• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Weird routing issue

Scheduled Pinned Locked Moved Routing and Multi WAN
15 Posts 2 Posters 951 Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • K
    Kevin S Pare
    last edited by Jun 20, 2019, 6:48 PM

    We are trying to phase out some ubiquiti routers and our last untangle router.

    Currently we have a web gateway sitting behind a ubiquti router, its a ts/citrix gateway to servers on the same vlan and on another vlan routed through the untangle router.

    The web gateway's default gw is the ubnt router, the ubnt router has a static route to get to the other vlan via the untangle.

    Pretty easy straight forward stuff.

    When we swapped in the pfsense router, everything appeared to work properly, but we found the connection/routing would only stay alive for 10-30 seconds and then it wouldn't work anymore.

    servers on the same vlan as the pfsense router would work fine, but it would not route traffic back through the untangle.

    We have a lan firewall rule that is basically allow anything to anything on the lan interface.

    but again it starts to work and then dies.

    Let me know if you need anymore clarification, for the time being I think I get can around this by adding the static route on the webgateway to get to the other vlan, but I shouldn't have to do this as it works on the ubnt router just fine.

    1 Reply Last reply Reply Quote 0
    • D
      Derelict LAYER 8 Netgate
      last edited by Jun 20, 2019, 6:49 PM

      Draw it.

      Sounds like asymmetry.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      K 1 Reply Last reply Jun 20, 2019, 6:53 PM Reply Quote 0
      • K
        Kevin S Pare
        last edited by Jun 20, 2019, 6:50 PM

        Some additional info.

        I have another pfsense router that hosts my vpn tunnels.

        From the across the vpn I can hit anything that uses the pfsense router for the vpn tunnels.

        If I try to hit a machine that uses another pfsense router, the static route doesn't work.

        I can hit the second pfsense router from across the vpn, so the routing is working, but I can't hit anything that uses the second pfsense router as a gateway.

        I'm missing something stupid.

        1 Reply Last reply Reply Quote 0
        • K
          Kevin S Pare @Derelict
          last edited by Jun 20, 2019, 6:53 PM

          @Derelict It's just basic routing. But something is blocking traffic somewhere and i can't see it or i'm missing it.

          1 Reply Last reply Reply Quote 0
          • D
            Derelict LAYER 8 Netgate
            last edited by Jun 20, 2019, 6:56 PM

            A state disappearing (working for 30-ish seconds then stopping) indicates an asymmetric routing problem. The firewall state is not seeing all of the TCP handshake.

            Like I said, diagram it out.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            K 1 Reply Last reply Jun 21, 2019, 4:32 PM Reply Quote 1
            • K
              Kevin S Pare
              last edited by Jun 20, 2019, 6:59 PM

              from the VPN side I can't get tcp packets in but ICMP works. Smells like a firewall rule but I have a allow ip any any rule to prevent that. I'll try and get a basic drawing for you.

              But again this is pretty basic stuff, and worked with the Ubiquiti router.

              I'm not a novice user, pretty advanced, ccnp ccdp etc . It just doesn't make any sense lol.

              1 Reply Last reply Reply Quote 0
              • D
                Derelict LAYER 8 Netgate
                last edited by Jun 20, 2019, 7:01 PM

                from the VPN side I can't get tcp packets in but ICMP works.

                Exactly, that sounds like asymmetric routing too.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                1 Reply Last reply Reply Quote 0
                • K
                  Kevin S Pare
                  last edited by Kevin S Pare Jun 20, 2019, 7:11 PM Jun 20, 2019, 7:09 PM

                  routing2.jpg

                  I have a computer using 10.0.0.2 as it's default gateway.

                  and a computer on 192.168.1.x vpn.

                  The computer using 10.0.0.2 as a gateway can get to the computer on 192.168.1.0

                  The computer on the vpn can not get back to the computer using 10.0.0.2.

                  But they can ping each other.

                  P2 has the simple default routes, but its like the route isn't obey'ed or it's trying to nat the traffic?

                  1 Reply Last reply Reply Quote 0
                  • K
                    Kevin S Pare
                    last edited by Jun 20, 2019, 8:23 PM

                    I think I got it figured out. I had to put in some no-nat rules in the outbound nat settings. Still testing, but it seems like I need an outbound nonat rule that matches my static routes.

                    1 Reply Last reply Reply Quote 0
                    • K
                      Kevin S Pare @Derelict
                      last edited by Jun 21, 2019, 4:32 PM

                      @Derelict I dug into this some more this morning. and you were right. I enabled "Bypass firewall rules for traffic on the same interface" this appears to have resolved all of our issues.

                      D 1 Reply Last reply Jun 21, 2019, 5:05 PM Reply Quote 0
                      • D
                        Derelict LAYER 8 Netgate @Kevin S Pare
                        last edited by Jun 21, 2019, 5:05 PM

                        @Kevin-S-Pare I would fix the asymmetric routing instead but that's probably just me.

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                        1 Reply Last reply Reply Quote 0
                        • K
                          Kevin S Pare
                          last edited by Jun 21, 2019, 5:08 PM

                          I'm not sure how I can do that exactly right now. the only real way is to add static routes on all the various machines. unless i'm missing something obvious.

                          1 Reply Last reply Reply Quote 0
                          • D
                            Derelict LAYER 8 Netgate
                            last edited by Jun 21, 2019, 5:08 PM

                            Put in a transit network to whatever is routing and get it off the same segment as other hosts.

                            Chattanooga, Tennessee, USA
                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                            Do Not Chat For Help! NO_WAN_EGRESS(TM)

                            1 Reply Last reply Reply Quote 0
                            • K
                              Kevin S Pare
                              last edited by Jun 21, 2019, 5:18 PM

                              A -> B -> C -> E - Traffic From Remote Location

                              E -> D -> C -> B -> A Traffic Going Back

                              A = Remote Server
                              B = Remote Cisco Router
                              C = PFSense Router 1
                              D = PFSense Router 2
                              E = Local Server

                              VPN Tunnel between B and C
                              E = Has services hosted via the wan connection on D, but needs to talk to a server over the VPN Tunnel

                              Where would you put a transit network. That seems like it would complicate a rather simple configuration?

                              1 Reply Last reply Reply Quote 0
                              • D
                                Derelict LAYER 8 Netgate
                                last edited by Jun 21, 2019, 5:48 PM

                                It's not simple. It's asymmetric. It breaks TCP through stateful firewalls as you have found out.

                                I can't make anything out of that "diagram". I'll need more detail. Like interface addresses, subnets, etc.

                                Chattanooga, Tennessee, USA
                                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                1 Reply Last reply Reply Quote 0
                                15 out of 15
                                • First post
                                  15/15
                                  Last post
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                  This community forum collects and processes your personal information.
                                  consent.not_received