4. TCP/IP Printing mangled across subnets

TCP/IP Printing mangled across subnets

  • S

    Re: Corrupted print jobs to different subnets?

    See post above. I can confirm that this is indeed happening in the following example scenario:

    Printer on VLAN10 <--> router from vlan 10 to vlan 12 <--route to pfsense on vlan 12-> pfSense on VLAN 12 <---> Print Server on vlan 12

    So, this problem occurs when multiple static routes are present on the same pfSense interface (in this case, the VLAN12 interface), traffic is entering via a gateway and leaving the same interface on pfSense, and "Bypass firewall rules for traffic on the same interface" is checked to allow traffic on multiple static routes via the same interface.

    Packets should not become mangled in this fashion when entering and leaving the same interface. Disabling the packet filter entirely also allows the traffic through, suggesting that something is still be affected by the packet filter engine despite the bypass setting.

    To troubleshoot, I am moving my router off of the same pfSense interface as the print server tonight to allow a proper state mapping to occur using the packet filter. My guess is that it will start working since it will be a symmetric layout as opposed to an asymmetric one.

    0
  • H

    Why is traffic ingressing and egressing on the same interface? Do you have mutliple subnets in the same broadcast domain?

    0
  • S

    I'm not sure what you mean by "broadcast domain." Each subnet by nature of layer 3 is its own broadcast domain. The downstream router ahead of the pfSense is in the same broadcast domain as the print server, and the pfSense functions as the head router for the subnets.

    0
  • Rebel Alliance Global Moderator

    @shawniverson said in TCP/IP Printing mangled across subnets:

    an asymmetric one.

    Asymmetrical is always going to be BORKED!!! having multiple vlans on the same interface is not going to be asymmetrical. Having some downstream router sitting on a non transit network for sure is going to be asymmetrical and borked. If you have downstream routers then connect pfsense to them via a transit network.. It could be a vlan sitting on same physical interface as other vlans - but use of transit network will remove asymmetrical problems.

    0
  • S

    Moving the downstream router to its own vlan to create symmetry resolves the issue. I still contend that pfSense should not cause routed traffic to become mangled, even in an asymmetric case.

    0
  • Rebel Alliance Global Moderator

    Who said it's mangled? Many services/devices will not function with asymmetrical. And through a firewall you have a problem where states time out, and then traffic gets blocked.

    You can not expect anything to work correctly if the traffic is asymmetrical - especially if through a firewall and or local where I send traffic to mac address abc (your gateway) and then get traffic back from a different mac.

    Depending on the direction of the traffic its possible the firewall just blocks the answers because it never saw the syn to open the state, etc. The solution is do not do asymmetrical traffic flow.

    0
  • S

    It is mangled because the payload is getting altered in transit. This is apparent with a packet capture. Asymmetric routing does not cause issues on other platforms including my cisco routers. Furthermore, if I disable packet filtering in the original scenario, everything functions as expected, so why is the packet filter still interfering when it and the bypass is enabled, and why does it suddenly stop mangling the packets when the packet filter is disabled? Why is the packet filter even a factor here?

    0
  • Netgate

    Cisco routers are not stateful firewalls. pfSense is, until you disable pf.

    http://www.cymru.com/gillsr/documents/icmp-redirects-are-bad.pdf

    0
  • S

    Then what is the point of this setting, and why does it not completely disable packet filtering for this interface and leave the packets unaltered that route via the same interface?

    Static Route Filtering
    Bypass firewall rules for traffic on the same interface
    This option only applies if one or more static routes have been defined. If it is enabled, traffic that enters and leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where multiple subnets are connected to the same interface.

    I agree that a network shouldn't be asymmetric, but the presence of this setting and the unexpected behavior should be cause for some concern.

    0 1 Reply
  • Netgate

    Your design is flawed so your network performance is sub-optimal.

    Different clients and network devices treat ICMP redirects differently. Your best bet is to design your network so such hackiness is unnecessary.

    0
  • S

    Boy, you are dense and must not have read my earlier post or you would have realized that I have already redesigned my network.

    "Moving the downstream router to its own vlan to create symmetry resolves the issue."

    And you are dodging the issue. Static Route Filtering shouldn't be an option in pfSense if it is an unsupported configuration.

    0
  • Netgate

    It is not an unsupported configuration. It can "solve" (or paper over) a great many asymmetric routing cases.

    That it does not work for you in your specific case with your specific types of traffic does not mean the feature is broken.

    0
  • S

    So it is supported. Well, then be advised that you cannot TCP/IP print across a Static Route Filtered interface, which results in packet level alterations that interfere with printing as long as the packet filter is enabled.

    You did not explain why that is happening or attempt to shed light on it, but with the push-back, I'll leave this here and rest my case.

    0
  • Netgate

    @derelict said in TCP/IP Printing mangled across subnets:

    Different clients and network devices treat ICMP redirects differently.

    Actually, I did: "Different clients and network devices treat ICMP redirects differently."

    Packet capture analysis would be necessary to determine exactly what is breaking the flow.

    Good luck.

    0
  • Rebel Alliance Global Moderator

    @shawniverson said in TCP/IP Printing mangled across subnets:

    where multiple subnets are connected to the same interface.

    That is just BORKED design out of the gate as well.. There is one valid reason when you would be running multiple layer 3 on the same layer 2... That is during the migration from 1 address scheme to another address scheme..

    Something like running some link-local address space on that layer 3, at the same time as a global address.. But I wouldn't really count this as running 2 L3 on the same wire, since 1 of the address scheme's is only designed to be used on the same layer 2, etc.

    0
  • Rebel Alliance Global Moderator

    @shawniverson said in TCP/IP Printing mangled across subnets:

    avoid asymmetric configurations....

    Told you that 2 months ago.. ;)

    0
  • S

    A packet capture and deep analysis revealed that ICMP redirects were the root cause of the failed print jobs. The printer appeared to not understand these packets. Lesson learned. Hopefully this will serve as a reminder to others to avoid asymmetric configurations....

    1 2 Replies
  • Netgate

    @shawniverson said in TCP/IP Printing mangled across subnets:

    The printer appeared to not understand these packets.

    As soon as you stray
    from the tried and true
    You never know
    what's going to screw you
    burma shave

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy