Possible Asymmetric routing between two LANs, for NodeRED
-
@adamambarus how could you have asymmetrical traffic flow on 2 devices with only 1 connection to get to the other network.
Do you have either of these devices connected to both networks at the same time?
With such a setup it is IMPOSSIBLE to have asymmetrical routing.. Asymmetrical happens when you have something like this
So you have device in lan 1 talking to lan 2 IP of device.. But device in lan 2 also has a connection to lan 1.. So this can work for a while.. But at somepoint pfsense can say hey wait a minute not really seeing any traffic on one end of this state and close it.. Now the lan 1 device stills ending its A to lan 2 IP gets blocked as out of state.
But if your devices are only in their network, and only gateway they have to get off that network and talk to the other lan is through pfsense there is no possible way to be asymmetrical.. Your state is going away and the traffic is being blocked because there is no state.
Maybe you had a gateway drop and reset states. Maybe there was no traffic for a while and the states timed out.. Maybe one of the devices switched from one network to another network and is sending traffic now to pfsense that should of gone a different path, so pfsense never had a state for this traffic.
But if your device is in lan 1 and only lan 1 and its gateway is pfsense lan 1 address. And your lan 2 device is only connected to lan 2 and its gateway is pfsense lan 2 IP there is no possible way for your traffic to be asymmetrical.
But allowing out of state traffic in your typical network is sure not the way to go about fixing what you think is a problem with asymmetrical traffic.. Asymmetrical traffic is really never a good thing, but it could happen in a complex network with different routing paths to get somewhere, etc. Or as temp solution to a problem.. But asymmetrical is not something you would want in your network, nor would you want to allow for it you have it.. But if your devices are only connected to their respective lans - there is no way you have asymmetrical flow..
-
@johnpoz Great diagrams and decription. Thank you for that!!! What do you think if I redesign my network, and I would bridge my personal (not guest or IOT) WiFi VLAN to the homeserver LAN1 interface?
-
@adamambarus how do you have it now? like I said its impossible to create asymmetrical traffic unless you got some sort of really convoluted connections where devices are in more than 1 network??
An no you sure and the heck should not be bridging anything..
-
@johnpoz separate NICs, separate interfaces and separate subnets. Later I want to separate the WIFI clients into a few more VLANs something like personal, IOT, and guest.
I totally agree with not breaking the rules of the firewall's principles, but I feel so lost with VSCode and its SA packets, that I use constantly in remote mode.
-
@adamambarus said in Possible Asymmetric routing between two LANs, for NodeRED:
that I use constantly in remote mode.
huh? What are you calling remote mode? Per my first drawing.. If your on that box in lan 1 with only a connection to lan 1 and pfsense as the gateway talking to box in lan 2 that is only in lan 2 and using pfsense as its gateway it is impossible for you to have asymmetrical traffic flow.
-
@johnpoz Remote mode is when you connect via SSH to a device through VSCode, and you are able to see the filesystem, text editors, plugins, and terminal as it would be your local storage.
@johnpoz said in Possible Asymmetric routing between two LANs, for NodeRED:
If your on that box in lan 1 with only a connection to lan 1 and pfsense as the gateway talking to box in lan 2 that is only in lan 2 and using pfsense as its gateway it is impossible for you to have asymmetrical traffic flow.
That is exactly the case, I just double checked the gateways on the devices (I didn't configure anything manually in pfsense). -
@adamambarus then your traffic is just out of state.. I asked before is something not working?
See this link
Those could happen with any sort of service, not just web services.
Or your not doing any sort of load balancing or clustering right..
If stuff is working I wouldn't worry about it.. If you don't want to see those you could always turn off logging of the default rule. And then setup a logging rule that only logs SYN blocks.. I do this on my wan.. I sure don't want to see all sorts of noise, but I am interested in common udp ports and actual SYN sent to my wan..
But unless you have other connections on these device where they could have a leg in the other lan, its impossible for your traffic to be asymmetrical.. For devices to talk to each other in lan 1 or lan 2 they have to flow through pfsense. So blocking of Acks or FA (fin,ack), PA (push,ack) etc.. just telling you for whatever reason pfsense no longer has the state so this traffic is blocked.. There would need to be another syn to to open a state for return traffic flow.
-
@johnpoz You can imagine, I wouldn't mind if thing would work, but I get no response with these services.
Anyway, I think I am not seeing a mistake in the routing, they should reach each other without gateways right? -
Okay I think I have found the root cause. It was my home server: Long time ago I was using the wifi antenna on the computer, and I left it on the network thinking that it is a good backup.
ip route showpointed out that while I was doing the requests on ethernet (LAN1, 128.0/24) the wifi (LAN2, 64.0/x) could be responding (its lower prio, but "closer" to the laptop client??)
After I stopped the wifi interface, everything works as it should.
-
@adamambarus said in Possible Asymmetric routing between two LANs, for NodeRED:
they should reach each other without gateways right?
how would they do that if they are on different networks
After I stopped the wifi interface
I specifically asked if they were attached to more than 1 network.
Why are you hiding rfc1918 space? I don't get it.. Do you think that gives away something.. Would be like telling you hey I live at 123 street, but not giving a city or state or country even.
You must have some huge amount of devices on each network using a /16, that is like 65k devices ;)
Is that your docker network? Are those overlapping with your normal network?
