PfSense - 1 Internet gateway + 1 MPLS - Static routes?
LAN---pfSense (192.168.1.1)---gateway---internet
 |
pfSense #2 (192.168.1.2)---gateway-MPLS (172.x.x.x.)---customer

This is my current configuration. All of my internet traffic flows over 192.168.1.1 and uses our internal DNS servers. However, I recently added an MPLS circuit direct to one of our customers. They have a bunch of networks (192.168.3.x, 192.168.4.x, 10.0.1.x, etc., etc.) that I'd like to be able to talk to. Currently, I have a small group of users using the pfSense #2, and they simply issue a bunch of "route add customerIP mask customerMask 192.168.1.2" so that they can hit machines at the various customer networks. This works for a small group, but has some problems... 1) they have to run a script to do the route adds, 2) DNS doesn't work on the customer side, and 3) it doesn't scale at all... too many users to make this work ongoing.

Instead of users issuing the route adds, I'd like to just add an interface to the main pfSense box (e.g. opt1), and connect the gateway-MPLS directly to that. And then issue static routes on the pfSense box to get users to the remote networks (like below) automatically. It would be great if I could get DNS working (perhaps add a forwarder to my internal DNS server?). The problem is, I don't know if this is a good solution, or if there is something better/different/more appropriate. If you have any suggestions, I'd love to hear them.
LAN---pfSense (192.168.1.1)---gateway---internet
 |---------------------gateway-MPLS (172.x.x.x.)---customer
I see nothing wrong with it; it seems a very good solution. Just remember to set the gateway on the IP configuration for your OPTx interface, and set rules, routes and such appropriately to allow (or disallow) access.
The DNS issue however, may be because the DNS doesn't have a route back to your network to reply to the DNS queries.
If that's the case, even your forwarder would have a problem. You'll also have to be prepared with static routes or routing on the pfSense #1 to handle any DNS-resolved destination IP you get in reply to your query…
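As an added check (example code, not from the question or the answer), here is a small simulation of the longest-prefix lookup pfSense #1 would perform with the proposed static routes, used to spot customer addresses that would fall through to the internet gateway. The MPLS gateway address and the exact /24 prefixes are assumptions, since the page only gives 172.x.x.x and the ".x" forms.

```python
"""Route-table sanity check for the single-pfSense design discussed above.

Added example, not code from the question or the answer. The /24 masks
and the MPLS gateway address are constructed for illustration.
"""
import ipaddress

# Constructed next-hop labels for the two gateways on pfSense #1.
INTERNET_GW = "internet gateway (WAN default route)"
MPLS_GW = "172.16.0.1 (assumed MPLS gateway on OPT1)"

# Static routes the question proposes on pfSense #1, plus the default route.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), INTERNET_GW),
    (ipaddress.ip_network("192.168.3.0/24"), MPLS_GW),
    (ipaddress.ip_network("192.168.4.0/24"), MPLS_GW),
    (ipaddress.ip_network("10.0.1.0/24"), MPLS_GW),
]


def next_hop(dst, routes=ROUTES):
    """Longest-prefix match, the way the pfSense routing table resolves dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1]


def leaking_to_internet(resolved_ips, routes=ROUTES):
    """Addresses (e.g. answers from the customer's DNS) that no static route
    covers: per the answer's caveat, these would leave via the internet
    gateway instead of the MPLS circuit."""
    return [ip for ip in resolved_ips if next_hop(ip, routes) == INTERNET_GW]


if __name__ == "__main__":
    # Constructed sample of addresses a customer DNS lookup might return.
    print(leaking_to_internet(["10.0.1.5", "10.0.2.7", "192.168.4.1"]))
```

Run it against the real address list returned by the customer's DNS to see which prefixes still need a static route via OPT1.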