PfSense routing between two routers with shared network

Tags: ip, networking, pfsense, routing, tcp

I have a network set-up using two pfSense routers arranged like this:

DMZ1  WAN1          WAN2  DMZ2
 |     |             |     |
 |     |             |     |
 \___ PF1           PF2___/
       |             |
       |             |
       \___TRUSTED___/ 

Each pfSense router has its own separate WAN connection, and a separate DMZ network attached to it. They share a common TRUSTED LAN between them.

The machines on the trusted network have PF1 as their default gateway. PF1 has a static route defined to DMZ2 via PF2, and PF2 has a static route to DMZ1 via PF1. There is NAT to the WAN but internal networks (DMZ1/2 and TRUSTED) use different RFC1918 subnets.

I inherited this arrangement, and all used to work fine. I made a config change to PF1 (relating to multicast), and machines on DMZ2 suddenly could not talk to TRUSTED. I rolled the change back, but the problem persisted.

What I guess you'd hope would happen is that TCP packets would go DMZ2 -> PF2 -> TRUSTED and on return TRUSTED -> PF1 -> PF2 -> DMZ2. That's the only way I can see it would have worked. However, PF1 drops the returning packets. I've verified this using tcpdump.

I've worked around this by adding static routes to DMZ2 via PF2 to the servers on TRUSTED, but some devices on there do not support static routes so this is not ideal. Is there a way to make this arrangement work decently, or is the design inherently flawed?

Thanks!

Best Answer

You need the option to bypass filtering for static routes, under System>Advanced. Can't filter the traffic in that scenario since it's asymmetrically routed.
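The asymmetric flow described above, modelled as an added Python example (not code from the question, the answer, or pfSense): a toy stateful filter per router shows why PF1 drops the TRUSTED -> DMZ2 return packets it never saw a SYN for, and how skipping filtering for traffic that enters and leaves on the same interface (a simplified view of the System > Advanced option) lets them through. The 10.0.x.x addresses are constructed for the diagram.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK

# Constructed addressing for the diagram (assumption, not from the page).
SUBNETS = {"TRUSTED": "10.0.0.", "DMZ2": "10.0.2."}

def ifname(ip):
    """Map an address to the interface whose subnet contains it."""
    for name, prefix in SUBNETS.items():
        if ip.startswith(prefix):
            return name
    return "WAN"

@dataclass
class StatefulRouter:
    name: str
    routes: dict                       # destination net -> egress interface (static routes)
    bypass_same_interface: bool = False
    states: set = field(default_factory=set)

    def forward(self, pkt):
        """Return True if forwarded, False if dropped by the state filter."""
        in_if = ifname(pkt.src)
        out_if = self.routes.get(ifname(pkt.dst), ifname(pkt.dst))
        key = frozenset({pkt.src, pkt.dst})
        # Simplified "bypass firewall rules for traffic on the same interface":
        # a packet that enters and leaves on one interface skips state checking.
        if self.bypass_same_interface and in_if == out_if:
            return True
        if pkt.flags == "S":           # a SYN creates state on the router that sees it
            self.states.add(key)
            return True
        return key in self.states      # anything else must match existing state

def simulate(bypass):
    """Replay one TCP handshake across the two-router topology."""
    pf1 = StatefulRouter("PF1", {"DMZ2": "TRUSTED"}, bypass)  # DMZ2 via PF2, reached over TRUSTED
    pf2 = StatefulRouter("PF2", {})
    syn = Packet("10.0.2.10", "10.0.0.20", "S")
    synack = Packet("10.0.0.20", "10.0.2.10", "SA")
    # Forward path DMZ2 -> PF2 -> TRUSTED: only PF2 sees the SYN.
    assert pf2.forward(syn)
    # Return path TRUSTED -> PF1 (default gateway) -> PF2: PF1 has no state.
    return pf1.forward(synack)
```

With the bypass off, `simulate(False)` returns False (PF1 drops the SYN-ACK, matching the tcpdump observation); with it on, `simulate(True)` returns True.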