How to set up Static Routes?
-
Hello all,
I need to set up a static route for certain traffic for a VPN connection. Hopefully here is enough information.
For our business system I'm being told the following:
"You will need to add a route in the PFSense that reads as follows: From Any to 10.8.10.0/24 for any-port, next-hop 192.168.1.1"
Below is probably more than is needed, but I figure too much info is better than stringing out a topic to 10 pages asking questions back and forth.
Our current hardware setup: We currently have a SonicWall unit that is acting as our firewall, router, and VPN connection for an offsite business system (we are required by the system provider to use this unit to connect to their system) for all traffic. All internal, internet and VPN traffic is handled by this unit.
Our planned future setup: Use the SG3100, we just got today, as our firewall and router (for all local and web traffic). Use the SonicWall for the VPN connection only.
Our setup will have an unmanaged switch between the SG3100, the SonicWall and the cable modem. There will be a cable from the modem to the switch, from the switch to the SG3100, from the switch to the SonicWall and from the SonicWall to the SG3100.
Any and all help will be GREATLY appreciated.
On a side note: If I can use the "Opt1" port on the SG3100 for the connection to the SonicWall, that will help with the rest of my network physical setup.
-
I think, I've seen that post before.
Have you got a second SG3100 now?
"Our planned future setup: Use the SG3100, we just got today, as our firewall and router (for all local and web traffic). Use the SonicWall for the VPN connection only.
Our setup will have an unmanaged switch between the SG3100, the SonicWall and the cable modem. There will be a cable from the modem to the switch, from the switch to the SG3100, from the switch to the SonicWall and from the SonicWall to the SG3100."
A schematic drawing of your setup with IPs would bring some light in that here.
Also a description what's the goal of the static route.
-
"If I can use the "Opt1" port on the SG3100 for the connection to the SonicWall, that will help with the rest of my network physical setup."
Yeah you would connect any sort of other router via a transit network.. So yes using optX interface would be good for that.
You then just create static routes down the transit network to use the sonicwall.
But really with viragomann here - drawing is worth 10K words.. Please draw up how your network is currently and how you believe it should look in FMO..
-
I have attached an image showing our current and planned maps. The "Ports" list on the links to the SG3100 refers to the ports on the SG3100 only. I hope this helps. The goal of the static route is: Our business system uses a terminal emulator to connect to an offsite server. I need to point all 10.8.10.0/24 traffic to the SonicWALL (hopefully on the OPT1 port) and all other traffic to the WAN port. The reason for this is our business system provider requires us to use their SonicWALL for the VPN connection. For their security reasons, we are not allowed to have any access to the SonicWALL to make any changes.
-
What network is on the WAN port? You're behind a cable modem, so do you get multiple public IPs from your ISP, or is that really a gateway doing NAT, and this WAN network some RFC 1918 space?
Is that switch smart or just a dumb switch, so your pfSense and SonicWall are sharing the same layer 2 network?
But sure, such a setup is very possible. But if you can not make any changes on the SonicWall you would have to NAT the traffic.. And you would not be able to have 192.168.1 on your LAN and your OPT network.
You would need your LAN to use a different network than what the SonicWall is currently using..
-
The network on the WAN port is just the switch (dumb switch).
We currently have a single static IP but we will have 5 once this is implemented.
The purpose of the dumb switch on the WAN port is for connecting multiple devices to the cable modem.
The SG3100 will have one static IP and the SonicWALL will have its own.
-
Great.. What is that network behind the SonicWall… You can not route to it from pfSense if it's going to be the same network as the pfSense 192.168.1 LAN network.. If you can not set up this SonicWall network, then the network you put behind pfSense is going to have to be something different.
-
Physically speaking, nothing is behind the SonicWALL. It will have its own IP address (not sure what it will be just yet). It will also no longer have DHCP turned on. Its only reason to exist is to maintain the VPN tunnel to our business system.
-
You stated you can not make changes to the SonicWall.. So you can get them to put whatever IP on it you want? Will they be able to put routes on it for you? Or are you going to have to NAT..
-
They will change its IP address. I assume it can be anything I want. The only routes they will set up on the SonicWALL are whatever they need for the VPN tunnel. I'm hoping to set up pfSense to route all 10.8.10.0/24 traffic to the SonicWALL and everything else will go through the SG3100.
-
The planned configuration looks fine, but bear in mind that you would need to add static routes to the SonicWall as well so it can route the packets back. As is, the SonicWall does not know where your LAN segment is.
There are multiple solutions for this depending on how much you can tinker with the SonicWall. Your planned configuration is my favorite, but if you cannot add static routes on it, you can also NAT on pfSense's OPT1. Or you can leave the SonicWall directly hanging on your LAN (with some security considerations) and the single static route on pfSense would do the trick.
-
They will configure the SonicWall on their end. I just need to make sure that pfSense is routing correctly on my end.
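
The checks raised in this thread (no overlapping LAN and transit networks, longest-prefix selection of the 10.8.10.0/24 route, and a return path on the SonicWall or NAT on OPT1) can be tested against an addressing plan before cabling anything. This is an added example, not part of any post and not pfSense code; the LAN 192.168.10.0/24, the OPT1 address 192.168.1.2 and the WAN gateway 203.0.113.1 are assumed values, while 10.8.10.0/24 and next hop 192.168.1.1 come from the thread.

```python
import ipaddress as ip

# pfSense routing table as (destination, gateway); WAN gateway is a constructed value.
PFSENSE_ROUTES = [("0.0.0.0/0", "203.0.113.1"), ("10.8.10.0/24", "192.168.1.1")]

def next_hop(dst, routes):
    """Longest-prefix match: gateway of the most specific route covering dst."""
    addr = ip.ip_address(dst)
    hits = [(ip.ip_network(n), gw) for n, gw in routes if addr in ip.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def check_plan(lan, transit, vpn_gw, remote, vpn_router_routes, nat_on_opt1):
    """Return a list of problems in a pfSense + separate VPN router layout."""
    lan, transit, remote = (ip.ip_network(x) for x in (lan, transit, remote))
    problems = []
    if lan.overlaps(transit):
        problems.append("LAN overlaps the transit (OPT1) network")
    if remote.overlaps(lan) or remote.overlaps(transit):
        problems.append("remote VPN network overlaps a local network")
    if ip.ip_address(vpn_gw) not in transit:
        problems.append("next hop is not on the transit network")
    # Without NAT the VPN router sees LAN source addresses and must route
    # replies back to them; with NAT it only sees pfSense's OPT1 address,
    # which is directly connected on the transit network.
    if not nat_on_opt1:
        has_return = any(lan.subnet_of(ip.ip_network(n))
                         for n, _ in vpn_router_routes)
        if not has_return:
            problems.append("VPN router has no return route to the LAN")
    return problems

if __name__ == "__main__":
    print(next_hop("10.8.10.25", PFSENSE_ROUTES))    # business system traffic
    print(next_hop("198.51.100.7", PFSENSE_ROUTES))  # everything else
    # Same 192.168.1.0/24 on LAN and OPT1: rejected.
    print(check_plan("192.168.1.0/24", "192.168.1.0/24", "192.168.1.1",
                     "10.8.10.0/24", [], nat_on_opt1=True))
    # Separate LAN, no NAT, provider adds no return route: replies are lost.
    print(check_plan("192.168.10.0/24", "192.168.1.0/24", "192.168.1.1",
                     "10.8.10.0/24", [], nat_on_opt1=False))
    # Separate LAN with outbound NAT on OPT1: no problems reported.
    print(check_plan("192.168.10.0/24", "192.168.1.0/24", "192.168.1.1",
                     "10.8.10.0/24", [], nat_on_opt1=True))
```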