e.g. host 10.150.3.21 to host 172.16.60.20, I get a time-out after a while. It doesn't matter what service is used (tried TCP/80, TCP/443, TCP/3389, TCP/9102…).
When I capture packets on the source host (10.150.3.21), I can see the SYN packets being sent towards the destination, but nothing's coming back.
Sniffing traffic on the destination, I can see the SYN/ACK packets being sent though, but with retransmissions (i.e. they cannot get back to 10.150.3.21).
However, when I do a simple ping from source to destination or vice versa, the replies come back fine, and the previously failing connections do work afterwards, but only temporarily (i.e. about 10 minutes after closing the connection, reconnecting fails again).
I used to have the 172.16.60.0/24 network on another Fortigate unit before I migrated to pfSense, and this never happened with the exact same topology. This makes me think that this is an issue with pfSense somehow. It looks like it cannot determine the route back to the source host, but then after some ICMP magic it suddenly can.
Anyone an idea what might be going on here? A known issue perhaps? (I Googled, but didn't find anything related)
-
+1 for this issue. I'm having the same issue, but I'm using 2 separate pfSense firewalls in a similar configuration. Pings are good, but RDP won't work unless I maintain a constant ping. I suspected firewall rules, so I opened everything up and no net difference.
-
I don't know how I missed this one, there is an advanced firewall option:
Bypass firewall rules for traffic on the same interface
It's off by default and you can enable it under System->Advanced->Firewall/NAT (tab)
This seems to have resolved the issue for me.
-
I did a little more looking around for that advanced option and came across a pfSense doc https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules. This seems to explain the issue exactly as I was seeing it: asymmetric routing.
There is another method to resolve the issue versus enabling the "Bypass firewall rules for traffic on the same interface" option just in case that option isn't secure enough for your use case.
-
I have the following setup:
A Fortigate 100D with a local network 10.150.3.0/24
A pfSense box with a local network 172.16.60.0/24
To enable traffic from the 10.150.3.0/24 network to the 172.16.60.0/24 network, I have an interface on the Fortigate with IP address 172.16.60.2, which is connected to the same VLAN as the pfSense local interface.
On the pfSense there's a route to 10.150.3.0/24 with gateway set to 172.16.60.2.
When I try to initiate a connection from e.g. host 10.150.3.21 to host 172.16.60.20, I get a time-out after a while. It doesn't matter what service is used (tried TCP/80, TCP/443, TCP/3389, TCP/9102…).
The destination host probably has pfSense as its default gateway, so return traffic from that host is routed to pfSense which doesn't have a state so it is dropped. This is "Asymmetric routing" as has been stated. Search on that.
The answer is probably a third subnet for the link between the two routers. Or figure out which one you want to be your main router and have everyone's default gateway set to that.
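As an added illustration of the asymmetric-routing failure described in this thread (not part of any reply, and not pf, pfSense or FortiOS code), the constructed simulation below models a minimal stateful filter and pushes one TCP handshake through three variants of the topology: the original one from the thread, the same topology with "Bypass firewall rules for traffic on the same interface" enabled, and the third transit subnet suggested above. Host addresses come from the thread; interface names, the port numbers and the transit-subnet wiring are assumptions.

```python
# Constructed simulation of why a stateful firewall drops the SYN/ACK when the
# forward and return paths differ. Not pfSense or FortiOS code; addresses are
# from the thread, interface names and ports are assumed for the illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool


def flow_key(p: Packet):
    """Direction-independent identifier for a TCP flow."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class StatefulFirewall:
    """Minimal pf-like stateful filter: a state is created only by the first
    packet of a flow (a bare SYN); any later packet must match a state or it is
    dropped. bypass_same_interface mirrors the pfSense option
    'Bypass firewall rules for traffic on the same interface'."""

    def __init__(self, name, log, bypass_same_interface=False):
        self.name = name
        self.log = log
        self.bypass_same_interface = bypass_same_interface
        self.states = set()

    def filter(self, pkt, in_if, out_if):
        key = flow_key(pkt)
        if self.bypass_same_interface and in_if == out_if:
            verdict = "PASS (same-interface bypass)"
        elif key in self.states:
            verdict = "PASS (state match)"
        elif pkt.syn and not pkt.ack:
            self.states.add(key)
            verdict = "PASS (new state)"
        else:
            verdict = "DROP (no state for non-SYN packet)"
        self.log.append(f"{self.name} {in_if}->{out_if} "
                        f"{pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport} {verdict}")
        return verdict.startswith("PASS")


def path_thread_topology(pkt, fgt, pfs):
    """Topology from the original post: the Fortigate has its own leg (172.16.60.2)
    on the 172.16.60.0/24 VLAN and delivers straight to the host, while the host's
    default gateway is pfSense. Each hop is (firewall, ingress if, egress if)."""
    if pkt.dst.startswith("172.16.60."):
        return [(fgt, "lan", "vlan60")]  # forward path never touches pfSense
    # Reply: host -> pfSense (default gateway) -> static route back out the same
    # interface to 172.16.60.2 -> Fortigate -> 10.150.3.0/24
    return [(pfs, "lan", "lan"), (fgt, "vlan60", "lan")]


def path_transit_subnet(pkt, fgt, pfs):
    """Fix suggested in the thread: a third subnet linking the two routers, so
    both directions cross both firewalls on distinct interfaces (assumed wiring)."""
    if pkt.dst.startswith("172.16.60."):
        return [(fgt, "lan", "transit"), (pfs, "transit", "lan")]
    return [(pfs, "lan", "transit"), (fgt, "transit", "lan")]


def tcp_handshake(path_fn, fgt, pfs):
    """Push SYN / SYN-ACK / ACK through the topology; True only if every packet
    passes every firewall on its path."""
    syn = Packet("10.150.3.21", "172.16.60.20", 51000, 3389, syn=True, ack=False)
    synack = Packet("172.16.60.20", "10.150.3.21", 3389, 51000, syn=True, ack=True)
    ack = Packet("10.150.3.21", "172.16.60.20", 51000, 3389, syn=False, ack=True)
    for pkt in (syn, synack, ack):
        for fw, in_if, out_if in path_fn(pkt, fgt, pfs):
            if not fw.filter(pkt, in_if, out_if):
                return False
    return True


def run_scenario(path_fn, bypass_same_interface=False):
    """Return (handshake_succeeded, per-hop verdict log) for one scenario."""
    log = []
    fgt = StatefulFirewall("fortigate", log)
    pfs = StatefulFirewall("pfsense", log, bypass_same_interface)
    return tcp_handshake(path_fn, fgt, pfs), log


if __name__ == "__main__":
    for title, fn, bypass in [
        ("thread topology, default pfSense settings", path_thread_topology, False),
        ("thread topology, same-interface bypass on", path_thread_topology, True),
        ("third transit subnet between the routers", path_transit_subnet, False),
    ]:
        ok, log = run_scenario(fn, bypass)
        print(f"== {title}: {'handshake completes' if ok else 'SYN/ACK dropped'}")
        for line in log:
            print("  " + line)
```

The first scenario reproduces the symptom: the Fortigate creates a state for the SYN, but the SYN/ACK reaches pfSense on its LAN interface with no matching state and is dropped as a non-SYN packet. The bypass option makes pfSense pass LAN-in/LAN-out packets without consulting the state table, and the transit subnet removes the asymmetry entirely so both firewalls see both directions.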
-
Thanks a lot Derelict and maglaubig. That was exactly the solution I needed!
-
Hi Guys,
I have a situation here,
Site A PFSense Firewall:
Local LAN: 10.10.1.0/24
Site B Fortigate Firewall:
Local LAN: 10.10.2.0/24
Now, both sites are connected via an IPSec VPN tunnel.
I have configured OpenVPN road warrior on Site A pfSense to access the Site A network remotely, and I am able to access the Site A network without any issues.
My question is how will I be able to reach the Fortigate Site B local network 10.10.2.0/24 from home.
I have also followed this URL and configured the push route command on the pfSense Site A firewall and configured a phase 2 entry on the Fortigate Site B firewall:
https://forum.pfsense.org/index.php?topic=26036.0
But I am not able to connect to the Fortigate Site B 10.10.2.0/24 network from my home network.
Please help me. Thanks!