Routing issue Asymmetric
-
Hello All,
I am experiencing a routing issue where the client machines are having issues keeping connections alive to the Application Server. I have added in a gateway and a static route to the 192.168.1.0 network for Site B.
Logs on client machines show terminated connections.
I have researched and tried to implement these solutions.
https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html
https://docs.netgate.com/pfsense/en/latest/routing/static.html#figure-static-routes
I hope the diagram makes sense.
-
@jnelson yeah that would be asymmetrical, if clients were using that 4.254 as their default gateway.
You would either need to do full host routing on your devices in the 4 network and on the 1 network.
Or you need to connect your sites via transit networks.
Something like this, with transit networks connecting your MPLS routers (that connect your sites) to the routers at your sites that provide internet.
Now there is no asymmetrical traffic.
-
@johnpoz Thank you, this is what I thought I had going on.
Unfortunately, I do not have management capabilities of the MPLS routers.
Full host routing would involve placing routes on the host machines in the 192.168.4.0/24 network, correct?
Thank you for your time to answer and clarify my own question.
If I physically connected the MPLS router to the pfSense 2100, would this make a difference at all?
I recently installed the pfsense firewall and the managed switch on the 192.168.4.x network. This TCP session timeout has now surfaced.
Previously, there was a Netgear Prosafe FVS318G 8 port firewall that was in place and they were not having the TCP sessions forcibly closed.
jnelson
-
@jnelson well, use your existing networks as the transit, and move your actual network to something else: 192.168.5/24 on one side and 192.168.2/24 on the other, for example.
If you have no control over what network they use, the problem is you might have routing problems on their devices. But why can you not get with who manages the MPLS routers to fix the problem?
You're going to have issues when the device sends its SYN-ACK back to its gateway (pfSense) and pfSense never saw the SYN to open the state.
The correct setup for what you have there is with transit networks.
As to routing on hosts, yeah you would need a route on the client that says hey you want to talk to 192.168.1/24 send it to mpls router at 4.1 vs pfsense at 4.254.
And on the other end your app server would need route to 4/24 to send it to 1.254 vs pfsense 1.1 address.
Problem with such a setup is you lose the firewall between your networks. I would really suggest you get with who manages the MPLS to correct the setup. They should have no problems changing the IPs to some new transit networks and fixing the routing. If they are currently using your pfSense IPs on each end as default, then you could change your networks and use the existing 4/24 and 1/24 networks as the transit networks.
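As an added illustration of the state problem described in this thread (example code, not posted by anyone in the thread): a toy Python model of a pfSense-style stateful filter placed on the hop lists of the three layouts discussed. The addresses follow the thread; the exact hop lists and the 192.168.4.10 / 192.168.1.10 host addresses are assumptions made for the model.

```python
# Toy model: a stateful firewall creates state only when it sees the SYN, and
# passes later packets of a flow only if a matching state exists (either direction).
SYN, SYNACK, ACK = "SYN", "SYN-ACK", "ACK"


class StatefulFirewall:
    def __init__(self, name):
        self.name = name
        self.states = set()  # {(initiator_ip, responder_ip)}

    def inspect(self, src, dst, flags):
        if flags == SYN:                       # SYN opens a new state
            self.states.add((src, dst))
            return True
        return (src, dst) in self.states or (dst, src) in self.states


class Router:
    """Plain router (the MPLS CE devices): forwards everything, keeps no state."""
    def __init__(self, name):
        self.name = name

    def inspect(self, src, dst, flags):
        return True


def run_handshake(devices, fwd_path, rev_path, client, server):
    """Walk SYN, SYN-ACK and ACK hop by hop; return (packet, device) of the
    first drop, or None if the three-way handshake completes."""
    steps = [(client, server, SYN, fwd_path), (server, client, SYNACK, rev_path),
             (client, server, ACK, fwd_path)]
    for src, dst, flags, path in steps:
        for hop in path:
            if not devices[hop].inspect(src, dst, flags):
                return (flags, hop)
    return None


def simulate(topology):
    # Hop lists are assumptions for the model, derived from the thread:
    #  asymmetric: client -> pfSense 4.254 -> MPLS 4.1 -> MPLS 1.254 -> server (on 1/24);
    #              reply: server -> pfSense 1.1 -> MPLS 1.254 -> MPLS 4.1 -> client (on 4/24).
    #  transit:    each pfSense sits between its LAN and the MPLS router.
    #  host_routes: hosts send the remote subnet straight to the MPLS router (no firewall).
    paths = {"asymmetric": (["pfsense_A", "mpls_A", "mpls_B"], ["pfsense_B", "mpls_B", "mpls_A"]),
             "transit": (["pfsense_A", "mpls_A", "mpls_B", "pfsense_B"],
                         ["pfsense_B", "mpls_B", "mpls_A", "pfsense_A"]),
             "host_routes": (["mpls_A", "mpls_B"], ["mpls_B", "mpls_A"])}
    devices = {"pfsense_A": StatefulFirewall("pfsense_A"), "pfsense_B": StatefulFirewall("pfsense_B"),
               "mpls_A": Router("mpls_A"), "mpls_B": Router("mpls_B")}
    fwd, rev = paths[topology]
    return run_handshake(devices, fwd, rev, "192.168.4.10", "192.168.1.10")
```

In the asymmetric layout the server's SYN-ACK reaches the site B pfSense, which never saw the SYN, so the reply is dropped; the transit layout completes, and the host-route layout also completes but traverses no firewall at all.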