Two pfSense serving same LAN

misurex

Hello,

I have the following :

DMZ
|
|
+–------------+
www | Proxy | ...40.x
| +--------------+
| |
+-------------+ +---------------+
| | | |
| pfSense1 | | pfSense2 |
| | | |
+--------------+ +---------------+
Gateway \ /
...30.x \ / ...30.x
\ /
\ +----------------+ /
| App Server | /
+----------------+

From the DMZ I can ping the App Server (for now pfSense2 is full open to both ends), but I cannot ping from the LAN side, as expected, the only gateway of the ...30.x address is on the pfSense1 side.

Please help me to resolve my problem, I don't know what to do to route the ...40.x requests to the pfSense2.
Thank you.

doktornotor

Is this some most broken network design contest going on now, or what? Cannot even see what's WAN where. Why on earth are you multihoming the App Server, instead of letting router route things?

misurex

Because the App Server is in the same subnet (GREEN) with the rest of my computers (desktops, laptops, NAS, etc).
Ok, here's the whole design:

WWW
|
|
RED |
+–-----------------------------------------+
| |
| pfSense1 |
| |
+------------------------------------------+
GREEN | | BLUE | ORANGE
| | |
(LAN) | wireless |
| |
| |
| |
| | DMZ
| |
| |
| |
| |
| |
| |
| +--------------+
| | Proxy | ...40.x
| +--------------+
| |
| +---------------+
| | |
| | pfSense2 |
| | |
+---------------+
\ /
...30.x \ / ...30.x
\ /
\ +----------------+ /
| App Server | /
+----------------+

and the rest of the LAN subnet

Thank you.

KOM

You can't ping appserver on LAN from some other client on the same LAN segment? If so, pfSense is not involved in that issue? And like dok said, I also fail to see why you're multi-homing the appserver. I don't understand why you even have the second router.

doktornotor

@misurex:

Ok, here's the whole design:

Well that's even worse than what I thought. Huh…

misurex

I cannot ping from LAN (App Server) to PROXY (because the default gateway is on …30.x side (pfSense1), pfSense2 do not have a gateway).

I have two branches because:

GREEN is used to make the Updates of anything in the LAN ( Servers, Desktops)
DMZ is used only to serve to WWW the sites/apps from the Servers

Thank you.

misurex

OK, I figure it out, it's not a pfSense problem, I need to play with the server routing table, to indicate what to do if a request come from the .40.x side.

Thank you.

johnpoz

"request come from the .40.x side."

So your source natting as well? Putting a host in both your dmz and your lan via multihoming pretty much defeats the whole purpose of a "dmz"