I have a network set-up using two pfSense routers arranged like this:

DMZ1  WAN1          WAN2  DMZ2
 |     |             |     |
 |     |             |     |
 \___ PF1           PF2___/
       |             |
       |             |
       \___TRUSTED___/ 

Each pfSense router has its own separate WAN connection, and a separate DMZ network attached to it. They share a common TRUSTED LAN between them.

The machines on the trusted network have PF1 as their default gateway. PF1 has a static route defined to DMZ2 via PF2, and PF2 has a static route to DMZ1 via PF1. There is NAT to the WAN but internal networks (DMZ1/2 and TRUSTED) use different RFC1918 subnets.

I inherited this arrangement, and all used to work fine. I made a config change to PF1 (relating to multicast), and machines on DMZ2 suddenly could not talk to TRUSTED. I rolled the change back, but the problem persisted.

What I guess you'd hope would happen is that TCP packets would go DMZ2 -> PF2 -> TRUSTED and on return TRUSTED -> PF1 -> PF2 -> DMZ2. That's the only way I can see it would have worked. However, PF1 drops the returning packets. I've verified this using tcpdump.

I've worked around this by adding static routes to DMZ2 via PF2 to the servers on TRUSTED, but some devices on there do not support static routes so this is not ideal. Is there a way to make this arrangement work decently, or is the design inherently flawed?

Thanks!

JohnCC
  • Ideally, how do you want the network to operate, which hosts should be able to talk to what? Also 'PF1 has a static route defined to DMZ2 via PF1,' - presumably that should be via PF2? – James Yale Sep 06 '12 at 08:46
  • Thanks, fixed the typo. Ideally a machine on any of the 3 internal networks should be able to talk to any other on any of the other networks, firewall rules permitting. – JohnCC Sep 06 '12 at 09:10
  • Try System: Advanced: Firewall and NAT, and enable Static route filtering - does that allow the traffic? – James Yale Sep 06 '12 at 09:28
  • Good call! Useful to know that exists, but it's already set on both firewalls so it can't be that. – JohnCC Sep 06 '12 at 09:43
  • Is the packet dropped or blocked by the firewall? You should be able to see any blocks in the firewall log, Status: System Logs: Firewall – James Yale Sep 06 '12 at 09:47
  • I don't see anything in the log, which does strike me as odd. I should add that pings work. Also, this pfSense version is 1.2.3-RELEASE. Does that have the feature that makes it log all packets that hit the default blocking? – JohnCC Sep 06 '12 at 10:04
  • Diagnostics: System logs: Settings - Log packets blocked by the default rule – James Yale Sep 06 '12 at 10:55
  • @James Thanks! Yes, it is being blocked. I tried to connect to port 80 on TRUSTED host 192.168.101.95 from the DMZ. `Sep 6 12:02:16 TRUSTED 192.168.101.95:80 192.168.120.104:41928 TCP:[|tcp]` – JohnCC Sep 06 '12 at 11:03

1 Answer

You need the option to bypass filtering for static routes, under System>Advanced. Can't filter the traffic in that scenario since it's asymmetrically routed.

Chris Buechler
    Hi Chris - that option is enabled on both firewalls. I do wonder if I've triggered an obscure pfSense bug somewhere since this used to work and then stopped when an apparently unrelated config change was made and then rolled back. – JohnCC Sep 07 '12 at 09:11
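
The mechanism Chris describes, as an added worked example (not code from the thread or from pfSense itself): a toy stateful filter that models, to a first approximation, how pf treats packets. A packet that matches an existing state entry passes; a packet with no state has to pass the rules, and a TCP SYN-ACK with no state behind it is blocked. The SYN from DMZ2 creates state on PF2 only, so the server's reply arrives at PF1 (its default gateway) with no matching state and is logged as a block, exactly the log line quoted in the comments. With the same-interface static-route bypass modelled, PF1 skips stateful filtering for traffic entering and leaving its TRUSTED interface towards a static-route network, and the reply passes. The host addresses are the ones quoted above; the interface names, the DMZ1 subnet, the two routers' TRUSTED addresses and the `Firewall`/`Packet` names are assumptions made for the illustration.

```python
"""Toy model of why PF1 drops DMZ2 -> TRUSTED return traffic.

Added example, not pfSense's pf code. Interface names, the DMZ1 subnet
and the routers' TRUSTED addresses are assumed; the host addresses and
ports are the ones quoted in the thread.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" (SYN), "SA" (SYN-ACK), "A" (ACK)


@dataclass
class Firewall:
    name: str
    interfaces: dict            # interface name -> directly attached network
    static_routes: dict         # destination network -> (next hop, exit interface)
    bypass_static_routes: bool = False   # "bypass firewall rules for traffic on the same interface"
    states: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def ingress_if(self, pkt):
        """Interface a packet from pkt.src would arrive on."""
        for ifname, net in self.interfaces.items():
            if ip_address(pkt.src) in ip_network(net):
                return ifname
        return "wan"

    def egress_if(self, pkt):
        """(exit interface, reached via a static route?) for pkt.dst."""
        dst = ip_address(pkt.dst)
        for ifname, net in self.interfaces.items():
            if dst in ip_network(net):
                return ifname, False
        for net, (_next_hop, ifname) in self.static_routes.items():
            if dst in ip_network(net):
                return ifname, True
        return "wan", False

    def filter(self, pkt):
        """Return the verdict for one packet, updating state and log."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rkey = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.states or rkey in self.states:
            return "pass (state)"
        in_if = self.ingress_if(pkt)
        out_if, via_static = self.egress_if(pkt)
        # Same-interface traffic towards a static-route network skips the
        # stateful check when the bypass option is on.
        if self.bypass_static_routes and via_static and in_if == out_if:
            return "pass (static-route bypass)"
        if pkt.flags == "S":
            self.states.add(key)  # rules allow it; create state
            return "pass (new state)"
        # Mid-connection packet with no state: this is the asymmetric case.
        self.log.append(
            f"{self.name} block {in_if} {pkt.src}:{pkt.sport} "
            f"-> {pkt.dst}:{pkt.dport} TCP:{pkt.flags}")
        return "block"


def trace_dmz2_to_trusted(bypass):
    """Forward SYN via PF2, return SYN-ACK via PF1; return both verdicts."""
    # Assumed addressing: TRUSTED 192.168.101.0/24, DMZ1 192.168.110.0/24,
    # DMZ2 192.168.120.0/24; PF1 = .101.1 and PF2 = .101.2 on TRUSTED.
    pf1 = Firewall("PF1",
                   {"lan": "192.168.101.0/24", "dmz1": "192.168.110.0/24"},
                   {"192.168.120.0/24": ("192.168.101.2", "lan")}, bypass)
    pf2 = Firewall("PF2",
                   {"lan": "192.168.101.0/24", "dmz2": "192.168.120.0/24"},
                   {"192.168.110.0/24": ("192.168.101.1", "lan")}, bypass)
    syn = Packet("192.168.120.104", 41928, "192.168.101.95", 80, "S")
    synack = Packet("192.168.101.95", 80, "192.168.120.104", 41928, "SA")
    fwd = pf2.filter(syn)      # DMZ2 -> PF2 -> TRUSTED
    ret = pf1.filter(synack)   # TRUSTED -> PF1 (default gateway) -> ?
    return fwd, ret, pf1.log


if __name__ == "__main__":
    for bypass in (False, True):
        fwd, ret, log = trace_dmz2_to_trusted(bypass)
        print(f"bypass={bypass}: forward={fwd!r} return={ret!r} log={log}")
```

Running it with `bypass=False` reproduces the block on PF1's TRUSTED interface for `192.168.101.95:80 -> 192.168.120.104:41928`; with `bypass=True` the reply passes without state. The model is deliberately simple (no sloppy state, no ICMP, no NAT), and it does not explain the thread's remaining puzzle, which is that the option was already enabled on both firewalls when the block was observed.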