ICMP works, TCP not: Asymmetrical Route? - 2.0.3



  • Hello again,

    We've got a problem with our firewall.

    What we have:
    Netconfig:

    • 10.10.10.0/24 for all physical servers
    • 10.10.200.0/24 for all virtual servers
      -- Alias IP 10.10.200.254
      -- Virtualization with Parallels/OpenVZ
      -- Using "routing" config.
      -- Rules "any to any: type any: all allow on every interface"

    What we try:
    A virtual server (10.10.200.0/24) trying to connect (anything over TCP) to another hardware node (10.10.10.0/24)
    is not working. If we try ICMP, we get an answer.
    So IMHO the route should work, but as explained, it does not.

    Maybe this is the problem:

    1: vServer 10.10.200.1 sends a SYN to 10.10.10.1
    2: the physical server collects the packet and routes it to the default GW 10.10.10.254 (pfSense) with sender 10.10.200.1
    3: pfSense receives the packet.
    4: checks the rules and figures out that there is one "any to any on any"
    5: Now pfSense sends the SYN packet back out through the same interface (because of the alias IP)
    6: physical server (10.10.10.1) receives the packet
    7: physical server sends the SYN/ACK with sender IP 10.10.10.1 to receiver 10.10.200.1 via default GW 10.10.10.254
    8: The firewall does not have a rule and blocks the packet, but IMHO the automatic reply rule should work, and it does not.

    We had this problem also on our old ZyXEL ZyWALL; after enabling the option "Asymmetrical Route" the problem was gone.

    We are able to reproduce the same behaviour on pfSense 2.1 RCx.
    And if we DISABLE the firewalling and use pfSense in routing mode, everything works fine, except the firewalling ;)

    edit 1: typos
    edit 2: info



  • Hi,

    Your problem is that the physical server does not send the ACK request to the firewall. It sends it directly to 10.10.10.1, because the server should be in the same subnet. The answer of 10.10.10.1 to 10.10.200.1 must be sent to the gateway because it is not in the same subnet. So only the ACK is going over the gateway, and so no rule matches.

    Now you must create an alias with all networks (e.g. 10.10.10.0/24 and 10.10.100.0/24) of the interface and add a new floating rule with:

    Interface of 10.10.10.0/24 and 10.10.100.0/24
    Direction any
    Protocol TCP
    Source and Destination are the created alias
    TCP Flags all
    State type none

    So it should do what you want.
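As an added illustration (not part of the thread and not pfSense's own code), a small Python model of the path described in the reply above: each host hands only off-subnet traffic to pfSense, and pf's default TCP rule creates state only on a bare SYN, so a SYN/ACK arriving on its own is out-of-state while an ICMP echo reply matches the "any to any" rule by itself. The topology table, the alias contents (10.10.200.0/24 as in the first post's netconfig) and the `floating_no_state` switch are assumptions modelled on the thread.

```python
import ipaddress

# Constructed topology from the thread: the OpenVZ hardware node hosting the vServer
# sits on 10.10.10.0/24, so 10.10.200.1 -> 10.10.10.1 goes direct, while 10.10.10.1
# can only reach 10.10.200.0/24 through its default gateway pfSense (10.10.10.254).
DIRECT_SUBNET = {
    "10.10.200.1": ipaddress.ip_network("10.10.10.0/24"),  # vServer, via its node
    "10.10.10.1": ipaddress.ip_network("10.10.10.0/24"),   # physical server
}
ALIAS_NETS = [ipaddress.ip_network(n) for n in ("10.10.10.0/24", "10.10.200.0/24")]  # assumed alias

def in_alias(*hosts):
    return all(any(ipaddress.ip_address(h) in n for n in ALIAS_NETS) for h in hosts)

class PfFilter:
    """Model of pf's stateful 'pass any to any': TCP creates state only on a bare SYN
    (default flags S/SA), other protocols on any packet; state matches always pass."""

    def __init__(self, floating_no_state=False):
        self.states = set()
        self.floating_no_state = floating_no_state  # the reply's 'State type none' rule

    def filter(self, proto, src, dst, flags=""):
        key = (proto, frozenset((src, dst)))
        if key in self.states:
            return "pass (state match)"
        if proto != "tcp" or flags == "SYN":
            self.states.add(key)
            return "pass (state created)"
        if self.floating_no_state and proto == "tcp" and in_alias(src, dst):
            return "pass (floating rule, no state)"
        return "block (out-of-state TCP packet)"

def send(fw, proto, src, dst, flags=""):
    """Only traffic leaving the sender's directly connected subnet reaches pfSense."""
    if ipaddress.ip_address(dst) in DIRECT_SUBNET[src]:
        return "direct (pfSense never sees it)"
    return fw.filter(proto, src, dst, flags)

def tcp_handshake(floating_no_state=False):
    fw = PfFilter(floating_no_state)
    return [send(fw, "tcp", "10.10.200.1", "10.10.10.1", "SYN"),
            send(fw, "tcp", "10.10.10.1", "10.10.200.1", "SYN/ACK"),
            send(fw, "tcp", "10.10.200.1", "10.10.10.1", "ACK")]

def ping():  # the thread's 'ICMP works': the echo reply matches the pass rule on its own
    fw = PfFilter()
    return [send(fw, "icmp", "10.10.200.1", "10.10.10.1"),
            send(fw, "icmp", "10.10.10.1", "10.10.200.1")]
```

Note that the no-state floating rule passes TCP between the two aliased networks in both directions without any state tracking, so pfSense no longer inspects those flows; it works around the asymmetric route rather than removing it.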



  • So topic solved :)
