4. Traffic blocked @1 @2 TCP:A TCP:PA by default

Traffic blocked @1 @2 TCP:A TCP:PA by default

  • H

    I got a pfsense 2.0 runing on a esxi5
    The only way that I can make it work without conections timeouts and those firewall filter logs is, disabling the firewall filter

    Whats wrong?

    I tried everything , setting the fw to conservative

    I ve disabled tcp offloading and those stuff useless on a virtual environment

    I got 4 virtual interfaces connected to the same vswitch, its that the problem?

    0
  • C

    That means you have asymmetric routing somehow/somewhere, not enough there to tell you where. Traffic isn't routing through the firewall in both directions, or it may get routed back in the wrong direction for some reason. Can't statefully filter such traffic with any firewall, most likely you need to fix whatever is causing that to happen (though there are other work arounds, they won't leave you with an extremely tight firewall).

    0
  • H

    @cmb:

    That means you have asymmetric routing somehow/somewhere, not enough there to tell you where. Traffic isn't routing through the firewall in both directions, or it may get routed back in the wrong direction for some reason. Can't statefully filter such traffic with any firewall, most likely you need to fix whatever is causing that to happen (though there are other work arounds, they won't leave you with an extremely tight firewall).

    Is there any tool to discover whats wrong?
    Cant be esxi?

    When you say whatever is causing that, what should I look  for?,  a broken switch?, a misconfigured virtual switch?,

    0
  • H

    How can be asymetric routing just just 1 router? and a single machine :S

    0
  • B

    I got 4 virtual interfaces connected to the same vswitch

    What does your ESXi network diagram look like?

    0
  • H

    Isnt complex


    0
  • B

    Do you have only that one NIC in your ESXi host or did you just cut off the bottom of diagram?

    You would have to VLAN the traffic if there's only one NIC.

    0
  • H

    @biggsy:

    Do you have only that one NIC in your ESXi host or did you just cut off the bottom of diagram?

    You would have to VLAN the traffic if there's only one NIC.

    I got just 1 iface

    I think my hard doesnt allow for vlan

    Also i tried with just 1 interface enabled, and its the same.

    0
  • C

    @HellMind:

    How can be asymetric routing just just 1 router? and a single machine :S

    You don't need more than 1 router for that. You must have two anyway from the looks of that, you have something to get you out to the Internet. There isn't enough here to tell you where you're going wrong, need to know what NICs you have on the firewall, how they're being used in relation to the rest of the network.

    0
  • H

    I've just moved to routeros

    Pfsense also present some stability issue on one of the boxes.
    Using vmx3 should work better but using routeros with e1000 its better -_-

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy