STRANGE CASE?! SYN_SENT:CLOSED Dual-WAN/NAT



  • I have a simple Dual-WAN setup.

    LAN: 192.168.0.254
    WAN: 192.168.201.254 <--DMZ-- .201.1
    OPT1: 192.168.202.254  <--DMZ-- .202.1

    I've set up policy routing on game source/destination ports / game servers so that all game traffic goes to OPT1, while the default is WAN.

    This case is strange: without initiating traffic through WAN, making connections via OPT1 doesn't give any response.

    (although I can ping certain hosts via static routes (dns))

    Here's a tcpdump example:
    10:26:57.644458 IP 192.168.0.104.1042 > 74.53.215.6.7456: S 3554463921:3554463921(0) win 65535 <mss 1460,nop,nop,sackOK>
    10:27:00.507230 IP 192.168.0.104.1042 > 74.53.215.6.7456: S 3554463921:3554463921(0) win 65535 <mss 1460,nop,nop,sackOK>
    NO RESPONSE (2 packets sent out)

    State: tcp      192.168.0.102:1044 -> 192.168.202.254:1044 -> 74.53.215.6:7456      SYN_SENT:CLOSED

    But after making traffic through WAN, it works flawlessly. Huh?!

    WORKING tcpdump example:
    10:30:21.740800 IP 192.168.0.104.1143 > 74.53.215.6.7456: S 3572235624:3572235624(0) win 65535 <mss 1460,nop,nop,sackOK>
    10:30:22.024314 IP 74.53.215.6.7456 > 192.168.0.104.1143: S 813763978:813763978(0) ack 3572235625 win 16384 <mss 1452,nop,nop,sackOK>
    10:30:22.024417 IP 192.168.0.104.1143 > 74.53.215.6.7456: . ack 1 win 65535
    10:30:22.024558 IP 192.168.0.104.1143 > 74.53.215.6.7456: P 1:6(5) ack 1 win 65535

    State: tcp      192.168.0.102:1075 -> 192.168.202.254:1075 -> 74.53.215.6:7456      TIME_WAIT:TIME_WAIT

    ---- What am I doing wrong? Why is it so weird? I even tried deleting all the states related to the hosts involved; the case is still the same. I'm totally lost.
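    The poster is comparing the two captures by hand: in the failing one the client's SYN goes out twice and nothing comes back, in the working one a SYN-ACK arrives 283 ms later. The following is an added example, not code from the original post or from pfSense, that automates that comparison. It reads tcpdump lines in the format shown above, groups them into client-initiated flows by 4-tuple, and reports for each flow whether a SYN-ACK was ever seen, how many SYNs were sent, and the handshake delay. An "unanswered" flow here is the packet-level counterpart of the SYN_SENT:CLOSED entry in the pf state table. The sample captures are constructed from the two excerpts in the post; the function and variable names are my own.

```python
"""Classify TCP connection attempts in tcpdump output as answered/unanswered.

Added example, not from the original post. Parses tcpdump lines of the form
    HH:MM:SS.usec IP a.b.c.d.port > e.f.g.h.port: FLAGS ...
and tracks, per client-initiated 4-tuple, whether a SYN-ACK came back.
"""
import re
from collections import OrderedDict
from datetime import datetime

# Matches the tcpdump line format the post shows (pre-4.x flag syntax: S, ., P, F, R).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SPFR.]+) (?P<rest>.*)$"
)

# Sample input: constructed from the two captures quoted in the post above.
SAMPLE_FAILING = """
10:26:57.644458 IP 192.168.0.104.1042 > 74.53.215.6.7456: S 3554463921:3554463921(0) win 65535 <mss 1460,nop,nop,sackOK>
10:27:00.507230 IP 192.168.0.104.1042 > 74.53.215.6.7456: S 3554463921:3554463921(0) win 65535 <mss 1460,nop,nop,sackOK>
""".strip().splitlines()

SAMPLE_WORKING = """
10:30:21.740800 IP 192.168.0.104.1143 > 74.53.215.6.7456: S 3572235624:3572235624(0) win 65535 <mss 1460,nop,nop,sackOK>
10:30:22.024314 IP 74.53.215.6.7456 > 192.168.0.104.1143: S 813763978:813763978(0) ack 3572235625 win 16384 <mss 1452,nop,nop,sackOK>
10:30:22.024417 IP 192.168.0.104.1143 > 74.53.215.6.7456: . ack 1 win 65535
10:30:22.024558 IP 192.168.0.104.1143 > 74.53.215.6.7456: P 1:6(5) ack 1 win 65535
""".strip().splitlines()


def _seconds(ts):
    """Convert HH:MM:SS.usec to seconds since midnight (capture is same-day)."""
    t = datetime.strptime(ts, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6


def parse_line(line):
    """Return a dict for one tcpdump line, or None if it is not a TCP line we understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["time"] = _seconds(d["ts"])
    d["syn"] = "S" in d["flags"]
    # A SYN-ACK prints as "S ... ack N"; "sackOK" must not count, hence word boundaries.
    d["ack"] = re.search(r"\back\b", d["rest"]) is not None
    return d


def classify_flows(lines):
    """Group SYN/SYN-ACK packets by 4-tuple and decide whether each attempt was answered.

    Returns {(client_ip, client_port, server_ip, server_port): {"status", "syns", "rtt"}}.
    "syns" counts SYNs sent (retransmits included); "rtt" is first SYN to first SYN-ACK.
    """
    flows = OrderedDict()
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        fwd = (p["sip"], p["sport"], p["dip"], p["dport"])
        rev = (p["dip"], p["dport"], p["sip"], p["sport"])
        if p["syn"] and not p["ack"]:
            f = flows.setdefault(fwd, {"syns": 0, "first_syn": p["time"], "synack_at": None})
            f["syns"] += 1
        elif p["syn"] and p["ack"] and rev in flows:
            f = flows[rev]
            if f["synack_at"] is None:
                f["synack_at"] = p["time"]
    result = OrderedDict()
    for key, f in flows.items():
        if f["synack_at"] is None:
            result[key] = {"status": "unanswered", "syns": f["syns"], "rtt": None}
        else:
            result[key] = {"status": "answered", "syns": f["syns"],
                           "rtt": round(f["synack_at"] - f["first_syn"], 6)}
    return result


def report(lines):
    """Human-readable one-liner per flow, in the order the flows first appeared."""
    out = []
    for (cip, cport, sip, sport), r in classify_flows(lines).items():
        if r["status"] == "answered":
            out.append("%s:%s -> %s:%s answered after %d SYN(s), handshake %.3f s"
                       % (cip, cport, sip, sport, r["syns"], r["rtt"]))
        else:
            out.append("%s:%s -> %s:%s UNANSWERED, %d SYN(s) sent, no SYN-ACK (pf would show SYN_SENT:CLOSED)"
                       % (cip, cport, sip, sport, r["syns"]))
    return out


if __name__ == "__main__":
    import sys
    src = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_FAILING + SAMPLE_WORKING
    for line in report(src):
        print(line)
```

    Run it as `tcpdump -n -i <opt1nic> 'tcp[tcpflags] & tcp-syn != 0' | python3 synreport.py` (hypothetical file name) to see, per outbound attempt on the OPT1 side, whether the remote SYN-ACK ever arrives; comparing the same capture on the WAN side shows at once whether the SYN left the wrong interface or the reply never came back.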



  • What pfSense version?

    What interface are you capturing on?



  • Latest snapshot.

    I used tcpdump -n …..
    but it'll also appear in tcpdump -n -i OPT1nic.... I just didn't use -i because I wanted to see the actual source IP.



  • Please make a screenshot of the firewall rules and any related nat rules.

