4. Asymmetric Routing - Firewalling between 2 lan's

Asymmetric Routing - Firewalling between 2 lan's

  • B

    Hi and Happy new Year !
    I'm sorry for my bad English ! I'm French.

    I have a problem with Asymmetric Routing.
    I want to filter between two networks as you can see on the image :

    Well I authorize all incoming connections to the LAN 1.
    To test I also allowed incoming connections to the LAN 2.
    But I still have connections blocked as in the following image:

    I already tried "Automatic Fix" of https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules

    Thanks for your help !

    0
  • LAYER 8 Netgate

    I don't see an asymmetric routing issue there. That is not a blocked connection. It's a blocked SA. Could just be out-of-state traffic. Are you getting blocked Syns?

    0
  • LAYER 8 Global Moderator

    Yeah thats not really a optimal setup there, downstream networks should always be connected via a transit network.

    So in your case 172.168.1.32 wants to talk to ssh on 192.168.2, he sends it to his gateway .100, just to get sent on to .200 in the same network.  The return traffic from 192.168.2 doesn't have to go to .100 pfsense says oh you want to got to .32, I have an interface in that network and just sends it on the wire..

    A better way to do that would be transit, see attached

    Or if you don't want to use transit network, then vs bouncing your 17.16.1 clients off your router via .100, create host routes on them to talk to pfsense interface at .200 for the 192.168.2/24 network

    How do you have these 2 networks connected to pfsense?  Is it 2 different switches connected to pfsense interfaces to fully isolate the network, or using using a common switch, with vlans setup?  Lan2 or 192.168.2.0 should never block that other than just out of state, but there should be a state since for 172.168.1 to get to 192.168.2 it would of had to go through pfsense… Unless you have a common switch just running 2 different layer 3 ips spaces over the same layer 2 network?


    0
  • LAYER 8 Netgate

    Yeah, looking at it again what is the second router for if everything on both sides of it is on 192.168.1.0/24?

    0
  • B

    Hi !
    I shared with you the solution of my problem !

    The vlan-routing was activate between LAN 1 and LAN 2. This caused the asymmetric routing.

    The static routing on routers were therefore ignored and caused it to malfunction!
    Thank you all!

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy