Bug #9645 (closed)
"Bypass firewall rules for traffic on the same interface" does not work as expected
Status: Not a Bug
Priority: Normal
Assignee: -
Category: Rules / NAT
Target version: -
Start date: 07/23/2019
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.4-p3
Affected Architecture:
Description
I have to use asymmetric routing. P1 (default gateway) routes to P2 on the same subnet. ICMP redirect doesn't work because I use a CARP IP for the default gateway on this subnet.
My problem now is that printing on HP printers behind P2 does not work.
I detected that after a packet with the PSH and ACK flags set, forwarding stops after one more packet. If I create 2 rules (LAN interface and floating/outgoing) with sloppy set for all flags, it works.
The Automatic Fix does not work.
The Manual Fix does work.
Here are my packet traces:
Without additional rules, printing is broken:

P1 = forwarder Pfsense
87 0.124381 10.19.160.251 10.19.170.23 TCP 1514 54873 → 9100 [ACK] Seq=59861 Ack=1 Win=131328 Len=1460
88 0.124397 10.19.160.251 10.19.170.23 TCP 1514 [TCP Retransmission] 54873 → 9100 [ACK] Seq=59861 Ack=1 Win=131328 Len=1460
89 0.124403 10.19.160.251 10.19.170.23 TCP 1514 54873 → 9100 [ACK] Seq=61321 Ack=1 Win=131328 Len=1460
90 0.124419 10.19.160.251 10.19.170.23 TCP 1514 [TCP Retransmission] 54873 → 9100 [ACK] Seq=61321 Ack=1 Win=131328 Len=1460
91 0.124426 10.19.160.251 10.19.170.23 TCP 1514 54873 → 9100 [ACK] Seq=62781 Ack=1 Win=131328 Len=1460
92 0.124441 10.19.160.251 10.19.170.23 TCP 1514 [TCP Retransmission] 54873 → 9100 [ACK] Seq=62781 Ack=1 Win=131328 Len=1460
93 0.124447 10.19.160.251 10.19.170.23 TCP 1350 54873 → 9100 [PSH, ACK] Seq=64241 Ack=1 Win=131328 Len=1296
94 0.124463 10.19.160.251 10.19.170.23 TCP 1350 [TCP Retransmission] 54873 → 9100 [PSH, ACK] Seq=64241 Ack=1 Win=131328 Len=1296
95 0.128479 10.19.160.251 10.19.170.23 TCP 1514 54873 → 9100 [ACK] Seq=65537 Ack=1 Win=131328 Len=1460
96 0.128498 10.19.160.251 10.19.170.23 TCP 1514 [TCP Retransmission] 54873 → 9100 [ACK] Seq=65537 Ack=1 Win=131328 Len=1460
97 0.128505 10.19.160.251 10.19.170.23 TCP 1514 54873 → 9100 [ACK] Seq=66997 Ack=1 Win=131328 Len=1460
98 0.128667 10.19.160.251 10.19.170.23 TCP 1514 54873 → 9100 [ACK] Seq=68457 Ack=1 Win=131328 Len=1460
99 0.128686 10.19.160.251 10.19.170.23 TCP 1514 54873 → 9100 [ACK] Seq=69917 Ack=1 Win=131328 Len=1460
100 0.128698 10.19.160.251 10.19.170.23 TCP 1514 54873 → 9100 [ACK] Seq=71377 Ack=1 Win=131328 Len=1460

P2 = Pfsense with destination subnet
49 0.124465 10.19.160.251 10.19.170.23 TCP 1514 54873 → 9100 [ACK] Seq=59861 Ack=1 Win=131328 Len=1460
50 0.124480 10.19.160.251 10.19.170.23 TCP 1514 54873 → 9100 [ACK] Seq=61321 Ack=1 Win=131328 Len=1460
51 0.124498 10.19.160.251 10.19.170.23 TCP 1514 54873 → 9100 [ACK] Seq=62781 Ack=1 Win=131328 Len=1460
52 0.124563 10.19.160.251 10.19.170.23 TCP 1350 54873 → 9100 [PSH, ACK] Seq=64241 Ack=1 Win=131328 Len=1296
53 0.127925 10.19.170.23 10.19.160.251 TCP 54 9100 → 54873 [ACK] Seq=1 Ack=65537 Win=32120 Len=0
54 0.128447 10.19.160.251 10.19.170.23 TCP 1514 54873 → 9100 [ACK] Seq=65537 Ack=1 Win=131328 Len=1460
55 0.129569 10.19.170.23 10.19.160.251 TCP 54 9100 → 54873 [ACK] Seq=1 Ack=66997 Win=32120 Len=0
56 19.068648 10.19.160.251 10.19.170.23 TCP 56 54873 → 9100 [RST, ACK] Seq=68457 Ack=1 Win=0 Len=0
57 19.068985 10.19.170.23 10.19.160.251 TCP 54 [TCP Dup ACK 55#1] 9100 → 54873 [ACK] Seq=1 Ack=66997 Win=32120 Len=0
58 19.069166 10.19.160.251 10.19.170.23 TCP 56 54873 → 9100 [RST] Seq=66997 Win=0 Len=0

With additional rules it works as expected:

P1 = forwarder Pfsense
85 0.122887 10.19.160.251 10.19.170.23 TCP 1514 54982 → 9100 [ACK] Seq=58401 Ack=1 Win=131328 Len=1460
86 0.122899 10.19.160.251 10.19.170.23 TCP 1514 [TCP Retransmission] 54982 → 9100 [ACK] Seq=58401 Ack=1 Win=131328 Len=1460
87 0.122904 10.19.160.251 10.19.170.23 TCP 1514 54982 → 9100 [ACK] Seq=59861 Ack=1 Win=131328 Len=1460
88 0.122917 10.19.160.251 10.19.170.23 TCP 1514 [TCP Retransmission] 54982 → 9100 [ACK] Seq=59861 Ack=1 Win=131328 Len=1460
89 0.122922 10.19.160.251 10.19.170.23 TCP 1514 54982 → 9100 [ACK] Seq=61321 Ack=1 Win=131328 Len=1460
90 0.122935 10.19.160.251 10.19.170.23 TCP 1514 [TCP Retransmission] 54982 → 9100 [ACK] Seq=61321 Ack=1 Win=131328 Len=1460
91 0.122941 10.19.160.251 10.19.170.23 TCP 1514 54982 → 9100 [ACK] Seq=62781 Ack=1 Win=131328 Len=1460
92 0.122954 10.19.160.251 10.19.170.23 TCP 1514 [TCP Retransmission] 54982 → 9100 [ACK] Seq=62781 Ack=1 Win=131328 Len=1460
93 0.122959 10.19.160.251 10.19.170.23 TCP 1350 54982 → 9100 [PSH, ACK] Seq=64241 Ack=1 Win=131328 Len=1296
94 0.122972 10.19.160.251 10.19.170.23 TCP 1350 [TCP Retransmission] 54982 → 9100 [PSH, ACK] Seq=64241 Ack=1 Win=131328 Len=1296
95 0.129698 10.19.160.251 10.19.170.23 TCP 1514 54982 → 9100 [ACK] Seq=65537 Ack=1 Win=131328 Len=1460
96 0.129732 10.19.160.251 10.19.170.23 TCP 1514 [TCP Retransmission] 54982 → 9100 [ACK] Seq=65537 Ack=1 Win=131328 Len=1460
97 0.129740 10.19.160.251 10.19.170.23 TCP 1514 54982 → 9100 [ACK] Seq=66997 Ack=1 Win=131328 Len=1460
98 0.129753 10.19.160.251 10.19.170.23 TCP 1514 [TCP Retransmission] 54982 → 9100 [ACK] Seq=66997 Ack=1 Win=131328 Len=1460
99 0.129759 10.19.160.251 10.19.170.23 TCP 1514 54982 → 9100 [ACK] Seq=68457 Ack=1 Win=131328 Len=1460
100 0.129772 10.19.160.251 10.19.170.23 TCP 1514 [TCP Retransmission] 54982 → 9100 [ACK] Seq=68457 Ack=1 Win=131328 Len=1460

P2 = Pfsense with destination subnet
48 0.125574 10.19.160.251 10.19.170.23 TCP 1514 54991 → 9100 [ACK] Seq=58401 Ack=1 Win=131328 Len=1460
49 0.125767 10.19.160.251 10.19.170.23 TCP 1514 54991 → 9100 [ACK] Seq=59861 Ack=1 Win=131328 Len=1460
50 0.125782 10.19.160.251 10.19.170.23 TCP 1514 54991 → 9100 [ACK] Seq=61321 Ack=1 Win=131328 Len=1460
51 0.125795 10.19.160.251 10.19.170.23 TCP 1514 54991 → 9100 [ACK] Seq=62781 Ack=1 Win=131328 Len=1460
52 0.125808 10.19.160.251 10.19.170.23 TCP 1350 54991 → 9100 [PSH, ACK] Seq=64241 Ack=1 Win=131328 Len=1296
53 0.131936 10.19.170.23 10.19.160.251 TCP 54 9100 → 54991 [ACK] Seq=1 Ack=65537 Win=32120 Len=0
54 0.132261 10.19.160.251 10.19.170.23 TCP 1514 54991 → 9100 [ACK] Seq=65537 Ack=1 Win=131328 Len=1460
55 0.132279 10.19.160.251 10.19.170.23 TCP 1514 54991 → 9100 [ACK] Seq=66997 Ack=1 Win=131328 Len=1460
56 0.132447 10.19.160.251 10.19.170.23 TCP 1514 54991 → 9100 [ACK] Seq=68457 Ack=1 Win=131328 Len=1460
57 0.132465 10.19.160.251 10.19.170.23 TCP 1514 54991 → 9100 [ACK] Seq=69917 Ack=1 Win=131328 Len=1460
58 0.132481 10.19.160.251 10.19.170.23 TCP 1514 54991 → 9100 [ACK] Seq=71377 Ack=1 Win=131328 Len=1460
59 0.132497 10.19.160.251 10.19.170.23 TCP 1514 54991 → 9100 [ACK] Seq=72837 Ack=1 Win=131328 Len=1460
60 0.132520 10.19.160.251 10.19.170.23 TCP 1514 54991 → 9100 [ACK] Seq=74297 Ack=1 Win=131328 Len=1460
61 0.132537 10.19.160.251 10.19.170.23 TCP 1514 54991 → 9100 [ACK] Seq=75757 Ack=1 Win=131328 Len=1460
62 0.132712 10.19.160.251 10.19.170.23 TCP 1074 54991 → 9100 [PSH, ACK] Seq=77217 Ack=1 Win=131328 Len=1020
63 0.134591 10.19.170.23 10.19.160.251 TCP 54 9100 → 54991 [ACK] Seq=1 Ack=78237 Win=32120 Len=0
64 0.134815 10.19.160.251 10.19.170.23 TCP 56 54991 → 9100 [FIN, ACK] Seq=78237 Ack=1 Win=131328 Len=0
65 0.135148 10.19.170.23 10.19.160.251 TCP 54 9100 → 54991 [ACK] Seq=1 Ack=78238 Win=32120 Len=0
66 0.136304 10.19.170.23 10.19.160.251 TCP 54 9100 → 54991 [FIN, ACK] Seq=1 Ack=78238 Win=32120 Len=0
67 0.136465 10.19.160.251 10.19.170.23 TCP 56 54991 → 9100 [ACK] Seq=78238 Ack=2 Win=131328 Len=0
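The P1 captures above can be read mechanically. The script below is an added example (it is not pfSense code and not the reporter's): it parses Wireshark packet-list text of the kind pasted in this report and exploits the fact that on a hairpin interface every forwarded data segment is captured twice, once on ingress and once on egress, which is why Wireshark tags the second copy "[TCP Retransmission]" even though nothing was retransmitted. A data segment that appears only once was received by P1 but never forwarded, so comparing copy counts locates the first dropped segment from the forwarder's capture alone. The sample frames are copied from the report's two P1 captures; the function names and the assumption of a single data-carrying direction are the example's own.

```python
"""Find where a hairpin-forwarding firewall stops passing a TCP flow.

Added example for the traces in bug #9645 (not pfSense code). On a router
that forwards traffic back out the interface it arrived on, a capture on
that interface shows every forwarded data segment twice (ingress copy and
egress copy). A data segment seen only once was received but not sent on.
Assumes a single data-carrying direction in the capture, as in the report.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

# Wireshark packet-list "Info" column for a TCP segment, e.g.
#   54873 → 9100 [PSH, ACK] Seq=64241 Ack=1 Win=131328 Len=1296
# An optional "[TCP Retransmission]" prefix is skipped by using search().
_INFO = re.compile(
    r"(?P<sport>\d+) → (?P<dport>\d+) \[(?P<flags>[A-Z, ]+)\] "
    r"Seq=(?P<seq>\d+) (?:Ack=\d+ )?Win=\d+ Len=(?P<len>\d+)"
)


class Segment(NamedTuple):
    frame: int
    src: str
    dst: str
    flags: str
    seq: int      # relative sequence number, as Wireshark prints it
    length: int   # payload bytes


def parse_summary(lines: List[str]) -> List[Segment]:
    """Parse 'No. Time Source Destination Protocol Length Info' text lines."""
    segments = []
    for line in lines:
        parts = line.split(None, 6)
        if len(parts) < 7 or parts[4] != "TCP":
            continue
        m = _INFO.search(parts[6])
        if m:
            segments.append(Segment(int(parts[0]), parts[2], parts[3],
                                    m["flags"], int(m["seq"]), int(m["len"])))
    return segments


def _key(s: Segment) -> Tuple[str, str, int]:
    return (s.src, s.dst, s.seq)


def classify(lines: List[str]) -> Tuple[List[Segment], List[Segment]]:
    """Split data segments into (forwarded, dropped), each sorted by seq.

    forwarded: captured at least twice (in + out on the same interface)
    dropped:   captured exactly once (received, never forwarded)
    """
    data = [s for s in parse_summary(lines) if s.length > 0]
    copies = Counter(_key(s) for s in data)
    first_copy: Dict[Tuple[str, str, int], Segment] = {}
    for s in data:
        first_copy.setdefault(_key(s), s)
    ordered = sorted(first_copy.values(), key=lambda s: s.seq)
    forwarded = [s for s in ordered if copies[_key(s)] >= 2]
    dropped = [s for s in ordered if copies[_key(s)] == 1]
    return forwarded, dropped


def first_drop(lines: List[str]) -> Optional[int]:
    """Seq of the first segment the forwarder swallowed, or None if all passed."""
    _, dropped = classify(lines)
    return dropped[0].seq if dropped else None


def flags_before_drop(lines: List[str], n: int = 2) -> List[str]:
    """Flags of the last n segments forwarded before the first drop.

    Shows what the firewall's state machine last let through before it
    stopped matching the flow. Empty when nothing was dropped.
    """
    forwarded, dropped = classify(lines)
    if not dropped:
        return []
    return [s.flags for s in forwarded if s.seq < dropped[0].seq][-n:]


# Constructed sample input: frames copied from the report's P1 captures.
BROKEN_P1 = """
91 0.124426 10.19.160.251 10.19.170.23 TCP 1514 54873 → 9100 [ACK] Seq=62781 Ack=1 Win=131328 Len=1460
92 0.124441 10.19.160.251 10.19.170.23 TCP 1514 [TCP Retransmission] 54873 → 9100 [ACK] Seq=62781 Ack=1 Win=131328 Len=1460
93 0.124447 10.19.160.251 10.19.170.23 TCP 1350 54873 → 9100 [PSH, ACK] Seq=64241 Ack=1 Win=131328 Len=1296
94 0.124463 10.19.160.251 10.19.170.23 TCP 1350 [TCP Retransmission] 54873 → 9100 [PSH, ACK] Seq=64241 Ack=1 Win=131328 Len=1296
95 0.128479 10.19.160.251 10.19.170.23 TCP 1514 54873 → 9100 [ACK] Seq=65537 Ack=1 Win=131328 Len=1460
96 0.128498 10.19.160.251 10.19.170.23 TCP 1514 [TCP Retransmission] 54873 → 9100 [ACK] Seq=65537 Ack=1 Win=131328 Len=1460
97 0.128505 10.19.160.251 10.19.170.23 TCP 1514 54873 → 9100 [ACK] Seq=66997 Ack=1 Win=131328 Len=1460
98 0.128667 10.19.160.251 10.19.170.23 TCP 1514 54873 → 9100 [ACK] Seq=68457 Ack=1 Win=131328 Len=1460
99 0.128686 10.19.160.251 10.19.170.23 TCP 1514 54873 → 9100 [ACK] Seq=69917 Ack=1 Win=131328 Len=1460
100 0.128698 10.19.160.251 10.19.170.23 TCP 1514 54873 → 9100 [ACK] Seq=71377 Ack=1 Win=131328 Len=1460
""".strip().splitlines()

WORKING_P1 = """
93 0.122959 10.19.160.251 10.19.170.23 TCP 1350 54982 → 9100 [PSH, ACK] Seq=64241 Ack=1 Win=131328 Len=1296
94 0.122972 10.19.160.251 10.19.170.23 TCP 1350 [TCP Retransmission] 54982 → 9100 [PSH, ACK] Seq=64241 Ack=1 Win=131328 Len=1296
95 0.129698 10.19.160.251 10.19.170.23 TCP 1514 54982 → 9100 [ACK] Seq=65537 Ack=1 Win=131328 Len=1460
96 0.129732 10.19.160.251 10.19.170.23 TCP 1514 [TCP Retransmission] 54982 → 9100 [ACK] Seq=65537 Ack=1 Win=131328 Len=1460
97 0.129740 10.19.160.251 10.19.170.23 TCP 1514 54982 → 9100 [ACK] Seq=66997 Ack=1 Win=131328 Len=1460
98 0.129753 10.19.160.251 10.19.170.23 TCP 1514 [TCP Retransmission] 54982 → 9100 [ACK] Seq=66997 Ack=1 Win=131328 Len=1460
99 0.129759 10.19.160.251 10.19.170.23 TCP 1514 54982 → 9100 [ACK] Seq=68457 Ack=1 Win=131328 Len=1460
100 0.129772 10.19.160.251 10.19.170.23 TCP 1514 [TCP Retransmission] 54982 → 9100 [ACK] Seq=68457 Ack=1 Win=131328 Len=1460
""".strip().splitlines()

if __name__ == "__main__":
    for name, capture in (("without bypass rules", BROKEN_P1),
                          ("with sloppy rules", WORKING_P1)):
        print(name, "first unforwarded seq:", first_drop(capture),
              "last forwarded flags:", flags_before_drop(capture))
```

On the broken capture the first unforwarded segment is Seq=66997 and the two segments forwarded just before it carry [PSH, ACK] then [ACK], which is the pattern the reporter describes. On the capture taken with the manual sloppy rules every segment appears twice, so nothing is reported as dropped. The reason the manual rules matter is that pf's `keep state (sloppy)` tracker disables the sequence-number window checks a normal TCP state enforces; a firewall that sees only one direction of a connection cannot keep those windows consistent, so without sloppy tracking the state stops matching and the remaining segments are silently dropped.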