Hairpin routing?



  • Topology - https://imgur.com/a/2J7Yt

    I'm having trouble setting up hairpining on the inside interface of my firewall.  Here is what I'm trying to do.

    I'm wanting my remote user (10.1.1.150) to be able to access the docker container.  This issue is that the container's default-gateway is the inside interface of the pfSense firewall and not the inside interface of Router1 (see picture)

    When the remote PC tries to connect to the container the path is as follows…

    Remote PC --> Router 2 --> link between routers (192.168.0.0/30) --> Router 1 --> LAN of Router 1 -- Docker Container.

    I want the return traffic from the container to the remote PC to take the following.

    Docker container --> pfSense inside interface --> Router1's LAN interface (10.1.1.1) link between routers (192.168.0.0/30) -->  Router 2 --> Remote PC

    Judging from packet-captures I've taken it appears my pfSense box is not forwarding the traffic to Router 1's inside interface (10.10.10.1) when it receives traffic from the container - I assume this is caused by the firewall seeing incorrect TCP state and/or NAT/firewall rules.

    Here is what I've configured within the firewall to try to get this working...

    1. Static route to 10.1.1.0/24 pointing to Router 1's inside IP (10.10.10.1)
    2. Created a firewall rule that permits 10.10.10.0/24 traffic to communicate with 10.1.1.0/24

    Any help you can give is much appreciated.


  • Netgate

    If you absolutely cannot design around that asymmetric routing mess, check this checkbox:

    System > Advanced, Firewall & NAT, Static route filtering



  • I checked the box but I'm still getting the same behavior.  When I look at the state table I'm seeing this…

    LAN tcp 10.10.10.227:32400 -> 10.1.1.186:52925 CLOSING:CLOSING 8 / 0 2 KiB / 0 B
    LAN tcp 10.10.10.227:32400 -> 10.1.1.186:52939 CLOSING:CLOSING 8 / 0 2 KiB / 0 B
    LAN tcp 10.10.10.227:32400 -> 10.1.1.186:52986 CLOSING:CLOSING 12 / 0 5 KiB / 0 B
    LAN tcp 10.10.10.227:32400 -> 10.1.1.186:53008 CLOSING:CLOSING 8 / 0 2 KiB /

    Does this mean that the firewall is closing the session or 10.10.10.227?

    Any other ideas?

    Thanks for the help.