Bug in code, or i do not understand firewalls please help me to understand

  • I have 2 physical FWs, A and B, to separate internet connections.
    Both LAN interfaces are connected via a switch, and the 2 switches are connected. It is a /23: 192.168.0/23
    FW-A has 192.168.0/23
    FW-B has 192.168.1/23

    I made 2 rules on both LAN interfaces, in addition to the default LAN net to any. (These rules are above the explicit deny rules.)
    FW A Allow 192.168.1/23 * LAN net
    FW B Allow 192.168.0/23 * LAN net
    This means I can reach and manage both FWs.
    However, when I try to reach a switch's web interface from subnet A to subnet B, the default deny hits by denying the 3-way handshake (the SYN ACK; SA).


  • @Rob-Vercouteren said in Bug in code, or i do not understand firewalls please help me to understand:

    FW-A has 192.168.0/23
    FW-B has 192.168.1/23

    That won't work. Those are both the exact same address range. Change B to .2. Also, you're missing an octet. IPv4 addresses are represented by 4 octets, such as

  • @JKnott yeah, it's short CIDR.
    It's the same as /23 and /23,
    which is in the same class B subnet.

    The question remains: why are packets filtered from the same subnet by a rule which implicitly allows the traffic?
    (I cannot find how to bypass it, since there are no static routes (needed).)

  • LAYER 8 Global Moderator

    @Rob-Vercouteren said in Bug in code, or i do not understand firewalls please help me to understand:

    hits by denying the 3 way handshake (the SYN ACK; SA)

    Because you got some asymmetrical routing.. So yeah out of state traffic..

    How about you draw up how you have everything connected, and what specific network(s) you're using. How you represent the network, be it 192.168.0/23 or 192.168.1/23, is the same network... Are you using /24 on your clients on these networks?

    192.168.1/23 is actually an invalid way to represent it.. 192.168.0/23 = -

    To represent a network you use the wire address; 192.168.0/23 for example would be fine. 192.168.1.x/23 would represent a host address since it is not the wire address. So 192.168.1/23 is not really a valid representation.. Sure, you can figure out what you're trying to say, but it's not the proper way to present it.

    If you're seeing SA blocks on the firewall then it screams asymmetrical traffic flow.

  • @Rob-Vercouteren

    Fix your address problem first. As long as you have that config, it can't work properly. Also, it's not a class B. Class B addresses have a /16 subnet mask. Also, you should try to get away from classes. They've been obsolete for over 20 years. With CIDR, you choose the appropriate subnet mask length with the /x. In your case, either use /24 or move the 2nd network to a proper address for /23. Here's a hint. It's not any network address that has an odd number in the 3rd octet.

  • @johnpoz
    Yes, you are correct about the subnet; the correct way is 192.168.0/23 = -
    My clients are in that subnet (/23).
    (Forgive my drawing art plz, really appreciate your effort in helping me out.)

    So from my laptop/PC I can easily manage both FWs.
    However, if I want to reach the web interface of SW-B, I'm starting to get the issues as described. I can ping it though (which means routing is OK, as there is layer 3 connectivity).
    The strange part is that I have squid installed on FW-B (FW-B has more bandwidth upstream), and the clients behind SW-A make use of that and it works like a charm.
    My mailserver (behind FW-A) can be accessed via Wifi, where the accesspoint is behind SW-B.

  • @JKnott you are right, I didn't state it correctly; I attached a little drawing and explanation.
    Thanks for the help so far, really appreciate it.

    This is how I came to class B.

  • @Rob-Vercouteren

    Well, if that's its idea of class B, it's wrong. Originally, there was no such thing as classes. Everyone got /8 networks. Then, when they realized that wouldn't last, they created classes, with A the original /8, B with /16 and C, /24. Even that didn't work well, with B being too big for many organizations and C too small. So, back in the early 90s CIDR was introduced, which allowed choosing the appropriate length and many more networks.

  • LAYER 8 Global Moderator

    Well, you have a mask set wrong on that switch.. because if everything was in 192.168.0/23, then you, talking to the switch from a client also in that same /23, wouldn't send any traffic to pfSense.. Why would any traffic go to the gateway?

    But if your switch's mask was, say, /24 or something else where your PC was not in its local network, then your PC IP would not be in its network, and it would send its SYN,ACK to its gateway..

    pfSense would say sorry - don't see any state for that, never saw the SYN, so it would be blocked.

    Why would you not just connect your 2nd internet connection to FW-A? I don't see any need for 2 pfSense in such a setup. And if you were going to do that, then connect FW-A and B together via transit and policy route traffic you want to use the 2nd internet connection.

    Or just setup a HA pair and let them load balance or policy route traffic out your 2 internet connections, etc.

  • @johnpoz OMG I understand! I configured a default gateway on the management interface of the switch. I'm really sorry, this really is a noob error.
    Thanks, it works! \o/ Basically you were right: asymmetric routing (within the same subnet, LOL, I kid you not). The subnet on the switch was configured properly; however, I configured a default gateway (FW-B, doh). Now I removed it and it works.

  • LAYER 8 Global Moderator

    Well, your switch software is buggy then!!

    If it has an IP of and you talk to it from which is in the network 192.168.1/23, it shouldn't be sending traffic to its gateway..

    So either the mask was wrong.. or the switch is buggy and really doesn't understand it's in a /23 network.

    But for the future, pretty much anytime you see an SA block on the firewall, unless it's on your WAN and that is the sort of probing they are doing, it just screams asymmetrical traffic flow.
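    The two points johnpoz makes above (a host only sends to its gateway when the destination is outside the network computed from its own mask, and pfSense drops a SYN-ACK it has no state for) and the earlier point about 192.168.1/23 not being a wire address can be checked with a small simulation. This is an added example, not code from the thread or from pfSense; the addresses, the switch gateway and the `tcp_handshake` scenario are constructed, and the `StatefulFirewall` class is a minimal stand-in for pf's state table, not its real logic.

```python
"""Added example (not from the forum thread): why a mis-set mask or a stray
default gateway on a switch produces 'SA' blocks on a stateful firewall.
All addresses below are constructed sample values."""
import ipaddress
from typing import Optional, Set, Tuple


def wire_address(prefix: str) -> ipaddress.IPv4Network:
    """Network (wire) address of a CIDR string: '192.168.1.0/23' -> 192.168.0.0/23."""
    return ipaddress.ip_network(prefix, strict=False)


def is_wire_address(prefix: str) -> bool:
    """True only if all host bits are zero, i.e. the string names a network, not a host."""
    try:
        ipaddress.ip_network(prefix, strict=True)
        return True
    except ValueError:
        return False


def next_hop(src_ip: str, mask_len: int, dst_ip: str, gateway: Optional[str]) -> Optional[str]:
    """Host forwarding decision: 'direct' if dst lies inside the host's own
    network (computed from *its* mask), otherwise the default gateway, or
    None when no gateway is configured (destination unreachable)."""
    local = ipaddress.ip_interface(f"{src_ip}/{mask_len}").network
    if ipaddress.ip_address(dst_ip) in local:
        return "direct"
    return gateway


class StatefulFirewall:
    """Toy pf-style state table (constructed stand-in): a SYN creates state,
    later segments pass only if they match an existing state, everything
    else falls through to the default deny and is logged with its flags."""

    def __init__(self) -> None:
        self.states: Set[Tuple[str, str]] = set()

    def filter(self, src: str, dst: str, flags: str) -> str:
        if flags == "S":
            self.states.add((src, dst))
            return "pass"
        if (src, dst) in self.states or (dst, src) in self.states:
            return "pass"
        return f"block {flags}"  # an out-of-state SYN-ACK shows up as 'block SA'


def tcp_handshake(pc_ip: str, switch_ip: str, switch_mask_len: int,
                  switch_gateway: Optional[str]) -> str:
    """Simulate a PC (correct /23 mask) opening TCP to the switch's management IP.
    Returns 'connected', 'unreachable', or the firewall's verdict on the SYN-ACK."""
    fw = StatefulFirewall()
    # The PC's mask is right, so the SYN goes straight over the switch fabric;
    # the firewall never sees it and therefore never creates state.
    if next_hop(pc_ip, 23, switch_ip, "192.168.0.1") != "direct":
        raise ValueError("example assumes PC and switch share the /23")
    reply_hop = next_hop(switch_ip, switch_mask_len, pc_ip, switch_gateway)
    if reply_hop == "direct":
        return "connected"        # SYN-ACK answered on the wire, no firewall involved
    if reply_hop is None:
        return "unreachable"      # wrong mask and no gateway: no way back at all
    # Wrong mask plus a gateway: the SYN-ACK is handed to the firewall, which
    # has no state for this flow and applies the default deny.
    return fw.filter(switch_ip, pc_ip, "SA")


if __name__ == "__main__":
    print(wire_address("192.168.1.0/23"), is_wire_address("192.168.1.0/23"))
    print(tcp_handshake("192.168.0.50", "192.168.1.10", 23, None))
    print(tcp_handshake("192.168.0.50", "192.168.1.10", 24, "192.168.1.1"))
    print(tcp_handshake("192.168.0.50", "192.168.1.10", 24, None))
```

    In this model a switch whose mask is correct never consults its gateway, which is why johnpoz calls the poster's switch buggy: it had the right /23 yet still sent the SYN-ACK to FW-B. The same `StatefulFirewall` passes the symmetric case (SYN and SYN-ACK both through the firewall), which is the flow the squid and mailserver traffic in the thread takes.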

  • @johnpoz yup, I think it doesn't (but it works).

  • LAYER 8 Global Moderator

    I really do not get why you're wanting to use /23 in the first place.. Do you have over 250 clients?

    This whole setup seems wonky to me, would never ever in a million years setup something like that ;)

  • @johnpoz nope, I've been into networking for 15 years, networking engineer. Working with L2/L3 and L4 and IDS and IPSes.
    This is just my hobby home network.
    It's about 20 machines.
    So it was actually 2 /24s. When I had to do maintenance or a software upgrade, I noticed my internet connection somehow suffered impact due to the maintenance, so I got myself another internet connection. Then I got the idea of connecting.
    Well, I wanted to try policy based routing in the first place, as the ISPs are different in terms of network usage. On the first it is OK to have a mailserver, but on the other you can only send mail via the mailservers of the ISP.
    So when I thought of connecting, did I have to reconfigure all my clients? I did it via DHCP; the switches had to be done manually,
    with static IPs going via 1, and DHCP with the other connection, by just changing the subnet mask on the FWs and in the DHCP scope.

  • @Rob-Vercouteren said in Bug in code, or i do not understand firewalls please help me to understand:

    nope, I've been into networking for 15 years, networking engineer. Working with L2/L3 and L4 and IDS and IPSes.

    Then why did you need that subnet calculator? I've never found the need for one.

  • LAYER 8 Netgate

    /shrug I use one all the time. Use one to do base conversions and basic math too. Even though I know how to do it manually.

  • @Derelict

    Well, I was working with binary, octal & hex long before I even heard of IP, so that may have something to do with it. In fact, one trick I used to use for doing math in my head was to convert to binary, shift as required and back to get a ball park figure. I'd also frequently use logarithms and trig identities, again in my head. Of course, that was several years ago, but I'm still fairly sharp with logs.
