[fix] How to fix asymmetric routing issues on pfSense
TLDR: Run this on your pfSense instance
- Click System > Advanced
- Click the Firewall/NAT tab
- Check Bypass firewall rules for traffic on the same interface
- Click Save
I was having this issue in my home lab where I sometimes couldn't access my servers through their web interface. Even the NFS mount would not mount.
But as soon as I ran a ping against the server I was trying to access, everything started working normally again.
I thought this was normal because of the weird architecture of my home lab (a mix of services hosted on virtual machines, with even my pfSense in a VM, and a sort of weird NAT to provide internet access to all my VMs). But it turns out that the phenomenon I was experiencing is called asymmetric routing: the incoming route seen by a router doesn't match the outgoing packet route, so the router/stateful firewall gets confused and blocks the traffic.
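To illustrate why the firewall ends up blocking the traffic, here is a simplified model of stateful TCP tracking, added as an example (it is not from the original post and is not pfSense's own code). The `StatefulFirewall` class, the state names and the addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class StatefulFirewall:
    """Toy TCP state table keyed by (client, server). Simplified model, not pf."""
    states: dict = field(default_factory=dict)

    def inspect(self, src, dst, flags):
        """Return 'pass' or 'block' for one TCP packet that crosses the firewall."""
        fwd, rev = (src, dst), (dst, src)
        if flags == "S" and fwd not in self.states:
            self.states[fwd] = "SYN_SENT"          # new connection attempt
            return "pass"
        if flags == "SA" and self.states.get(rev) == "SYN_SENT":
            self.states[rev] = "SYN_ACKED"         # reply seen on the way back
            return "pass"
        if flags in ("A", "PA") and self.states.get(fwd) in ("SYN_ACKED", "ESTABLISHED"):
            self.states[fwd] = "ESTABLISHED"       # handshake fully observed
            return "pass"
        if flags in ("A", "PA") and self.states.get(rev) == "ESTABLISHED":
            return "pass"                          # return traffic of a known flow
        return "block"                             # packet does not fit any state

def run(packets):
    """Feed packets to a fresh firewall; packets that take another path are 'not seen'."""
    fw = StatefulFirewall()
    return [fw.inspect(src, dst, flags) if via_fw else "not seen"
            for src, dst, flags, via_fw in packets]

# Constructed sample flows: (source, destination, TCP flags, crosses the firewall?)
CLIENT, SERVER = "192.168.1.10", "10.0.0.20"
SYMMETRIC = [
    (CLIENT, SERVER, "S", True),
    (SERVER, CLIENT, "SA", True),
    (CLIENT, SERVER, "A", True),
    (CLIENT, SERVER, "PA", True),
]
ASYMMETRIC = [
    (CLIENT, SERVER, "S", True),
    (SERVER, CLIENT, "SA", False),   # the reply returns by a different route
    (CLIENT, SERVER, "A", True),
    (CLIENT, SERVER, "PA", True),
]

if __name__ == "__main__":
    print("symmetric: ", run(SYMMETRIC))
    print("asymmetric:", run(ASYMMETRIC))
```

In the asymmetric flow the firewall never sees the SYN-ACK, so the client's later packets do not match the half-open state and are blocked.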
I had to disable filtering on the LAN interface to get it working, by doing this:
- Click System > Advanced
- Click the Firewall/NAT tab
- Check Bypass firewall rules for traffic on the same interface
- Click Save
There is a second approach, which essentially consists of configuring some firewall rules. This method is explained in more detail in the first link below.
Resources:
- https://docs.netgate.com/pfsense/en/latest/routing/static.html#asymmetric-routing
- https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#config-advanced-static-route-filtering
- https://docs.netgate.com/pfsense/en/latest/routing/gateway-configure.html
- https://docs.netgate.com/pfsense/en/latest/routing/gateways.html
- https://forums.raspberrypi.com/viewtopic.php?t=218167 [similar error]
