Possible Asymmetric routing between two LANs, for NodeRED
-
Okay so here's what happened:
I left the firewall rule on the WiFi net (LAN2), and checked the firewall logs again:
I saw then that outgoing data from LAN1 (NodeRED) was blocked, so compared to the manual, I had to change the floating rule to LAN1.
Now everything works. I read a little about out of state packets, so "Sloppy" type is crucial.
What do you think @johnpoz? -
@adamambarus said in Possible Asymmetric routing between two LANs, for NodeRED:
, so "Sloppy" type is crucial.
NO, why even have stateful firewall if your just not going to block..
Dude blocking out of state traffic is normal and expected... Is your node red whatever not working.. Or you just seeing blocks in your firewall log that YOU think shoudn't be there?
And again you sure and hell do not need an outbound allow rule for device on lan 1 to talk to lan 2.. Shit lan 2 doesn't even need any rules for that.. Because the state will allow the return traffic.
if you don't like seeing out of state blocks - then see why they are happening.. Either the state timed out, one side said I don't want to talk any more see that RA up your first set of pictures.. That is saying hey DONE with this conversation.. But allowing out of state traffic via your stateful firewall is sure and not the way to go about it.
-
@johnpoz
Okay okay, let's take that "node red whatever" works like this...
It looks like Visual Studio Code has also asymmetric communication, and the rule pair is solving its issue.@johnpoz said in Possible Asymmetric routing between two LANs, for NodeRED:
Or you just seeing blocks in your firewall log that YOU think shoudn't be there?
It's not at all about it. this is just between my laptop and one IP and one port.
Look, I am all ears, and just trying to learn the principles. For NodeRED it looks like the application is running in a strange way that goes against the stateful firewall. VSCode had SA flags, so that is might be an example for asymmetrical. How would you approach its case then? -
@adamambarus how could you have asymmetrical traffic flow on 2 devices with only 1 connection to get to the other network.
Do you have either of these devices connected to both networks at the same time?
With such a setup it is IMPOSSIBLE to have asymmetrical routing.. Asymmetrical happens when you have something like this
So you have device in lan 1 talking to lan 2 IP of device.. But device in lan 2 also has a connection to lan 1.. So this can work for a while.. But at somepoint pfsense can say hey wait a minute not really seeing any traffic on one end of this state and close it.. Now the lan 1 device stills ending its A to lan 2 IP gets blocked as out of state.
But if your devices are only in their network, and only gateway they have to get off that network and talk to the other lan is through pfsense there is no possible way to be asymmetrical.. Your state is going away and the traffic is being blocked because there is no state.
Maybe you had a gateway drop and reset states. Maybe there was no traffic for a while and the states timed out.. Maybe one of the devices switched from one network to another network and is sending traffic now to pfsense that should of gone a different path, so pfsense never had a state for this traffic.
But if your device is in lan 1 and only lan 1 and its gateway is pfsense lan 1 address. And your lan 2 device is only connected to lan 2 and its gateway is pfsense lan 2 IP there is no possible way for your traffic to be asymmetrical.
But allowing out of state traffic in your typical network is sure not the way to go about fixing what you think is a problem with asymmetrical traffic.. Asymmetrical traffic is really never a good thing, but it could happen in a complex network with different routing paths to get somewhere, etc. Or as temp solution to a problem.. But asymmetrical is not something you would want in your network, nor would you want to allow for it you have it.. But if your devices are only connected to their respective lans - there is no way you have asymmetrical flow..
-
@johnpoz Great diagrams and decription. Thank you for that!!! What do you think if I redesign my network, and I would bridge my personal (not guest or IOT) WiFi VLAN to the homeserver LAN1 interface?
-
@adamambarus how do you have it now? like I said its impossible to create asymmetrical traffic unless you got some sort of really convoluted connections where devices are in more than 1 network??
An no you sure and the heck should not be bridging anything..
-
@johnpoz separate NICs, separate interfaces and separate subnets. Later I want to separate the WIFI clients into a few more VLANs something like personal, IOT, and guest.
I totally agree with not breaking the rules of the firewall's principles, but I feel so lost with VSCode and its SA packets, that I use constantly in remote mode.
-
@adamambarus said in Possible Asymmetric routing between two LANs, for NodeRED:
that I use constantly in remote mode.
huh? What are you calling remote mode? Per my first drawing.. If your on that box in lan 1 with only a connection to lan 1 and pfsense as the gateway talking to box in lan 2 that is only in lan 2 and using pfsense as its gateway it is impossible for you to have asymmetrical traffic flow.
-
@johnpoz Remote mode is when you connect via SSH to a device through VSCode, and you are able to see the filesystem, text editors, plugins, and terminal as it would be your local storage.
@johnpoz said in Possible Asymmetric routing between two LANs, for NodeRED:
If your on that box in lan 1 with only a connection to lan 1 and pfsense as the gateway talking to box in lan 2 that is only in lan 2 and using pfsense as its gateway it is impossible for you to have asymmetrical traffic flow.
That is exactly the case, I just double checked the gateways on the devices (I didn't configure anything manually in pfsense). -
@adamambarus then your traffic is just out of state.. I asked before is something not working?
See this link
Those could happen with any sort of service, not just web services.
Or your not doing any sort of load balancing or clustering right..
If stuff is working I wouldn't worry about it.. If you don't want to see those you could always turn off logging of the default rule. And then setup a logging rule that only logs SYN blocks.. I do this on my wan.. I sure don't want to see all sorts of noise, but I am interested in common udp ports and actual SYN sent to my wan..
But unless you have other connections on these device where they could have a leg in the other lan, its impossible for your traffic to be asymmetrical.. For devices to talk to each other in lan 1 or lan 2 they have to flow through pfsense. So blocking of Acks or FA (fin,ack), PA (push,ack) etc.. just telling you for whatever reason pfsense no longer has the state so this traffic is blocked.. There would need to be another syn to to open a state for return traffic flow.
-
@johnpoz You can imagine, I wouldn't mind if thing would work, but I get no response with these services. Anyway, I think I am not seeing a mistake in the routing, they should reach each other without gateways right?
-
Okay I think I have found the root cause. It was my home server: Long time ago I was using the wifi antenna on the computer, and I left it on the network thinking that it is a good backup.
ip route show
pointed out that while I was doing the requests on ethernet (LAN1, 128.0/24) the wifi (LAN2, 64.0/x) could be responding (its lower prio, but "closer" to the laptop client??)
After I stopped the wifi interface, everything works as it should.
-
@adamambarus said in Possible Asymmetric routing between two LANs, for NodeRED:
they should reach each other without gateways right?
how would they do that if they are on different networks
After I stopped the wifi interface
I specifically asked if they were attached to more than 1 network.
Why are you hiding rfc1918 space? I don't get it.. Do you think that gives away something.. Would be like telling you hey I live at 123 street, but not giving a city or state or country even.
You must have some huge amount of devices on each network using a /16, that is like 65k devices ;)
Is that your docker network? Are those overlapping with your normal network?