Bug #9645

closed

"Bypass firewall rules for traffic on the same interface" does not work as expected

Added by Grischa Zengel almost 5 years ago. Updated almost 5 years ago.

Status:
Not a Bug
Priority:
Normal
Assignee:
-
Category:
Rules / NAT
Target version:
-
Start date:
07/23/2019
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.4-p3
Affected Architecture:

Description

I have to use asymmetric routing. P1 (default gateway) routes to P2 on the same subnet. ICMP redirect doesn't work because I use a CARP IP as the default gateway on this subnet.

My problem now is that printing on HP printers behind P2 does not work.
I detected that after a packet with the PSH and ACK flags set, the forwarding stops after one more packet. If I create 2 rules (LAN interface and floating/outgoing) with sloppy set for all flags, it works.

Automatic fix does not work.
Manual fix does work.

Here are my packet traces:

Without additional rules, printing is broken:

P1 = forwarder pfSense

     87 0.124381       10.19.160.251         10.19.170.23          TCP      1514   54873 → 9100 [ACK] Seq=59861 Ack=1 Win=131328 Len=1460
     88 0.124397       10.19.160.251         10.19.170.23          TCP      1514   [TCP Retransmission] 54873 → 9100 [ACK] Seq=59861 Ack=1 Win=131328 Len=1460
     89 0.124403       10.19.160.251         10.19.170.23          TCP      1514   54873 → 9100 [ACK] Seq=61321 Ack=1 Win=131328 Len=1460
     90 0.124419       10.19.160.251         10.19.170.23          TCP      1514   [TCP Retransmission] 54873 → 9100 [ACK] Seq=61321 Ack=1 Win=131328 Len=1460
     91 0.124426       10.19.160.251         10.19.170.23          TCP      1514   54873 → 9100 [ACK] Seq=62781 Ack=1 Win=131328 Len=1460
     92 0.124441       10.19.160.251         10.19.170.23          TCP      1514   [TCP Retransmission] 54873 → 9100 [ACK] Seq=62781 Ack=1 Win=131328 Len=1460
     93 0.124447       10.19.160.251         10.19.170.23          TCP      1350   54873 → 9100 [PSH, ACK] Seq=64241 Ack=1 Win=131328 Len=1296
     94 0.124463       10.19.160.251         10.19.170.23          TCP      1350   [TCP Retransmission] 54873 → 9100 [PSH, ACK] Seq=64241 Ack=1 Win=131328 Len=1296
     95 0.128479       10.19.160.251         10.19.170.23          TCP      1514   54873 → 9100 [ACK] Seq=65537 Ack=1 Win=131328 Len=1460
     96 0.128498       10.19.160.251         10.19.170.23          TCP      1514   [TCP Retransmission] 54873 → 9100 [ACK] Seq=65537 Ack=1 Win=131328 Len=1460
     97 0.128505       10.19.160.251         10.19.170.23          TCP      1514   54873 → 9100 [ACK] Seq=66997 Ack=1 Win=131328 Len=1460
     98 0.128667       10.19.160.251         10.19.170.23          TCP      1514   54873 → 9100 [ACK] Seq=68457 Ack=1 Win=131328 Len=1460
     99 0.128686       10.19.160.251         10.19.170.23          TCP      1514   54873 → 9100 [ACK] Seq=69917 Ack=1 Win=131328 Len=1460
    100 0.128698       10.19.160.251         10.19.170.23          TCP      1514   54873 → 9100 [ACK] Seq=71377 Ack=1 Win=131328 Len=1460

P2 = pfSense with destination subnet

     49 0.124465       10.19.160.251         10.19.170.23          TCP      1514   54873 → 9100 [ACK] Seq=59861 Ack=1 Win=131328 Len=1460
     50 0.124480       10.19.160.251         10.19.170.23          TCP      1514   54873 → 9100 [ACK] Seq=61321 Ack=1 Win=131328 Len=1460
     51 0.124498       10.19.160.251         10.19.170.23          TCP      1514   54873 → 9100 [ACK] Seq=62781 Ack=1 Win=131328 Len=1460
     52 0.124563       10.19.160.251         10.19.170.23          TCP      1350   54873 → 9100 [PSH, ACK] Seq=64241 Ack=1 Win=131328 Len=1296
     53 0.127925       10.19.170.23          10.19.160.251         TCP      54     9100 → 54873 [ACK] Seq=1 Ack=65537 Win=32120 Len=0
     54 0.128447       10.19.160.251         10.19.170.23          TCP      1514   54873 → 9100 [ACK] Seq=65537 Ack=1 Win=131328 Len=1460
     55 0.129569       10.19.170.23          10.19.160.251         TCP      54     9100 → 54873 [ACK] Seq=1 Ack=66997 Win=32120 Len=0
     56 19.068648      10.19.160.251         10.19.170.23          TCP      56     54873 → 9100 [RST, ACK] Seq=68457 Ack=1 Win=0 Len=0
     57 19.068985      10.19.170.23          10.19.160.251         TCP      54     [TCP Dup ACK 55#1] 9100 → 54873 [ACK] Seq=1 Ack=66997 Win=32120 Len=0
     58 19.069166      10.19.160.251         10.19.170.23          TCP      56     54873 → 9100 [RST] Seq=66997 Win=0 Len=0

With additional rules it works as expected:

P1 = forwarder pfSense

     85 0.122887       10.19.160.251         10.19.170.23          TCP      1514   54982 → 9100 [ACK] Seq=58401 Ack=1 Win=131328 Len=1460
     86 0.122899       10.19.160.251         10.19.170.23          TCP      1514   [TCP Retransmission] 54982 → 9100 [ACK] Seq=58401 Ack=1 Win=131328 Len=1460
     87 0.122904       10.19.160.251         10.19.170.23          TCP      1514   54982 → 9100 [ACK] Seq=59861 Ack=1 Win=131328 Len=1460
     88 0.122917       10.19.160.251         10.19.170.23          TCP      1514   [TCP Retransmission] 54982 → 9100 [ACK] Seq=59861 Ack=1 Win=131328 Len=1460
     89 0.122922       10.19.160.251         10.19.170.23          TCP      1514   54982 → 9100 [ACK] Seq=61321 Ack=1 Win=131328 Len=1460
     90 0.122935       10.19.160.251         10.19.170.23          TCP      1514   [TCP Retransmission] 54982 → 9100 [ACK] Seq=61321 Ack=1 Win=131328 Len=1460
     91 0.122941       10.19.160.251         10.19.170.23          TCP      1514   54982 → 9100 [ACK] Seq=62781 Ack=1 Win=131328 Len=1460
     92 0.122954       10.19.160.251         10.19.170.23          TCP      1514   [TCP Retransmission] 54982 → 9100 [ACK] Seq=62781 Ack=1 Win=131328 Len=1460
     93 0.122959       10.19.160.251         10.19.170.23          TCP      1350   54982 → 9100 [PSH, ACK] Seq=64241 Ack=1 Win=131328 Len=1296
     94 0.122972       10.19.160.251         10.19.170.23          TCP      1350   [TCP Retransmission] 54982 → 9100 [PSH, ACK] Seq=64241 Ack=1 Win=131328 Len=1296
     95 0.129698       10.19.160.251         10.19.170.23          TCP      1514   54982 → 9100 [ACK] Seq=65537 Ack=1 Win=131328 Len=1460
     96 0.129732       10.19.160.251         10.19.170.23          TCP      1514   [TCP Retransmission] 54982 → 9100 [ACK] Seq=65537 Ack=1 Win=131328 Len=1460
     97 0.129740       10.19.160.251         10.19.170.23          TCP      1514   54982 → 9100 [ACK] Seq=66997 Ack=1 Win=131328 Len=1460
     98 0.129753       10.19.160.251         10.19.170.23          TCP      1514   [TCP Retransmission] 54982 → 9100 [ACK] Seq=66997 Ack=1 Win=131328 Len=1460
     99 0.129759       10.19.160.251         10.19.170.23          TCP      1514   54982 → 9100 [ACK] Seq=68457 Ack=1 Win=131328 Len=1460
    100 0.129772       10.19.160.251         10.19.170.23          TCP      1514   [TCP Retransmission] 54982 → 9100 [ACK] Seq=68457 Ack=1 Win=131328 Len=1460

P2 = pfSense with destination subnet

     48 0.125574       10.19.160.251         10.19.170.23          TCP      1514   54991 → 9100 [ACK] Seq=58401 Ack=1 Win=131328 Len=1460
     49 0.125767       10.19.160.251         10.19.170.23          TCP      1514   54991 → 9100 [ACK] Seq=59861 Ack=1 Win=131328 Len=1460
     50 0.125782       10.19.160.251         10.19.170.23          TCP      1514   54991 → 9100 [ACK] Seq=61321 Ack=1 Win=131328 Len=1460
     51 0.125795       10.19.160.251         10.19.170.23          TCP      1514   54991 → 9100 [ACK] Seq=62781 Ack=1 Win=131328 Len=1460
     52 0.125808       10.19.160.251         10.19.170.23          TCP      1350   54991 → 9100 [PSH, ACK] Seq=64241 Ack=1 Win=131328 Len=1296
     53 0.131936       10.19.170.23          10.19.160.251         TCP      54     9100 → 54991 [ACK] Seq=1 Ack=65537 Win=32120 Len=0
     54 0.132261       10.19.160.251         10.19.170.23          TCP      1514   54991 → 9100 [ACK] Seq=65537 Ack=1 Win=131328 Len=1460
     55 0.132279       10.19.160.251         10.19.170.23          TCP      1514   54991 → 9100 [ACK] Seq=66997 Ack=1 Win=131328 Len=1460
     56 0.132447       10.19.160.251         10.19.170.23          TCP      1514   54991 → 9100 [ACK] Seq=68457 Ack=1 Win=131328 Len=1460
     57 0.132465       10.19.160.251         10.19.170.23          TCP      1514   54991 → 9100 [ACK] Seq=69917 Ack=1 Win=131328 Len=1460
     58 0.132481       10.19.160.251         10.19.170.23          TCP      1514   54991 → 9100 [ACK] Seq=71377 Ack=1 Win=131328 Len=1460
     59 0.132497       10.19.160.251         10.19.170.23          TCP      1514   54991 → 9100 [ACK] Seq=72837 Ack=1 Win=131328 Len=1460
     60 0.132520       10.19.160.251         10.19.170.23          TCP      1514   54991 → 9100 [ACK] Seq=74297 Ack=1 Win=131328 Len=1460
     61 0.132537       10.19.160.251         10.19.170.23          TCP      1514   54991 → 9100 [ACK] Seq=75757 Ack=1 Win=131328 Len=1460
     62 0.132712       10.19.160.251         10.19.170.23          TCP      1074   54991 → 9100 [PSH, ACK] Seq=77217 Ack=1 Win=131328 Len=1020
     63 0.134591       10.19.170.23          10.19.160.251         TCP      54     9100 → 54991 [ACK] Seq=1 Ack=78237 Win=32120 Len=0
     64 0.134815       10.19.160.251         10.19.170.23          TCP      56     54991 → 9100 [FIN, ACK] Seq=78237 Ack=1 Win=131328 Len=0
     65 0.135148       10.19.170.23          10.19.160.251         TCP      54     9100 → 54991 [ACK] Seq=1 Ack=78238 Win=32120 Len=0
     66 0.136304       10.19.170.23          10.19.160.251         TCP      54     9100 → 54991 [FIN, ACK] Seq=1 Ack=78238 Win=32120 Len=0
     67 0.136465       10.19.160.251         10.19.170.23          TCP      56     54991 → 9100 [ACK] Seq=78238 Ack=2 Win=131328 Len=0
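
As an added example (not part of the report or of pfSense), the check below compares the two "without additional rules" captures and reports which client-to-printer segments left P1 but never appeared on P2, which confirms the observation that forwarding stops one packet after the PSH/ACK segment. The sample lines are a constructed excerpt of the traces in this report in tshark summary format.

```python
import re
from typing import Dict

# Constructed excerpt of the report's "without additional rules" captures
# (tshark summary format), trimmed to the segments around the gap.
P1_TRACE = """\
     91 0.124426       10.19.160.251         10.19.170.23          TCP      1514   54873 → 9100 [ACK] Seq=62781 Ack=1 Win=131328 Len=1460
     93 0.124447       10.19.160.251         10.19.170.23          TCP      1350   54873 → 9100 [PSH, ACK] Seq=64241 Ack=1 Win=131328 Len=1296
     95 0.128479       10.19.160.251         10.19.170.23          TCP      1514   54873 → 9100 [ACK] Seq=65537 Ack=1 Win=131328 Len=1460
     96 0.128498       10.19.160.251         10.19.170.23          TCP      1514   [TCP Retransmission] 54873 → 9100 [ACK] Seq=65537 Ack=1 Win=131328 Len=1460
     97 0.128505       10.19.160.251         10.19.170.23          TCP      1514   54873 → 9100 [ACK] Seq=66997 Ack=1 Win=131328 Len=1460
     98 0.128667       10.19.160.251         10.19.170.23          TCP      1514   54873 → 9100 [ACK] Seq=68457 Ack=1 Win=131328 Len=1460
"""
P2_TRACE = """\
     51 0.124498       10.19.160.251         10.19.170.23          TCP      1514   54873 → 9100 [ACK] Seq=62781 Ack=1 Win=131328 Len=1460
     52 0.124563       10.19.160.251         10.19.170.23          TCP      1350   54873 → 9100 [PSH, ACK] Seq=64241 Ack=1 Win=131328 Len=1296
     53 0.127925       10.19.170.23          10.19.160.251         TCP      54     9100 → 54873 [ACK] Seq=1 Ack=65537 Win=32120 Len=0
     54 0.128447       10.19.160.251         10.19.170.23          TCP      1514   54873 → 9100 [ACK] Seq=65537 Ack=1 Win=131328 Len=1460
"""

# One tshark summary line; the optional "[TCP Retransmission]" tag is skipped over.
LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+[\d.]+\s+[\d.]+\s+TCP\s+\d+\s+(?:\[TCP Retransmission\]\s+)?"
    r"(?P<sport>\d+) → (?P<dport>\d+) \[(?P<flags>[A-Z, ]+)\] Seq=(?P<seq>\d+) "
    r"Ack=\d+ Win=\d+ Len=(?P<len>\d+)"
)

def parse_segments(trace: str, dport: int = 9100) -> Dict[int, str]:
    """Map Seq -> flags for segments towards dport; retransmissions collapse onto the original."""
    segs: Dict[int, str] = {}
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if m and int(m["dport"]) == dport:
            segs.setdefault(int(m["seq"]), m["flags"])
    return segs

def find_forwarding_gap(upstream: Dict[int, str], downstream: Dict[int, str]) -> dict:
    """Segments seen on the forwarder (P1) but never on the destination firewall (P2)."""
    forwarded = sorted(s for s in upstream if s in downstream)
    dropped = sorted(s for s in upstream if s not in downstream)
    last_psh = max((s for s in forwarded if "PSH" in upstream[s]), default=None)
    after_psh = [s for s in forwarded if last_psh is not None and s > last_psh]
    return {"dropped": dropped, "last_forwarded": forwarded[-1] if forwarded else None,
            "last_psh": last_psh, "forwarded_after_psh": len(after_psh)}

def analyze() -> dict:
    """Run the comparison over the constructed P1/P2 excerpts."""
    return find_forwarding_gap(parse_segments(P1_TRACE), parse_segments(P2_TRACE))
```

On the excerpt above, analyze() reports Seq 66997 and 68457 as dropped, with exactly one segment (Seq 65537) forwarded after the PSH/ACK at Seq 64241.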
Actions #1

Updated by Grischa Zengel almost 5 years ago

Here are my rules for this interface:

# pfctl -s rules | grep igb0.11

scrub on igb0.11 all no-df random-id fragment reassemble
block drop in log on ! igb0.11 inet from 10.19.160.0/24 to any
block drop in log on igb0.11 inet6 from fe80::ec4:7aff:feb3:8f17 to any
pass in quick on igb0.11 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP relay" 
pass out on igb0.11 inet proto tcp from 10.19.160.0/24 to 10.19.168.0/21 flags any keep state (sloppy) label "USER_RULE: Fix local redirect" 
pass in quick on igb0.11 inet proto tcp from 10.19.160.0/24 to 10.19.168.0/21 flags any keep state (sloppy) label "USER_RULE: Fix local redirect" 
block return in log quick on igb0.11 inet from <Intgraserver_new> to <Integrsvr_Old> label "USER_RULE: Integra Test" 
pass in quick on igb0.11 inet all flags S/SA keep state label "USER_RULE: Allow ALL" 
pass in quick on igb0.11 inet6 all flags S/SA keep state label "USER_RULE: Allow ALL" 
pass quick on igb0.11 inet proto tcp from 10.19.160.0/24 to 10.19.168.0/21 flags any keep state (sloppy) label "pass traffic between statically routed subnets" 
pass quick on igb0.11 inet from 10.19.160.0/24 to 10.19.168.0/21 flags S/SA keep state (sloppy) label "pass traffic between statically routed subnets" 
pass quick on igb0.11 inet proto tcp from 10.19.168.0/21 to 10.19.160.0/24 flags any keep state (sloppy) label "pass traffic between statically routed subnets" 
pass quick on igb0.11 inet from 10.19.168.0/21 to 10.19.160.0/24 flags S/SA keep state (sloppy) label "pass traffic between statically routed subnets" 
Actions #2

Updated by Jim Pingle almost 5 years ago

  • Status changed from New to Not a Bug

Your manual rule is functionally identical to the automatic rule. Something else must have changed.

There is no bug here that I can see.

That said, the automatic rules can't cover every scenario. Sometimes manual rules are necessary.

Actions #3

Updated by Grischa Zengel almost 5 years ago

Perhaps the order or the length of the filters?
Or a race condition (https://lists.freebsd.org/pipermail/freebsd-net/2017-June/048291.html)?

They tried the whole day to print (>60 jobs) and all jobs failed. After adding a route to the print server, it worked.

I rebooted both pfSenses, and only after adding the manual rule did it work multiple times.

And if, as you write, both rules are the same, it doesn't make sense that adding the same rule manually is needed for this special scenario.

Even though this is a very special and rare scenario, I think there should be more investigation.
