Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    [SOLVED] Same subnet, two firewalls

    Scheduled Pinned Locked Moved NAT
    14 Posts 3 Posters 2.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      Skywlker
      last edited by

      It is not possible because there are dedicated services that run through FW2

      1 Reply Last reply Reply Quote 0
      • KOMK
        KOM
        last edited by

        What do you mean by 'dedicated services'?  You have some port forwards on FW2 that point to SRV2?  Or is FW2 itself providing some critical services?

        1 Reply Last reply Reply Quote 0
        • S
          Skywlker
          last edited by

          I apologize for my English, it is very bad.

          FW2 providing a critical services to SRV2 and it is untouchable and unusable for other connectivity.

          1 Reply Last reply Reply Quote 0
          • KOMK
            KOM
            last edited by

            Your English is just fine, but I wanted to confirm what I thought you were saying.  I don't think this will ever work like this, or at least I do not know how if it is possible.  You are starting a session through one stateful firewall and getting replies from another completely different firewall, which your end is dropping.  Maybe one of the smarter network guys here has a trick up his sleeve, but I don't.

            1 Reply Last reply Reply Quote 0
            • S
              Skywlker
              last edited by

              For best clarity

              Schema.jpg
              Schema.jpg_thumb

              1 Reply Last reply Reply Quote 0
              • S
                Skywlker
                last edited by

                In addition to, with others firewalls (eg. Kerio Winroute :o) it was working

                1 Reply Last reply Reply Quote 0
                • V
                  vindenesen
                  last edited by

                  I see two possible solutions:

                  • You could create an outbound NAT rule on FW1, that translates the source address on traffic destined for SRV2 to the LAN IP address of FW1. But this way, the logs on SRV2 will always display the IP address of FW1 as the client, when traffic from clients comes through FW1. Could be a security issue.

                  • Add static routes on SRV2 that tells it when to use FW1 as the gateway. For instance, add a static route on SRV2 that covers the subnet you use for OpenVPN clients.

                  Support the project by buying a Gold Subscription at https://portal.pfsense.org
                  Running pfSense on SuperMicro A1SRI-2758F with ESXi 5.5

                  1 Reply Last reply Reply Quote 0
                  • S
                    Skywlker
                    last edited by

                    The solution 1 looks good to me but, before try it, I would like to understand how the traffic through FW2 is routed with this solution

                    1 Reply Last reply Reply Quote 0
                    • V
                      vindenesen
                      last edited by

                      The traffic will not be routed through FW2, not when it originates from FW1. That's what the outbound NAT rule does. SRV2 will see the FW1 as the client, and since they are in the same subnet, it will not need to route the returning traffic to the default gateway. This won't affect the existing traffic that normally passes through FW2 towards SRV2.

                      Support the project by buying a Gold Subscription at https://portal.pfsense.org
                      Running pfSense on SuperMicro A1SRI-2758F with ESXi 5.5

                      1 Reply Last reply Reply Quote 0
                      • S
                        Skywlker
                        last edited by

                        Perfect, I'll try as soon as possible

                        Thanks!

                        1 Reply Last reply Reply Quote 0
                        • V
                          vindenesen
                          last edited by

                          Remember to use your LAN-interface on the oubound NAT rule, and set the destination to SRV2 (or create an alias containing the server(s) and use that). If you know what source addresses that will be accessing SRV2 through FW1, you should also enter source address.

                          Support the project by buying a Gold Subscription at https://portal.pfsense.org
                          Running pfSense on SuperMicro A1SRI-2758F with ESXi 5.5

                          1 Reply Last reply Reply Quote 0
                          • S
                            Skywlker
                            last edited by

                            Greate!!!!!  It's working perfectly with solution 1

                            Thank you very much!

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.