Simple firewall as router
-
Hi all,
Can pfSense skip checking the TCP SYN flag and keep state on all interfaces? For example:
Action: Accept
Interface: LAN
Protocol: tcp
Source: *
Source port: *
Destination: 202.x.x.x.x
Destination port: 443
If the destination and destination port match, allow the packet out to the WAN interface even if an asymmetric route occurs (currently pfSense uses the default IPv4 block rule to block the packet).
Please advise.
-
Yes: https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html
But really you should find out why it's asymmetric and fix that.
Unless you really want it to be a router only in which case you can disable pf entirely.
Steve
-
Hi Steve,
I read the doc before and followed the doc to configure it. It cannot work.
My flow is:-
ISP1 ---- (WAN) Router (LAN) ---- Server ---- (LAN) pfSense (WAN) ---- ISP2.
In pfSense:
- checked the "Bypass firewall rules for traffic on the same interface" option located under System > Advanced on the Firewall/NAT tab
- added the same rule on the LAN and floating interfaces:
Action: Accept
Interface: LAN
Protocol: tcp
Source: *
Source port: *
Destination: 202.x.x.x.x
Destination port: 443
State type: sloppy
TCP flags: any flags
-
That rule would have to exist in on LAN and out on WAN since states would not exist on either interface.
If that traffic is replies going back from the server via ISP2 the destination port will not be 443. The client would have used that initially. The destination IP will be the client address and the destination port will probably be unknown.
Why does the server not just reply back to ISP1?
Steve
-
Hi,
I tried to change the rule set to
Action: Accept
Interface: LAN
Protocol: tcp
Source: *
Source port: *
Destination: *
Destination port: *
It still cannot work. I tried to use the command pfctl -d. It can work. So I think the firewall rule set blocks my traffic. We cannot control the incoming traffic. Therefore, we have an asymmetric route issue in our network.
-
But it is only the reply traffic that goes back out through pfSense, yes?
As I said you will need an OUT rule on WAN since that will also be out of state TCP traffic.
Let's see a screenshot of the blocked traffic you're seeing,
Steve
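What the rules Steve is describing look like in pf's own syntax, as an added illustration that is not from the thread or from pfSense's generated ruleset; the interface names, the macro names and the server address are assumed (the thread only shows 202.x.x.x), and pfSense writes its own rules from the GUI, so this is only the equivalent syntax:

```pf
# Added illustration, not from the thread. Assumed values: LAN = em1, WAN = em0,
# server = 203.0.113.10 (placeholder; the thread only gives 202.x.x.x).
lan    = "em1"
wan    = "em0"
server = "203.0.113.10"

# The poster's LAN rule, with the two GUI options mapped to pf keywords:
#   flags any            -> "TCP flags: Any flags": state may be created without a SYN
#                           (pf's default is "flags S/SA", i.e. SYN only)
#   keep state (sloppy)  -> "State type: Sloppy": no strict sequence/window tracking
# It only matches client -> server packets ("to ... port 443"), so the server's
# replies never hit it, which is Steve's point about the destination port.
pass in quick on $lan proto tcp from any to $server port 443 flags any keep state (sloppy)

# The reply path: the server's answer arrives on LAN with SOURCE port 443 and an
# unknown client destination address/port, then leaves via WAN. The original SYN
# came in via ISP1 and never crossed pfSense, so no state exists on either
# interface and both directions need an explicit rule (as Steve says).
pass in  quick on $lan proto tcp from $server port 443 to any flags any keep state (sloppy)
pass out quick on $wan proto tcp from $server port 443 to any flags any keep state (sloppy)
```

The "pass out ... on $wan" line corresponds to the floating rule with direction "out" on WAN that Steve asks for; a floating rule whose direction is left at "any" would not be applied as an outbound WAN rule in the way intended.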