Static routes and lag / latency / disconnection / reconnection / connection fail
-
Edit: This solution works, but it results in an asymmetric routing situation, which could cause other problems. This page presents a better solution: http://networkguy.de/?p=409
NOTE: This post contains (hopefully) a SOLUTION, not a problem!
I was having trouble with terrible lag, dropped connections, and connection failures (over static routes) after setting up a pfsense box with static routes.
I ran across this old thread https://forum.pfsense.org/index.php?topic=44534.0 which seemed to detail similar trouble.
I finally found the solution in this thread: https://forum.pfsense.org/index.php?topic=70117.0
TL;DR If you are having trouble with lag and other connection difficulties when using static routes through pfsense, then navigate to
Firewall -> Rules -> LAN -> Edit (for the relevant static route) -> Advanced Features -> -> State Type -> Advanced ->
and change "Keep State" to "none"
======================================================
More in-depth info:
I just set up a new pfsense router. (GATEWAY1A on SITE1 with IP 192.168.1.1)
I have a VPN endpoint router which maintains an IPsec VPN with other remote sites. (GATEWAY1B on SITE1 with IP 192.168.1.2)
Let's say SITE1 is 192.168.1.0 /24 and SITE2 is 192.168.2.0 /24.
Let's also say I have CLIENT1 on SITE1 and CLIENT2 on SITE2.
I set up the following on my pfsense router (GATEWAY1A):
System -> Routing -> Gateways -> add new Gateway
Interface: LAN
Gateway: 192.168.1.2
System -> Routing -> Static Routes -> add new Route
Destination Network: 192.168.2.0 /24
Gateway: 192.168.1.2 (defined above)
Firewall -> Rules -> LAN -> add new Rule
Action: Pass
Interface: LAN
Destination: Type: Network
Destination: Address: 192.168.2.0 /24
Advanced Features: State Type: none <– This is the key to avoiding connection issues
Advanced Features: Gateway: 192.168.1.2 (defined above)
======================================================
Issues:
Before I changed the State Type (the default was "Keep State"), I was experiencing the following issues when using the static route:
1. Pinging from CLIENT1 to CLIENT2 would show a regular cycle of (approx) 30ms, 30ms, 30ms, 600ms, 600ms, 600ms, 30ms, etc.
2. VNC and RDP sessions from CLIENT1 to CLIENT2 were unusable. They would successfully connect, work for 1 or 2 seconds, then disconnect and reconnect. Repeatedly. If I changed CLIENT1 to use GATEWAY1B directly, all problems would disappear, so I knew it was the static route causing the problems, and not the VPN.
3. Printing from SITE1 to SITE2 would not work at all.
4. Users from SITE2 trying to access an HTTPS website hosted at SITE1 would get a Page Not Found error.
5. My Windows Domain server at SITE2 was unable to successfully replicate from the Domain server on SITE1.

All of these problems were instantly solved by changing the State Type. So if any of this seems familiar to you, and you are using static routes, then perhaps this is the solution for you.
-
Fix your asymmetrical routing.. Why would anyone want asymmetrical routing.. There is NEVER a reason for it other than a badly designed connection.
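
The topology from the first post, modelled as an added example (not code from either poster or from pfSense): it lists which packets of a CLIENT1-to-CLIENT2 TCP connection cross GATEWAY1A, and compares that with a hypothetical layout in which GATEWAY1B is not on the LAN subnet. The client addresses, the packet list and that second layout are assumptions.

```python
import ipaddress

# Constructed model of the first post's topology. The client addresses (.50),
# the packet list and the "transit" variant are assumptions for illustration.
LAN = ipaddress.ip_network("192.168.1.0/24")      # SITE1
SITE2 = ipaddress.ip_network("192.168.2.0/24")
PFSENSE, VPN_GW = "GATEWAY1A", "GATEWAY1B"        # 192.168.1.1, 192.168.1.2
CLIENT1, CLIENT2 = "192.168.1.50", "192.168.2.50"

# TCP handshake plus one data segment in each direction: (src, dst, flags)
PACKETS = [
    (CLIENT1, CLIENT2, "SYN"),
    (CLIENT2, CLIENT1, "SYN-ACK"),
    (CLIENT1, CLIENT2, "ACK"),
    (CLIENT1, CLIENT2, "PSH-ACK"),
    (CLIENT2, CLIENT1, "PSH-ACK"),
]

def site1_hops(src, dst, vpn_gw_on_lan=True):
    """SITE1 routers that forward a packet, in order."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in LAN and d in SITE2:
        # CLIENT1's default gateway is pfSense; the static route hands off to GATEWAY1B.
        return [PFSENSE, VPN_GW]
    if s in SITE2 and d in LAN:
        # GATEWAY1B sits in 192.168.1.0/24, so CLIENT1 is on-link and the reply
        # is delivered directly. In the hypothetical transit variant the reply
        # has to be routed back through pfSense.
        return [VPN_GW] if vpn_gw_on_lan else [VPN_GW, PFSENSE]
    return []

def seen_by_pfsense(vpn_gw_on_lan=True):
    """Flags of the packets that actually cross the pfSense box."""
    return [f for s, d, f in PACKETS if PFSENSE in site1_hops(s, d, vpn_gw_on_lan)]

def handshake_visible(flags):
    """True if SYN, SYN-ACK and ACK were all observed, in that order."""
    it = iter(flags)
    return all(step in it for step in ("SYN", "SYN-ACK", "ACK"))

if __name__ == "__main__":
    for on_lan in (True, False):
        seen = seen_by_pfsense(on_lan)
        print("GATEWAY1B on LAN:" if on_lan else "GATEWAY1B on transit net:",
              seen, "handshake visible:", handshake_visible(seen))
```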