Hairpin routing?

  • Topology -

    I'm having trouble setting up hairpining on the inside interface of my firewall.  Here is what I'm trying to do.

    I'm wanting my remote user ( to be able to access the docker container.  This issue is that the container's default-gateway is the inside interface of the pfSense firewall and not the inside interface of Router1 (see picture)

    When the remote PC tries to connect to the container the path is as follows…

    Remote PC --> Router 2 --> link between routers ( --> Router 1 --> LAN of Router 1 -- Docker Container.

    I want the return traffic from the container to the remote PC to take the following.

    Docker container --> pfSense inside interface --> Router1's LAN interface ( link between routers ( -->  Router 2 --> Remote PC

    Judging from packet-captures I've taken it appears my pfSense box is not forwarding the traffic to Router 1's inside interface ( when it receives traffic from the container - I assume this is caused by the firewall seeing incorrect TCP state and/or NAT/firewall rules.

    Here is what I've configured within the firewall to try to get this working...

    1. Static route to pointing to Router 1's inside IP (
    2. Created a firewall rule that permits traffic to communicate with

    Any help you can give is much appreciated.

  • LAYER 8 Netgate

    If you absolutely cannot design around that asymmetric routing mess, check this checkbox:

    System > Advanced, Firewall & NAT, Static route filtering

  • I checked the box but I'm still getting the same behavior.  When I look at the state table I'm seeing this…

    LAN tcp -> CLOSING:CLOSING 8 / 0 2 KiB / 0 B
    LAN tcp -> CLOSING:CLOSING 8 / 0 2 KiB / 0 B
    LAN tcp -> CLOSING:CLOSING 12 / 0 5 KiB / 0 B
    LAN tcp -> CLOSING:CLOSING 8 / 0 2 KiB /

    Does this mean that the firewall is closing the session or

    Any other ideas?

    Thanks for the help.

Log in to reply