[SOLVED] Same subnet, two firewalls
-
It is not possible because there are dedicated services that run through FW2
-
What do you mean by 'dedicated services'? You have some port forwards on FW2 that point to SRV2? Or is FW2 itself providing some critical services?
-
I apologize for my English, it is very bad.
FW2 is providing critical services to SRV2 and it is untouchable and unusable for other connectivity.
-
Your English is just fine, but I wanted to confirm what I thought you were saying. I don't think this will ever work like this, or at least I do not know how if it is possible. You are starting a session through one stateful firewall and getting replies from another completely different firewall, which your end is dropping. Maybe one of the smarter network guys here has a trick up his sleeve, but I don't.
-
For best clarity
-
In addition, with other firewalls (e.g. Kerio Winroute :o) it was working
-
I see two possible solutions:
-
You could create an outbound NAT rule on FW1, that translates the source address on traffic destined for SRV2 to the LAN IP address of FW1. But this way, the logs on SRV2 will always display the IP address of FW1 as the client, when traffic from clients comes through FW1. Could be a security issue.
-
Add static routes on SRV2 that tell it when to use FW1 as the gateway. For instance, add a static route on SRV2 that covers the subnet you use for OpenVPN clients.
-
-
Solution 1 looks good to me but, before trying it, I would like to understand how the traffic through FW2 is routed with this solution
-
The traffic will not be routed through FW2, not when it originates from FW1. That's what the outbound NAT rule does. SRV2 will see FW1 as the client, and since they are in the same subnet, it will not need to route the returning traffic to the default gateway. This won't affect the existing traffic that normally passes through FW2 towards SRV2.
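To make the asymmetric-routing problem and the two proposed fixes concrete, here is an added example that is not part of the thread: a small Python model of the LAN described above. SRV2 replies by consulting its own routing table; FW1 only forwards a reply that matches a state it recorded when it forwarded the request. All addresses (the 10.8.0.0/24 OpenVPN subnet, FW1 at 192.168.1.1, FW2 at 192.168.1.2, SRV2 at 192.168.1.20) are constructed assumptions, and the model ignores ports and TCP details.

```python
"""Toy model of the 'same subnet, two firewalls' asymmetric-routing problem.

Constructed topology (assumptions for this example, not from the thread):
  CLIENT  10.8.0.10     OpenVPN client terminated on FW1
  FW1     192.168.1.1   stateful firewall, LAN side
  FW2     192.168.1.2   SRV2's default gateway, also stateful
  SRV2    192.168.1.20  server on the shared LAN
"""
import ipaddress

CLIENT = "10.8.0.10"
FW1_LAN = "192.168.1.1"
FW2_LAN = "192.168.1.2"
SRV2 = "192.168.1.20"
LAN = "192.168.1.0/24"
VPN_NET = "10.8.0.0/24"


def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs.

    A gateway of None means the destination is on-link and is delivered
    directly, without going through any router.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        net = ipaddress.ip_network(net)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def simulate(outbound_nat=False, static_route=False):
    """Run one request from CLIENT to SRV2 through FW1 and follow the reply.

    Returns (reply_reached_client, path) where path lists each hop.
    outbound_nat  -> solution 1: FW1 translates the source to its LAN IP.
    static_route  -> solution 2: SRV2 gets a route for the VPN subnet via FW1.
    """
    # SRV2's routing table: the LAN is on-link, everything else via FW2.
    srv2_routes = [(LAN, None), ("0.0.0.0/0", FW2_LAN)]
    if static_route:
        srv2_routes.append((VPN_NET, FW1_LAN))

    path = ["CLIENT -> FW1"]
    # FW1 forwards the request and records the (src, dst) flow it created.
    src_seen_by_srv2 = FW1_LAN if outbound_nat else CLIENT
    fw1_state = {(src_seen_by_srv2, SRV2)}
    path.append(f"FW1 -> SRV2 (src={src_seen_by_srv2})")

    # SRV2 answers the source address it saw, using its own routing table.
    gw = next_hop(srv2_routes, src_seen_by_srv2)
    first_hop = src_seen_by_srv2 if gw is None else gw
    path.append(f"SRV2 -> {first_hop}")

    if first_hop != FW1_LAN:
        # The reply lands on FW2, which has no state for a flow it never saw,
        # and FW1 never sees the reply at all: the client's session stalls.
        path.append("FW2 drops (no matching state)")
        return False, path

    # The reply reached FW1; it is accepted only if it matches recorded state.
    if (src_seen_by_srv2, SRV2) in fw1_state:
        path.append("FW1 -> CLIENT" + (" (un-NAT)" if outbound_nat else ""))
        return True, path
    path.append("FW1 drops (no matching state)")
    return False, path


if __name__ == "__main__":
    for label, kwargs in [("no fix", {}),
                          ("solution 1: outbound NAT", {"outbound_nat": True}),
                          ("solution 2: static route", {"static_route": True})]:
        ok, path = simulate(**kwargs)
        print(f"{label:26} {'OK  ' if ok else 'FAIL'}  " + " | ".join(path))
```

Running it shows the three cases side by side: without a fix, SRV2 sends the reply to its default gateway FW2 and the session never completes; with solution 1, SRV2 sees FW1's LAN address, so the reply stays on-link and comes straight back to FW1; with solution 2, SRV2's static route sends replies for the VPN subnet to FW1, which still holds the original client address in SRV2's logs.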
-
Perfect, I'll try as soon as possible
Thanks!
-
Remember to use your LAN interface on the outbound NAT rule, and set the destination to SRV2 (or create an alias containing the server(s) and use that). If you know which source addresses will be accessing SRV2 through FW1, you should also enter the source address.
-
Great!!!!! It's working perfectly with solution 1
Thank you very much!