Netgate Discussion Forum

    Hairpin routing?

    General pfSense Questions
    3 Posts 2 Posters 2.1k Views

    • MrMoosieMan

      Topology - https://imgur.com/a/2J7Yt

      I'm having trouble setting up hairpinning on the inside interface of my firewall. Here is what I'm trying to do.

      I want my remote user (10.1.1.150) to be able to access the docker container. The issue is that the container's default gateway is the inside interface of the pfSense firewall and not the inside interface of Router1 (see picture).

      When the remote PC tries to connect to the container the path is as follows…

      Remote PC --> Router 2 --> link between routers (192.168.0.0/30) --> Router 1 --> LAN of Router 1 --> Docker Container.

      I want the return traffic from the container to the remote PC to take the following.

      Docker container --> pfSense inside interface --> Router1's LAN interface (10.1.1.1) --> link between routers (192.168.0.0/30) --> Router 2 --> Remote PC

      Judging from packet captures I've taken, it appears my pfSense box is not forwarding the traffic to Router 1's inside interface (10.10.10.1) when it receives traffic from the container. I assume this is caused by the firewall seeing incorrect TCP state and/or NAT/firewall rules.

      Here is what I've configured within the firewall to try to get this working...

      1. Static route to 10.1.1.0/24 pointing to Router 1's inside IP (10.10.10.1)
      2. Created a firewall rule that permits 10.10.10.0/24 traffic to communicate with 10.1.1.0/24

      Any help you can give is much appreciated.

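The path description in the post above can be checked mechanically. The script below is an added example (not the poster's configuration and not Netgate code): it models each hop as a small routing table, traces the forward and return paths of a flow from the remote PC to the container with longest-prefix matching, and reports which transit hop appears on only one of the two paths and which hop routes a packet back out the interface it came in on. Router 2 and the 192.168.0.0/30 link are collapsed into Router 1's LAN side, since they carry both directions and do not change the result; the pfSense inside address (10.10.10.254) and the remote PC's default gateway (10.1.1.1) are assumptions, the other addresses are from the thread. A second topology with the container's default gateway moved to Router 1 shows the "design around it" alternative Derelict refers to.

```python
"""Trace forward and return paths through the topology from the post and
report which hop sees only one direction of the flow (added illustration)."""
import ipaddress


def topology(container_gateway):
    """Per-node tables: list of (prefix, next_hop, out_interface).
    next_hop None means the prefix is directly connected on out_interface."""
    return {
        "remote-pc": {"addrs": {"10.1.1.150": "eth0"},
                      "routes": [("10.1.1.0/24", None, "eth0"),
                                 ("0.0.0.0/0", "10.1.1.1", "eth0")]},  # gateway assumed
        "router1":   {"addrs": {"10.1.1.1": "lan", "10.10.10.1": "inside"},
                      "routes": [("10.1.1.0/24", None, "lan"),
                                 ("10.10.10.0/24", None, "inside")]},
        "pfsense":   {"addrs": {"10.10.10.254": "LAN"},  # inside address assumed
                      "routes": [("10.10.10.0/24", None, "LAN"),
                                 # the static route from the post: 10.1.1.0/24 via Router 1
                                 ("10.1.1.0/24", "10.10.10.1", "LAN")]},
        "container": {"addrs": {"10.10.10.227": "eth0"},
                      "routes": [("10.10.10.0/24", None, "eth0"),
                                 ("0.0.0.0/0", container_gateway, "eth0")]},
    }


def owner_map(nodes):
    """IP address -> node name, for resolving next hops and final delivery."""
    return {ipaddress.ip_address(a): name
            for name, node in nodes.items() for a in node["addrs"]}


def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop, out_interface) or None."""
    best = None
    for prefix, next_hop, out_if in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, out_if)
    return best


def trace(nodes, src, dst):
    """Hop-by-hop path from node `src` to address `dst`.
    Returns [(node, in_interface, out_interface), ...]."""
    dst = ipaddress.ip_address(dst)
    owners = owner_map(nodes)
    path, cur, in_if = [], src, None
    for _ in range(16):  # loop guard
        if owners.get(dst) == cur:
            path.append((cur, in_if, None))
            return path
        route = lookup(nodes[cur]["routes"], dst)
        if route is None:
            raise ValueError(f"{cur}: no route to {dst}")
        _, next_hop, out_if = route
        path.append((cur, in_if, out_if))
        nxt_ip = dst if next_hop is None else ipaddress.ip_address(next_hop)
        cur = owners[nxt_ip]
        in_if = nodes[cur]["addrs"][str(nxt_ip)]
    raise RuntimeError("routing loop")


def analyze(nodes, client_ip, server_ip):
    """Compare both directions of a client<->server flow.
    one_way_hops: transit nodes on exactly one of the two paths (a stateful
    firewall there never sees the other half of the connection).
    hairpin_hops: transit nodes that forward out the interface the packet
    arrived on (what pfSense's static route filtering option concerns)."""
    owners = owner_map(nodes)
    fwd = trace(nodes, owners[ipaddress.ip_address(client_ip)], server_ip)
    ret = trace(nodes, owners[ipaddress.ip_address(server_ip)], client_ip)
    transit_fwd = {n for n, _, _ in fwd[1:-1]}
    transit_ret = {n for n, _, _ in ret[1:-1]}
    return {
        "forward": [n for n, _, _ in fwd],
        "return": [n for n, _, _ in ret],
        "one_way_hops": sorted(transit_fwd ^ transit_ret),
        "hairpin_hops": sorted({n for n, i, o in fwd[1:-1] + ret[1:-1] if i == o}),
    }


if __name__ == "__main__":
    for label, gw in (("gateway = pfSense", "10.10.10.254"),
                      ("gateway = Router 1", "10.10.10.1")):
        print(label, analyze(topology(gw), "10.1.1.150", "10.10.10.227"))
```

With the container's gateway on pfSense the return path is container, pfsense, router1, remote-pc while the forward path never touches pfsense, so pfsense is the one hop that sees only the container's replies, and it sees them enter and leave the same LAN interface. Moving the gateway to 10.10.10.1 takes pfSense out of the path entirely and both lists come back empty.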
      • Derelict (LAYER 8, Netgate)

        If you absolutely cannot design around that asymmetric routing mess, check this checkbox:

        System > Advanced, Firewall & NAT, Static route filtering

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • MrMoosieMan

          I checked the box but I'm still getting the same behavior. When I look at the state table I'm seeing this…

          LAN tcp 10.10.10.227:32400 -> 10.1.1.186:52925 CLOSING:CLOSING 8 / 0 2 KiB / 0 B
          LAN tcp 10.10.10.227:32400 -> 10.1.1.186:52939 CLOSING:CLOSING 8 / 0 2 KiB / 0 B
          LAN tcp 10.10.10.227:32400 -> 10.1.1.186:52986 CLOSING:CLOSING 12 / 0 5 KiB / 0 B
          LAN tcp 10.10.10.227:32400 -> 10.1.1.186:53008 CLOSING:CLOSING 8 / 0 2 KiB /

          Does this mean that the firewall is closing the session or 10.10.10.227?

          Any other ideas?

          Thanks for the help.

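The state-table lines pasted above carry the evidence of the one-way path described in the first post: every state has a packet and byte count in one direction and zero in the other. The following script is an added example, not part of the thread and not pfSense code. It parses lines in the format the pfSense state table shows (interface, protocol, endpoints with an arrow, state pair, packets and bytes for each direction) and flags states the firewall has only ever seen in one direction. The first four sample lines are copied from the post (the last one is truncated there, and the parser tolerates that); the fifth, two-directional line is constructed for contrast.

```python
"""Flag one-way states in pfSense state-table output (added illustration)."""
import re

# Lines copied from the post above; the last of them is truncated in the
# original. The final ESTABLISHED line is constructed as a healthy control.
SAMPLE = """
LAN tcp 10.10.10.227:32400 -> 10.1.1.186:52925 CLOSING:CLOSING 8 / 0 2 KiB / 0 B
LAN tcp 10.10.10.227:32400 -> 10.1.1.186:52939 CLOSING:CLOSING 8 / 0 2 KiB / 0 B
LAN tcp 10.10.10.227:32400 -> 10.1.1.186:52986 CLOSING:CLOSING 12 / 0 5 KiB / 0 B
LAN tcp 10.10.10.227:32400 -> 10.1.1.186:53008 CLOSING:CLOSING 8 / 0 2 KiB /
LAN tcp 10.10.10.227:32400 -> 10.10.10.50:44120 ESTABLISHED:ESTABLISHED 40 / 38 12 KiB / 9 KiB
""".strip().splitlines()

SIZE = r"\d+(?:\.\d+)?\s*[KMGT]?i?B"
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<a>\S+)\s+(?P<arrow>->|<-)\s+(?P<b>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<pkt_a>\d+)\s*/\s*(?P<pkt_b>\d+)\s+"
    rf"(?P<bytes_a>{SIZE})\s*/\s*(?P<bytes_b>{SIZE})?"
)
UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3, "TiB": 1024 ** 4}


def parse_size(text):
    """'2 KiB' -> 2048; '0 B' -> 0. Binary units as pfSense displays them."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)\s*([KMGT]?i?B)", text.strip())
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_state(line):
    """One state-table line -> dict, or None if the line does not match."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["pkt_a"], d["pkt_b"] = int(d["pkt_a"]), int(d["pkt_b"])
    d["bytes_a"] = parse_size(d["bytes_a"])
    # A truncated line (as in the post) has no second byte counter.
    d["bytes_b"] = parse_size(d["bytes_b"]) if d["bytes_b"] else None
    return d


def one_way_states(lines):
    """States where one direction has never carried a packet. A stateful
    firewall that only ever sees one side of a TCP connection is exactly
    what an asymmetric path through it produces."""
    flagged = []
    for line in lines:
        s = parse_state(line)
        if s is None:
            continue
        if s["pkt_a"] == 0 or s["pkt_b"] == 0:
            s["missing_direction"] = (f"{s['b']} -> {s['a']}" if s["pkt_b"] == 0
                                      else f"{s['a']} -> {s['b']}")
            flagged.append(s)
    return flagged


def summarize(lines):
    """Counts plus the peers involved in one-way states, for a quick read."""
    parsed = [s for s in map(parse_state, lines) if s]
    flagged = one_way_states(lines)
    return {
        "parsed": len(parsed),
        "one_way": len(flagged),
        "peers": sorted({s["b"].rsplit(":", 1)[0] for s in flagged}),
        "states": sorted({s["state"] for s in flagged}),
    }


if __name__ == "__main__":
    for s in one_way_states(SAMPLE):
        print(f"{s['iface']} {s['a']} {s['arrow']} {s['b']} {s['state']}: "
              f"no packets for {s['missing_direction']}")
    print(summarize(SAMPLE))
```

Run against the pasted output it flags the four 10.1.1.186 states (zero packets in the direction toward 10.10.10.227) and leaves the constructed two-way state alone. The same check applied to a full `pfctl -ss` dump, or the state table exported from Diagnostics > States, separates states that simply closed from states the firewall never saw the other side of.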
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.