4. Source-routing and NAT port forwarding issue

Source-routing and NAT port forwarding issue

  • G

    Hello,

    In my pfSense on APU2 setup, the packets coming from a particular host in the LAN
    are source-routed to a VPN interface, thanks to a LAN rule matching the source IP.
    The packets are then NATed and go through the VPN. This is working fine, validating
    the source-routing mecanism.

    For a service on the inside host, a port forward from the VPN interface is needed.

    I've added the port forward rule along with its linked rule, and the packets coming from
    the VPN on the defined port are reaching the inside host.

    TCP sessions are not getting established though. It happens that in response to the
    client's SYN packet, the inside host effectively sends the SYN/ACK, but :
    This SYN/ACK isn't source-routed to the VPN interface, but goes to the default, as if the
    source-routing rule was not matched.

    The "Bypass firewall rules for traffic on the same interface" doesn't work, and it makes
    sense because the SYN/ACK packet isn't hitting the proper interface (VPN one).

    Do i miss something obvious ? Is there a way to "trace" the packets and understand why
    the SYN/ACK one wouldn't by matched by the source-routing rule, although it obvisouly
    matches the source IP ?

    Thank you

    G

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy