Routed traffic being subjected to state inspection



  • I'm doing a slow transition from PIX to pfSense. A simplified version of my setup looks like this:

    On the VA_pfSense box I have a static route on the LAN interface that says:

    Network: 10.1.2.0/24  Gateway: 10.1.1.1

    Everything works ok if the TCP sessions are originated from System A connecting to System B.

    But if System B tries to initiate a TCP session with System A, the pfSense box drops the reply packet for the connection request and the connection times out. I see the dropped packet in the firewall logs.

    I can create a route on System A and point it to the PIX for all 10.1.2.0 bound traffic, but I'd rather not do that.

    Why is pfSense checking TCP connection state for traffic that is not traversing from one interface to another on it? Is there a way around it?

    I do not have this problem with ICMP. Have not tested UDP.
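The behaviour described in the post is the classic asymmetric-routing problem with a stateful firewall: pf only creates a TCP state entry when it sees the initial SYN, and a SYN/ACK that arrives with no matching state is dropped, even when the packet merely goes back out the same interface it came in on. The following model is an added illustration, not pfSense or pf code, and it ignores pf's sequence-number window tracking. The host addresses are assumptions: System A is 10.1.1.10 with pfSense (10.1.1.254) as its default gateway, the PIX is 10.1.1.1, and System B is 10.1.2.20 behind the PIX, reached from pfSense via the static route 10.1.2.0/24 -> 10.1.1.1 given in the post.

```python
"""Why a stateful firewall drops the reply half of an asymmetrically routed
TCP handshake.  Added illustration, not pfSense/pf code.  Addresses are
assumed: A = 10.1.1.10, pfSense LAN = 10.1.1.254 (A's default gateway),
PIX = 10.1.1.1, B = 10.1.2.20, with 10.1.2.0/24 routed via 10.1.1.1 out the
same LAN interface, as in the post."""
from dataclasses import dataclass

SYN = 0x02
ACK = 0x10
SYN_ACK = SYN | ACK

A, PFSENSE, PIX, B = "10.1.1.10", "10.1.1.254", "10.1.1.1", "10.1.2.20"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class StatefulFilter:
    """Simplified pf-style TCP state tracking: a flow gets a state entry only
    when the firewall sees its initial SYN; later packets must match an entry
    in either direction or they are blocked.  keep_state=False models a rule
    that does not create state (pf's 'no state' option), where every packet
    is judged on its own."""

    def __init__(self, keep_state=True):
        self.keep_state = keep_state
        self.states = set()  # 4-tuples of flows whose SYN we saw

    def filter(self, pkt):
        if not self.keep_state:
            return "pass"
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.states or rev in self.states:
            return "pass"          # belongs to a flow tracked from its SYN
        if pkt.flags == SYN:
            self.states.add(fwd)   # new connection: create state
            return "pass"
        return "block"             # e.g. a SYN/ACK with no matching state


def a_initiates(fw):
    """A -> B.  A's SYN and ACK go through pfSense (A's default gateway);
    B's SYN/ACK comes back via the PIX straight to A, so pfSense never sees
    it.  Returns the verdicts for the packets pfSense does see."""
    seen = [
        Packet(A, 40000, B, 22, SYN),      # step 1, via pfSense: state created
        # step 2, B's SYN/ACK, travels PIX -> A and bypasses pfSense
        Packet(A, 40000, B, 22, ACK),      # step 3, via pfSense: matches state
    ]
    return [fw.filter(p) for p in seen]


def b_initiates(fw):
    """B -> A.  B's SYN reaches A via the PIX without touching pfSense; A's
    SYN/ACK goes to its default gateway, pfSense, which routes it back out the
    LAN interface towards 10.1.1.1.  pfSense holds no state for this flow."""
    seen = [
        # step 1, B's SYN, travels PIX -> A and bypasses pfSense
        Packet(A, 22, B, 50000, SYN_ACK),  # step 2, via pfSense: no state
    ]
    return [fw.filter(p) for p in seen]


if __name__ == "__main__":
    print("A initiates, stateful :", a_initiates(StatefulFilter()))
    print("B initiates, stateful :", b_initiates(StatefulFilter()))
    print("B initiates, no state :", b_initiates(StatefulFilter(keep_state=False)))
```

Running it shows the first scenario passing everything pfSense sees, the second blocking A's SYN/ACK, and the same SYN/ACK passing once state tracking is disabled for that traffic. In pf terms the knobs that change this outcome are a rule written with `no state` or with `sloppy` state tracking for the affected traffic, or pfSense's "Bypass firewall rules for traffic on the same interface" option; the post does not say which of these the original poster ended up using.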



  • Found it.



  • I don't have anything to add to the topic, but I thought the topic was amusing. I read it as thinking you needed a way for a 'State authority' to inspect the traffic pfsense routes. Amusing to find you were talking about connection state ;)


Locked