Multi Lan/Wan Routing configuration
-
Hello to everyone in the community! Thank you for taking the time to read my post and hopefully help with this routing configuation.
Currently I am trying to remove IPSEC tunnels and replace them with a communication providers direct layer 2 fiber point to point networks. Allowing for local internet/LAN access over the direct tunnel though the main firewall. Each one of the locations connections is a physical interface, brought back to the Main firewall except for one. I figured I could use static routes to on the Main firewall and the pfsense router to accomplish the connection.
On the Pfsense router at the top of the diagram (192.168.3.254/192.168.16.254) I disabled all packet filtering and, for testing, placed in wildcard all rules in the firewall. I setup two static routes, the main firewall to the remote 192.168.16.0/24 using the gateway of 192.168.3.254 and on the pfsense router to the remote network of 192.168.0.0/23 and a gateway of 192.168.1.254. I can ping from either side of the network and pass traffic.
The problem is that I am unable to route to the internet from the remote 192.168.16.0/24 network. How can I accomplish this ? This is something I am doing wrong, and after many hours of google searches and reading the forum I hope you all can help!
![Network Layout for pfsense.JPG](/public/imported_attachments/1/Network Layout for pfsense.JPG)
![Network Layout for pfsense.JPG_thumb](/public/imported_attachments/1/Network Layout for pfsense.JPG_thumb) -
still beating my head against a wall on this, is there any other NAT routed solutions that would work ?
-
Your drawing isn't absolutely clear.
There are 8 instances total of pfSense represented here? Or 2 instances, Main, and the Remote you're having difficulties with?
Opt4 192.168.3.253/24 represents what?
pfSense Router WAN 192.168.3.254 LAN 192.168.16.254 represents what? -
Sorry about the confusion ! Hopefully this revised diagram is more helpful.
There are 2 instances of pfSense, the main firewall and the pfSense router. The main firewall has 6 network cards, the LAN side of the firewall is 4 networks (opt4, opt2, opt3, LAN) and each is connected to their own switch. The WAN side of the firewall is the remaining 2 NICs (WAN, opt1).
The router is the one I am having issues with, attempting to access the internet from the 192.168.16.0/24 network. I can get pings to/from 192.168.1.254/23, 192.168.3.254/24 and 192.168.16.254/24 networks but attempting to use internet from the 192.168.16.0/24 routed though first the pfSense router then though the main firewall is not working.
![Network Layout for pfsense v2.JPG](/public/imported_attachments/1/Network Layout for pfsense v2.JPG)
![Network Layout for pfsense v2.JPG_thumb](/public/imported_attachments/1/Network Layout for pfsense v2.JPG_thumb) -
If your not going to nat frrom 192.168.16 to the 192.168.3 network then 192.168.3 becomes a transit and you have to have a gateway setup on the main pfsense to point to the 192.168.3.254. Then create a route to tell the main pfsense how to get to 192.168.16 via that gateway.
You will then have to make sure that main pfsense allows that downstream network, and if you have messed with outbound nat other than automatic you will have to make sure outbound nat will nat that downstream network.
You will have a problem with devices on the 192.168.3 and 192.168.16 talking to each other because with hosts on a transit network you now have asymmetrical routing between them. Any hosts on a transit network (which there should really never be any) would need host routing to know how to talk to this downstream network from them via pointing to their default gateway the main pfsense.
-
After some googling i think i understand what you mean, I will try to set this up on the test bench today and verify!