4. Traffic blocked @1 @2 TCP:A TCP:PA by default

Traffic blocked @1 @2 TCP:A TCP:PA by default

  • H

    I got a pfsense 2.0 runing on a esxi5
    The only way that I can make it work without conections timeouts and those firewall filter logs is, disabling the firewall filter

    Whats wrong?

    I tried everything , setting the fw to conservative

    I ve disabled tcp offloading and those stuff useless on a virtual environment

    I got 4 virtual interfaces connected to the same vswitch, its that the problem?

    0
  • C

    That means you have asymmetric routing somehow/somewhere, not enough there to tell you where. Traffic isn’t routing through the firewall in both directions, or it may get routed back in the wrong direction for some reason. Can’t statefully filter such traffic with any firewall, most likely you need to fix whatever is causing that to happen (though there are other work arounds, they won’t leave you with an extremely tight firewall).

    0
  • H

    @cmb:

    That means you have asymmetric routing somehow/somewhere, not enough there to tell you where. Traffic isn’t routing through the firewall in both directions, or it may get routed back in the wrong direction for some reason. Can’t statefully filter such traffic with any firewall, most likely you need to fix whatever is causing that to happen (though there are other work arounds, they won’t leave you with an extremely tight firewall).

    Is there any tool to discover whats wrong?
    Cant be esxi?

    When you say whatever is causing that, what should I look  for?,  a broken switch?, a misconfigured virtual switch?,

    0
  • H

    How can be asymetric routing just just 1 router? and a single machine :S

    0
  • B

    I got 4 virtual interfaces connected to the same vswitch

    What does your ESXi network diagram look like?

    0
  • H

    Isnt complex


    0
  • B

    Do you have only that one NIC in your ESXi host or did you just cut off the bottom of diagram?

    You would have to VLAN the traffic if there’s only one NIC.

    0
  • H

    @biggsy:

    Do you have only that one NIC in your ESXi host or did you just cut off the bottom of diagram?

    You would have to VLAN the traffic if there’s only one NIC.

    I got just 1 iface

    I think my hard doesnt allow for vlan

    Also i tried with just 1 interface enabled, and its the same.

    0
  • C

    @HellMind:

    How can be asymetric routing just just 1 router? and a single machine :S

    You don’t need more than 1 router for that. You must have two anyway from the looks of that, you have something to get you out to the Internet. There isn’t enough here to tell you where you’re going wrong, need to know what NICs you have on the firewall, how they’re being used in relation to the rest of the network.

    0
  • H

    I’ve just moved to routeros

    Pfsense also present some stability issue on one of the boxes.
    Using vmx3 should work better but using routeros with e1000 its better -_-

    0
Locked
 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy