Netgate Discussion Forum

    TCP/IP Printing mangled across subnets

    Firewalling
    18 Posts 4 Posters 1.9k Views
      shawniverson
      last edited by

      Re: Corrupted print jobs to different subnets?

      See post above. I can confirm that this is indeed happening in the following example scenario:

      Printer on VLAN10 <--> router from vlan 10 to vlan 12 <--route to pfsense on vlan 12-> pfSense on VLAN 12 <---> Print Server on vlan 12

      So, this problem occurs when multiple static routes are present on the same pfSense interface (in this case, the VLAN12 interface), traffic is entering via a gateway and leaving the same interface on pfSense, and "Bypass firewall rules for traffic on the same interface" is checked to allow traffic on multiple static routes via the same interface.

      Packets should not become mangled in this fashion when entering and leaving the same interface. Disabling the packet filter entirely also allows the traffic through, suggesting that something is still being affected by the packet filter engine despite the bypass setting.

      To troubleshoot, I am moving my router off of the same pfSense interface as the print server tonight to allow a proper state mapping to occur using the packet filter. My guess is that it will start working since it will be a symmetric layout as opposed to an asymmetric one.

        Harvy66
        last edited by

        Why is traffic ingressing and egressing on the same interface? Do you have multiple subnets in the same broadcast domain?

          shawniverson
          last edited by

          I'm not sure what you mean by "broadcast domain." Each subnet by nature of layer 3 is its own broadcast domain. The downstream router ahead of the pfSense is in the same broadcast domain as the print server, and the pfSense functions as the head router for the subnets.

            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz

            @shawniverson said in TCP/IP Printing mangled across subnets:

            an asymmetric one.

            Asymmetrical is always going to be BORKED!!! having multiple vlans on the same interface is not going to be asymmetrical. Having some downstream router sitting on a non transit network for sure is going to be asymmetrical and borked. If you have downstream routers then connect pfsense to them via a transit network.. It could be a vlan sitting on same physical interface as other vlans - but use of transit network will remove asymmetrical problems.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

              shawniverson
              last edited by shawniverson

              Moving the downstream router to its own vlan to create symmetry resolves the issue. I still contend that pfSense should not cause routed traffic to become mangled, even in an asymmetric case.

                johnpoz LAYER 8 Global Moderator
                last edited by johnpoz

                Who said it's mangled? Many services/devices will not function with asymmetrical. And through a firewall you have a problem where states time out, and then traffic gets blocked.

                You can not expect anything to work correctly if the traffic is asymmetrical - especially if through a firewall and or local where I send traffic to mac address abc (your gateway) and then get traffic back from a different mac.

                Depending on the direction of the traffic it's possible the firewall just blocks the answers because it never saw the SYN to open the state, etc. The solution is do not do asymmetrical traffic flow.

                  shawniverson
                  last edited by

                  It is mangled because the payload is getting altered in transit. This is apparent with a packet capture. Asymmetric routing does not cause issues on other platforms including my Cisco routers. Furthermore, if I disable packet filtering in the original scenario, everything functions as expected, so why is the packet filter still interfering when it and the bypass are enabled, and why does it suddenly stop mangling the packets when the packet filter is disabled? Why is the packet filter even a factor here?

                    Derelict LAYER 8 Netgate
                    last edited by

                    Cisco routers are not stateful firewalls. pfSense is, until you disable pf.

                    http://www.cymru.com/gillsr/documents/icmp-redirects-are-bad.pdf

                    Chattanooga, Tennessee, USA
                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      shawniverson
                      last edited by

                      Then what is the point of this setting, and why does it not completely disable packet filtering for this interface and leave the packets unaltered that route via the same interface?

                      Static Route Filtering
                      Bypass firewall rules for traffic on the same interface
                      This option only applies if one or more static routes have been defined. If it is enabled, traffic that enters and leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where multiple subnets are connected to the same interface.

                      I agree that a network shouldn't be asymmetric, but the presence of this setting and the unexpected behavior should be cause for some concern.

                        Derelict LAYER 8 Netgate
                        last edited by Derelict

                        Your design is flawed so your network performance is sub-optimal.

                        Different clients and network devices treat ICMP redirects differently. Your best bet is to design your network so such hackiness is unnecessary.

                          shawniverson
                          last edited by

                          Boy, you are dense and must not have read my earlier post or you would have realized that I have already redesigned my network.

                          "Moving the downstream router to its own vlan to create symmetry resolves the issue."

                          And you are dodging the issue. Static Route Filtering shouldn't be an option in pfSense if it is an unsupported configuration.

                            Derelict LAYER 8 Netgate
                            last edited by Derelict

                            It is not an unsupported configuration. It can "solve" (or paper over) a great many asymmetric routing cases.

                            That it does not work for you in your specific case with your specific types of traffic does not mean the feature is broken.

                              shawniverson
                              last edited by

                              So it is supported. Well, then be advised that you cannot TCP/IP print across a Static Route Filtered interface, which results in packet level alterations that interfere with printing as long as the packet filter is enabled.

                              You did not explain why that is happening or attempt to shed light on it, but with the push-back, I'll leave this here and rest my case.

                                Derelict LAYER 8 Netgate
                                last edited by Derelict

                                @derelict said in TCP/IP Printing mangled across subnets:

                                Different clients and network devices treat ICMP redirects differently.

                                Actually, I did: "Different clients and network devices treat ICMP redirects differently."

                                Packet capture analysis would be necessary to determine exactly what is breaking the flow.

                                Good luck.

                                  johnpoz LAYER 8 Global Moderator @shawniverson
                                  last edited by

                                  @shawniverson said in TCP/IP Printing mangled across subnets:

                                  where multiple subnets are connected to the same interface.

                                  That is just BORKED design out of the gate as well.. There is one valid reason why you would be running multiple layer 3 on the same layer 2... That is during the migration from 1 address scheme to another address scheme..

                                  Something like running some link-local address space on that layer 3, at the same time as a global address.. But I wouldn't really count this as running 2 L3 on the same wire, since one of the address schemes is only designed to be used on the same layer 2, etc.

                                    johnpoz LAYER 8 Global Moderator @shawniverson
                                    last edited by

                                    @shawniverson said in TCP/IP Printing mangled across subnets:

                                    avoid asymmetric configurations....

                                    Told you that 2 months ago.. ;)

                                      shawniverson
                                      last edited by

                                      A packet capture and deep analysis revealed that ICMP redirects were the root cause of the failed print jobs. The printer appeared to not understand these packets. Lesson learned. Hopefully this will serve as a reminder to others to avoid asymmetric configurations....

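The diagnosis in the post above (ICMP redirects in the capture, which the printer did not handle) as an added example, not code from the thread or from pfSense: a small parser that picks IPv4 ICMP redirects (type 5) out of raw packets, rejects any whose checksum does not verify, and tallies which router told which host to use which gateway for which original destination. The addresses, the downstream-router-on-the-same-interface layout and the TCP/9100 print port in the constructed sample are assumptions.

```python
import socket
import struct
from collections import Counter

ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "net", 1: "host", 2: "tos+net", 3: "tos+host"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a message whose checksum is already valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload; only used to construct samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload

def build_redirect(router: str, host: str, gateway: str, quoted: bytes) -> bytes:
    """ICMP host redirect (type 5, code 1) quoting the first 28 bytes of the datagram that triggered it."""
    body = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, socket.inet_aton(gateway)) + quoted[:28]
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return build_ipv4(router, host, 1, body)

def parse_redirect(pkt: bytes):
    """Details of an IPv4 ICMP redirect with a valid checksum; None for any other packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(icmp) < 28 or icmp[0] != ICMP_REDIRECT or inet_checksum(icmp) != 0:
        return None
    quoted = icmp[8:]                      # IP header + 8 bytes of the original datagram
    qihl = (quoted[0] & 0x0F) * 4
    dport = (struct.unpack("!H", quoted[qihl + 2:qihl + 4])[0]
             if quoted[9] in (6, 17) and len(quoted) >= qihl + 4 else None)
    return {"router": socket.inet_ntoa(pkt[12:16]), "host": socket.inet_ntoa(pkt[16:20]),
            "code": REDIRECT_CODES.get(icmp[1], "unknown"), "use_gateway": socket.inet_ntoa(icmp[4:8]),
            "original_dst": socket.inet_ntoa(quoted[16:20]), "original_dport": dport}

def find_redirects(packets):
    """Tally redirects per (router, suggested gateway, original destination) across a capture."""
    return Counter((r["router"], r["use_gateway"], r["original_dst"])
                   for r in map(parse_redirect, packets) if r)

# Constructed sample (made-up addresses): a print job from a host on the firewall's LAN toward a printer
# behind a downstream router on that same interface; the firewall answers each job packet with a redirect.
JOB = build_ipv4("10.12.0.50", "10.10.0.20", 6, struct.pack("!HHII", 49152, 9100, 1, 0))
SAMPLE = [JOB, build_redirect("10.12.0.1", "10.12.0.50", "10.12.0.2", JOB)] * 2
```

`find_redirects(SAMPLE)` reports two redirects from 10.12.0.1 telling the host to reach 10.10.0.20 via 10.12.0.2; a run over a real capture that shows the same pattern is the signal that the layout is asymmetric.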
                                        Derelict LAYER 8 Netgate @shawniverson
                                        last edited by Derelict

                                        @shawniverson said in TCP/IP Printing mangled across subnets:

                                        The printer appeared to not understand these packets.

                                        As soon as you stray
                                        from the tried and true
                                        You never know
                                        what's going to screw you
                                        burma shave

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.