Netgate Discussion Forum

    ICMP works, TCP not: Asymmetrical Route? - 2.0.3

    Firewalling
    3 Posts 2 Posters 2.6k Views
    phedaikin

      Hello again,

      We've got a problem with our firewall.

      What we have:
      Netconfig:

      • 10.10.10.0/24 for all physical servers
      • 10.10.200.0/24 for all virtual servers
        – Alias IP 10.10.200.254
        – Virtualization with Parallels/OpenVZ
        – Using "routing" config.
        – Rules "any to any: type any: all allow on every interface"

      What we try:
      A virtual server (10.10.200.0/24) trying to connect (anything over TCP) to a hardware node (10.10.10.0/24)
      does not work. If we try ICMP, we get an answer.
      So IMHO the route should work, but as explained, it does not.

      Maybe this is the problem:

      1: vServer 10.10.200.1 sends a SYN to 10.10.10.1
      2: the physical server collects the packet and routes it to the default GW 10.10.10.254 with sender 10.10.200.1 (pfSense)
      3: pfSense receives the packet.
      4: checks the rules and figures out that there is one "any to any on any"
      5: Now pfSense sends the SYN packet back through the same interface (because of the alias IP)
      6: physical server (10.10.10.1) receives the packet
      7: physical server sends the SYN/ACK with sender IP 10.10.10.1 to receiver 10.10.200.1 via default GW 10.10.10.254
      8: Firewall does not have a rule and blocks the packet. But IMHO the automatic back rule should work, and it does not.

      We also had this problem on our old ZyXEL ZyWALL; after enabling the option "Asymmetrical Route" the problem was gone.

      We are able to reproduce the same behaviour on pfSense 2.1 RCx.
      And if we DISABLE the firewalling and use pfSense in routing mode, everything works fine except the firewalling ;)

      edit 1: typos
      edit 2: info

      "We’re all books containing thousand of pages and within each of them lies an irreparable truth."– Subjekt 16

      traxanos

        Hi,

        your problem is that the physical server does not send the ACK request to the firewall. It sends it directly to 10.10.10.1, because the server should be in the same subnet. The answer from 10.10.10.1 to 10.10.200.1 must be sent to the gateway because it is not in the same subnet. So only the ACK goes over the gateway, and so no rule matches.

        Now you must create an alias with all networks (e.g. 10.10.10.0/24 and 10.10.100.0/24) of the interface and add a new floating rule with:

        Interface of 10.10.10.0/24 and 10.10.100.0/24
        Direction any
        Protocol TCP
        Source and Destination is the created alias
        TCP Flags all
        State type none

        So it should do what you want.

        phedaikin
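        The following is an added example, not code from either poster and not pfSense or pf code. It is a toy model of the state-table behaviour the two posts describe: with the default "keep state" rule the filter only creates a state when it sees the SYN, so a SYN/ACK arriving on its own (the asymmetric path, where the forward packet never crosses the gateway) is blocked; the stateless floating rule traxanos describes (TCP, any flags, state type none, source and destination in the alias) passes it. Addresses are the thread's; the alias is assumed to be 10.10.10.0/24 and 10.10.200.0/24 (the two networks named in the first post), and ports 22 and 40000 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP segment as the firewall sees it (constructed sample data)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


class ToyStatefulFirewall:
    """Minimal model of a stateful packet filter (not pf itself).

    The default rule ("any to any, keep state") creates a state entry when
    it sees the SYN of a new connection; later segments in either direction
    pass only if a matching state exists. An optional stateless rule
    (modelling the floating rule: protocol TCP, TCP flags any, state type
    none, source and destination in the alias) passes matching segments
    without consulting the state table at all.
    """

    def __init__(self, stateless_alias=None):
        self.states = set()
        self.alias = [ipaddress.ip_network(n) for n in (stateless_alias or [])]

    def _in_alias(self, addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.alias)

    def filter(self, pkt):
        # The state key is direction-independent, so the reply of a tracked
        # connection matches the state its forward SYN created.
        key = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
        if self._in_alias(pkt.src) and self._in_alias(pkt.dst):
            return "pass (stateless rule)"
        if key in self.states:
            return "pass (existing state)"
        if pkt.flags == "S":
            self.states.add(key)
            return "pass (new state)"
        return "block (no state)"


def run_trace(fw, packets):
    """Feed segments to the firewall in order and return the verdicts."""
    return [fw.filter(p) for p in packets]


# Constructed traces using the thread's addresses (ports are made up).
VSERVER, NODE = "10.10.200.1", "10.10.10.1"
SYN = Packet(VSERVER, 40000, NODE, 22, "S")
SYN_ACK = Packet(NODE, 22, VSERVER, 40000, "SA")

# Symmetric path: the firewall forwards both directions of the handshake.
SYMMETRIC = [SYN, SYN_ACK]
# Asymmetric path: the SYN reaches 10.10.10.1 without crossing pfSense;
# only the SYN/ACK is routed through the gateway.
ASYMMETRIC = [SYN_ACK]


def demo():
    """Return the verdicts for the three scenarios discussed in the thread."""
    return {
        "symmetric, default rules": run_trace(ToyStatefulFirewall(), SYMMETRIC),
        "asymmetric, default rules": run_trace(ToyStatefulFirewall(), ASYMMETRIC),
        "asymmetric, stateless floating rule": run_trace(
            ToyStatefulFirewall(["10.10.10.0/24", "10.10.200.0/24"]), ASYMMETRIC),
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name}: {verdicts}")
```

        The model also shows the trade-off behind "State type none": for TCP between the two aliased networks the firewall no longer tracks connections at all, so it cannot tell a reply from an unsolicited segment on that path. Keeping the alias limited to the networks that actually share the asymmetric path, rather than using "any", confines that loss of state tracking to where it is needed.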

          So topic solved :)

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.