No outbound traffic in transparent bridge mode
-
I followed this setup for pfSense (latest version) for a transparent firewall: https://community.adamnet.works/hc/en-us/articles/115002725594-Running-on-a-Transparent-pfSense-Bridge
Inbound traffic to the server works. The only problem I have is that outbound traffic from a server behind pfSense is not working, except ping. Firewall rules for WAN, LAN, and OPT1 (bridge) are set to allow all (including protocol any).
States show: NO_TRAFFIC:SINGLE
-
Not working except ping sounds like an asymmetric routing problem. Is the server still using pfSense as its gateway rather than whatever is upstream?
Steve
-
The server is using the upstream gateway (all public IP addresses).
-
Do you see the outbound traffic blocked in the firewall log?
If so, what exactly does the block show? I expect it to show flagged TCP packets.
Steve
-
There is no traffic blocked in the firewall log; traffic is passed according to the log when logging is turned on.
-
Then I would run a packet capture on WAN and see what's actually leaving and coming back.
What are you actually attempting from the server that is failing? How is it failing?
Steve
-
I try to SSH to another server on the WAN side of pfSense; only ping works, and inbound traffic.
packet dump:
a.a.a.a.40684 > a.a.a.b.22: Flags [S], cksum 0x4434 (incorrect -> 0xca78), seq 4262675153, win 29200, options [mss 1460,sackOK,TS val 2616871823 ecr 0,nop,wscale 7], length 0
-
OK, so no reply packets coming back at all. Is that server's MAC/IP in the ARP table?
Can you ssh to it from pfSense? If there is a subnet error on one of those machines it might be replying to its gateway and hence you have asymmetric routing.
Steve
-
I can do SSH from pfSense to the server on the WAN side. From the server on the WAN side I can do SSH to the internal server.
The ARP table only shows the bridge interface OPT1 and the gateway from the provider.
-
I can also SSH to pfSense from the internal server; then its MAC address pops up in the ARP table.
-
Can you ssh to pfSense from the WAN side server?
There are no reply packets at all so either the server is not replying at all or it's replying via a different route.
If there was some subnet mask issue or a bad route I would not expect pfSense to make any difference there. It would still fail if you removed pfSense and connected the internal server directly, is that the case?
Steve
-
I can SSH from WAN to pfSense, and the server also works when connected directly. When in bridge mode, the subnet or gateway shouldn't matter?
-
pfSense runs in a VM on Proxmox; can that be a problem with the Linux bridge Proxmox uses?
I did a second setup with pfSense in NAT mode and a local IP address on the LAN side, same problem with outbound connections. I can only ping.
EDIT: Found the solution: disable "Hardware Checksum Offloading" for the Proxmox VirtIO interface.
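The capture Steve asked for is the quickest way to tell this failure mode apart from a routing problem. The script below is an added example, not something posted in the thread or shipped with pfSense: it scans a saved `tcpdump -v` text capture from the WAN side for the two symptoms visible above, TCP checksums that tcpdump marks as "incorrect" and SYNs that never receive a SYN-ACK. The sample capture embedded in it is constructed, modelled on the single line the poster quoted, with a second healthy handshake added for contrast.

```shell
#!/bin/sh
# Added example (not from the thread): scan a saved "tcpdump -v" text capture
# from the pfSense WAN side for two symptoms seen above: TCP checksums that
# tcpdump flags as "incorrect", and SYNs that never get a SYN-ACK back.

# Constructed sample capture, modelled on the line posted in the thread.
# The first flow is the failing SSH attempt (bad checksum, no reply); the
# second is a healthy handshake for contrast; ICMP keeps working either way.
SAMPLE_CAPTURE="$(mktemp)"
trap 'rm -f "$SAMPLE_CAPTURE"' EXIT
cat > "$SAMPLE_CAPTURE" <<'EOF'
a.a.a.a.40684 > a.a.a.b.22: Flags [S], cksum 0x4434 (incorrect -> 0xca78), seq 4262675153, win 29200, options [mss 1460,sackOK,TS val 2616871823 ecr 0,nop,wscale 7], length 0
a.a.a.a.40684 > a.a.a.b.22: Flags [S], cksum 0x4434 (incorrect -> 0xca78), seq 4262675153, win 29200, options [mss 1460,sackOK,TS val 2616872850 ecr 0,nop,wscale 7], length 0
a.a.a.a > a.a.a.b: ICMP echo request, id 1234, seq 1, length 64
a.a.a.b > a.a.a.a: ICMP echo reply, id 1234, seq 1, length 64
c.c.c.c.51000 > a.a.a.b.22: Flags [S], cksum 0x1a2b (correct), seq 1000, win 29200, options [mss 1460], length 0
a.a.a.b.22 > c.c.c.c.51000: Flags [S.], cksum 0x3c4d (correct), seq 2000, ack 1001, win 65535, options [mss 1460], length 0
EOF

# Number of packets whose transport checksum tcpdump reported as incorrect.
# On the capturing host's own outbound packets this is normal when TX
# offloading is on (the NIC fills the checksum in later); on traffic that is
# merely being forwarded through the bridge it is the signature of the
# VirtIO offload problem the thread ends on.
count_bad_cksum() {
    grep -c 'cksum 0x[0-9a-f]* (incorrect' "$1" || true
}

# Number of distinct "src > dst" flows that sent a SYN but never saw a SYN-ACK
# come back. It locates the ">" field instead of assuming fixed columns, so it
# works with or without tcpdump's timestamp and "IP" prefix.
unanswered_syns() {
    awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i == ">") { src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst); break }
            }
        }
        /Flags \[S\],/   { syn[src " > " dst] = 1 }
        /Flags \[S\.\],/ { ack[dst " > " src] = 1 }
        END {
            n = 0
            for (k in syn) if (!(k in ack)) n++
            print n
        }
    ' "$1"
}

# Usage: sh check_capture.sh [capture.txt]; with no argument the constructed
# sample is scanned. Save a real capture with: tcpdump -vni <wan_if> > capture.txt
CAPTURE="${1:-$SAMPLE_CAPTURE}"
echo "packets with incorrect checksum: $(count_bad_cksum "$CAPTURE")"
echo "SYNs with no SYN-ACK:            $(unanswered_syns "$CAPTURE")"
```

Bad checksums on forwarded packets together with unanswered SYNs, while ICMP (which carries its own, unoffloaded checksum) still works, is what separates this case from the asymmetric routing Steve first suspected. On pfSense the fix the poster found corresponds to the "Disable hardware checksum offload" option under System > Advanced > Networking; on a FreeBSD shell the same thing can be checked per interface with `ifconfig vtnet0` (look for TXCSUM/RXCSUM in the options) and turned off with `ifconfig vtnet0 -txcsum -rxcsum`.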