Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Simple firewall as router

    General pfSense Questions
    2
    6
    103
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      tomli last edited by

      Hi all,

      Can pfsense don't check the tcp-syn flag and keep state in all interfaces? For example:-

      Action: Accept
      Interface: LAN
      Protocol: tcp
      Source: *
      Source port: *
      Destination: 202.x.x.x.x
      Destination port: 443

      If the destination and destination port matched, allow the packet outging to wan interface even if asymmetric route is happened (now pfsense use the default ipv4 block rule to block the packet).

      Please advise.

      1 Reply Last reply Reply Quote 0
      • stephenw10
        stephenw10 Netgate Administrator last edited by stephenw10

        Yes: https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html

        But really you should find out why it's asymmetric and fix that.

        Unless you really want it to be a router only in which case you can disable pf entirely.

        Steve

        T 1 Reply Last reply Reply Quote 0
        • T
          tomli @stephenw10 last edited by

          Hi Steve,

          I read the doc before and followed the doc to configure it. It cannot work .

          My flow is:-
          ISP1 ---- (WAN) Router (LAN) ---- Server---(LAN) Pfsense (WAN)----ISP2.

          In Pfsense:-

          1. checked The Bypass firewall rules for traffic on the same interface option located under System > Advanced on the Firewall/NAT tab

          2. add same rule in LAN and float interfaces.
            Action: Accept
            Interface: LAN
            Protocol: tcp
            Source: *
            Source port: *
            Destination: 202.x.x.x.x
            Destination port: 443

          state type: sloppy
          tcp flag: any flags

          1 Reply Last reply Reply Quote 0
          • stephenw10
            stephenw10 Netgate Administrator last edited by

            That rule would have to exist in on LAN and out on WAN since states would not exist on either interface.

            If that traffic is replies going back from the server via ISP2 the destination port will not be 443. The client would have used that initially. The destination IP will be the client address and the destination port will probably be unknown.

            Why does the server not just reply back to ISP1?

            Steve

            1 Reply Last reply Reply Quote 0
            • T
              tomli last edited by

              Hi,

              I tried to change the rule set to

              Action: Accept
              Interface: LAN
              Protocol: tcp
              Source: *
              Source port: *
              Destination: *
              Destination port: *

              still cannot work. I tried to use the command pfctl -d. It can work. So I think the firewall rule set block my traffic. We cannot control the incoming traffic. Therefore, we have asymmetric route issue in our network.

              1 Reply Last reply Reply Quote 0
              • stephenw10
                stephenw10 Netgate Administrator last edited by

                But it is only the reply traffic that goes back out though pfSense yes?

                As I said you will need an OUT rule on WAN since that will also be out of state TCP traffic.

                Let's see a screenshot of the blocked traffic you're seeing,

                Steve

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post

                Products

                • Platform Overview
                • TNSR
                • pfSense
                • Appliances

                Services

                • Training
                • Professional Services

                Support

                • Subscription Plans
                • Contact Support
                • Product Lifecycle
                • Documentation

                News

                • Media Coverage
                • Press
                • Events

                Resources

                • Blog
                • FAQ
                • Find a Partner
                • Resource Library
                • Security Information

                Company

                • About Us
                • Careers
                • Partners
                • Contact Us
                • Legal
                Our Mission

                We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

                Subscribe to our Newsletter

                Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

                © 2021 Rubicon Communications, LLC | Privacy Policy