Netgate Discussion Forum
    Asymmetric Routing symptoms with only one WAN link

      Von-Holten

      Hello there,

      I have been struggling with my pfSense for days now and I am stuck, so I have come to you for help.

      The setup:

      1. Sagemcom box from my ISP set into Bridge Mode.
      2. pfSense firewall with 3 interfaces (2 used: WAN and LAN)
      3. Unifi 60 W PoE Switch
      4. Unifi Pro AP
      5. Lenovo T460S laptop

      My ISP has assigned the MAC of my pfSense on their side, and that has given me a public IP on my WAN interface.
      I can ping by addresses and hostnames with success, both internal and public, so I believe my DNS is fine.

      Here is a trace to google from my WAN interface:
      [attached image: a8efff73-9776-4396-8b10-0241a658bee5-image.png]
      None of these hops belong to me.

      Looking at the system log I can see that TCP:SA traffic is blocked by the Default deny rule IPv4 on the WAN interface.
      Looking at states I can see that all HTTP and HTTPS traffic is either syn_sent:closed or closed:syn_sent.

      Something that I do not understand is that the source IP of the blocked packets is always the same IP on port 7000 (MMS/UDP), with my WAN interface as destination on port 649. An easy rule from the log did not do anything good for me.

      I have done everything I can find, at one point I even created an allow all rule on my WAN, but no luck.
      A floating rule with sloppy state, the Bypass firewall rules for traffic on the same interface option and many other things have been put to the test. Meanwhile a ton of reboots have been done to both the pfSense and the bridge modem.

      Nothing is working and the family is not so happy about it, so I think it is about time to post it here.
      It looks like asymmetric routing, but with only one WAN, I cannot see how that is possible.

      I feel like I have been close to a real connection, at one point YouTube and Google were browsable, but nothing else.

      Please help me deliver Internet at great speeds to my household, so I don't have to rely on the magic box that my ISP sent me.

        stephenw10 Netgate Administrator

        So what is the actual problem here? You are unable to browse the web from clients behind the firewall?

        That blocked TCP:SA traffic looks like a coincidence to me if it's always from the same remote IP. It's something in particular triggering that.

        Do you have outbound NAT set to automatic still?

        Check the routing table in Diag > Routes, do you have a default route?

        How are you getting a WAN IP? DHCP from your ISP? Is it pulling a valid IP and gateway? I would assume it is since you can ping out correctly.

        Check you can open TCP connections? Go to Diag > Port Test. Try to open port 443 to netgate.com.

        When you try to open a webpage from a client what actual error do you see?

        Steve

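The two symptoms discussed in this thread, a state table full of half-open TCP states and the question of whether outbound NAT is still being applied, can both be read straight off the state table. The script below is an added example, not code from either poster or from pfSense itself: it parses state lines in the style of `pfctl -ss` output (the exact column layout is an assumption here, as is the convention that the pre-NAT source appears in parentheses after the translated address) and reports how many TCP states never completed the handshake and how many outbound states left with an untranslated RFC 1918 source. The sample state lines are constructed using documentation address ranges.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Constructed sample in the style of `pfctl -ss` output (assumed layout; not from the thread).
# The "(addr:port)" after the first endpoint is the pre-NAT source of an outbound state.
SAMPLE_STATES = """\
all tcp 203.0.113.5:51234 (192.168.1.20:51234) -> 198.51.100.10:443       SYN_SENT:CLOSED
all tcp 203.0.113.5:51235 (192.168.1.20:51235) -> 198.51.100.10:80        SYN_SENT:CLOSED
all tcp 203.0.113.5:51240 (192.168.1.21:51240) -> 198.51.100.20:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.22:51300 -> 198.51.100.30:443       SYN_SENT:CLOSED
all udp 203.0.113.5:40000 (192.168.1.20:40000) -> 198.51.100.53:53        MULTIPLE:MULTIPLE
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HALF_OPEN = {"SYN_SENT:CLOSED", "CLOSED:SYN_SENT"}

# iface proto left [(nat)] -> or <- right state
STATE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)(?:\s+\(([^)]+)\))?\s+(->|<-)\s+(\S+)\s+(\S+)\s*$"
)


class State(NamedTuple):
    iface: str
    proto: str
    left: str            # translated (post-NAT) endpoint as seen on the wire
    nat: Optional[str]   # original pre-NAT endpoint, if a translation was applied
    direction: str
    right: str
    state: str


def parse_states(text: str) -> list[State]:
    """Parse pfctl-style state lines; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            out.append(State(*m.groups()))
    return out


def _is_rfc1918(endpoint: str) -> bool:
    addr = ipaddress.ip_address(endpoint.rsplit(":", 1)[0])
    return any(addr in net for net in RFC1918)


def is_half_open(st: State) -> bool:
    """TCP state where our SYN left but no matching SYN/ACK was ever seen."""
    return st.proto == "tcp" and st.state.upper() in HALF_OPEN


def missing_outbound_nat(st: State) -> bool:
    """Outbound state towards a non-RFC1918 peer whose source is still a private address
    and carries no translation: the reply can never come back to this firewall."""
    if st.direction != "->" or st.nat is not None:
        return False
    return _is_rfc1918(st.left) and not _is_rfc1918(st.right)


def diagnose(text: str) -> dict:
    states = parse_states(text)
    tcp = [s for s in states if s.proto == "tcp"]
    half = [s for s in tcp if is_half_open(s)]
    unnatted = [s for s in states if missing_outbound_nat(s)]
    findings = []
    if tcp and len(half) / len(tcp) > 0.5:
        findings.append(
            "most TCP states are stuck in SYN_SENT:CLOSED: SYNs leave but no SYN/ACK is matched; "
            "check the default route, the upstream path, and whether replies are hitting "
            "the WAN default-deny rule"
        )
    if unnatted:
        findings.append(
            f"{len(unnatted)} outbound state(s) left with an untranslated private source; "
            "check that outbound NAT is still automatic (or covers the LAN subnet)"
        )
    return {
        "total": len(states),
        "tcp": len(tcp),
        "half_open": len(half),
        "unnatted_private": len(unnatted),
        "findings": findings,
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_STATES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the real table with `pfctl -ss | python3 state_check.py`-style piping after replacing `SAMPLE_STATES` with `sys.stdin.read()`; a high share of half-open TCP states with translation present points at the return path (routing or a WAN block), while untranslated private sources point at the outbound NAT configuration Steve asks about.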
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.