
Topic: Traffic blocked @1 @2 TCP:A TCP:PA by default


HellMind
Traffic blocked @1 @2 TCP:A TCP:PA by default
« on: May 17, 2012, 05:37:32 pm »
I got a pfSense 2.0 running on an ESXi 5.
The only way that I can make it work without connection timeouts and those firewall filter logs is disabling the firewall filter.

What's wrong?

I tried everything, setting the firewall to conservative.

I've disabled TCP offloading and that stuff that is useless in a virtual environment.

I got 4 virtual interfaces connected to the same vSwitch, is that the problem?

cmb (Chris Buechler, Administrator)
Re: Traffic blocked @1 @2 TCP:A TCP:PA by default
« Reply #1 on: May 18, 2012, 01:46:34 am »
That means you have asymmetric routing somehow/somewhere, not enough there to tell you where. Traffic isn't routing through the firewall in both directions, or it may get routed back in the wrong direction for some reason. Can't statefully filter such traffic with any firewall, most likely you need to fix whatever is causing that to happen (though there are other workarounds, they won't leave you with an extremely tight firewall).
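The behaviour cmb describes, modelled as an added example that is not part of this thread: a minimal stateful TCP filter that only creates state from a SYN, so when the handshake takes a path around the firewall the later ACK/PSH-ACK packets arrive without state and are logged as blocked TCP:A / TCP:PA. The addresses, ports and the `StatefulFilter` class are constructed for illustration, not pfSense code.

```python
# Added example: why a stateful filter logs "TCP:A" / "TCP:PA" blocks under
# asymmetric routing. Flag letters follow pfSense's log notation (S, SA, A, PA).
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK), "PA" (PSH-ACK)


def flow_key(p: Pkt):
    """Direction-independent key so replies match the state their SYN created."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


class StatefulFilter:
    """Toy model of a default-deny stateful filter (constructed, not pfSense's pf)."""

    def __init__(self):
        self.states = set()
        self.log = []

    def process(self, p: Pkt) -> bool:
        key = flow_key(p)
        if key in self.states:
            return True  # packet belongs to a known state: pass whatever the flags
        if p.flags == "S":  # only a SYN may create state (an allow rule is assumed)
            self.states.add(key)
            return True
        # no state and not a SYN: default deny, and the log records the flags seen
        self.log.append(f"block {p.src}:{p.sport} -> {p.dst}:{p.dport} TCP:{p.flags}")
        return False


def symmetric_path():
    """Both directions traverse the firewall: the handshake builds state, all pass."""
    fw = StatefulFilter()
    c, s = ("10.0.0.5", 51000), ("203.0.113.7", 443)  # constructed client/server
    pkts = [Pkt(*c, *s, "S"), Pkt(*s, *c, "SA"), Pkt(*c, *s, "A"), Pkt(*c, *s, "PA")]
    return [fw.process(p) for p in pkts], fw.log


def asymmetric_path():
    """The SYN bypassed the firewall; only mid-stream packets reach it."""
    fw = StatefulFilter()
    c, s = ("10.0.0.5", 51000), ("203.0.113.7", 443)
    pkts = [Pkt(*s, *c, "SA"), Pkt(*c, *s, "A"), Pkt(*c, *s, "PA")]
    return [fw.process(p) for p in pkts], fw.log
```

The second function reproduces the symptom in the thread title: every packet is dropped and the log shows TCP:A and TCP:PA entries, even though the connection itself is legitimate.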

HellMind
Re: Traffic blocked @1 @2 TCP:A TCP:PA by default
« Reply #2 on: May 18, 2012, 03:19:42 am »
Quote
That means you have asymmetric routing somehow/somewhere, not enough there to tell you where. Traffic isn't routing through the firewall in both directions, or it may get routed back in the wrong direction for some reason. Can't statefully filter such traffic with any firewall, most likely you need to fix whatever is causing that to happen (though there are other workarounds, they won't leave you with an extremely tight firewall).

Is there any tool to discover what's wrong?
Can't it be ESXi?

When you say "whatever is causing that", what should I look for? A broken switch? A misconfigured virtual switch?

HellMind
Re: Traffic blocked @1 @2 TCP:A TCP:PA by default
« Reply #3 on: May 19, 2012, 03:58:36 am »
How can there be asymmetric routing with just 1 router and a single machine? :S

biggsy
Re: Traffic blocked @1 @2 TCP:A TCP:PA by default
« Reply #4 on: May 19, 2012, 06:37:41 am »
Quote
I got 4 virtual interfaces connected to the same vswitch

What does your ESXi network diagram look like?

HellMind
Re: Traffic blocked @1 @2 TCP:A TCP:PA by default
« Reply #5 on: May 19, 2012, 03:07:34 pm »
It isn't complex.

biggsy
Re: Traffic blocked @1 @2 TCP:A TCP:PA by default
« Reply #6 on: May 19, 2012, 04:56:33 pm »
Do you have only that one NIC in your ESXi host, or did you just cut off the bottom of the diagram?

You would have to VLAN the traffic if there's only one NIC.

HellMind
Re: Traffic blocked @1 @2 TCP:A TCP:PA by default
« Reply #7 on: June 02, 2012, 05:27:39 pm »
Quote
Do you have only that one NIC in your ESXi host, or did you just cut off the bottom of the diagram?

You would have to VLAN the traffic if there's only one NIC.

I've got just 1 interface.

I think my hardware doesn't allow VLANs.

Also, I tried with just 1 interface enabled, and it's the same.

« Last Edit: June 02, 2012, 05:47:13 pm by HellMind »

cmb (Chris Buechler, Administrator)
Re: Traffic blocked @1 @2 TCP:A TCP:PA by default
« Reply #8 on: June 03, 2012, 07:57:52 pm »
Quote
How can there be asymmetric routing with just 1 router and a single machine? :S

You don't need more than 1 router for that. You must have two anyway from the looks of that, you have something to get you out to the Internet. There isn't enough here to tell you where you're going wrong, I need to know what NICs you have on the firewall and how they're being used in relation to the rest of the network.

HellMind
Re: Traffic blocked @1 @2 TCP:A TCP:PA by default
« Reply #9 on: June 04, 2012, 12:53:50 am »
I've just moved to RouterOS.

pfSense also presented some stability issues on one of the boxes.
Using vmx3 should work better, but using RouterOS with e1000 is better -_-