Interconnecting 2 independent LAN segs via Opt1



  • Hi to all,

    I have a problem where I need some hints.
    I have a segment A which is Class C and has its own internet gateway through pfSense 2.03. All works well.
    Then I have a segment B which also is Class C and has its fully functional internet gateway through pfSense 2.1. Also functionable.
    I added an Opt1 NIC to the router in seg B connecting it to Seg A.
    I added that NIC IP and subnet to gateways/routes in Router A.
    I can ping B from A.
    I can ping A from B.
    I can access web interface of router A from seg B.
    I can NOT establish any other connection (http/RDP/Samba) from B to A.
    I managed to get an RDP from A to B but it breaks down almost immediately after establishing the connection. Reconnects, breaks, reconnects…

    Where do I have to look after? Any hints?

    Best regards, Holger



  • You don't have routes from A to B.



  • 'Unfortunately' this is not true:
    "I added that NIC IP and subnet to gateways/routes in Router A."

    Regards, Holger



  • Use RIP instead of manually adding routes.



  • Sounds like you will have asymmetric routes. A packet from LAN B client to LAN A client will go to Router B, which delivers it direct to LAN A client (because router B now has an interface directly on LAN A). LAN A client has router A as its default gateway, so will send the reply to router A, router A will redirect it across to router B, which delivers it to client B.
    With ping (ICMP) that probably works OK - pfSense router A doesn't need a state/flow already established in order to forward the ICMP reply? But for TCP/UDP protocols it certainly needs a state. Router A will never have seen the initial SYN packet of the flow (which went direct from router B to client A), so when it gets a packet for the flow going in the opposite direction, it can't match it to a flow and drops it. These should be visible in the firewall logs on router A (assume the default rules are logging).

    Quick fix is to NAT on router B from LAN B to the router B LAN A interface address - that makes client B appear to come from router B LAN A IP address, which LAN A client will be happy to reply to directly.

    Or, try sloppy states on router A (hmmm - may or may not work - worth a try)

    Or, if router A has another interface available, join router B to router A (rather than direct onto LAN A). Make them route to each other over the dedicated cable. Then there is no asymmetric route to mess things up.



  • You can also use DHCP option 121 to push the route to segment A clients. This removes the load from router A and keeps the route symmetric. This is the most efficient and correct way to do it. The static route on router A will only be used for itself, if it needs to talk to segment B.



  • Thank you for your answers.

    I manually added a static route on a server in seg A which now can communicate with machines in seg B (and vice versa). This seems to be stable.

    But this doesn't make a clear case for me.
    The traffic SHOULD be routable via the gateway and there should be no NAT applied. It is a classic routing task, why should router A need a state? It should deliver the IP packets it gets for net B and keep its mouth shut! >:(
    And the packets are coming in at LAN and are going out at LAN, so there is no NAT rule…
    Where am I wrong here?

    Best regards, Holger



  • Because when you connect from A to B, router A creates a state and client A expects packets to return from router A, but router B sends the response packets directly to client A. Both routers have broken states now. You are not properly routing across routers A and B.



  • If the routers were just being routers, it would all be happy. A plain router does not care about matching traffic flows in 2 directions. If you turned off all firewall behaviour in these router+firewall devices then it should work fine.
    As you mentioned about static routes, if you can/are happy to add a static route on every device in LAN A that you care to access from LAN B then that also removes the asymmetric route problem.
    Also, in a classic routing scenario, the default gateway would send an ICMP redirect response back to a client on LAN A "teaching" it about the more direct route available from the LAN A client to router B. If client A takes notice of this, then it can learn the static route automagically. But I don't think that ICMP redirect is used/enabled everywhere these days.



  • He can either use DHCP option 121 to distribute the routes to clients, or he can enable RIP on segment A clients and enable RIP on router B on the segment A interface.
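    The DHCP option 121 suggestion made in this reply and in the earlier one ("You can also use DHCP option 121 to push the route to segment A clients") hinges on how the Classless Static Route option is laid out on the wire (RFC 3442): per route, one prefix-length byte, only the significant octets of the destination, then the four-byte next hop, and a client that receives option 121 ignores the plain router option, so the default route has to be repeated in it. The following is an added Python example written for this page, not code from pfSense or from anyone in the thread; the addresses (router A 192.168.1.1, router B's OPT1 192.168.1.2, segment B 192.168.2.0/24) are constructed, and the ISC dhcpd rendering at the end is an assumed idiom, not something the thread discusses.

```python
from ipaddress import ip_address, ip_network

OPTION_CODE = 121  # DHCP Classless Static Route option, RFC 3442


def encode_option_121(routes):
    """Encode [(destination CIDR, next hop), ...] as the option 121 payload.

    Each route is: prefix length (1 byte), the significant octets of the
    destination (ceil(prefixlen/8) bytes), then the 4-byte next hop.
    """
    out = bytearray()
    for dest, gateway in routes:
        net = ip_network(dest, strict=True)      # raises if host bits are set
        gw = ip_address(gateway)
        if net.version != 4 or gw.version != 4:
            raise ValueError("option 121 carries IPv4 routes only")
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += gw.packed
    return bytes(out)


def decode_option_121(payload):
    """Inverse of encode_option_121; returns [(cidr string, next hop string), ...]."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i}")
        significant = (plen + 7) // 8
        i += 1
        if i + significant + 4 > len(payload):
            raise ValueError("truncated route entry")
        # Pad the destination back out to four octets before building the network.
        dest = bytes(payload[i:i + significant]) + b"\x00" * (4 - significant)
        i += significant
        gw = bytes(payload[i:i + 4])
        i += 4
        routes.append((str(ip_network((int.from_bytes(dest, "big"), plen))),
                       str(ip_address(int.from_bytes(gw, "big")))))
    return routes


def option_bytes(routes):
    """Full TLV as it appears in the DHCP packet: code, length, payload."""
    payload = encode_option_121(routes)
    if len(payload) > 255:
        raise ValueError("too many routes for a single option instance")
    return bytes([OPTION_CODE, len(payload)]) + payload


def dhcpd_option_value(routes):
    """Render the payload as the comma-separated decimal list used with
    'option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;'
    in ISC dhcpd configs (assumed idiom, not from the thread)."""
    return ", ".join(str(b) for b in encode_option_121(routes))


# Constructed addresses: router A is 192.168.1.1, router B's OPT1 on segment A is 192.168.1.2.
SEGMENT_A_ROUTES = [
    ("0.0.0.0/0", "192.168.1.1"),        # default route: must be repeated, clients ignore option 3
    ("192.168.2.0/24", "192.168.1.2"),   # segment B directly via router B, bypassing router A
]

if __name__ == "__main__":
    print(option_bytes(SEGMENT_A_ROUTES).hex(" "))
    print(dhcpd_option_value(SEGMENT_A_ROUTES))
    print(decode_option_121(encode_option_121(SEGMENT_A_ROUTES)))
```

    With the default route pushed alongside the segment B route, segment A clients send segment B traffic straight to router B's OPT1 address and everything else to router A, so no flow ever enters router A on one side and leaves router B on the other. Clients that do not implement option 121 keep using router A for everything and fall back to the asymmetric behaviour described earlier in the thread.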



  • Thanks again for your answers.

    @Phil: I still don't get it, in the middle of seg A runs a VPN endpoint tunneling an external Class C net and it is configured the same way as the gateway to seg B and THAT routing runs like a charm. But it is used only from inside A to outside internet (is there NAT involved?) - When I look at the NAT options/manual NAT rules I don't find anything fitting that traffic (from LAN interface to LAN interface)…

    @Kurian: Good point but I see local routing tables only as a temporary workaround.

    This is a production gateway/router and I get suspicious if I cannot explain its behaviour. So for me this is not solved...

    Best regards, Holger



  • There is nothing unexplained about it. Your setup is simply wrong. pfSense is a stateful firewall/router. Unless you disable states, asymmetric routes will not work. All traffic to segment A clients should enter and leave through router A. You cannot have traffic leaving segment A clients through router A and returning to them directly from router B's IP address.

    The ideal solution to your problem is to get another NIC in router A and plug router B into that. Don't plug router B into segment A.



  • @Phil: I still don't get it, in the middle of seg A runs a VPN endpoint tunneling an external Class C net and it is configured the same way as the gateway to seg B and THAT routing runs like a charm. But it is used only from inside A to outside internet (is there NAT involved?) - When I look at the NAT options/manual NAT rules I don't find anything fitting that traffic (from LAN interface to LAN interface)…

    Maybe the VPN endpoint tunneling device is NATing the extern class c net onto LAN? Then everything on LAN will see packets from that as an ordinary LAN device with an IP address in LAN net.
    Otherwise, yes, LAN clients replying to extern class c net would send first to LAN A pfSense, the firewall won't know about the state/flow and the reply gets dropped. This config would have the same issues as the LAN B you describe.



  • Thank you for your patience, now I found the real solution for that problem:

    You find it in: System: Advanced: Firewall and NAT
    There, mark "Bypass firewall rules for traffic on the same interface":
    This option only applies if you have defined one or more static routes. If it is enabled, traffic that enters and leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where multiple subnets are connected to the same interface.

    Conclusion: pfSense CAN handle asymmetric routing! And you showed me where to look for that. Thank you again.

    Best regards, Holger

    P.S. Where can I mark the thread as solved (manually editing the head line?)
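    The mechanism Phil lays out earlier in the thread (router B delivers the SYN straight onto LAN A, so the reply reaches router A with no matching state and is dropped) and the two remedies that come up, NAT on router B's LAN A interface and the "Bypass firewall rules for traffic on the same interface" option from the last post, can be modelled with a small state table. The following is an added Python example written for this page; it is not pfSense code and not from anyone in the thread. The addresses are constructed, the state table is a deliberately minimal stand-in for pf's, and the bypass flag only mimics the option's documented effect (traffic entering and leaving through the same interface towards a static-routed destination skips the state check).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the thread's two segments (the posts give none).
SEG_A = ip_network("192.168.1.0/24")
SEG_B = ip_network("192.168.2.0/24")
CLIENT_A = "192.168.1.50"
CLIENT_B = "192.168.2.50"
ROUTER_B_OPT1 = "192.168.1.2"      # router B's OPT1 address on segment A


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False               # True only for the first packet of a TCP flow


class RouterA:
    """Segment A's default gateway: a stateful firewall with one static route,
    SEG_B via ROUTER_B_OPT1, which it reaches through its own LAN interface."""

    def __init__(self, bypass_same_iface=False):
        self.static_routes = {SEG_B: ROUTER_B_OPT1}
        self.bypass_same_iface = bypass_same_iface   # the same-interface bypass option
        self.states = set()
        self.dropped = []

    def via_static_route(self, addr):
        return any(ip_address(addr) in net for net in self.static_routes)

    def iface(self, addr):
        if ip_address(addr) in SEG_A or self.via_static_route(addr):
            return "LAN"            # segment B is reached via router B, which sits on LAN
        return "WAN"

    def forward(self, pkt):
        """True if router A forwards pkt, False if the firewall drops it."""
        in_if, out_if = self.iface(pkt.src), self.iface(pkt.dst)
        if self.bypass_same_iface and in_if == out_if and self.via_static_route(pkt.dst):
            return True             # static-routed traffic in and out the same interface: no state check
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.syn:
            self.states.add(key)    # first packet of a flow: create state
            return True
        if key in self.states or reverse in self.states:
            return True             # mid-flow packet matching an existing state
        self.dropped.append(pkt)    # mid-flow packet with no state: dropped (this is what the log shows)
        return False


def session_b_to_a(router_a, nat_on_router_b=False):
    """Client B opens a TCP connection to client A. Router B delivers the SYN
    straight onto segment A, so router A never sees it; client A sends its reply
    to its default gateway unless the reply destination is on segment A itself.
    Returns True if the reply can get back towards router B."""
    src = ROUTER_B_OPT1 if nat_on_router_b else CLIENT_B
    syn = Packet(src, CLIENT_A, 40000, 3389, syn=True)   # delivered directly, not via router A
    reply = Packet(syn.dst, syn.src, syn.dport, syn.sport)
    if ip_address(reply.dst) in SEG_A:
        return True                 # NAT case: reply goes directly to router B's OPT1 address
    return router_a.forward(reply)  # asymmetric case: reply enters router A without a state


def demo():
    return {
        "plain static route": session_b_to_a(RouterA()),
        "NAT on router B": session_b_to_a(RouterA(), nat_on_router_b=True),
        "same-interface bypass": session_b_to_a(RouterA(bypass_same_iface=True)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} -> {'reply forwarded' if ok else 'reply DROPPED by router A'}")
```

    Only the first scenario drops the reply, which is the SYN/ACK that never arrives and the RDP session that keeps reconnecting. The NAT fix works by keeping the whole exchange on segment A, and the bypass option works by exempting the routed LAN-to-LAN flow from state tracking; in both cases router A no longer needs to have seen the opening packet. The trade-off of the bypass is visible in the code too: anything matching that path is forwarded without the firewall rules or state table ever looking at it.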

