Why does protocol "Any" not match?
-
A request please. Could you please remove the edited picture of my network drawing from your thread? Even though there's no IP addressing or anything like that in it, I'd prefer not to have our network diagrams up long-term.
Thanks,
-Dan
-
You can do it. Use the modify button there.
-
I only see the modify button for my own posts. Maybe as a moderator you see it for all of them.
-
Yeah. OK. John reposted it I see now. Done.
-
"Even though there's no IP addressing or anything like that in it"
It was some boxes? That said desktop and finance?? DMZ on it…
"and their responses will come back directly from the juniper, but that works fine."
that is completely beyond the point when you're talking about states.. And not to forget the stupid hairpin you now have.. Fix it!! How can anyone run a network like that?? So now you see that it's wrong - why would you not fix it?
And you will yes run into problems with states with such a setup.. While one side sees the SYN to start the connection, it never sees any return traffic - so yes the state will time out.. And now you would have to reopen that state with another SYN.
If you're talking from desktop to finance - then no that should not be asymmetric from your drawing.. But how is it you know your RDP idle timeout is due to the state expiring? More than likely it's just the idle session timeout setting on the host you remote desktop to.. From the client side you can also set the keepalive function
Have you sniffed to see if the keepalives are being sent, what interval?? If you want pure router then do that.. I showed you where to disable the firewall aspect and therefore the states a few posts back. But wouldn't it be better to just adjust the idle timeout, and or set your client side boxes to send keepalives?
-
fyi, source and destination are always relative to the interface.
What? I figured source and destination were the source and destination that were in the packet headers. Are you saying that's not so?
Both statements are true, but pfSense only cares about the first packet that creates the state-pair. Once a state is created, the packets for that state will never be evaluated again.
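A toy model, added here and not pfSense's own code, of the two points made above: a pass rule is consulted only for the packet that creates the state, a reply packet matches that state by the reversed address/port tuple, and a state that only ever sees one direction of a flow (the SYN-ACK returned via another path) expires once it goes idle, after which a mid-stream packet without the SYN flag is dropped. The addresses, ports and the single idle timeout are constructed values; real pf tracks TCP phases with several distinct timeouts.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 60.0  # constructed value; real pf uses per-TCP-phase timeouts


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    t: float  # seconds since the start of the capture


class StatefulFirewall:
    """Toy model: pass rules are consulted only for the packet creating a state."""

    def __init__(self, allowed):
        self.allowed = allowed  # {(src_prefix, dst_prefix)}: one-directional pass rules
        self.states = {}        # (src, sport, dst, dport) -> time of last packet seen

    def filter(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)  # the reply direction of the same flow
        for key in (fwd, rev):
            if key in self.states:
                if p.t - self.states[key] > IDLE_TIMEOUT:
                    del self.states[key]  # nothing kept it alive: the state has expired
                    break
                self.states[key] = p.t    # existing state: passed, rules never re-evaluated
                return "pass"
        # No state for this flow. Only a SYN matched by a pass rule may create one.
        if p.syn and any(p.src.startswith(s) and p.dst.startswith(d)
                         for s, d in self.allowed):
            self.states[fwd] = p.t
            return "pass"
        return "drop"  # mid-stream packet with no state, e.g. after the state expired


def run(packets):
    fw = StatefulFirewall({("10.1.", "10.2.")})  # constructed: desktop net -> finance net
    return [fw.filter(p) for p in packets]


# Constructed flow: desktop 10.1.0.5 opens RDP (3389) to finance 10.2.0.9.
C, S = "10.1.0.5", "10.2.0.9"
# Symmetric path: the SYN creates the state, the SYN-ACK matches it via the reversed key.
SYMMETRIC = [Packet(C, S, 50000, 3389, True, 0), Packet(S, C, 3389, 50000, False, 0.1)]
# Asymmetric path: the SYN-ACK returns another way and is never seen here; after the
# idle timeout the state is gone, and the next data packet is not a SYN, so it is dropped.
ASYMMETRIC_IDLE = [Packet(C, S, 50000, 3389, True, 0), Packet(C, S, 50000, 3389, False, 200)]
# Same asymmetric path, but the client sends a keepalive every 30 s (first packet is the SYN).
ASYMMETRIC_KEEPALIVE = [Packet(C, S, 50000, 3389, i == 0, 30.0 * i) for i in range(7)]
```

`run(ASYMMETRIC_IDLE)` yields a drop for the second packet while `run(ASYMMETRIC_KEEPALIVE)` passes every packet, which is the difference the idle-timeout and keepalive suggestions above are about.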
-
What does any of that have to do with your asymmetrical mess?
It's not asymmetrical. Period. You keep using that word. I do not think it means what you think it means.
There is only one route between any two systems, and it is through the same path of devices on the same interfaces.
Thanks for your attempt to help, but you're not getting this.
Am I missing something or was there a private message involved? Without knowing the design, the physical route does not matter, only the logical route. A common source of frustration with asymmetric routing is a Layer 3 switch.
-
He had his drawing of some blocks with dmz, server, desktop, finance labels of where his networks sit removed.. (his tinfoil hat is cutting off blood flow to his brain maybe?) ;)
He has devices that sit on what should be a transit - so yes there is possible asymmetrical routing.. And agrees here
"If any machine on the server subnet tries to reach the finance machines, they may be asymmetrically routed, as their requests will go via the core router, and their responses will come back directly from the juniper, but that works fine."
There is no "may be" about it, but he doesn't seem to understand how this can be a problem with stateful firewalls… Maybe it's the blood flow issue with that tin foil hat of his ;)
-
Name-calling really doesn't become you.
I know my network better than you guys do. You only know what I told you, and you're making assumptions about what was going on.
No matter how I re-architect the links between our pfsense boxes, and our juniper firewalls, the issue will persist. The routing tables on all boxes confirm this.
My question (which was about a class of rule not logging) quickly devolved into a "you're doing it wrong" debate where the original issue was not addressed.
-
Name-calling really doesn't become you.
My question (which was about a class of rule not logging) quickly devolved into a "you're doing it wrong" debate where the original issue was not addressed.
I find similar responses when requesting assistance on this forum. Mainly from the 'moderators', which I find odd, considering this is a forum to ask questions and hopefully receive some constructive feedback and useful information.
To date, I have mostly received criticism and 'you are wrong' with limited explanation as to why.
Disappointing.
-
Disappointing.
I don't recall your disappointing topics, but in regard to this one, the OP was given an explanation of why the rule wasn't hitting the way he expected. He rejected this explanation, saying it didn't apply to his setup, but then he deleted all documentation of his actual configuration. And then he came back three weeks later to complain that no one helped him.
And you are chiming in with a 'me too'? It would be more constructive to bump your original thread and ask for more information. Sometimes when people are saying you are doing it wrong, they mean there is a simpler, more straightforward way to achieve your goal.
-
Some users here, when presented with the actual way to find and solve their problem, consider such information to be a waste of their time.
-
Exactly! On both your comments Derelict and dotdash..
Almost always "wrong" just means there is a simpler way to do it.. You can work around asymmetrical routing with host routes and or natting.. Both of which are the "wrong" way to fix the issue..
You can put a /8 mask on your interface - but this is pointless and also just "wrong" ;) Use of a mask better suited to the actual size of your network is the "better/correct" way to do it..
These 2 topics seem to come up quite a bit..
-
Lock, please. With the picture gone, the thread is absolutely useless anyway (and the thread's subject totally misleading).