Netgate Discussion Forum

Internal routing of Vlans

General pfSense Questions
vlans nat routing internal
AK 0
last edited by Feb 20, 2019, 4:29 AM

@Derelict
VLANs are created under the physical LAN interface ig0, and the parent interface for these VLANs is ig0.

Actually, what I want to achieve is that when traffic from the VLANs goes out, it should first reach the
VLAN gateway >> LAN gateway >> WAN port, and should not do VLAN >> WAN port.
Tracert should be
1. VLAN IP (192.168.100.1)
2. LAN IP (192.168.10.1)
3. Gateway IP (1.2.3.4)
instead of
1. VLAN IP (192.168.100.1)
2. Gateway IP (1.2.3.4)
I'm trying to double NAT for the VLANs; the first NAT should be internal and then the gateway.

@tim-mcmanus: If we simply capture the packet, on inspection it can show the source device and then the route the packet came from. So someone with that much information and hacking knowledge can easily walk into your network. Also, they can send a packet with the header upside down to hit the server behind the pfSense firewall, located on the VLAN.

Derelict LAYER 8 Netgate
last edited by Feb 20, 2019, 4:30 AM

Still makes no sense. What does the LAN gateway have to do with anything?

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

johnpoz LAYER 8 Global Moderator @AK 0
last edited by Feb 20, 2019, 4:31 AM

@ak-0 said in Internal routing of Vlans:

So, someone with that much information and hacking knowledge

I think someone has been watching many nonsense hacker movies ;)

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11

AK 0
last edited by Feb 20, 2019, 4:38 AM

@Derelict The LAN interface gateway is just used to route VLAN traffic to the WAN.

@johnpoz It's just the requirement. I've tried it on Cisco and MikroTik routers and it does work. As mentioned earlier, pfSense is under trial testing to check whether it does the things the other routers were doing, so it can replace Cisco or MikroTik.

johnpoz LAYER 8 Global Moderator
last edited by Feb 20, 2019, 4:48 AM

Requirement of who?? Sorry, but I've been in the biz for 30-some years, run multiple infosec teams, audits out the ying yang... Never heard of such a thing. So who is saying you should do it this way? Mr. Robot? ;)

AK 0
last edited by Feb 20, 2019, 4:54 AM

@johnpoz It's the client's requirement, and they had the same kind of traffic routing setup before. So the pfSense trial testing is to show that it can do it, or we have to go with other solutions.

So, if I want to route all VLAN traffic to the LAN, not to the WAN, then this VLAN traffic will go through the LAN interface to the WAN. What can be done to accomplish this?

johnpoz LAYER 8 Global Moderator
last edited by johnpoz Feb 20, 2019, 5:10 AM

You put your VLANs behind a downstream router and use your "LAN" as the transit to get to the edge. It makes ZERO sense to hit a router, then internally route it to another interface on the same router, and then go out the WAN. ZERO!!!

You know, in IT the customer is NOT always right... They have some idiot that should be swapping out mice for users that somehow got into some CSO position? You need to explain to them that it's nonsense to do such a thing.

Why are you trying to save them money? If Cisco will do such nonsense, then charge them for the $20K Cisco router/ASA and put your 20% markup on it, etc. etc., and make more money ;) Unless you're trying to charge them a Cisco budget while using pfSense? ;)

JKnott @AK 0
last edited by Feb 20, 2019, 11:56 AM

@ak-0 said in Internal routing of Vlans:

If we simply capture the packet, on inspection it can show the source device and then the route the packet came from.

????

The packet will show only the source and destination addresses, nothing at all about the route. Of course, once you pass through NAT the original source is overwritten.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...

JKnott @johnpoz
last edited by Feb 20, 2019, 12:14 PM
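JKnott's point above (the IPv4 header carries source and destination addresses only, and NAT overwrites the source), traced through the double-NAT path AK 0 described earlier in the thread, as an added example that is not part of the thread and not pfSense code: it builds a minimal IPv4 header, forwards it through three modelled hops with an "internal" NAT at the LAN gateway and a second NAT at the edge, and parses what a capture on the WAN side would show. The gateway addresses are the ones quoted in the thread; the client, server and LAN-side NAT addresses are constructed for the example.

```python
import socket
import struct
from typing import Optional

# Addresses quoted in the thread: VLAN gateway, LAN gateway and the public gateway IP.
VLAN_GW = "192.168.100.1"
LAN_GW = "192.168.10.1"
WAN_IP = "1.2.3.4"
# Constructed sample values (not from the thread): the VLAN client, the internet
# server it talks to, and the LAN-side address the first ("internal") NAT maps to.
CLIENT = "192.168.100.50"
SERVER = "203.0.113.10"
LAN_NAT_IP = "192.168.10.50"


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement of the one's-complement sum of 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ttl: int = 64, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header (no options, no payload) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20, 0x1234, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(hdr: bytes) -> dict:
    """Everything a sniffer can read out of the header; there is no route or path field."""
    ver_ihl, _tos, _tlen, _ident, _flags, ttl, proto, _cksum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    return {
        "version": ver_ihl >> 4,
        "ihl": ver_ihl & 0x0F,
        "ttl": ttl,
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        # A header whose checksum field is correct sums to 0xFFFF, so recomputing gives 0.
        "checksum_ok": ipv4_checksum(hdr[:20]) == 0,
    }


def forward(hdr: bytes, snat_to: Optional[str] = None) -> bytes:
    """One router hop: decrement TTL, optionally rewrite the source (SNAT), recompute checksum."""
    ttl = hdr[8]
    if ttl <= 1:
        # A real router drops the packet here and sends ICMP Time Exceeded; traceroute relies on that.
        raise ValueError("TTL expired")
    src = socket.inet_aton(snat_to) if snat_to else hdr[12:16]
    new = hdr[:8] + bytes([ttl - 1]) + hdr[9:10] + b"\x00\x00" + src + hdr[16:20]
    return new[:10] + struct.pack("!H", ipv4_checksum(new)) + new[12:]


def capture_on_wan() -> dict:
    """Model the double-NAT path from the thread (VLAN gw -> LAN gw -> WAN) and return
    what a capture on the outside of the edge would show."""
    pkt = build_ipv4_header(CLIENT, SERVER)
    pkt = forward(pkt)                        # VLAN gateway hop, no NAT
    pkt = forward(pkt, snat_to=LAN_NAT_IP)    # "internal" NAT onto the LAN subnet
    pkt = forward(pkt, snat_to=WAN_IP)        # edge NAT onto the public address
    return parse_ipv4_header(pkt)


if __name__ == "__main__":
    seen = capture_on_wan()
    for field, value in seen.items():
        print(f"{field:12} {value}")
    print("original source present:", CLIENT in seen.values())
    print("route fields present:", any(k in seen for k in ("route", "path", "hops")))
```

The only trace the inner hops leave is the TTL decrement, and the outside observer cannot tell from that which gateways were involved or what the pre-NAT source was; a hop count is exactly what traceroute has to provoke with ICMP Time Exceeded replies, which is a separate exchange and not something read out of a captured packet.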

@johnpoz said in Internal routing of Vlans:

You know in IT the customer is NOT always right..

Yep, I had one customer last year who had the office wired with CAT6. She was upset that I used a CAT5 cable to connect my computer to the switch. She apparently thought it would bog down the entire network. Apparently her husband reads computer magazines, so that makes her an "expert"! 😉

Gryman @AK 0
last edited by Feb 21, 2019, 10:25 PM

@ak-0 said in Internal routing of Vlans:

@Derelict
VLANs are created under the physical LAN interface ig0, and the parent interface for these VLANs is ig0.

Actually, what I want to achieve is that when traffic from the VLANs goes out, it should first reach the
VLAN gateway >> LAN gateway >> WAN port, and should not do VLAN >> WAN port.
Tracert should be
1. VLAN IP (192.168.100.1)
2. LAN IP (192.168.10.1)
3. Gateway IP (1.2.3.4)
instead of
1. VLAN IP (192.168.100.1)
2. Gateway IP (1.2.3.4)
I'm trying to double NAT for the VLANs; the first NAT should be internal and then the gateway.

@tim-mcmanus: If we simply capture the packet, on inspection it can show the source device and then the route the packet came from. So someone with that much information and hacking knowledge can easily walk into your network. Also, they can send a packet with the header upside down to hit the server behind the pfSense firewall, located on the VLAN.

I've worked in environments that required double NAT, and I would suggest avoiding it at all costs. The only real reason to do this is IP overlap between networks. Security through obscurity is not something to rely on, and even if they knew your internal IP was 192.168.1.20, they can't do anything with it from the outside.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.