Routing from WAN to DMZ (routing loop?)
-
Thanks for your quick reply!
The DMZ is connected to the LAN and internet via an IPFire distro.
For the rest of your diagram, it's correct, pfsense only relays outgoing data to the ISP router which handles the VPN connection.
-
I would get rid of the LAN facing interface on the IPFire box and create a transit network between pfSense and the IPFire box instead, ideally a /30 network. Once you set up the appropriate static routes everything will work just the way you want it.
-
"The DMZ is connected to the LAN and internet via an IPFire distro."
So you have a downstream router/firewall, this ipfire box, that hangs off your LAN? Yeah that is not good.. All kinds of asymmetrical routing could be happening.
MaxPF has it right: if you're going to have a downstream router it should be on a transit network..
-
Here is the network attached.
I get your point but the pfsense server only has 2 network interfaces. But still, I don't understand why I can't ping a LAN ip from the WAN interface, since pfsense is directly attached to the destination network, the routing process should be transparent…
-
Nice drawing thanks!! Makes it much easier to visualize your setup.
"I can't ping a LAN ip from the WAN interface,"
What exactly are you trying to ping and from where?
If you do not have another interface in pfsense - just use a vlan on your lan interface.. I would hope your switch in your lan is vlan capable??
If not, you could always get a cheap vlan switch with a few ports and use it to split the vlans before you connect to your ipfire and your other dumb switch. Does your pfsense have room for another interface? If so - nics can be had for cheap..
That setup is an asymmetrical nightmare ;)
-
On the pfsense web interface, I go to Diagnostics -> Ping, I select the WAN interface as source address and I get the same output:
PING 192.168.1.2 (192.168.1.2) from 192.168.100.240: 56 data bytes
36 bytes from 192.168.100.250: Redirect Host(New addr: 192.168.100.240)
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 28 0054 2c45 0 0000 40 01 66f9 192.168.100.240 192.168.1.2
Which makes me think that's not just a routing problem.
By asymmetrical, you mean that the DMZ will answer to the VPN sites by taking another path? That is not possible because the DNS they are using makes the DMZ unreachable via internet.
-
What I mean by asymmetrical is your lan devices, unless they have host routing to point to the ipfire to get to the dmz, are going to hairpin and then have an asymmetrical return.. 1st pic.
Now on your vpn devices getting to your dmz.. What are the routes on the ipfire for 192.168.x that is in your vpn/mpls cloud?? 2nd pic.
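To make the hairpin and asymmetric return concrete, here is an added example (not code from the thread or from pfSense/IPFire) that traces the forward and return path of a LAN-to-DMZ flow through two constructed topologies: the thread's layout, where IPFire hangs off the LAN and pfSense holds a static route to it, and the transit-/30 layout MaxPF suggested. All addresses (10.0.1.0/24 LAN, 10.0.2.0/24 DMZ, 10.0.3.0/30 transit) and node names are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple
Route = Tuple[str, Optional[str]]   # (prefix, next hop); next hop None means directly connected

def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match; returns the next hop, or None when dst is directly connected."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in routes if addr in ipaddress.ip_network(p)]
    if not hits:
        raise ValueError(f"no route to {dst}")
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def trace(nodes: Dict[str, dict], src: str, dst: str) -> List[str]:
    """Return the sequence of nodes a packet from node `src` to address `dst` traverses."""
    path, node = [src], src
    for _ in range(len(nodes)):                      # guard against routing loops
        if dst in nodes[node]["addrs"]:
            return path
        nh = lookup(nodes[node]["routes"], dst)
        target = dst if nh is None else nh           # connected: deliver; otherwise forward to next hop
        node = next(n for n, d in nodes.items() if target in d["addrs"])
        path.append(node)
    raise RuntimeError("routing loop: " + " -> ".join(path))

def is_symmetric(nodes: Dict[str, dict], a: str, a_ip: str, b: str, b_ip: str) -> bool:
    """True when the return path exactly reverses the forward path, so every stateful hop sees both directions."""
    return trace(nodes, a, b_ip) == trace(nodes, b, a_ip)[::-1]

# Topology 1 (the thread's setup, constructed addresses): IPFire has a LAN-facing interface; pfSense is
# the LAN default gateway and holds a static route for the DMZ pointing at IPFire's LAN address.
LAN_HANGOFF = {
    "host":    {"addrs": {"10.0.1.50"}, "routes": [("10.0.1.0/24", None), ("0.0.0.0/0", "10.0.1.1")]},
    "pfsense": {"addrs": {"10.0.1.1"}, "routes": [("10.0.1.0/24", None), ("10.0.2.0/24", "10.0.1.2")]},
    "ipfire":  {"addrs": {"10.0.1.2", "10.0.2.1"},
                "routes": [("10.0.1.0/24", None), ("10.0.2.0/24", None), ("0.0.0.0/0", "10.0.1.1")]},
    "server":  {"addrs": {"10.0.2.10"}, "routes": [("10.0.2.0/24", None), ("0.0.0.0/0", "10.0.2.1")]},
}
# Topology 2 (MaxPF's suggestion): IPFire loses its LAN interface and sits on a /30 transit net.
TRANSIT = {
    "host":    LAN_HANGOFF["host"],
    "pfsense": {"addrs": {"10.0.1.1", "10.0.3.1"},
                "routes": [("10.0.1.0/24", None), ("10.0.3.0/30", None), ("10.0.2.0/24", "10.0.3.2")]},
    "ipfire":  {"addrs": {"10.0.3.2", "10.0.2.1"},
                "routes": [("10.0.3.0/30", None), ("10.0.2.0/24", None), ("0.0.0.0/0", "10.0.3.1")]},
    "server":  LAN_HANGOFF["server"],
}
if __name__ == "__main__":
    for name, topo in (("LAN hang-off", LAN_HANGOFF), ("transit /30", TRANSIT)):
        print(f"{name}: {trace(topo, 'host', '10.0.2.10')} / {trace(topo, 'server', '10.0.1.50')}",
              "symmetric" if is_symmetric(topo, "host", "10.0.1.50", "server", "10.0.2.10") else "ASYMMETRIC")
```

In the first topology the DMZ server's replies go straight from IPFire to the LAN host, so pfSense only ever sees the outbound half of the flow and its state table has nothing to match the return against; with the transit network both directions cross pfSense.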
-
Hello,
Thanks, I have totally forgotten to add a route on ipfire, I can be dumb sometimes…
-
So your hosts have routes into the dmz on them? If not, it's an asymmetrical condition.
-
Yes, you're right, it's asymmetrical.
It's working now but we'll upgrade the pfsense with some NICs later… Thanks again.