On Thu, Mar 22, 2012 at 6:32 AM, Jim Pingle <[email protected]> wrote:
> Is this your only WAN?

No. It is one of a load-balanced pair.

> Does your rule passing out traffic to this server
> have a gateway set?

Yes. All traffic from the LAN to this server is policy routed through the correct gateway.

> If that is the case, it could be the upstream gateway that is dropping
> the session since, if policy routing is happening, the rule would be
> getting a route-to making it bounce off the upstream gateway even though
> it's inside of the WAN subnet.

I think you lost me. I don't know what a route-to is, but you're saying my policy routing is forcing pfsense to send the traffic to the server via the upstream gateway?

The route looks like this:

workstation(192.168.5.99/24) <> (192.168.5.254)pfsense(69.165.225.252) <> (69.165.225.251)server

I happen to control pfsense's and the server's upstream gateway, which is (69.165.225.254/28)pfsense2.

If I do a tcpdump on pfsense's WAN (69.165.225.252) during an ssh session, I see a bunch of normal-looking packets to and from the server's port 22, and then this:

00:45:52.924810 IP 69.165.225.251.22 > 69.165.225.252.46922: Flags [P.], ack 25729, win 296, length 52
00:45:52.952204 IP 69.165.225.252.46922 > 69.165.225.251.22: Flags [P.], ack 26826, win 16360, length 52
00:45:52.956172 IP 69.165.225.251.22 > 69.165.225.252.46922: Flags [P.], ack 25781, win 296, length 52
00:45:52.983105 IP 69.165.225.252.46922 > 69.165.225.251.22: Flags [P.], ack 26878, win 16347, length 52
00:45:52.986038 IP 69.165.225.251.22 > 69.165.225.252.46922: Flags [R.], seq 26878, ack 25833, win 0, length 0
00:45:53.188838 IP 69.165.225.251.22 > 69.165.225.252.46922: Flags [P.], ack 25781, win 296, length 52
00:45:53.654784 IP 69.165.225.251.22 > 69.165.225.252.46922: Flags [P.], ack 25781, win 296, length 52
00:45:54.586754 IP 69.165.225.251.22 > 69.165.225.252.46922: Flags [P.], ack 25781, win 296, length 52

Is that a TCP reset packet from the server on the 5th line? Why would it do that?

Concurrently, in a tcpdump on pfsense2's LAN (69.165.225.254) I see this:

00:45:52.984014 IP 69.165.225.252.46922 > 69.165.225.251.22: Flags [P.], ack 26774, win 16373, length 52
00:45:53.014907 IP 69.165.225.252.46922 > 69.165.225.251.22: Flags [P.], ack 26826, win 16360, length 52
00:45:53.014942 IP 69.165.225.252.46922 > 69.165.225.251.22: Flags [P.], ack 26826, win 16360, length 52
00:45:53.046979 IP 69.165.225.252.46922 > 69.165.225.251.22: Flags [P.], ack 26878, win 16347, length 52
00:45:53.047082 IP 69.165.225.251.22 > 69.165.225.252.46922: Flags [R.], seq 26878, ack 25832, win 0, length 0

So it appears to me that pfsense isn't talking directly to the server, but is bouncing all its server-bound traffic off the upstream gateway, pfsense2. You're telling me this is normal due to policy routing? 0_o

Uh, ok. So this is news to me. Is there a simple fix? Is this the part where I activate "Bypass firewall rules for traffic on the same interface"? And which pfsense do I need to do that on?

Thanks a tonne, Jim and Chris, for helping me to nail this down. I hate being the PEBKAC error.

db

_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
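As an added diagnostic example (not from the post, and not pfSense code), a small Python script that parses tcpdump lines in the format quoted above, picks out the RST, and checks the gateway-side capture for packets whose source and destination both sit inside the gateway's own /28. A router should never forward traffic between two hosts on its directly attached subnet, so such packets are the signature of a same-subnet flow being bounced off the upstream gateway. The sample lines and the 69.165.225.240/28 subnet come from the post; the function names are my own.

```python
import ipaddress
import re

# Sample lines taken from the two captures quoted in the post:
# first the capture on pfsense's WAN interface (69.165.225.252) ...
CAP_PFSENSE_WAN = """\
00:45:52.983105 IP 69.165.225.252.46922 > 69.165.225.251.22: Flags [P.], ack 26878, win 16347, length 52
00:45:52.986038 IP 69.165.225.251.22 > 69.165.225.252.46922: Flags [R.], seq 26878, ack 25833, win 0, length 0
00:45:53.188838 IP 69.165.225.251.22 > 69.165.225.252.46922: Flags [P.], ack 25781, win 296, length 52
"""
# ... then the concurrent capture on pfsense2's LAN (69.165.225.254), the upstream gateway.
CAP_PFSENSE2_LAN = """\
00:45:53.046979 IP 69.165.225.252.46922 > 69.165.225.251.22: Flags [P.], ack 26878, win 16347, length 52
00:45:53.047082 IP 69.165.225.251.22 > 69.165.225.252.46922: Flags [R.], seq 26878, ack 25832, win 0, length 0
"""

# tcpdump's default TCP line: "HH:MM:SS.usec IP a.b.c.d.sport > e.f.g.h.dport: Flags [..], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_tcpdump(text):
    """Return one dict per TCP line; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            pkts.append(p)
    return pkts

def resets(pkts):
    """Packets carrying the RST flag (tcpdump prints it as 'R' in the Flags field)."""
    return [p for p in pkts if "R" in p["flags"]]

def hairpinned(gateway_pkts, attached_net, gateway_ip):
    """Packets seen on a router interface where both endpoints are other hosts
    inside that interface's own subnet.  Two hosts on one subnet should talk
    over the local link, so these show the router being used as a relay
    (here: a route-to on the policy-routing rule)."""
    net = ipaddress.ip_network(attached_net)
    gw = ipaddress.ip_address(gateway_ip)
    return [p for p in gateway_pkts
            if ipaddress.ip_address(p["src"]) in net
            and ipaddress.ip_address(p["dst"]) in net
            and gw not in (ipaddress.ip_address(p["src"]), ipaddress.ip_address(p["dst"]))]
```

Run against the two captures, the WAN-side capture yields exactly one RST (from the server, .251) and the gateway-side capture shows both directions of the .252/.251 flow transiting pfsense2, confirming the hairpin rather than a direct same-subnet exchange.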
