Routed traffic being subjected to state inspection
-
I'm doing a slow transition from PIX to pfSense. A simplified version of my setup looks like this:
On the VA_pfSense box I have a static route on the LAN interface that says:
Network: 10.1.2.0/24 Gateway: 10.1.1.1
Everything works ok if the TCP sessions are originated from System A connecting to System B.
But if System B tries to initiate a TCP session with System A, the pfSense box drops the reply packet for the connection request and the connection times out. I see the dropped packet in the firewall logs.
I can create a route on System A and point it to the PIX for all 10.1.2.0-bound traffic, but I'd rather not do that.
Why is pfSense checking TCP connection state for traffic that is not traversing from one interface to another on it? Is there a way around it?
I do not have this problem with ICMP. Have not tested UDP.
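The behaviour described in the post is what a stateful packet filter does on an asymmetric path: pf creates TCP state from the SYN, and a SYN-ACK that arrives with no matching state is dropped. The following is an added model of that (it is not pfSense or pf code, and the addresses, ports and the `require_syn` knob are constructed for the illustration). System A's default gateway is pfSense, so everything A sends crosses it; the PIX delivers System B's packets to A directly, so pfSense never sees them. With A originating, pfSense sees the SYN and the final ACK and both pass; with B originating, the only packet pfSense sees is A's SYN-ACK, which arrives stateless and is blocked, exactly the log entry the post mentions.

```python
"""Model of pf-style TCP state tracking on a symmetric vs. asymmetric path.
Added illustration only; not pfSense, pf or PIX code."""
from dataclasses import dataclass

# Constructed addresses for the illustration (not taken from the post).
A = "10.1.1.50"   # System A, behind pfSense, default gateway = pfSense
B = "10.1.2.20"   # System B, behind the PIX (10.1.1.1)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


class StatefulFilter:
    """Simplified stateful TCP filter.

    require_syn=True mimics pf's default 'flags S/SA' behaviour: only a bare
    SYN may create a state entry; anything else without state is blocked.
    require_syn=False is a hypothetical relaxed mode that creates state from
    any TCP packet (pfSense's 'sloppy' state option is the real-world
    analogue, though it does more than this model shows).
    """

    def __init__(self, require_syn: bool = True) -> None:
        self.require_syn = require_syn
        self.states: set[tuple] = set()
        self.log: list[str] = []

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> tuple:
        return (p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        # Either direction of an existing state passes.
        if self._key(p) in self.states or self._reverse_key(p) in self.states:
            return "pass"
        if p.flags == "S" or not self.require_syn:
            self.states.add(self._key(p))
            return "pass"
        # No state and not a SYN: pf's default deny with logging.
        self.log.append(f"block tcp {p.src}:{p.sport} -> {p.dst}:{p.dport} flags {p.flags}")
        return "drop"


def transits_pfsense(p: Packet) -> bool:
    """A's traffic always crosses pfSense (its default gateway); B's traffic is
    handed to A directly by the PIX, so pfSense never sees it."""
    return p.src == A


def handshake(client: str, server: str) -> list[Packet]:
    """The three packets of a TCP handshake, client ephemeral port to port 80."""
    cport, sport = 40000, 80
    return [
        Packet(client, server, cport, sport, "S"),
        Packet(server, client, sport, cport, "SA"),
        Packet(client, server, cport, sport, "A"),
    ]


def run(originator: str, require_syn: bool = True) -> list[tuple[str, str]]:
    """Return (flags, verdict) for every handshake packet pfSense actually sees."""
    fw = StatefulFilter(require_syn)
    peer = B if originator == A else A
    verdicts = []
    for p in handshake(originator, peer):
        if transits_pfsense(p):
            verdicts.append((p.flags, fw.filter(p)))
    return verdicts


if __name__ == "__main__":
    print("A originates:", run(A))                    # SYN and ACK both pass
    print("B originates:", run(B))                    # lone SYN-ACK is dropped
    print("B originates, relaxed:", run(B, require_syn=False))
```

The model makes the practical point explicit: the filter is not being applied because the packet crosses two interfaces, it is applied because pf keeps state for every TCP flow it forwards, and the flow here is only half-visible to it. On pfSense the usual places to look for this situation are the firewall rule's "sloppy" state option and the advanced option that bypasses firewall rules for traffic entering and leaving the same interface when static routes are defined; the model's `require_syn=False` only approximates the first of those.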
-
Found it.
-
I don't have anything to add to the topic, but I thought the topic was amusing. I read it as thinking you needed a way for a 'State authority' to inspect the traffic pfsense routes. Amusing to find you were talking about connection state ;)