Set static route but cant port forward
-
I am all for failure backup.. So setup a HA pair for your firewall and connect your main connection and your failover connection to it.. If you primary circuit goes down then you could leverage your backup line for email and such. And can be used to access your network if need be, etc.
What your trying to do is not anywhere close to standards or best practice - for very good reasons!!! You can not just throw up a second connection into your network and expect stuff to work when they all point to a different gateway.
if all you want is to use this connection as out of band sort of access into your network. Then setup a route on your L3 switch that says traffic comes from this source IP or network then send to firewall 2. So where do you access this out of band access from? Another office, your home, etc. You need to put up routes to all the places you would ever use this 2nd address..
This is really a pretty bad way to accomplish the goal. If you goal is failover for connection and hardware failure of your firewall. Then setup firewalls in a HA pair (carp) and add whatever wan connections you have into your clustered firewalls.
example here is some basics on how to setup hardware failover with pfsense
https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29 -
I have created the pfsense firewall as i have created an openvpn server BUT the openvpn server can only access my lan subnet and not all the other ranges on my switch even tho i have created static routes on my pfsense fw and added the other ranges on my openvpn server
I think i need to look at the hp switch procurve documwntation to look at if traffic comes from nwtwork source a make it go out the same source not the default static route
-
I do this too. Have a remote site with fiber (Cisco router) and an ADSL into a pfSense for out-of-band access. For a couple hosts there we place static routes to all RFC1918 addresses back to pfSense (instead of the default gateway) so we can ssh directly to them over OpenVPN.
So if the fiber goes down we can ssh into something on the subnet and work FROM THERE.
IP routing just doesn't work like you want it to without an active routing protocol like OSPF on ALL INTERFACES on the subnet. And even that won't solve your asymmetric routing problem unless you use OSPF to swing the DEFAULT ROUTE from tmg to pfSense for the entire subnet - or at least the destination host in question.
You might also be able to do something with outbound NAT so, to other hosts on the subnet, connections would appear to come from the pfSense interface on the subnet making routing the return traffic out-of-scope.
Usually in an outage I'm just happy to be able to get in at all. Even if I have to chain a couple ssh sessions.
-
So create a host (linux or windows machine) on the same lan as the pfsense fw and give the host the pfsense gateway or the gateway of the vlan switch?
-
To accomplish what?
-
You said "for a couple of hosts" and i thought you meant you put couple of pcs on the same subnet as pfsense
What did you mean by hosts then
-
Tell your switch to route traffic from 172.16.8.100 to pfSense instead of the default gateway and it will work.
Put a host on the 10.10.20.0 subnet with pfSense as its default gateway and it will work.
But you will then have other issues like traffic from the subject host to other local assets.
-
Thanks all for everyones replies really appreciate it thank you
Rob
-
As i have enabled openvpn server on my pfsense fw and i can remotley vpn in to it i can access the remote lan but obviously not the other networks as the static routes dont work
I was wondering if i build a host on the same nwtwork ie a linux machine and make that machine use pfsense as the gateway and on the linux machine add static routes to the other network
If i install openvpn server on that linux machine will it manage to access the other networks aswell or just its lan network
-
I can't tell squat from "same network" (same network as what) or "that linux machine."
IP addresses, subnets, and routes. That's all that we need to try to help you. Specifics.
What, exactly, are you trying to accomplish?
OpenVPN is extremely flexible - especially with assigned interfaces, but it's still subject to IP routing rules.
-
Using this I can RDP/SSH etc into 172.26.45.100 from 192.168.223.100 and look at the entire network from behind the router if the Metro-E fails.
-
Same network i mean same network as the pfsense fw, its local network
And then on the linux machine i install openvpn server and it will be able to talk to the other networks, as i will add the static routes to the other networks on the linux machine
