LAN-to-LAN routing blocking [solved]



  • Hi,

    I have a new installation and there are problems when I route to other networks through the LAN interface.
    I have a Cisco 3750X stack as core router (inter-VLAN routing), and as internet breakout I want to use pfSense.
    They are both configured to use OSPF, and they are fully adjacent, so the routing is no problem! I can ping everywhere without any problem.
    But SMB shares or Remote Desktop are blocked, and after blocking for 5 sec. the connection can be established…

    I have no idea what I must set in pfSense to allow the packet flow without interruption!

    Thanks Oli

    PS: I am using pfSense 2.0.3 because of Multi-WAN with Squid!

    ![lan rules.PNG](/public/imported_attachments/1/lan rules.PNG)



  • This is another asymmetric routing case. Old clients (192.168.178.0/24) will be using pfSense LAN as their default gateway (192.168.178.1). Then pfSense routes this traffic through to Cisco (192.168.178.9). Cisco delivers the packet. The reply is delivered directly by the Cisco to the old client, because Cisco and old client are in the same subnet. pfSense does not see the replies, and pfSense's states time out.
    pfSense will send ICMP redirect messages back to the old client, and if the old client is smart enough it will take note of those and start using Cisco directly as the gateway to those other private networks.
    You can:
    a) If pfSense has an extra interface, connect Cisco to pfSense by a separate cable to pfSense, and use a different subnet for Cisco-pfSense. Then all traffic from old clients in both directions has to go through pfSense; or
    b) System: Advanced: Firewall and NAT - Bypass firewall rules for traffic on the same interface - then this traffic should be passed.
    c) Switch to Manual Outbound NAT, add a NAT rule for interface LAN, source 192.168.178.0/24, destination those subnets behind Cisco, NAT to the LAN IP. Then all the traffic from "old clients" will appear to come from 192.168.178.1 and so the reply packets will all go back from Cisco to pfSense, be un-NATed, and then delivered to the "old client".
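To make the asymmetry in the reply above concrete, here is an added simulation (written for this page, not code from the thread or from pfSense) that walks a client-to-server packet and its reply through the original layout, through option c) with outbound NAT to the LAN IP, and through option a) with a separate transit subnet; the networks behind Cisco (10.0.0.0/8), the server address and the 172.30.29.x addresses are assumed, and option b) (bypassing rules for same-interface traffic) is not modelled.

```python
import ipaddress
# Constructed topology after the thread: "old clients" on 192.168.178.0/24 default to pfSense LAN
# 192.168.178.1; the Cisco core sits on the same LAN as 192.168.178.9. 10.0.0.0/8 behind Cisco,
# the server 10.1.1.20 and the 172.30.29.x transit addresses are assumed, not from the thread.
CLIENT, PF_LAN, CISCO_LAN, SERVER = "192.168.178.50", "192.168.178.1", "192.168.178.9", "10.1.1.20"
PF_XIT, CISCO_XIT = "172.30.29.1", "172.30.29.2"          # option a) transit net 172.30.29.0/26
OWNER = {CLIENT: "client", PF_LAN: "pfsense", PF_XIT: "pfsense",
         CISCO_LAN: "cisco", CISCO_XIT: "cisco", SERVER: "server"}
SAME_LAN = {"client":  {"192.168.178.0/24": "direct", "0.0.0.0/0": PF_LAN},
            "pfsense": {"192.168.178.0/24": "direct", "10.0.0.0/8": CISCO_LAN},
            "cisco":   {"192.168.178.0/24": "direct", "10.0.0.0/8": "direct"},
            "server":  {"10.0.0.0/8": "direct", "0.0.0.0/0": CISCO_LAN}}
TRANSIT = {"client":  {"192.168.178.0/24": "direct", "0.0.0.0/0": PF_LAN},
           "pfsense": {"192.168.178.0/24": "direct", "172.30.29.0/26": "direct", "10.0.0.0/8": CISCO_XIT},
           "cisco":   {"172.30.29.0/26": "direct", "10.0.0.0/8": "direct", "192.168.178.0/24": PF_XIT},
           "server":  {"10.0.0.0/8": "direct", "0.0.0.0/0": CISCO_XIT}}

def lookup(table, dst):
    """Longest-prefix match; a table maps prefix -> next-hop IP, or "direct" for on-link delivery."""
    ip = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in table if ip in ipaddress.ip_network(p)]
    return table[str(max(nets, key=lambda n: n.prefixlen))]

def walk(tables, src, dst, nat=False):
    """Forward one packet hop by hop; returns (devices visited, source address the receiver sees)."""
    here, path = OWNER[src], []
    while True:
        path.append(here)
        if here == OWNER[dst]:
            return path, src
        if here == "pfsense" and nat and OWNER[src] == "client":
            src = PF_LAN                                   # option c): outbound NAT to the LAN IP
        hop = lookup(tables[here], dst)
        here = OWNER[dst] if hop == "direct" else OWNER[hop]

def round_trip(tables, nat=False):
    """Client -> server request plus the server's reply; returns both device paths."""
    out, seen_src = walk(tables, CLIENT, SERVER, nat)
    back, _ = walk(tables, SERVER, seen_src)
    if seen_src != CLIENT:                                 # pfSense un-NATs and delivers to the client
        back += walk(tables, PF_LAN, CLIENT)[0][1:]
    return out, back

def stateful_ok(out, back):
    """pf keeps a usable TCP state only if it sees both directions; otherwise the flow stalls."""
    return "pfsense" in out and "pfsense" in back

if __name__ == "__main__":
    for name, tables, nat in [("same LAN", SAME_LAN, False), ("LAN + NAT", SAME_LAN, True), ("transit", TRANSIT, False)]:
        out, back = round_trip(tables, nat)
        print(f"{name:10} out={out} back={back} symmetric={stateful_ok(out, back)}")
```

In the original layout the reply path never touches pfSense, which is exactly the state timeout the reply describes; with NAT or the transit subnet both directions pass through it.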



  • Thank you so much!

    I had a knot in my brain!  :o

    As I read "asymmetric routing" I get a red head! ;)

    What a novice error, I really feel ashamed..

    The solution was: of course building a separate transport network between the Cisco stack and pfSense, 172.30.29.0/26

    Thanks again, and regards, Oli