Simple firewall as router



  • Hi all,

    Can pfSense not check the TCP SYN flag and keep state on all interfaces? For example:

    Action: Accept
    Interface: LAN
    Protocol: tcp
    Source: *
    Source port: *
    Destination: 202.x.x.x.x
    Destination port: 443

    If the destination and destination port match, allow the packet outgoing to the WAN interface even if asymmetric routing happens (now pfSense uses the default IPv4 block rule to block the packet).

    Please advise.


  • Netgate Administrator

    Yes: https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html

    But really you should find out why it's asymmetric and fix that.

    Unless you really want it to be a router only in which case you can disable pf entirely.

    Steve



  • Hi Steve,

    I read the doc before and followed the doc to configure it. It does not work.

    My flow is:
    ISP1 ---- (WAN) Router (LAN) ---- Server ---- (LAN) pfSense (WAN) ---- ISP2.

    In pfSense:

    1. Checked the "Bypass firewall rules for traffic on the same interface" option located under System > Advanced on the Firewall/NAT tab.

    2. Added the same rule on the LAN and Floating interfaces:
      Action: Accept
      Interface: LAN
      Protocol: tcp
      Source: *
      Source port: *
      Destination: 202.x.x.x.x
      Destination port: 443

      State type: sloppy
      TCP flags: any flags


  • Netgate Administrator

    That rule would have to exist in on LAN and out on WAN since states would not exist on either interface.

    If that traffic is replies going back from the server via ISP2 the destination port will not be 443. The client would have used that initially. The destination IP will be the client address and the destination port will probably be unknown.

    Why does the server not just reply back to ISP1?

    Steve



  • Hi,

    I tried to change the rule set to:

    Action: Accept
    Interface: LAN
    Protocol: tcp
    Source: *
    Source port: *
    Destination: *
    Destination port: *

    It still does not work. I tried the command pfctl -d; that works. So I think the firewall rule set blocks my traffic. We cannot control the incoming traffic; therefore we have an asymmetric routing issue in our network.


  • Netgate Administrator

    But it is only the reply traffic that goes back out through pfSense, yes?

    As I said you will need an OUT rule on WAN since that will also be out of state TCP traffic.

    Let's see a screenshot of the blocked traffic you're seeing.

    Steve
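
The rule pair Steve describes, written as a raw pf ruleset so the two points in this thread are visible in one place: the reply packets from the server have source port 443 (not destination port 443, as in the original poster's rule), and they are out of state both when they arrive on LAN and when they leave on WAN, so each direction needs its own rule with TCP flag checking disabled and sloppy state tracking. This is an added illustration, not pfSense's own generated ruleset (pfSense writes its rules from the GUI; the expanded result can be read in /tmp/rules.debug on the box). The interface names, the server address and the WAN-side topology are assumptions chosen for the example.

```pf
# Constructed example: replace with the real interfaces and addresses.
lan_if = "igb1"          # assumed LAN interface facing the server
wan_if = "igb0"          # assumed WAN interface facing ISP2
server = "192.0.2.10"    # assumed server address (RFC 5737 documentation range)

set skip on lo0

# Default deny: anything not matched below is logged and dropped.
# This is the "Default deny rule IPv4" entry seen in the firewall log.
block log all

# Replies from the server arrive on LAN without pfSense ever having seen the
# SYN (the handshake came in via ISP1 and the other router). Normal rules
# require the SYN to create state, so the packet is dropped by the block above.
# "flags any" stops the flag check; "sloppy" accepts mid-stream packets.
# Note the match is on the *source* port 443, since this is the reply leg.
pass in quick on $lan_if proto tcp from $server port 443 to any \
    flags any keep state (sloppy)

# The same packets are also out of state on the way out of WAN, because no
# state was created by an inbound SYN on that interface either. Without this
# out rule the traffic passes LAN and is then dropped on WAN.
pass out quick on $wan_if proto tcp from $server port 443 to any \
    flags any keep state (sloppy)
```

Check the syntax before loading with `pfctl -nf /path/to/rules` (the `-n` flag parses without installing the ruleset). In the pfSense GUI the equivalent is a pass rule on LAN with direction "in" and a Floating rule on WAN with direction "out", both with "State type" set to Sloppy and "TCP Flags" set to Any flags. Disabling pf entirely with `pfctl -d`, as the original poster did, confirms the rules are the cause but also removes every other filter, NAT and state check, so it is a diagnostic, not a fix.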

