
Static Route for Bridge Group on FP 1120

Derek1993
Level 1

Hello Cisco's Community.

I have the following configuration. I am using an FP 1120 as the router and firewall for my network. I configured a Bridge Group for my interfaces on the FP 1120 via Firepower Device Manager. All my clients receive IPs via DHCP from 192.168.1.0/24.

I want to add a static route for network 10.10.10.0/24 via gateway IP 192.168.1.19. For this I used Routing --> Static Route --> Interface (Use BridgeGroup) --> Networks (10.10.10.0/24) --> Gateway (192.168.1.19) --> Metric (100) --> Save --> Deploy. BUT after this operation my Windows client, e.g. 192.168.1.5, doesn't receive the route from the Cisco FP 1120. I checked it using route print, but there is no route that I have configured on the Cisco FP 1120, and my client 192.168.1.5 can't connect to the 10.10.10.0/24 network via 192.168.1.19 as gateway.

But when I add the route manually (route add 10.10.10.0/24 Mask 255.255.255.0 GW 192.168.1.19), all is fine and my client 192.168.1.5 can connect to network 10.10.10.0/24.

Where is the problem?? Is it in the Bridge Group, and must I configure all of this without a Bridge Group??
Thx!

40 Replies

Just check the GW of the Windows client: does it point to the FPR or to pfSense?

Hey there,
You don't understand me correctly. pfSense has two interfaces:

WAN - connected to my home network 192.168.1.0/24, and it receives IP 192.168.1.19

LAN - it's 10.10.10.0/24

and after my configuration my Windows machine receives the GW as FP 1120 192.168.1.1!

Never mind,
the Windows machine has a GW which is the FPR bridge IP. Windows sends the packet to 10.10.10.0, and pfSense sends the return traffic directly to the host.

This traffic is dropped by the FPR because it sees only half of the traffic; this asymmetric traffic drop behavior is the issue.
The solution is NATing the traffic:
NAT the traffic to OUTside if the destination is 10.10.10.0,
then add a static route to 10.10.10.0 toward the pfSense IP,
and add a static route in pfSense for the OUTside subnet toward the bridge IP.

Ok, so you mean add all this configuration on pfSense 192.168.1.19?

If yes, I have already done all these steps; that's why if I add a manual route to my Windows machine like this

route add 10.10.10.0 MASK 255.255.255.0 GW 192.168.1.19

(pfSense WAN interface)...

Check my comment again.
There is asymmetric traffic, and because of that the FPR drops the packet; this is not related to your use of the BVI in the static route in the FPR.

client-FPR-pfSense
pfSense-client

You see the FPR is missing in the return path,
BUT if you add a static route in Windows the traffic will be

client-pfSense
pfSense-client

That is why it works with adding a static route in Windows.
The solution, as I mentioned above: you need NATing, which makes both paths pass through the FPR.
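A constructed Python model of the two paths described above, added here as an illustration (not code from the thread, Cisco or pfSense). It uses the thread's addresses, assumes a hypothetical outside NAT address 203.0.113.1, and uses a simplified "both halves of the handshake must be seen" rule rather than FTD's exact TCP state checks.

```python
"""Model of the asymmetric-routing drop: stateful firewall sees only half a flow."""
from dataclasses import dataclass, field

# Addresses from the thread; the NAT address is an assumption (TEST-NET-3 range).
CLIENT, FPR_BVI, PFSENSE_WAN = "192.168.1.5", "192.168.1.1", "192.168.1.19"
SERVER = "10.10.10.10"            # constructed host behind pfSense LAN
OUTSIDE_NAT_IP = "203.0.113.1"    # assumed FPR outside IP used for NAT


@dataclass
class Packet:
    src: str
    dst: str
    flags: str   # "SYN", "SYN-ACK" or "ACK"


@dataclass
class StatefulFirewall:
    """Simplified model: an ACK is accepted only after SYN and SYN-ACK were both seen."""
    conns: dict = field(default_factory=dict)
    drops: list = field(default_factory=list)

    def inspect(self, pkt: Packet) -> bool:
        fwd, rev = (pkt.src, pkt.dst), (pkt.dst, pkt.src)
        if pkt.flags == "SYN":
            self.conns[fwd] = "SYN_SEEN"
        elif pkt.flags == "SYN-ACK" and self.conns.get(rev) == "SYN_SEEN":
            self.conns[rev] = "SYNACK_SEEN"
        elif pkt.flags == "ACK" and self.conns.get(fwd) == "SYNACK_SEEN":
            self.conns[fwd] = "ESTABLISHED"
        else:
            self.drops.append(f"DROP {pkt.flags} {pkt.src}->{pkt.dst}: no connection state")
            return False
        return True


def handshake(nat: bool) -> tuple[bool, list]:
    """Run the TCP handshake client -> server; return (completed, firewall drop log).

    nat=False: pfSense has a direct route to 192.168.1.0/24, so SYN-ACK bypasses the FPR.
    nat=True:  client is NATed to OUTSIDE_NAT_IP and pfSense routes that subnet back via
               the FPR bridge IP, so both directions traverse the firewall.
    """
    fw = StatefulFirewall()
    src = OUTSIDE_NAT_IP if nat else CLIENT
    flow = [(Packet(src, SERVER, "SYN"), True),        # client -> FPR -> pfSense
            (Packet(SERVER, src, "SYN-ACK"), nat),     # via FPR only when NATed
            (Packet(src, SERVER, "ACK"), True)]        # client -> FPR -> pfSense
    for pkt, via_fpr in flow:
        if via_fpr and not fw.inspect(pkt):
            return False, fw.drops
    return fw.conns.get((src, SERVER)) == "ESTABLISHED", fw.drops
```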

pfSense, the FPR and the client share the same subnet 192.168.1.0/24?

Yes, pfSense and the FP 1120 are on the same subnet 192.168.1.0/24.


The client uses the GW pushed via DHCP?

Yes, clients receive the GW via DHCP from the FP, and the gateway for pfSense and the Windows box is FP 1120 - 192.168.1.1.


The only thing making an issue here is the client not having the correct GW (it must be the FPR IP), or the subnet being incorrect between the DHCP network and the FPR interface IP. - No, the client has the correct IP, with GW FP 192.168.1.1, and the subnet is correct.. Any ideas??

pfSense shares the same subnet with the FPR and the client? Why do you use this topology if the GW is the FPR?

Derek1993
Level 1

@Flavio Miranda @MHM Cisco World
So I think the main problem is that I use a BVI (bridge virtual interface), and I don't know why, but the static route doesn't work... I will do some testing and give you feedback. Any ideas before my testing??

Your main problem is the fact that you have both source and destination on the same interface. If you connect your pfSense to a different interface on the ASA, all your problems go away.

Besides the fact that the ASA needs to receive the packet and send it back on the same interface, which is not a normal situation, as a routed firewall is basically a router, you still have the problem that the pfSense has direct connectivity with the Windows box, creating more routing problems.

Which means your topology is not good, and you must have a very good justification to keep it that way; but, looking from outside, I'd say you should consider re-designing your network on this point.

Yes, you are correct.. Going to make new networking... Thx a lot for your support; after changing my network I will return to you and give some feedback.

Derek1993
Level 1

Thx all. The solution: change from the Virtual Bridge Group Interface to default interfaces, and all static routes work very well!
Thx to ALL