Routing voice to LAN MPLS not working
pfSense 2.2.6 on SG-2440
I tried to switch from a Fortigate to pfSense. I was able to get IPv6 and dual WAN failover to work. I was pleased to find out that port mapping for each WAN always returns to the same interface without resorting to nasty tricks. The config was going peachy until I got to the LAN side MPLS. I added the static routes for data and phones only to discover that my TCP data connections through the MPLS were getting cut off after 20-40 seconds. I first added a static route to Windows to bypass pfSense and hit the MPLS directly. This kept the connections up. Now to get them to go through pfSense like they are going through the Fortigate. It didn't take long to find this topic referencing the instructions.
Asymmetric Routing and Firewall Rules
I try the automatic option "Bypass firewall rules for traffic on the same interface." No effect. TCP connections still get cut off. I reboot pfSense, just in case the firewall is remembering something it shouldn't. No effect, connections are still cut off. So I work through the instructions for the manual option. The instructions are ambiguous, but I eventually come up with the right combo and now my TCP connections stay up. Unfortunately, it's not good enough to carry IP traffic from Cisco phones and I get the dreaded call that the phones don't work. All my testing showed that they did work, but when the workday came, they didn't. We could hear the caller but the caller couldn't hear us.
I like the promise "Bypass firewall rules for traffic on the same interface." I don't want any firewall management of same interface traffic. No rules, no states, nothing. Just route! Unfortunately, the promise is broken just a few words later: "activates rules for traffic to/from the static route networks which are much more permissive." Whatever rules those are must be invisible. I never see any rules show up in the firewall like I do for many other checkboxes.
I'd rather not create a raft of rules to get that SIP traffic to pass. Can pfSense route same interface without interference from the firewall? The Fortigate can do this without creating an internal->internal firewall rule. An overly intrusive firewall is why an ASA can't do this job.
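The asymmetric path described in this post (host to pfSense to MPLS router outbound, MPLS router straight back to the host on return) means pfSense only ever sees one direction of each flow, so normal stateful tracking drops the connection once the expected reply never arrives. The pf.conf fragment below is an added illustration, not the poster's configuration and not pfSense's own generated rules; it shows what the manual option's "more permissive" floating rules amount to in pf syntax (state type sloppy, quick match on the LAN interface), with the interface name, MPLS router address and MPLS networks being assumed placeholders:

```pf
# Added example (constructed values): interface, gateway and networks are assumptions.
lan_if    = "igb1"
mpls_gw   = "192.168.1.254"              # LAN-side MPLS router reached via static routes
mpls_nets = "{ 10.10.0.0/16, 10.20.0.0/16 }"  # data and phone networks behind the MPLS

# Outbound leg: pfSense sees LAN host -> MPLS network, but never the reply.
# "sloppy" state tracking skips the sequence-number and direction checks that
# normally close a half-seen TCP flow; "flags any" accepts mid-stream packets.
pass out quick on $lan_if proto tcp from $lan_if:network to $mpls_nets \
    flags any keep state (sloppy)

# Inbound leg for the rare case the MPLS router does forward a reply via pfSense.
pass in quick on $lan_if proto tcp from $mpls_nets to $lan_if:network \
    flags any keep state (sloppy)

# SIP signalling and RTP media are UDP: one-way audio as in the post is the
# symptom of the firewall dropping the leg it cannot match to a state.
pass quick on $lan_if proto udp from $lan_if:network to $mpls_nets \
    keep state (sloppy)
pass quick on $lan_if proto udp from $mpls_nets to $lan_if:network \
    keep state (sloppy)
```

The cleaner long-term fix is to remove the asymmetry (static routes on the hosts or on the MPLS router pointing at pfSense), since sloppy states weaken the firewall's ability to validate the flows they match.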