    Set static route but cant port forward

Routing and Multi WAN | 24 Posts, 4 Posters, 4.1k Views
johnpoz LAYER 8 Global Moderator

I am all for failure backup.. So setup a HA pair for your firewall and connect your main connection and your failover connection to it.. If your primary circuit goes down then you could leverage your backup line for email and such. And it can be used to access your network if need be, etc.

What you're trying to do is not anywhere close to standards or best practice - for very good reasons!!! You can not just throw up a second connection into your network and expect stuff to work when they all point to a different gateway.

If all you want is to use this connection as an out of band sort of access into your network, then setup a route on your L3 switch that says traffic comes from this source IP or network then send to firewall 2. So where do you access this out of band access from? Another office, your home, etc. You need to put up routes to all the places you would ever use this 2nd address..

This is really a pretty bad way to accomplish the goal. If your goal is failover for connection and hardware failure of your firewall, then setup firewalls in a HA pair (carp) and add whatever wan connections you have into your clustered firewalls.

Example: here are some basics on how to setup hardware failover with pfsense
https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
robina80

I have created the pfsense firewall as I have created an openvpn server BUT the openvpn server can only access my lan subnet and not all the other ranges on my switch even though I have created static routes on my pfsense fw and added the other ranges on my openvpn server.

I think I need to look at the hp switch procurve documentation to look at if traffic comes from network source A make it go out the same source, not the default static route.
Derelict LAYER 8 Netgate

I do this too. Have a remote site with fiber (Cisco router) and an ADSL into a pfSense for out-of-band access. For a couple hosts there we place static routes to all RFC1918 addresses back to pfSense (instead of the default gateway) so we can ssh directly to them over OpenVPN.

So if the fiber goes down we can ssh into something on the subnet and work FROM THERE.

IP routing just doesn't work like you want it to without an active routing protocol like OSPF on ALL INTERFACES on the subnet. And even that won't solve your asymmetric routing problem unless you use OSPF to swing the DEFAULT ROUTE from tmg to pfSense for the entire subnet - or at least the destination host in question.

You might also be able to do something with outbound NAT so, to other hosts on the subnet, connections would appear to come from the pfSense interface on the subnet making routing the return traffic out-of-scope.

Usually in an outage I'm just happy to be able to get in at all. Even if I have to chain a couple ssh sessions.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
robina80

So create a host (linux or windows machine) on the same lan as the pfsense fw and give the host the pfsense gateway or the gateway of the vlan switch?
Derelict LAYER 8 Netgate

To accomplish what?
robina80

You said "for a couple of hosts" and I thought you meant you put a couple of pcs on the same subnet as pfsense.

What did you mean by hosts then?
Derelict LAYER 8 Netgate

Tell your switch to route traffic from 172.16.8.100 to pfSense instead of the default gateway and it will work.

Put a host on the 10.10.20.0 subnet with pfSense as its default gateway and it will work.

But you will then have other issues like traffic from the subject host to other local assets.
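To make the asymmetric-routing point in Derelict's two posts above concrete (return traffic following the switch's default route to tmg instead of back to pfSense, and the two fixes: a route on the switch, or a host that uses pfSense as its gateway), here is an added example that is not from the thread or from pfSense: a small longest-prefix-match route simulator run over a constructed topology. Only the tunnel address 172.16.8.100 and the 10.10.20.0 subnet come from the thread; every other address, the 10.10.30.0/24 VLAN, and the node names are assumptions.

```python
import ipaddress

class Node:
    """A router or host: its own addresses plus a routing table of (prefix, next hop).
    Next hops are node names; "connected" means deliver straight to whoever owns dst."""
    def __init__(self, addrs, routes):
        self.addrs = {ipaddress.ip_address(a) for a in addrs}
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def next_hop(self, dst):
        matches = [(p, nh) for p, nh in self.routes if dst in p]
        # Longest-prefix match: the 0.0.0.0/0 default only wins when nothing else fits
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def trace(nodes, start, dst, max_hops=8):
    """Node names a packet to dst visits from `start`; ends in DROP if no one can route it."""
    dst, path, cur = ipaddress.ip_address(dst), [], start
    while cur is not None and len(path) < max_hops:
        path.append(cur)
        if dst in nodes[cur].addrs:
            return path
        nh = nodes[cur].next_hop(dst)
        if nh == "connected":
            nh = next((n for n, node in nodes.items() if dst in node.addrs), None)
        cur = nh
    return path + ["DROP"]

def build(switch_extra=()):
    # Constructed topology: pfSense (LAN 10.10.20.2) and TMG (10.10.20.254) share
    # 10.10.20.0/24 with the L3 switch (SVI 10.10.20.1). The target host is on VLAN
    # 10.10.30.0/24 behind the switch, whose default route points at TMG, not pfSense.
    # "jump" is a host on the pfSense LAN that uses pfSense as its default gateway.
    return {
        "client":  Node(["172.16.8.100"], [("0.0.0.0/0", "pfsense")]),
        "pfsense": Node(["10.10.20.2", "172.16.8.1"], [("172.16.8.0/24", "connected"),
                        ("10.10.20.0/24", "connected"), ("10.10.30.0/24", "switch")]),
        "switch":  Node(["10.10.20.1", "10.10.30.1"], [("10.10.20.0/24", "connected"),
                        ("10.10.30.0/24", "connected"), ("0.0.0.0/0", "tmg")] + list(switch_extra)),
        "tmg":     Node(["10.10.20.254"], [("10.10.20.0/24", "connected")]),  # no route to the tunnel
        "host":    Node(["10.10.30.50"], [("0.0.0.0/0", "switch")]),
        "jump":    Node(["10.10.20.60"], [("0.0.0.0/0", "pfsense")]),
    }

def round_trip(target, switch_extra=()):
    """(forward path, return path) between the VPN client and the node named `target`."""
    nodes = build(switch_extra)
    target_ip = str(next(iter(nodes[target].addrs)))
    return trace(nodes, "client", target_ip), trace(nodes, target, "172.16.8.100")
```

round_trip("host") reaches the host but its reply ends in DROP at tmg, which is why the stateful firewall never sees the return packets; passing [("172.16.8.0/24", "pfsense")] as switch_extra (the switch route Derelict describes) brings the reply back through pfSense, and round_trip("jump") shows the pfSense-gateway host working with no switch change at all.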
robina80

Thanks all for everyone's replies, really appreciate it, thank you.

Rob
robina80

As I have enabled openvpn server on my pfsense fw and I can remotely vpn in to it, I can access the remote lan but obviously not the other networks as the static routes don't work.

I was wondering if I build a host on the same network, ie a linux machine, and make that machine use pfsense as the gateway and on the linux machine add static routes to the other network.

If I install openvpn server on that linux machine will it manage to access the other networks as well or just its lan network?
Derelict LAYER 8 Netgate

I can't tell squat from "same network" (same network as what) or "that linux machine."

IP addresses, subnets, and routes. That's all that we need to try to help you. Specifics.

What, exactly, are you trying to accomplish?

OpenVPN is extremely flexible - especially with assigned interfaces, but it's still subject to IP routing rules.
Derelict LAYER 8 Netgate

Using this I can RDP/SSH etc into 172.26.45.100 from 192.168.223.100 and look at the entire network from behind the router if the Metro-E fails.

[Attached image: pfSense-Management-VPN.png]
robina80

Same network, I mean the same network as the pfsense fw, its local network.

And then on the linux machine I install openvpn server and it will be able to talk to the other networks, as I will add the static routes to the other networks on the linux machine.