Netgate Discussion Forum
Noob problem with NAT I think

pdsgomes (Feb 18, 2022, 4:50 PM)

Site1:
Host: 172.19.32.30
GW: 172.19.32.252 (pfsense)
Router: 172.19.32.254

Site2:
Host: 172.20.32.30
GW: 172.20.32.254 (not pfsense)

From site2 I can ping pfsense from site1 but I can't ping the clients behind that pfsense.

If on site1 I change the GW of the clients to the router (172.19.32.254), from site2 I can ping both pfsense and the clients behind it.

What am I missing?

Grateful

JKnott @pdsgomes (Feb 18, 2022, 6:02 PM)

@pdsgomes

Do the routers know about the subnet behind the router at the other end? You have to add them unless you're using a routing protocol, such as OSPF, to learn them.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...

stephenw10, Netgate Administrator (Feb 18, 2022, 7:12 PM)

I assume some VPN between the sites? Connected to pfSense?

I'm not sure what the site 1 'router' is if it's neither the gateway nor pfSense.

We're going to need a diagram here.

From your use of those terms I'm going to guess it's an asymmetric routing issue.

Steve

pdsgomes @stephenw10 (Feb 18, 2022, 8:01 PM)

@stephenw10 Thank you for your response.

Site1 internet router is 172.19.32.254 and is connected via VPN to 172.20.32.254, which is the internet router on site2.

Pfsense is only on site2 at present.

pdsgomes @stephenw10 (Feb 18, 2022, 8:08 PM)

@stephenw10 I have configured pfsense on site2 to be able to control the internet, but some machines must be able to reach site1; from site1 they must also be able to connect to site2 PCs.

pdsgomes (Feb 18, 2022, 10:13 PM)

Simple map of site1 and site2

stephenw10, Netgate Administrator (Feb 18, 2022, 11:51 PM)

Yeah, as I thought, it's an asymmetric routing problem.

When a client at site 2 tries to connect to a client at site 1 the traffic goes over the tunnel and then directly from the router to the client. But when the client at site 1 replies it does so via its gateway, which is pfSense. pfSense blocks that traffic because it only sees the reply, so the state is invalid.
https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html

It works when the connection is established the other way presumably because pfSense is outbound NATing the connection.

You need to remove the asymmetry. The best way to do that would be to replace the router at site 1 with the pfSense instance.

Steve

pdsgomes @stephenw10 (Feb 21, 2022, 10:22 AM)

@stephenw10 Many thanks for the response, I just followed the instructions on the link:

Automatic Fix
The Bypass firewall rules for traffic on the same interface option located under System > Advanced on the Firewall & NAT tab activates rules for traffic to/from the static route networks which are much more permissive when it comes to creating states for TCP traffic and allowing it to pass. The rules allow any TCP packets regardless of their flags to create a state, and also utilize "Sloppy" state tracking which performs a less strict state match.

Solved my problem.

Thank you
Pedro

stephenw10, Netgate Administrator (Feb 21, 2022, 5:44 PM)
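A toy model of Steve's explanation above and of the "Bypass firewall rules for traffic on the same interface" behaviour quoted from the docs. This is added example code, not from the thread or from pf itself: it uses the thread's addresses, assumes a stateful filter at the site 1 pfSense that in strict mode only creates a TCP state from a bare SYN, and treats the bypass option simply as "any flags may create a state". It shows why the site 1 host's SYN-ACK is dropped when pfSense never saw the SYN, why the sloppy rules let it through, and why the symmetric (site 1 initiated) direction works either way.

```python
from dataclasses import dataclass

# Addresses from the thread: site 1 host, its pfSense gateway, site 2 host.
SITE1_HOST, SITE1_PFSENSE, SITE2_HOST = "172.19.32.30", "172.19.32.252", "172.20.32.30"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK

class StatefulFirewall:
    """Toy model of pf state tracking at the site 1 pfSense; not pf's real algorithm."""
    def __init__(self, bypass_same_interface: bool = False):
        # Models the bypass option quoted in the thread: any TCP flags may
        # create a state and matching is "sloppy" (assumption, simplified).
        self.sloppy = bypass_same_interface
        self.states: set[frozenset] = set()

    @staticmethod
    def _key(p: Packet) -> frozenset:
        # Direction-independent flow key so a reply matches the same state.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def filter(self, p: Packet) -> str:
        key = self._key(p)
        if key in self.states:
            return "pass"          # existing state: reply or later segment
        if p.flags == "S" or self.sloppy:
            self.states.add(key)   # new state: strict mode needs a bare SYN
            return "pass"
        return "drop"              # mid-stream packet with no state: invalid

def asymmetric_reply_verdict(bypass_same_interface: bool) -> str:
    """Site 2 host initiates. The SYN reaches the site 1 host directly via the
    routers, so pfSense never sees it; only the host's SYN-ACK reply does."""
    fw = StatefulFirewall(bypass_same_interface)
    syn_ack = Packet(SITE1_HOST, SITE2_HOST, 22, 50000, "SA")  # constructed
    return fw.filter(syn_ack)

def symmetric_outbound_verdict() -> tuple[str, str]:
    """Site 1 host initiates through its gateway: pfSense sees the SYN first,
    creates a state, and the SYN-ACK coming back matches that state."""
    fw = StatefulFirewall()
    syn = Packet(SITE1_HOST, SITE2_HOST, 50001, 22, "S")       # constructed
    syn_ack = Packet(SITE2_HOST, SITE1_HOST, 22, 50001, "SA")  # constructed
    return fw.filter(syn), fw.filter(syn_ack)
```

The strict verdict is the "invalid state" block from the thread; the sloppy verdict is the automatic fix, which is why Steve still recommends removing the asymmetry rather than relying on it.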

Nice.

I would recommend moving to a symmetric routing design though. At some point that will come back to bite you otherwise. 😉

Steve
