Problem with policiy routing and port forwarding : traffic not routed back



  • Hi,

    I have an understanding problem, about how pfsense works internally and how I may solve my problem. Any help will be greatly appreciated.

    I have this setup (I cannot change it) :

    Internet -> firewall_A (pfsense) -> –,--> network_1 -> firewall_1 (pfsense) -> network_2
    Internet -> firewall_B (pfsense) -> _/

    • several hosts (machines) are connected to network_2
    • on firewall_1, I explicitly did not setup a default gw, since traffic may flow to one of both Internet connections. Instead I use "policy routing" for hosts in network_2, in form of firewall rules with an explicit gateway based on the host IP.
    • for different hosts in network_2, I may select firewall_A or firewall_B as gateway, which is exactlly what I want.

    My problem arise when I tried to configure a port forwarding on firewall_A :

    • incoming connections flows from firewall_A to firewall_1 and reach hosts in network_2
    • but the response of hosts then stay in firewall_1 and are not routed back to original gateway.

    Other observations:

    • response packet have an Internet IP as destination (which are not routed by firewall_1)
    • response packet does not flow through the firewall rules (I tried floating+quick rules in order to log them, but none works)

    My assumptions:

    • firewall_1 keep in its connection state but do not keep the origine gateway, so it is not able to route the response packets.
    • firewall_1 keep a state for the connection and ignore the firewall rules (policy-routing)

    Does my explaination make any sense to you ?...

    Best regards,

    Damien



  • I'm running into the same problem, trying to add a firewall to an existing multi-gateway network.

    In our case, we have 3 firewalls not in our control, on different subnets, but connected to the same VLAN.

    We're wanting to do 1-1 NAT'ing from addresses in these subnets to addresses in the internal network

    In our case, I believe the optimum solution would be to get the 3 subnets split into 3 VLANs. I don't know if that's feasible in your case, if the 2 firewalls are on the same subnet and you can't change the setup.

    Was wondering if you'd got any further with the problem? If there were a way of defining alternative routing tables and assigning the routing table in the inbound rule, I think that would allow situations like this, but I can't see a way of doing this in the GUI.



  • Hi neilh23,

    Thank you for your response  :)

    We may put our 'extern firewalls' in separate VLAN, but I do not see how it will help.

    For now we just add NAT in our extern firewalls. It works, but the drawback is that services in our DMZ do not see real source IP of incoming traffic anymore.

    Regards,

    Damien


Log in to reply