Netgate Discussion Forum
    GIF L2 Bridge and TCP not working

    General pfSense Questions
    3 Posts 2 Posters 277 Views
    Promythyus

      Hi all,

      I have two sites, flexo and clamps. My desired outcome is to have devices on VLAN 55 at clamps site to "be on" flexo's LAN. Currently bridging to VLAN 55 on flexo for testing, but will ultimately replace VLAN_TEST with LAN.

      Diagram: https://i.imgur.com/DgVFkbs.png

      I've added the GIF interface on each side to a bridge with the physical networks I want to join. I've got a VM client on the physical network on each side. Clients connected to VLAN_55 on clamps are getting their DHCP addresses, and can ping WAN addresses. These clients cannot complete a TCP session, however.

      10.55.55.11 can do TCP just fine, but 10.55.55.10 and 10.55.55.12 can't. On BR_FLEXO on Flexo, I'm seeing a lot of blocked packets in TCP:SA state. Googling this leads to the Netgate documentation on Asymmetric Routing, but none of the advice seems to help.

      Packet capture shows the same traffic on BR_FLEXO at each end, flexo and clamps.

      How can I get TCP routing over my GIF properly?

      Thanks!

      stephenw10 (Netgate Administrator)

        It's probably the same issue that affects GRE over IPsec: https://redmine.pfsense.org/issues/4479

        The states are not created where they are expected meaning reply traffic is blocked as the firewall sees it as out of state.
        The workaround for that is to use floating rules with sloppy states and 'any flags' set as shown in the asymmetric routing doc. It's not actually asymmetric but appears to be to the firewall.

        Steve

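To make the workaround concrete, here is what the two rule shapes look like in raw pf.conf syntax. This is an added illustration, not a rule from the thread, from Netgate's documentation, or from any pfSense config dump; pfSense writes these rules for you from the GUI, so it is only meant to show what "sloppy state" and "any flags" change. The interface name `bridge0` is an assumed placeholder for whatever pfSense assigns to BR_FLEXO on each box.

```pf
# Added illustration (not from the thread): the default pfSense TCP rule and the
# floating workaround rule, in pf.conf form. Interface name is a placeholder;
# check Interfaces > Assignments for the real member name of BR_FLEXO.
br_flexo = "bridge0"

# Default pfSense TCP rule. State is created only when the initial SYN is seen
# on this interface, and the reply must come back through the same interface.
# With the GIF tunnel inside the bridge, the SYN/ACK arrives where pf has no
# matching state, so it is dropped and logged as a TCP:SA block.
pass in quick on $br_flexo inet proto tcp from any to any flags S/SA keep state

# Workaround: floating rule with no in/out keyword (direction "any" in the GUI),
# TCP Flags set to "Any" (flags any) and State type "Sloppy" (keep state (sloppy)).
# pf then accepts the SYN/ACK without a prior state and tracks the session
# without the strict sequence-window checks of the normal TCP tracker.
pass quick on $br_flexo inet proto tcp from any to any flags any keep state (sloppy)
```

Two practical notes. First, keep the rule scoped to the bridge and tunnel interfaces involved rather than every interface: sloppy tracking gives up the TCP sequence-number checks that make pf resistant to blind spoofed segments, which is an acceptable trade-off on an L2 bridge between your own sites but not something to apply on WAN. Second, the way to confirm it is working is the same pair of views the original post relied on: the TCP:SA block entries should disappear from Status > System Logs > Firewall, and Diagnostics > States (or `pfctl -ss` from a shell) should show established states for the affected clients on the bridge rather than half-open ones.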
        Promythyus

          Wow, thanks for the prompt response!

          I missed the part about the floating rule in the documentation. Thanks! :)

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.