Asymmetric routing, wrong FW config - randomly works?

I was originally going to post about how this isn't working for me, but I believe I have it resolved now.

Cisco 3750 with multiple VLANs, with static IP ranges configured in the 3750 (/16 … /16 .... etc.), routed to the gateway address of pfSense at /16.

pfSense is the main network router, with a main outgoing gateway at and a secondary gateway at leading back to the Cisco 3750.

For a long time I have not been able to get reliable connections between the main /16 LAN and the subnets on the Cisco 3750 like

Oh sure, you can connect. Half the time. But things are just random and unstable. Trying to connect to a Windows file system at , it takes forever for the connection to open. Sometimes the files all seem to disappear, then come back. Copying files fails halfway or times out.

Running Wireshark on a test laptop at , it would receive frequent "retransmit" packets from the Windows server at , so it was getting some data through, even with the wrong firewall rules. (??)

The pfSense firewall log was also full of block messages for various TCP flags like PA, from to

I finally determined this evening that the way to do an asymmetric outgoing-only pass rule is like this:

PASS,  Proto: IPv4,  From: /16,  To: /16
Advanced features: State type: None,  Gateway:

Crucially, setting the State Type to "None" is by itself not good enough for an asymmetric rule. It still randomly fails with just the State Type set to None.

Also in the pass rule, you have to set the advanced features Gateway to for it to finally work and for all the firewall "blocked by default rule" errors to go away.

I still do not know why, with the wrong firewall settings, the asymmetric routing "sorta" worked, as opposed to either completely working or completely not working.
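As an added illustration (editor's example, not part of the post above), here is roughly what the two rule shapes correspond to in pf syntax, the packet filter underneath pfSense, with pfSense's tracker and label bookkeeping left out. The addresses are placeholders, since the post's were stripped: $LAN for the LAN interface, 10.1.0.0/16 for the main LAN, 10.2.0.0/16 for a 3750 subnet and 10.1.0.2 for the gateway back to the 3750.

```pf
# Added example, not from the post. Placeholder values:
#   $LAN = LAN interface, 10.1.0.0/16 = main LAN, 10.2.0.0/16 = a 3750 subnet,
#   10.1.0.2 = the secondary gateway leading back to the Cisco 3750.

# 1. Plain LAN pass rule with the default state type (Keep). pf creates a state
#    entry on the first packet and then expects to see the rest of the conversation;
#    on an asymmetric path it never does, so later segments no longer match the
#    state and fall through to the default block rule.
pass in quick on $LAN inet from 10.1.0.0/16 to 10.2.0.0/16 keep state

# 2. What the post arrived at: State type None ("no state") plus an explicit
#    Gateway ("route-to"), so nothing is tracked and the packet is handed
#    straight to the 3750 regardless of the routing table.
pass in quick on $LAN route-to ( $LAN 10.1.0.2 ) inet from 10.1.0.0/16 to 10.2.0.0/16 no state
```

With `no state` there is no entry for a reply to match against, so any return traffic that does reach pfSense needs its own pass rule in the other direction; otherwise the default deny catches it exactly as in the log described above. pfSense also has a global setting for this static-route situation, System > Advanced > Firewall & NAT > "Bypass firewall rules for traffic on the same interface", which is worth comparing against a per-rule fix like the one above.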
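To turn the "log full of PA blocks" symptom into something you can triage, here is an added script (editor's example, not the poster's) that parses pfSense filter log lines in the filterlog CSV format and separates ordinary denied connection attempts (blocked SYNs) from blocked mid-conversation segments (ACK set), grouped per interface and address pair. A blocked TCP packet that already carries ACK means pf had no matching state for a conversation in progress, which is the asymmetric-routing signature. The sample lines are constructed with placeholder addresses: 10.1.0.20 stands in for the laptop on the main LAN, 10.2.5.10 for the Windows server on a 3750 subnet, 198.51.100.7 for an outside host hitting the WAN; igb1 is the LAN and igb0 the WAN. Only IPv4 lines are decoded.

```python
"""Triage pfSense filter log lines for asymmetric-routing symptoms.

Added example (not from the original post). Input is the CSV payload that
pfSense's filterlog writes to the system log; a leading "... filterlog[pid]: "
syslog prefix is tolerated. Only IPv4 lines are decoded; others are skipped.
"""
from collections import Counter, defaultdict

# Constructed sample log with placeholder addresses (the post's were stripped):
#   10.1.0.20 = laptop on the main LAN, 10.2.5.10 = Windows server on a 3750 subnet,
#   198.51.100.7 = outside host hitting the WAN. igb1 = LAN, igb0 = WAN.
SAMPLE_LINES = [
    "5,,,1000000103,igb1,match,block,in,4,0x0,,128,4521,0,DF,6,tcp,1500,10.1.0.20,10.2.5.10,49812,445,1460,PA,11,22,65535,,",
    "5,,,1000000103,igb1,match,block,in,4,0x0,,128,4522,0,DF,6,tcp,52,10.1.0.20,10.2.5.10,49812,445,0,A,12,23,65535,,",
    "Mar  1 20:14:07 pfSense filterlog[21507]: 5,,,1000000103,igb1,match,block,in,4,0x0,,128,4523,0,DF,6,tcp,1500,10.1.0.20,10.2.5.10,49812,445,1460,PA,13,24,65535,,",
    "5,,,1000000103,igb1,match,block,in,4,0x0,,128,4524,0,DF,6,tcp,52,10.1.0.20,10.2.5.10,49812,445,0,FA,14,25,65535,,",
    "5,,,1000000103,igb0,match,block,in,4,0x0,,54,1,0,none,6,tcp,60,198.51.100.7,203.0.113.10,44123,22,0,S,99,,29200,,mss",
    "5,,,1000000103,igb0,match,block,in,4,0x0,,54,2,0,none,6,tcp,60,198.51.100.7,203.0.113.10,44124,23,0,S,100,,29200,,mss",
    "7,,,1000000101,igb1,match,pass,in,4,0x0,,64,7,0,DF,6,tcp,60,10.1.0.20,10.2.5.10,49812,445,0,S,1,,65535,,mss",
    "5,,,1000000103,igb1,match,block,in,4,0x0,,64,8,0,none,17,udp,78,10.1.0.33,10.1.255.255,137,137,58",
]


def parse_filterlog(line):
    """Decode one filterlog line into a dict, or return None for anything unparseable."""
    if "filterlog[" in line:
        line = line.split("]: ", 1)[1]
    f = line.strip().split(",")
    # Fixed IPv4 layout: rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,
    # tos,ecn,ttl,id,offset,ipflags,protoid,proto,length,src,dst,<protocol fields>
    if len(f) < 20 or f[8] != "4":
        return None
    rec = {"rule": f[0], "iface": f[4], "action": f[6], "dir": f[7],
           "proto": f[16], "src": f[18], "dst": f[19]}
    rest = f[20:]
    if rec["proto"] == "tcp":
        # TCP fields: srcport,dstport,datalen,tcpflags,seq,ack,window,urg,options
        if len(rest) < 4:
            return None
        rec.update(sport=rest[0], dport=rest[1], tcpflags=rest[3])
    elif rec["proto"] == "udp" and len(rest) >= 2:
        rec.update(sport=rest[0], dport=rest[1])
    return rec


def classify(rec):
    """'mid' for a blocked segment of a conversation already in progress (ACK set:
    A, PA, FA, SA, RA ...), 'new' for any other blocked TCP packet (a bare SYN, or
    a stray RST), None for anything that is not a blocked TCP packet."""
    if rec is None or rec["action"] != "block" or rec.get("proto") != "tcp":
        return None
    return "mid" if "A" in rec["tcpflags"] else "new"


def triage(lines, threshold=3):
    """Group blocked TCP packets by (interface, src, dst) and return the pairs with at
    least `threshold` mid-conversation blocks, most affected first. A pair with many
    such blocks and no blocked SYNs is the asymmetric-routing signature: pf is being
    asked to pass packets for a conversation it never saw start (or whose state it
    has already dropped), so they fall through to the default block rule."""
    mid, new, flags = Counter(), Counter(), defaultdict(set)
    for line in lines:
        rec = parse_filterlog(line)
        kind = classify(rec)
        if kind is None:
            continue
        key = (rec["iface"], rec["src"], rec["dst"])
        if kind == "mid":
            mid[key] += 1
            flags[key].add(rec["tcpflags"])
        else:
            new[key] += 1
    return [
        {"iface": k[0], "src": k[1], "dst": k[2], "mid_stream_blocks": n,
         "syn_blocks": new[k], "flags": sorted(flags[k])}
        for k, n in mid.most_common() if n >= threshold
    ]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(f"{hit['iface']}: {hit['src']} -> {hit['dst']}: "
              f"{hit['mid_stream_blocks']} mid-stream blocks {hit['flags']}, "
              f"{hit['syn_blocks']} blocked SYNs")
```

On the constructed sample the only pair reported is the laptop-to-server one on igb1, with PA, A and FA blocks and no blocked SYNs; the port scanner on the WAN shows only SYN blocks and is left out, which is the distinction you want when a log is noisy. To run it against a real box, feed it the lines from the filter log (`clog /var/log/filter.log` on older releases, or the exported log from the GUI) and lower `threshold` if the traffic is light.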