LAN to LAN routing - Still TCP:SA



  • Hi,

    I have set up multiple LAN IP addresses using Firewall -> Virtual IP -> "IP Alias".  Using pfSense 2.0.3 PRERELEASE, but exactly the same behaviour on 2.0.2 …

    But return traffic from my servers on the Virtual IP Aliased (private network) LAN to the LAN (on another subnet) is still blocked with TCP:SA, even though I have set the flag: "Bypass firewall rules for traffic on the same interface"

    No matter what I try with LAN rules, I can't get it to work.

    Is there a particular rule I need to set to make LAN to LAN really not be impeded by anything?  It should bypass ALL firewall rules...

    I already removed the "block private networks" from the LAN filter.

    Please help.

    Thanks



  • Can you screen shot your rules?



  • Hi, I think I just (finally) solved it while solving another problem - by putting rules in the FLOATING firewall rules which switch off state checking.

    It turns out that even if the pfSense is not even supposed to be in the loop between 2 machines on the same LAN, and same subnet, it will still kill the TCP conversation after 30 seconds due to TCP:S… How it does that, I do not know - but I have added the rules for all possible combinations of the various subnets I have running on the LAN in the FLOATING rules.

    They seem not to have any effect in the LAN rule-area.

    Thanks for reading, perhaps this helps somebody else.



  • We are suffering from this same problem.  We have a single internal IPv6 subnet mapped to the router.  There is a second private address space subnet on an adjacent virtual router (hosted with Windows) for managing VPN and DirectAccess clients.  Unfortunately, the IPv6 traffic between LAN subnet and VPN subnet hosts is blocked at the firewall.  Or, more precisely, TCP:SA and TCP:R traffic alone is blocked, while all other traffic can pass.  We've set up very permissive rules, and yet this keeps happening.

    Our internal LAN interface ruleset (as requested by the previous poster) is as follows:

    Those aliases are to fda2:1fee:7b5a:4704::/64 (LAN subnet) and fda2:1fee:7b5a:1000::/64 (VPN/DirectAccess subnet).  There is a static route setup to the other router for the DirectAccess subnet:

    The result in the firewall is that TCP:SA and TCP:R are blocked while other traffic is passed. You can see a UDP allowed in the screenshot. I can ping the hosts from an internal client with ICMP too. See the rows here affected:

    The blocked rows are blocked by the "Default Deny" IPv6 rule.

    I have tried the solution proposed above – moving the rules to floating.  The traffic is identified in the log as occurring on the LAN interface, but technically the *:1000:: hosts are reachable via an IPHTTPS or Teredo tunnel that originates

    Another thread stated that this might be due to "asymmetric" routing with no details.  I have no idea if that's the case or how I would determine that in my troubleshooting.

    Any help is much appreciated.  (PS - running 2.1-BETA1 build from April 11)



  • Put it in the FLOATING rules…. Putting it in the LAN rules I found out doesn't work for some reason.

    Hope it helps.



  • "I have tried the solution proposed above – moving the rules to floating."

    I did try that with no success.  Didn't change the behavior at all.



  • Any ideas from anyone on this?



  • Sorry, it works for IPv4, don't use IPv6 yet. But you may want to check on your other routers in the network. TCP:SA is usually a valid block and you may be doing some criss-cross routing. (It's healthy to know where your packets go  :) )
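Added example, not code from any poster in this thread: a small Python model of why a stateful firewall drops a SYN-ACK (TCP:SA) or RST it never saw the SYN for, which is exactly what asymmetric ("criss-cross") routing produces, and why a rule with state tracking switched off (the floating-rule fix above) lets the same packets through while UDP and ICMP were never affected. The addresses, ports, and class and function names are constructed for the demo.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""     # TCP flags as filterlog prints them: "S", "SA", "A", "R"

class StatefulFilter:
    """Minimal model of one 'pass ... keep state' rule (flags S/SA) on one interface."""
    def __init__(self, keep_state=True):
        self.keep_state = keep_state        # False models the rule's 'none' state option
        self.states = set()                 # one (src, dst, sport, dport) entry per flow

    def _keys(self, p):
        return {(p.src, p.dst, p.sport, p.dport), (p.dst, p.src, p.dport, p.sport)}

    def handle(self, p):
        """Return 'pass' or 'block' for one packet crossing the interface."""
        if not self.keep_state:
            return "pass"                   # stateless: the rule match alone decides
        if self._keys(p) & self.states:
            return "pass"                   # matches an existing state, either direction
        if p.proto != "tcp" or p.flags == "S":
            self.states.add((p.src, p.dst, p.sport, p.dport))   # first packet creates state
            return "pass"
        return "block"                      # SA/R/A with no state falls to the default deny

def asymmetric_tcp(keep_state):
    """The client's SYN reached the server without crossing the firewall (constructed
    addresses); only the server's SYN-ACK and a later RST arrive on this interface."""
    fw = StatefulFilter(keep_state)
    syn_ack = Packet("tcp", "10.0.1.5", "10.0.0.20", 80, 40000, "SA")
    rst = Packet("tcp", "10.0.1.5", "10.0.0.20", 80, 40000, "R")
    return [fw.handle(syn_ack), fw.handle(rst)]

def symmetric_tcp(keep_state):
    """Both directions cross the firewall, so the SYN creates the state the SYN-ACK needs."""
    fw = StatefulFilter(keep_state)
    syn = Packet("tcp", "10.0.0.20", "10.0.1.5", 40000, 80, "S")
    syn_ack = Packet("tcp", "10.0.1.5", "10.0.0.20", 80, 40000, "SA")
    return [fw.handle(syn), fw.handle(syn_ack)]

def udp_one_way():
    fw = StatefulFilter()   # UDP has no handshake: the first datagram seen creates state
    return fw.handle(Packet("udp", "10.0.1.5", "10.0.0.20", 53, 50000))
```

Turning state tracking off also forfeits the per-flow sequence checks a stateful rule gives you, so if the blocked TCP:SA entries in the log all belong to flows whose SYN never appears on that interface, correcting the route so both directions cross the firewall is the cleaner fix.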

