Some advice


L3 Networker

Hi there,

I am trying to deploy a network that is connected directly to my PA box over a wifi connector and I am hitting some stumbling blocks. I wondered if someone might be able to offer any advice.

The scenario is this.

I have an office that is connected to my office via a wifi transmitter. These wifi links use the 172.16.5.x range. There is to be a firewall on the other end of this connection for the wifi to plug into (pfSense).

On the firewall on the other end I have 2 interfaces: a LAN and the wifi connector (it has an address on the wifi range). I have set the wifi up as the WAN interface and its gateway as the wifi interface IP on the PA box.

Traffic between those 2 seems to flow ok.

Now, the local LAN. If I set up a NAT rule on the PA box, or in this case incorporate it into an existing rule, that says all traffic from the LAN within my PA network goes out through our external IP (which is an interface on the PA box), that works fine for my local LAN that is attached directly to the PA network. But for this other office, when I try that the traffic shows and shows as allowed out, but always incomplete. I also tried setting up a static route on the virtual router pointing to the wifi WAN card on the pfSense box as its next hop, but still traffic shows incomplete and I never get any pages to appear on the other end (apart from local DNS traffic; I have a DNS forwarder for my domain pointing to my domain controller and all DNS requests within my domain work ok via that).

I have a policy based re-direct for internal LAN that says if going to that wificonnected office, then go over the wifi transmitter. That allows me to get onto it from where I am sitting.

The ideal scenario would be that the network in this wifi-connected office is an extension of the private LAN network (10.10.0.0/16) that I have in my main office. But if on the pfSense side I try to tell it to use 10.10.1.3 (which is what all the LAN PCs within the main office use) as its gateway, which means I then have to set the LAN on the other side as /16 to allow this, I think I lose connection with the firewall.

If I try a completely separate network range then all traffic appears to come from the wifi connector on the wifi-connected office's WAN card and again, traffic shows as incomplete.

I know this is not strictly a PA issue, but if anyone could offer any suggestions it would be appreciated.


L7 Applicator

Hello Jrussell,

Could you please verify the information mentioned below.

--- The destination device has a valid return route to send the traffic back.

--- Please verify whether there is a session for the traffic on the PAN firewall:

> show session all filter source IP_ADD_OF_THE_TESTING_PC destination IP_ADD_OF_THE_DESTINATION

If a session exists for that traffic, then please run the CLI command PAN> show session id XYZ to get detailed information about that session, i.e. NAT rule, security rule, ingress/egress interface etc. It will also show you the number of packets that have been received and transmitted.


Thanks
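The "valid return route" check above is really a longest-prefix-match question: does the reply toward the source leave the PA on the same interface the request arrived on? The small script below is an added example, not code from the thread or from Palo Alto Networks. The routing tables, interface names, the remote LAN 172.16.6.0/24, the pfSense wifi address 172.16.5.2 and the ISP next hop are constructed assumptions; only the 10.10.0.0/16 and 172.16.5.x ranges come from the original post.

```python
# Added example: longest-prefix-match lookup and a return-path check.
# All tables below are constructed; addresses other than 10.10.0.0/16 and
# 172.16.5.x are assumptions made for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str        # "connected" or the next-hop address
    interface: str       # egress interface


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route covering dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def return_path_ok(table: List[Route], ingress_if: str, src: str, dst: str) -> bool:
    """A flow that entered on ingress_if is only healthy if (a) dst is routable
    and (b) the reply toward src would leave on the interface it arrived on.
    Anything else is a missing return route or an asymmetric path."""
    fwd = lookup(table, dst)
    back = lookup(table, src)
    return fwd is not None and back is not None and back.interface == ingress_if


# PA virtual router with a static route for the remote LAN via the pfSense wifi address ...
PA_VR_WITH_STATIC = [
    Route(net("0.0.0.0/0"), "203.0.113.1", "ethernet1/1"),     # ISP, placeholder next hop
    Route(net("10.10.0.0/16"), "connected", "ethernet1/2"),    # main office LAN
    Route(net("172.16.5.0/24"), "connected", "ethernet1/3"),   # wifi link
    Route(net("172.16.6.0/24"), "172.16.5.2", "ethernet1/3"),  # remote LAN (assumed range)
]
# ... and the same router without that static route.
PA_VR_NO_STATIC = [r for r in PA_VR_WITH_STATIC if r.prefix != net("172.16.6.0/24")]


if __name__ == "__main__":
    # Remote-office host 172.16.6.10 browsing to 198.51.100.7 (documentation address).
    for label, table in (("with static route", PA_VR_WITH_STATIC), ("no static route", PA_VR_NO_STATIC)):
        ok = return_path_ok(table, "ethernet1/3", "172.16.6.10", "198.51.100.7")
        print(f"{label}: return path ok = {ok}")
```

Without the static route, the reply to 172.16.6.10 falls through to the default route and would leave toward the ISP instead of back over the wifi link, which is exactly the "no valid return route" case the reply asks about.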

L4 Transporter

Observing incomplete sessions could mean that the TCP handshake did not go through, or that no data packets were received after the TCP handshake completed. As HULK mentioned, the session info will give us more of an idea. I am speculating that you might be running into asymmetric routing, wherein the SYN goes out through one interface of the PA but the response with the SYN-ACK is being received on a different interface. By default, the PA drops packets in the case of asymmetric routing. You can check using counters to see if that is the case. The command is:

> show counter global filter delta yes   (run this command about 4-5 times while passing traffic)

You should see the "tcp-non-syn-reject" counter increment.

Hope this helps.

Thanks
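Running the delta counter command repeatedly and eyeballing the output works, but it is easy to lose track across several samples. The script below is an added example, not code from the thread or from Palo Alto Networks: it parses a series of constructed "delta yes" samples and reports whether a named drop counter keeps moving while test traffic runs. The column layout (name, value, rate, severity, category, aspect, description) is an assumption about the CLI output, and the exact counter name differs between PAN-OS versions, so the counter name is a parameter rather than hard-coded.

```python
# Added example: accumulate repeated "show counter global filter delta yes"
# samples and flag a drop counter that increments across samples.
# Samples are constructed; the column layout is an assumption, not captured output.
import re
from collections import defaultdict
from typing import Dict, List, Tuple

COUNTER_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_\-]+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>\w+)\s+(?P<category>\w+)\s+(?P<aspect>\w+)\s+(?P<desc>.+)$"
)


def parse_counters(text: str) -> Dict[str, int]:
    """Map counter name -> delta value for one sample; header/footer lines never match."""
    out: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_LINE.match(line.strip())
        if m:
            out[m["name"]] = int(m["value"])
    return out


def accumulate(samples: List[str]) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Sum deltas per counter and count in how many samples each counter appeared."""
    totals: Dict[str, int] = defaultdict(int)
    seen: Dict[str, int] = defaultdict(int)
    for sample in samples:
        for name, value in parse_counters(sample).items():
            totals[name] += value
            seen[name] += 1
    return dict(totals), dict(seen)


def asymmetric_routing_suspected(samples: List[str], counter: str = "tcp-non-syn-reject",
                                 min_samples: int = 2) -> bool:
    """With 'delta yes' each sample lists only counters that changed since the
    previous run, so a drop counter appearing sample after sample with a positive
    delta is incrementing steadily while the test traffic flows."""
    totals, seen = accumulate(samples)
    return seen.get(counter, 0) >= min_samples and totals.get(counter, 0) > 0


def make_sample(rows) -> str:
    """Build one constructed sample in the assumed column layout."""
    header = ("Global counters:\nElapsed time since last sampling: 2.1 seconds\n\n"
              "name                    value   rate severity  category  aspect    description\n"
              + "-" * 79 + "\n")
    body = "".join(f"{n:<24}{v:>6}{r:>7} {sev:<9} {cat:<9} {asp:<9} {d}\n"
                   for n, v, r, sev, cat, asp, d in rows)
    return header + body + "-" * 79 + "\nTotal counters shown: %d\n" % len(rows)


# Constructed samples taken "while passing traffic": the drop counter moves every time.
TRAFFIC_SAMPLES = [
    make_sample([("pkt_recv", 412, 196, "info", "packet", "pktproc", "Packets received"),
                 ("session_allocated", 14, 6, "info", "session", "resource", "Sessions allocated"),
                 ("tcp-non-syn-reject", 7, 3, "drop", "flow", "session", "TCP non-SYN packet rejected")]),
    make_sample([("pkt_recv", 388, 185, "info", "packet", "pktproc", "Packets received"),
                 ("tcp-non-syn-reject", 5, 2, "drop", "flow", "session", "TCP non-SYN packet rejected")]),
    make_sample([("pkt_recv", 430, 204, "info", "packet", "pktproc", "Packets received"),
                 ("tcp-non-syn-reject", 9, 4, "drop", "flow", "session", "TCP non-SYN packet rejected")]),
]
# Constructed control samples with no non-SYN rejects.
HEALTHY_SAMPLES = [
    make_sample([("pkt_recv", 401, 190, "info", "packet", "pktproc", "Packets received"),
                 ("session_allocated", 12, 5, "info", "session", "resource", "Sessions allocated")]),
    make_sample([("pkt_recv", 395, 188, "info", "packet", "pktproc", "Packets received")]),
]

if __name__ == "__main__":
    totals, seen = accumulate(TRAFFIC_SAMPLES)
    print("tcp-non-syn-reject total delta:", totals.get("tcp-non-syn-reject", 0),
          "seen in", seen.get("tcp-non-syn-reject", 0), "samples")
    print("asymmetric routing suspected:", asymmetric_routing_suspected(TRAFFIC_SAMPLES))
    print("healthy control suspected:", asymmetric_routing_suspected(HEALTHY_SAMPLES))
```

To use it against a real firewall, paste each run of the command into its own string and pass the list in the order the samples were taken; a counter that only appears once may just be a stray packet, which is why `min_samples` defaults to 2.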

Sorry, I thought having a static route with the next hop being the wifi NIC on the other end would be my valid return route? Or am I missing something there.

I am just in the middle of trying to put the config back to how it was, as I was playing with the setup yesterday. Once I have it how it was, I will try those commands you suggested to get the session traffic.

Ok. Once you provide the session details, we may be able to give you some more insight.

Thanks

Thanks for your assistance on this one guys. But in the end I managed to resolve the issue and it was nothing to do with the PA box. For some reason the pfSense firewall on the other side didn't like me setting the wifi interface as the WAN interface. Worked fine once I set the wifi connector to another interface.
