Netgate Discussion Forum

Source routing to 2 gateways on same subnets

Category: Routing and Multi WAN
13 Posts, 4 Posters, 6.9k Views
lester
last edited by Oct 6, 2014, 10:04 PM

Hi,
Thanks for your quick answer.

You're right, it's very small :)

172.16.1.1/24: pfSense

I have tried another distribution such as Zeroshell; it's very simple, but after 56K open connections it hangs. Overload! …

We have about 4000 users on a 1Gb central Internet access.
I am trying to find a good distribution for PBR with 2 WANs (2 firewalls on separate providers, because of a new and an old provider).

Do you have any trick for many users?

I have installed it on a VM with 4 vCPU and 4Gb RAM.
pfSense is used only for local routing from my backbone to the 2 firewalls.
I will try your solution tomorrow.

Bye

lester
last edited by Oct 8, 2014, 7:29 PM

Hi,

Thanks Derelict,
I have configured everything as you wrote, but
I have a problem with incoming access from WAN to LAN.

On the LAN, same subnet 172.16.1.x, I have a server with services open from the Internet.
I have checked the NAT on my firewall: OK, it has its reserved public IP (inside to outside).
But access from outside to inside is not good.

Config:

GW:
GW_Provider1 (default) WAN 172.16.1.254
GW_Provider2 WAN 172.16.1.253

Route: Nothing
Group: Nothing

Int:
em0: LAN 172.16.1.1
em1: WAN 172.16.1.2

Rules:
Floating: Nothing

LAN:
Proto  Source        Port   Destination  Port   Gateway       Description
                            LAN Address  80/22  *             Anti-Lockout
IPv4*  172.16.1.197  *      *            *      GW_Provider2  Test User to GW2
IPv4*  *             *      *            *      *             All users
IPv4*  LAN net       *      *            *      *             Default
IPv6*  LAN net       *      *            *      *             Default IPv6

WAN:
Proto  Source        Port   Destination  Port   Gateway       Description
IPv4*  *             *      *            *      *             Test for External access

NAT:
WAN:
Checked Manual Outbound NAT and deleted all lines

Perhaps it is an asymmetrical routing problem, because the incoming connections from my firewall are routed directly to the host and the host answers them by passing through the pfSense?

I really need your help.

Derelict LAYER 8 Netgate
last edited by Oct 8, 2014, 7:35 PM

Why is everything you're doing on 172.16.1? I don't understand your diagram at all.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

lester
last edited by Oct 8, 2014, 9:21 PM

Sorry, I don't understand your question.

Derelict LAYER 8 Netgate
last edited by Oct 8, 2014, 9:47 PM

Int:
em0: LAN 172.16.1.1
em1: WAN 172.16.1.2

This makes no sense. Each segment needs its own IP subnet. I'm surprised pfSense even let you do that.

em0: 172.16.1.1/24
em1: 172.16.2.1/24

Makes sense.

I think you're doing something very wrong. How about some interface, firewall rule, NAT rule screenshots?


lester
last edited by Oct 9, 2014, 8:46 AM

Hi,
please see the detail in the screenshot.

This test is being made under the 172.16.90.0 network.

lester
last edited by Oct 9, 2014, 3:37 PM

I think the problem is caused by asymmetrical routing.

So, if I enable: Bypass firewall rules for traffic on the same interface

"The 'Bypass firewall rules for traffic on the same interface' option located under System > Advanced on the Firewall/NAT tab activates rules for traffic to/from the static route networks which are much more permissive when it comes to creating states for TCP traffic and allowing it to pass. The rules allow any TCP packets, regardless of their flags, to create a state and also have the 'sloppy state' type set which performs a less strict state match."

source: https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules

Do firewall rules work for routing traffic to certain gateways?

mikeisfly
last edited by Oct 12, 2014, 10:08 AM

Also, what are your LAN and WAN subnet masks? It looks like your LAN and WAN are overlapping networks, which won't work. There should probably be some input validation in pfSense to not let that happen.

Derelict LAYER 8 Netgate
last edited by Oct 12, 2014, 10:44 AM

This guy is all kinds of hosed.

No offense, bro, but if you're not going to go with the defaults, you have to know what you're doing. Same is true for ANY router.

Stick with /24, do what your ISP tells you on WAN, and it'll probably work.


lester
last edited by Oct 12, 2014, 1:26 PM

I am not offended.

I know what I am trying to do, and I know that it is the single solution, so it's asymmetrical routing, because the firewalls are on the same subnet and the ACKs are sent directly from the firewall to the end device.

I have found that, for the outgoing traffic,
I need to decrease the TCP timeout, because the ACK does not pass through the router, and decreasing the TCP timeout results in a decrease of the number of active sessions in the router.

So, I just have one last problem, caused by the incoming traffic, by the inspection.
When the traffic comes from the firewall to the end device (TCP-SYN), the ACK tries to pass through the router and is dropped (because the inspection doesn't see the TCP-SYN, so it drops the ACK).

I have tried the same topology (in a virtual environment) with a Cisco ASR1001.
I have disabled all inspection in the ASR and the result seems to be OK.

The TCP traffic topologies needed:
Outgoing traffic:
TCP-SYN from device > main backbone (by routing) > Router (by routing) > Firewall > Internet
TCP-ACK from Internet > Firewall > main Backbone > End device
Solution proposal: decrease the TCP timeout so as not to have too many active sessions

Incoming traffic:
TCP-SYN from Internet > Firewall > main Backbone > End device
TCP-ACK from device > main backbone (by routing) > Router (by routing) > Firewall > Internet
Need a solution to bypass/disable inspection, otherwise it is dropped

It is just a temporary solution for 3 months; after that we have only one ISP.

Any idea?

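The two flows laid out in the post above, run through a toy model of a stateful filter's TCP state table, to show why the incoming case is dropped under strict state matching and passes under the "sloppy state" behaviour of the pfSense option quoted earlier in the thread, and why the outgoing case leaves half-open states behind until the TCP timeout expires. This is an added illustration, not code from the thread or from pfSense; the addresses and ports are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flags as letters: "S" SYN, "SA" SYN-ACK, "A" ACK

def flow_key(p: Packet) -> tuple:
    # Direction-agnostic key so a reply matches the state its request created.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

class StatefulFilter:
    """Toy TCP state table. Strict mode lets only a SYN create a state; sloppy
    mode (what the quoted pfSense bypass option turns on) lets any TCP packet."""
    def __init__(self, sloppy: bool):
        self.sloppy = sloppy
        self.states: dict[tuple, set] = {}  # flow key -> endpoints seen sending

    def filter(self, p: Packet) -> bool:
        k, sender = flow_key(p), (p.src, p.sport)
        if k in self.states:
            self.states[k].add(sender)
            return True
        if p.flags == "S" or self.sloppy:
            self.states[k] = {sender}
            return True
        return False  # no state and not a SYN: dropped by inspection

    def half_open(self) -> int:
        # States that never saw the other side answer. They occupy the table
        # until the TCP timeout expires, which is why the thread lowers it.
        return sum(1 for seen in self.states.values() if len(seen) < 2)

HOST, REMOTE = "172.16.1.197", "203.0.113.10"  # constructed LAN host / Internet host

def outgoing_flow(sloppy: bool) -> tuple:
    """Outgoing case: the host's SYN and ACK cross the router, but the SYN-ACK
    comes back via firewall and backbone, so the router never sees it."""
    fw = StatefulFilter(sloppy)
    pkts = [Packet(HOST, REMOTE, 51234, 443, f) for f in ("S", "A")]
    return [fw.filter(p) for p in pkts], fw.half_open()

def incoming_flow(sloppy: bool) -> tuple:
    """Incoming case: the Internet SYN reaches the host without crossing the
    router, so the first packet the router sees is the host's SYN-ACK."""
    fw = StatefulFilter(sloppy)
    pkts = [Packet(HOST, REMOTE, 443, 51234, f) for f in ("SA", "A")]
    return [fw.filter(p) for p in pkts], fw.half_open()
```

Each function returns the per-packet pass/drop verdicts and the number of half-open states left in the table; the outgoing flow passes in both modes but always leaves one half-open state, while the incoming flow is dropped outright unless sloppy matching is on.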
Cheegii
last edited by Dec 9, 2017, 10:05 AM

So, check the "non local gateway" option in Routing > Gateways for each gateway, because you got multiple WANs from one ISP routing. pfSense makes no sense of gateway routing from one ISP. Make sure to separate each gateway route. Sorry for my bad English.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.