4. Hairpin routing?

Hairpin routing?

  • M

    Topology - https://imgur.com/a/2J7Yt

    I'm having trouble setting up hairpining on the inside interface of my firewall.  Here is what I'm trying to do.

    I'm wanting my remote user (10.1.1.150) to be able to access the docker container.  This issue is that the container's default-gateway is the inside interface of the pfSense firewall and not the inside interface of Router1 (see picture)

    When the remote PC tries to connect to the container the path is as follows…

    Remote PC --> Router 2 --> link between routers (192.168.0.0/30) --> Router 1 --> LAN of Router 1 -- Docker Container.

    I want the return traffic from the container to the remote PC to take the following.

    Docker container --> pfSense inside interface --> Router1's LAN interface (10.1.1.1) link between routers (192.168.0.0/30) -->  Router 2 --> Remote PC

    Judging from packet-captures I've taken it appears my pfSense box is not forwarding the traffic to Router 1's inside interface (10.10.10.1) when it receives traffic from the container - I assume this is caused by the firewall seeing incorrect TCP state and/or NAT/firewall rules.

    Here is what I've configured within the firewall to try to get this working...

    1. Static route to 10.1.1.0/24 pointing to Router 1's inside IP (10.10.10.1)
    2. Created a firewall rule that permits 10.10.10.0/24 traffic to communicate with 10.1.1.0/24

    Any help you can give is much appreciated.

    0
  • LAYER 8 Netgate

    If you absolutely cannot design around that asymmetric routing mess, check this checkbox:

    System > Advanced, Firewall & NAT, Static route filtering

    0
  • M

    I checked the box but I'm still getting the same behavior.  When I look at the state table I'm seeing this…

    LAN tcp 10.10.10.227:32400 -> 10.1.1.186:52925 CLOSING:CLOSING 8 / 0 2 KiB / 0 B
    LAN tcp 10.10.10.227:32400 -> 10.1.1.186:52939 CLOSING:CLOSING 8 / 0 2 KiB / 0 B
    LAN tcp 10.10.10.227:32400 -> 10.1.1.186:52986 CLOSING:CLOSING 12 / 0 5 KiB / 0 B
    LAN tcp 10.10.10.227:32400 -> 10.1.1.186:53008 CLOSING:CLOSING 8 / 0 2 KiB /

    Does this mean that the firewall is closing the session or 10.10.10.227?

    Any other ideas?

    Thanks for the help.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy