I started with a fairly standard pfSense setup: one WAN and one LAN interface, LAN-to-WAN access via NAT.

Now I needed a second logical subnet on the LAN, which I set up in the following way:

  • configured a VIP from the second subnet on the pfSense's LAN interface
  • switched the outbound NAT from automatic to manual
  • created a copy of the auto-generated NAT rule, setting the IP range to that of the new subnet
  • added a new LAN rule allowing any traffic from the new subnet

As for Internet access, everything seems fine. Hosts from either subnet can access external resources.

However, I would also like the pfSense to route traffic between the two subnets. And here things get tricky: I can ping between subnets, but attempts at a TCP connect from a host on subnet A to a target on subnet B will time out.

Some packet capturing revealed the following:

  • Despite routing table entries according to which Host B is remote and the default gateway is the pfSense, Host A does not route through pfSense but resolves Host B's MAC address via ARP. Hence the TCP SYN goes straight from Host A to Host B, without the pfSense ever seeing it.
  • Host B receives the SYN and responds with SYN-ACK. This time, however, the communication passes back through the pfSense.
  • The pfSense thus sees a SYN-ACK without ever having encountered the corresponding SYN and discards it, presuming it to be malicious traffic. (Captures clearly show the SYN-ACK on the pfSense but not on Host A, and the logs show that it gets filtered.)

I don't exactly know what causes Host A to ignore route settings and bypass the default gateway – however, all of this would not be an issue if I had just a plain router. I'd rather not rely on a particular behavior of an OS but build the infrastructure in a tolerant way – hence I want routing between the two networks to work even if the pfSense sees just one direction of the traffic. Since both LAN subnets have the same level of trust, no filtering between them is required.

How can I turn off any and all filtering between the two subnets on the pfSense? I have tried setting "State Type" to "None", but to no avail...

  • Since I haven't found an answer, I ended up separating the two subnets and adding a dedicated router. Since everything was in VMs, I concentrated the VMs for Subnet B on one host and moved them into a VM network. I then placed a BSDRP VM between the two networks and made it the default gateway. The BSDRP box has routes to both subnets and a default route to the pfSense, so that no internal traffic is ever routed through the pfSense. Separating the networks is probably not required, as BSDRP is more likely to tolerate the kind of "one-way" routing that pfSense rejects.
    – user149408
    Commented Aug 12, 2014 at 12:02

1 Answer

As mentioned above, it is no longer an issue for me, but I have come across a potential solution:

As of version 2.1.5 (not sure about earlier ones), there is an option in System: Advanced: Firewall and NAT, called "Static route filtering" (labelled "Bypass firewall rules for traffic on the same interface"). Checking this option will disable any filtering for traffic that enters and leaves on the same interface, aimed specifically at a scenario with multiple subnets on the same interface.

I haven't tested it out (as the lab environment in which I needed this has by now been dismantled), but maybe it helps someone else...
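To make the failure described in the question's capture notes and the effect of the bypass option in this answer concrete, here is a small added model of a stateful filter (illustration written for this page, not pfSense code). The addresses, interface names and packet fields are constructed assumptions; the point is that a SYN-ACK arriving without a prior SYN creates no matching state and is dropped, unless same-interface traffic bypasses the state check.

```python
"""Toy model of a stateful filter under asymmetric routing (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # "S" for SYN, "SA" for SYN-ACK
    in_if: str   # interface the packet arrives on
    out_if: str  # interface the routing decision selects


class StatefulFilter:
    """State table keyed on the 5-tuple; a SYN creates state, everything
    else must match existing state or it is dropped as out-of-state."""

    def __init__(self, bypass_same_interface=False):
        self.bypass_same_interface = bypass_same_interface
        self.states = set()
        self.log = []  # (verdict, packet) pairs, like a filter log

    def handle(self, pkt):
        # Modelled "bypass firewall rules for traffic on the same interface"
        if self.bypass_same_interface and pkt.in_if == pkt.out_if:
            self.log.append(("pass-bypass", pkt))
            return "pass"
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if pkt.flags == "S":
            self.states.add(key)
            self.log.append(("pass-new-state", pkt))
            return "pass"
        if key in self.states or reverse in self.states:
            self.log.append(("pass-state", pkt))
            return "pass"
        self.log.append(("drop-no-state", pkt))  # SYN-ACK with no SYN seen
        return "drop"


def asymmetric_handshake(bypass):
    """Host A (10.0.1.10) connects to Host B (10.0.2.10) on port 22. The SYN
    went host-to-host on the shared segment, so the filter never saw it;
    only B's SYN-ACK comes back through the single LAN interface."""
    fw = StatefulFilter(bypass_same_interface=bypass)
    syn_ack = Packet("10.0.2.10", "10.0.1.10", 22, 40000, "SA", "lan", "lan")
    return fw.handle(syn_ack)


def symmetric_handshake():
    """Both directions traverse the filter (LAN to WAN), so state matches."""
    fw = StatefulFilter()
    fw.handle(Packet("10.0.1.10", "203.0.113.5", 40000, 443, "S", "lan", "wan"))
    return fw.handle(Packet("203.0.113.5", "10.0.1.10", 443, 40000, "SA", "wan", "lan"))
```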