
Topic: Problem with policy routing and port forwarding: traffic not routed back

Posted by eejeequ9 (Newbie, Posts: 1)

I have an understanding problem about how pfSense works internally and how I may solve my problem. Any help will be greatly appreciated.

I have this setup (I cannot change it):

Internet -> firewall_A (pfsense) -> --,--> network_1 -> firewall_1 (pfsense) -> network_2
Internet -> firewall_B (pfsense) -> _/

* several hosts (machines) are connected to network_2
* on firewall_1, I explicitly did not set up a default gateway, since traffic may flow to either of the two Internet connections. Instead I use "policy routing" for hosts in network_2, in the form of firewall rules with an explicit gateway based on the host IP.
* for different hosts in network_2, I may select firewall_A or firewall_B as gateway, which is exactly what I want.

My problem arises when I try to configure a port forwarding on firewall_A:
* incoming connections flow from firewall_A to firewall_1 and reach hosts in network_2
* but the responses of the hosts then stay in firewall_1 and are not routed back to the original gateway.

Other observations:
* response packets have an Internet IP as destination (which is not routed by firewall_1)
* response packets do not flow through the firewall rules (I tried floating + quick rules in order to log them, but none works)

My assumptions:
* firewall_1 keeps the connection in its state table but does not keep the origin gateway, so it is not able to route the response packets.
* firewall_1 keeps a state for the connection and ignores the firewall rules (policy routing)

Does my explanation make any sense to you?

Best regards,
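To make the state-versus-rules behaviour the post describes concrete, here is an added toy model (not pfSense code and not the poster's configuration) of a firewall_1 with no default route, a policy-routing rule per host and a state table. All addresses and interface names are constructed for the example. The `record_reply_gw` switch is the one assumption that matters: it stands in for pf's ability to remember, in the state entry, which gateway a connection arrived from (the idea behind the `reply-to` rule option), so the reply is handed back to that gateway instead of going into a routing lookup that has nowhere to send an Internet destination.

```python
"""Toy model of a stateful firewall with per-host policy routing and no default route."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample addressing (not taken from the post):
NET_1 = ipaddress.ip_network("10.1.0.0/24")   # network_1, where firewall_A and firewall_B sit
NET_2 = ipaddress.ip_network("10.2.0.0/24")   # network_2, the hosts behind firewall_1
GW_A = "10.1.0.1"                             # firewall_A's address on network_1
GW_B = "10.1.0.2"                             # firewall_B's address on network_1


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str                     # interface the packet arrived on: "net1" or "net2"
    from_gw: Optional[str] = None  # on net1: which upstream gateway handed us the packet


@dataclass
class Firewall1:
    policy: dict                   # LAN host IP -> gateway (the policy-routing rules)
    record_reply_gw: bool          # hypothetical switch: does a new state remember its ingress gateway?
    states: dict = field(default_factory=dict)  # (src, dst) -> {"reply_gw": ..., "next_hop": ...}
    rule_evaluations: int = 0      # how many times the rule set was actually consulted

    def _route(self, dst: str) -> Optional[str]:
        """Plain routing-table lookup: only the directly connected networks, no default route."""
        ip = ipaddress.ip_address(dst)
        if ip in NET_1:
            return "net1"
        if ip in NET_2:
            return "net2"
        return None

    def forward(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst)
        rev = (pkt.dst, pkt.src)

        # Reply direction of a known connection: the rule set is NOT consulted again,
        # which is why floating/quick log rules never see these packets.
        if rev in self.states:
            reply_gw = self.states[rev]["reply_gw"]
            if reply_gw is not None:
                return f"state match, rules skipped: reply sent to {reply_gw} via net1"
            out_if = self._route(pkt.dst)
            if out_if is None:
                return f"state match, rules skipped: no route to {pkt.dst}, dropped"
            return f"state match, rules skipped: routed out {out_if}"

        # Forward direction of a known connection: repeat the first packet's decision.
        if key in self.states:
            return f"state match, rules skipped: forwarded to {self.states[key]['next_hop']}"

        # New connection: evaluate the rule set once and create a state.
        self.rule_evaluations += 1
        dst = ipaddress.ip_address(pkt.dst)

        if pkt.in_if == "net1" and dst in NET_2:
            # Port-forwarded connection arriving from firewall_A or firewall_B.
            self.states[key] = {
                "reply_gw": pkt.from_gw if self.record_reply_gw else None,
                "next_hop": "net2",
            }
            return "rule pass: delivered to host on net2"

        if pkt.in_if == "net2" and pkt.src in self.policy:
            # Host-originated traffic: the policy-routing rule picks the gateway.
            gw = self.policy[pkt.src]
            self.states[key] = {"reply_gw": None, "next_hop": gw}
            return f"rule pass: policy routed to {gw}"

        return "no matching rule: dropped"


def run_scenario(record_reply_gw: bool) -> dict:
    """Replay the post's port-forward case through firewall_1 and report each verdict."""
    fw = Firewall1(policy={"10.2.0.10": GW_A, "10.2.0.20": GW_B},
                   record_reply_gw=record_reply_gw)
    inbound = Packet(src="203.0.113.5", dst="10.2.0.10", in_if="net1", from_gw=GW_A)
    reply = Packet(src="10.2.0.10", dst="203.0.113.5", in_if="net2")
    outbound = Packet(src="10.2.0.20", dst="198.51.100.7", in_if="net2")
    return {
        "inbound": fw.forward(inbound),
        "reply": fw.forward(reply),
        "outbound": fw.forward(outbound),
        "rule_evaluations": fw.rule_evaluations,
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"record_reply_gw={flag}:")
        for name, verdict in run_scenario(flag).items():
            print(f"  {name}: {verdict}")
```

With the switch off, the reply from the host matches the existing state, never touches the rule set (so a logging rule sees nothing) and then fails the routing lookup because firewall_1 has no route to the Internet address; the two effects the poster observed. With the switch on, the same reply is handed straight back to the gateway recorded when the state was created. The host-originated case works either way, because the policy-routing rule is evaluated on the first packet and the Internet side's reply is destined for a directly connected network.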