Netgate Discussion Forum
Pfsense is blocking/half-blocking traffic from MPLS networks

Firewalling
12 Posts 5 Posters 1.5k Views
    hphan082
    last edited by Jul 9, 2015, 8:16 AM

    Hi everyone,
    We are running a setup with pfsense where we run pfsense in one location (I'll call it MAIN), and we have remote locations (Location1, Location2 and Location3) connected back to MAIN via MPLS.

    I just did a cutover from another firewall to pfsense and ran into a really odd issue.

    MAIN also has servers running, i.e. Citrix, Exchange, etc. With pfsense in place, all local workstations within MAIN are working fine: internet ok, exchange ok, etc.
    However, I got reports from all remote locations that they are able to get to Webmail (http --> https redirection), but Outlook cannot connect. And they can't get to the Citrix login page (http --> https redirection). ALL DNS records are pointing to internal IPs since everything is within the MPLS network.

    I have added all remote locations to the INTERNAL interface's firewall rules. However, when I looked at the traffic log, I'm seeing that the return traffic from MAIN --> Remote-Location is being blocked by pfsense.

    Am I missing a configuration somewhere?
    Please help me. I attached some screenshots with this post.
    ![Firewall Log.PNG](/public/imported_attachments/1/Firewall Log.PNG)
    ![Firewall Rules.PNG](/public/imported_attachments/1/Firewall Rules.PNG)

      johnpoz LAYER 8 Global Moderator
      last edited by Jul 9, 2015, 12:23 PM

      I think you don't understand the way rules work. How would remote locations be coming in the pfsense int interface??

      Did you turn off NAT? If not, you're going to have to set up port forwards. If running on private networks, did you disable the block RFC1918 rule that is on by default on the WAN interface?

      So you have this, right?

      main users -- (int) pfsense (pub) -------- mpls ------- remote

      So as remote makes connections to stuff in the main users network, they hit the PUB interface.. This is where rules are put in.

      Rules are INBOUND to an interface.. Putting rules on the int interface is to allow or stop where your main users go..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        hphan082
        last edited by Jul 9, 2015, 5:28 PM

        Hi John,
        No public interface.
        Picture the MPLS as the internal subnets that are all using the pfsense as the gateway.

        The issue is these subnets are having problems communicating correctly with each other.

        main users -- (int)pfsense (int) --- mpls --- remote

          johnpoz LAYER 8 Global Moderator
          last edited by Jul 9, 2015, 7:28 PM

          So you're saying your mpls is connected to the same interface that your users are connected to?? That makes NO sense.. And how would pfsense be used in that setup?

          There should be an interface that your main network is connected to, and then there should be an interface that your mpls is connected to. This would not be the SAME interface.. It could be a vlan on the interface, ok - but you would have those tabs on your firewall rules if set up correctly.


            hphan082
            last edited by Jul 9, 2015, 7:34 PM

            No, not the same interface. I'm not that bad. :) I can't figure out a way to explain it to you guys correctly, so it's ok. I'll figure things out.

              Derelict LAYER 8 Netgate
              last edited by Jul 9, 2015, 7:44 PM

              i cant figure out a way to explain it to you guys correctly

              Make a drawing.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

                dotdash
                last edited by Jul 9, 2015, 7:46 PM

                Try putting some floating pass rules for local to local traffic, and tag them quick.

                  hphan082
                  last edited by Jul 9, 2015, 8:03 PM

                  Let's see if this one helps. :)

                  The way the MPLS is configured, all default traffic at the remote locations is going through MPLS and using the pfsense as the internet gateway.

                  All PCs under the 10.24.42.0/24 network are using PFSENSE as the gateway.

                  I hope this clears up why I had to add the allow list into the INTERNAL interface of the pfsense.

                  I've never tried floating rules. The weird thing I notice is I open * * under the internal rules, and the firewall log states some traffic is blocked by default deny all. Not sure where it is.

                  Also, to add: from 192.168.0.0/24, I can ping 10.24.42.20 and .30, and I can RDP back and forth. However, .30 is the exchange server, and outlook clients in 192.168.0.0/24 cannot connect to Exchange. Really odd behavior.

                  ![MPLS with PFSENSE.PNG](/public/imported_attachments/1/MPLS with PFSENSE.PNG)

                    dotdash
                    last edited by Jul 9, 2015, 8:57 PM

                    @hphan082:

                    I've never tried floating rule. The weird thing I notice is i open * * under internal rule, and firewall log stated some traffic are blocked by default deny all. not sure where it is.

                    The ruleset ends with an implicit deny all.
                    Floating rules do not exit after match like normal rules; you have to check the box after 'Quick'.
                    Try a floating rule like pass, quick, dir any, source - local subnets, dest - local subnets…

                      cmb
                      last edited by Jul 9, 2015, 9:20 PM

                      You have asymmetric routing in that case. Go to System>Advanced, Firewall/NAT, check "Bypass firewall rules for traffic on the same interface".
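Toy model of the packet-filter behaviour the thread is circling: johnpoz's point that rules are evaluated inbound on the interface the traffic arrives on, dotdash's note that a floating rule is only final with 'Quick' ticked, and cmb's diagnosis that the reply-only traffic is asymmetric routing fixed by the same-interface bypass. This is an added example written for this thread, not pfSense or pf source code. The addresses follow the thread (192.168.0.0/24 at a remote site, 10.24.42.30 as Exchange at MAIN); interface names, ports and rule lists are constructed, and pass rules are modelled as creating state only from a connection-opening packet, which is pf's default `flags S/SA` behaviour.

```python
"""Toy stateful packet filter modelling the behaviour discussed in this
thread. Simplified on purpose: one TCP flow, no NAT, no timeouts."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    in_if: str    # interface the packet arrives on (rules are evaluated here)
    out_if: str   # interface the route lookup would send it out on
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool     # True only for the first packet of a TCP connection


@dataclass
class Rule:
    action: str            # "pass" or "block"
    iface: Optional[str]   # None = floating rule, matches on any interface
    src: str               # source CIDR
    dst: str               # destination CIDR
    quick: bool = True     # interface-tab rules are always quick in pfSense

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or self.iface == p.in_if)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst))


@dataclass
class Firewall:
    rules: List[Rule]                 # floating rules first, then interface rules
    bypass_same_interface: bool = False
    states: Set[Tuple] = field(default_factory=set)

    def filter(self, p: Packet) -> str:
        """Return a verdict string for one packet and update the state table."""
        # Models System > Advanced > Firewall/NAT, "Bypass firewall rules for
        # traffic on the same interface": such packets are neither filtered
        # nor tracked.
        if self.bypass_same_interface and p.in_if == p.out_if:
            return "pass:same-interface-bypass"
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.states or rev in self.states:
            return "pass:state"
        if not p.syn:
            # Pass rules only create state from a connection-opening packet
            # (pf's default flags S/SA), so a stray mid-stream packet falls
            # through to the implicit default deny that ends every ruleset.
            return "block:default-deny-no-state"
        verdict = "block:default-deny"
        for r in self.rules:
            if r.matches(p):
                verdict = r.action   # last match wins ...
                if r.quick:
                    break            # ... unless that match is quick
        if verdict != "pass":
            return verdict
        self.states.add(fwd)
        return "pass:rule"


# Constructed addresses following the thread: 192.168.0.0/24 is a remote
# site, 10.24.42.0/24 is MAIN and 10.24.42.30 is the Exchange server.
REMOTE_CLIENT, EXCHANGE = "192.168.0.50", "10.24.42.30"
ANY = "0.0.0.0/0"


def thread_topology(bypass: bool) -> str:
    """The thread's layout: MPLS router on the MAIN LAN. The client's SYN is
    delivered to Exchange by that router and never crosses pfSense; only the
    reply does, on its way to the default gateway."""
    fw = Firewall([Rule("pass", "LAN", ANY, ANY)],       # the "* *" LAN rule
                  bypass_same_interface=bypass)
    # Reply arrives on LAN and is routed back out LAN towards the MPLS router.
    reply = Packet("LAN", "LAN", EXCHANGE, 443, REMOTE_CLIENT, 51000, syn=False)
    return fw.filter(reply)


def transit_topology() -> Tuple[str, str]:
    """MPLS router behind its own pfSense interface (johnpoz's layout): both
    directions cross the firewall, so the SYN creates state for the reply."""
    fw = Firewall([Rule("pass", "MPLS", "192.168.0.0/24", "10.24.42.0/24")])
    syn = Packet("MPLS", "LAN", REMOTE_CLIENT, 51000, EXCHANGE, 443, syn=True)
    reply = Packet("LAN", "MPLS", EXCHANGE, 443, REMOTE_CLIENT, 51000, syn=False)
    return fw.filter(syn), fw.filter(reply)


def floating_quick_demo(quick: bool) -> str:
    """A floating pass rule is final only with 'Quick' ticked; otherwise a
    later matching interface rule (always quick) takes the decision."""
    fw = Firewall([Rule("pass", None, "10.0.0.0/8", "10.0.0.0/8", quick=quick),
                   Rule("block", "LAN", ANY, ANY)])
    syn = Packet("LAN", "LAN", "10.24.42.20", 40000, EXCHANGE, 443, syn=True)
    return fw.filter(syn)


if __name__ == "__main__":
    print("thread layout, reply only:", thread_topology(bypass=False))
    print("thread layout, bypass on:  ", thread_topology(bypass=True))
    print("transit interface:         ", transit_topology())
    print("floating without quick:    ", floating_quick_demo(quick=False))
    print("floating with quick:       ", floating_quick_demo(quick=True))
```

Running it reproduces the symptom from the screenshots: in the thread's layout the MPLS router hands the remote client's SYN straight to Exchange on the MAIN LAN, so pfsense only ever sees the reply, arriving and leaving on the same interface with no state to match, which is what the default deny log entries record even with a "* *" rule on the internal tab. With the bypass option on, that reply is passed unfiltered; with a dedicated MPLS interface both directions cross the firewall and the first packet creates the state the reply needs. `floating_quick_demo` shows why the 'Quick' checkbox matters on a floating rule: without it, a later matching interface rule makes the decision.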

                        hphan082
                        last edited by Jul 9, 2015, 9:31 PM

                        Thank you CMB. I think this is it! I will test again, maybe next week.

                          johnpoz LAYER 8 Global Moderator
                          last edited by Jul 10, 2015, 11:54 AM Jul 10, 2015, 11:49 AM

                          That is a HORRIFIC setup.. Not counting the asymmetric routing.. Pfsense has no control over connecting from mpls to your machines.. And when it does work, you're hairpinning.

                          Move the router to the OUTside of pfsense on a different interface -- like the attached. Even if you do it with a vlan and the same physical interface you're currently using. Set up a transit network between pfsense and the mpls router vs using the same network your main network is on.

                          bettersetup.png


Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.