Netgate Discussion Forum
    Asymmetric Routing - Firewalling between 2 lan's

bru38

Hi and Happy New Year!
I'm sorry for my bad English! I'm French.

I have a problem with asymmetric routing.
I want to filter between two networks, as you can see in the image:

Well, I authorize all incoming connections to LAN 1.
To test, I also allowed incoming connections to LAN 2.
But I still have connections blocked, as in the following image:

      I already tried "Automatic Fix" of https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules

Thanks for your help!

Derelict (Netgate)

I don't see an asymmetric routing issue there. That is not a blocked connection. It's a blocked SA. Could just be out-of-state traffic. Are you getting blocked SYNs?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

johnpoz (Global Moderator)

Yeah, that's not really an optimal setup there; downstream networks should always be connected via a transit network.

So in your case 172.168.1.32 wants to talk to SSH on 192.168.2; he sends it to his gateway .100, just to get sent on to .200 in the same network. The return traffic from 192.168.2 doesn't have to go to .100: pfSense says "oh, you want to go to .32, I have an interface in that network" and just sends it on the wire.

A better way to do that would be a transit network, see attached.

Or, if you don't want to use a transit network, then rather than bouncing your 17.16.1 clients off your router via .100, create host routes on them to talk to the pfSense interface at .200 for the 192.168.2/24 network.

How do you have these 2 networks connected to pfSense? Is it 2 different switches connected to pfSense interfaces to fully isolate the networks, or a common switch with VLANs set up? LAN2 or 192.168.2.0 should never block that other than just out of state, but there should be a state, since for 172.168.1 to get to 192.168.2 it would have had to go through pfSense… Unless you have a common switch just running 2 different layer 3 IP spaces over the same layer 2 network?

Attachment: transit.png

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

Derelict (Netgate)

Yeah, looking at it again, what is the second router for if everything on both sides of it is on 192.168.1.0/24?

bru38

Hi!
I'm sharing with you the solution to my problem!

VLAN routing was activated between LAN 1 and LAN 2. This caused the asymmetric routing.

The static routes on the routers were therefore ignored, and this caused the malfunction!
Thank you all!

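A minimal stateful-firewall model of the fault this thread converges on (one direction routed around pfSense by the switch's VLAN routing, the reply then hitting pfSense out of state), added here as an example that is not from the thread, from the posters or from pfSense itself; the addresses, ports and the "short-cut" path are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK

class StatefulFirewall:
    """pfSense-like behaviour: a passed SYN creates a state entry; any other
    TCP packet must match an existing state (either direction) or is blocked."""
    def __init__(self):
        self.states = set()
        self.blocked = []

    def forward(self, p):
        key = (p.src, p.dst, p.sport, p.dport)
        reverse = (p.dst, p.src, p.dport, p.sport)
        if p.flags == "S":  # a pass rule matches the SYN and creates the state
            self.states.add(key)
            return True
        if key in self.states or reverse in self.states:
            return True
        self.blocked.append(p)  # out of state: what the log shows as "block ... SA"
        return False

# Constructed addresses: a LAN1 client opening SSH to a LAN2 host.
SYN = Pkt("172.16.1.32", "192.168.2.10", 51234, 22, "S")
SYNACK = Pkt("192.168.2.10", "172.16.1.32", 22, 51234, "SA")

def exchange(fw, syn_via_fw, synack_via_fw):
    """Replay the handshake opening; each flag says whether that direction crosses the firewall."""
    seen = []
    if syn_via_fw:
        seen.append(("S", fw.forward(SYN)))
    if synack_via_fw:
        seen.append(("SA", fw.forward(SYNACK)))
    return seen

def asymmetric():
    """The thread's fault: the L3 switch routes the SYN straight to LAN2, so
    pfSense only ever sees the SYN-ACK and has no state for it."""
    return exchange(StatefulFirewall(), syn_via_fw=False, synack_via_fw=True)

def symmetric():
    """After the fix (or with a transit network): both directions cross pfSense."""
    return exchange(StatefulFirewall(), syn_via_fw=True, synack_via_fw=True)
```

`asymmetric()` returns `[('SA', False)]`, the "blocked SA" entry Derelict points at, while `symmetric()` returns `[('S', True), ('SA', True)]`.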
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.