
Using routing knowledge to solve problems in a real environment (asymmetric path)

2025-02-02 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

In the previous article, "Using routing knowledge to solve real-world problems", the solution was proposed but the crux of the problem was never explained. This article makes up for that.

Change from the previous experiment: M0n0wall is replaced by pfSense.

Problem encountered: the symptom is no different from last time. From SZBG, ping and tracert to the HKBG host 192.168.15.21 work normally,

but the client's Outlook cannot connect to the HKBG mail server 192.168.15.21.

Line of reasoning:

Since ping and tracert both succeed, routing itself is not the main problem.

So what is different? The protocol: ping, tracert and Outlook use different protocols.

Normally, the client connects to the mail server like this ->

Outlook uses TCP to communicate with the mail server, while ping and tracert use ICMP.

Both M0n0wall and pfSense are stateful-inspection firewalls (each integrates firewall and router functionality).

Characteristics of a stateful-inspection firewall:

If a session is incomplete (for example, only the request segment SYN is seen and no response ACK), the session request is intercepted or discarded.

It normally requires that the integrity of the session be maintained; as we know, establishing and tearing down a TCP connection consists of the three-way handshake and the four-way close.

TCP is a connection-oriented, stateful and reliable transport protocol.

Take a closer look at our existing network architecture:

From the picture we can see that the outgoing and return paths for traffic from 192.168.20.45 are not the same; this is what is called asymmetric routing.

In this case the firewall (M0n0wall or pfSense) sees an incomplete session: it only receives the SYN packet and never sees the rest of the handshake.

So connection requests initiated by 192.168.20.45 are intercepted or discarded by M0n0wall or pfSense.

pfSense provides a solution to this problem:

Simply tick "Static route filtering" under System -> Advanced -> Firewall & NAT. This really does solve the problem described above.
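As an added illustration (not part of the original article), the following Python model shows why ICMP succeeds while the TCP handshake fails across the asymmetric path, and how the pfSense bypass option changes the verdict. The firewall model and packet sequences are constructed for this example and simplify pf's real state engine; in pfSense the "Static route filtering" option is labelled "Bypass firewall rules for traffic on the same interface".

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "icmp"
    src: str
    dst: str
    flags: str = ""  # TCP handshake step: "SYN", "SYN-ACK" or "ACK"

@dataclass
class StatefulFirewall:
    """Simplified model of stateful inspection (an assumption for this example,
    not pf's real state engine): a TCP flow must be seen SYN -> SYN-ACK -> ACK."""
    bypass_same_interface: bool = False   # models pfSense "Static route filtering"
    states: dict = field(default_factory=dict)

    def filter(self, pkt: Packet) -> str:
        if pkt.proto == "icmp":
            return "pass"  # each echo request stands alone, no handshake to complete
        if self.bypass_same_interface:
            return "pass"  # flows that enter and leave on one interface are not state-checked
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "SYN":
            self.states[fwd] = "SYN_SENT"
            return "pass"
        if pkt.flags == "SYN-ACK" and self.states.get(rev) == "SYN_SENT":
            self.states[rev] = "SYN_RCVD"
            return "pass"
        if pkt.flags == "ACK" and self.states.get(fwd) == "SYN_RCVD":
            self.states[fwd] = "ESTABLISHED"
            return "pass"
        return "drop"  # handshake incomplete: the firewall never saw the SYN-ACK

def run(fw: StatefulFirewall, packets: list) -> list:
    return [fw.filter(p) for p in packets]  # verdict per packet, in order

CLIENT, MAIL = "192.168.20.45", "192.168.15.21"
# Symmetric path: every leg of the handshake crosses the firewall.
SYMMETRIC = [Packet("tcp", CLIENT, MAIL, "SYN"), Packet("tcp", MAIL, CLIENT, "SYN-ACK"),
             Packet("tcp", CLIENT, MAIL, "ACK")]
# Asymmetric path: the SYN-ACK returns via another router, so only the client's packets cross.
ASYMMETRIC = [Packet("tcp", CLIENT, MAIL, "SYN"), Packet("tcp", CLIENT, MAIL, "ACK")]
# ICMP echo request over the same asymmetric path: the firewall only sees the request.
ICMP_PING = [Packet("icmp", CLIENT, MAIL)]

if __name__ == "__main__":
    print("symmetric TCP  :", run(StatefulFirewall(), SYMMETRIC))   # all pass
    print("asymmetric TCP :", run(StatefulFirewall(), ASYMMETRIC))  # ACK dropped
    print("with bypass    :", run(StatefulFirewall(bypass_same_interface=True), ASYMMETRIC))
    print("asymmetric ping:", run(StatefulFirewall(), ICMP_PING))   # passes
```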
