Routing between DMZ and GW both using a subnetted range
-
Hi all, We have a new installation of a pair of pfSense boxes running CARP to replace a single Cisco ASA.
We have LAN/DMZ/GW interfaces. The LAN is 192.168.x.x/24 with NAT translation working OK to the GW interface and out to the internet, all OK. However, we have one /27 network, 213.122.xxx.xxx, assigned by the ISP and we have subnetted this down to two /28s. One half of this network is used on the GW interface and on the upstream provider's managed router, and for other LAN endpoints that can use NAT. On the DMZ we have the second /28 and some hosts (PBX) off a separate switch with public IPs within that same /28; however, we can't seem to get the DMZ /28 to route traffic out of the GW /28. We have checked that all the masks are correct and there is no overlapping. There is only one default route on the pfSense, pointing out of GW. I hope I have explained this well enough!
-
@andrew-frowen said in Routing between DMZ and GW both using a subnetted range:
There is only one default route on the pfsense pointing out of GW.
Did you tell your Upstream/ISP, that you are segmenting the /27 into two /28 subnets? Does he route the second half to your pfSense IP in the first half? If not you'll encounter a routing error. If you have that /27 routed to you via a transfer network, that is another case, but as that wasn't mentioned I suppose you have your GW in the same /27 network that your pfSense is (the first /28 now)?
-
Hi, thanks for the help. We have one 213.122.167.xxx/27 assigned by BT and this is all routed to our GW interface. We have then split this into 2x /28s.
-
@andrew-frowen said in Routing between DMZ and GW both using a subnetted range:
this is all routed to our GW interface
So it is routed via a transfer network, something different from the IPs in the /27?
If that's the case:
- How have you configured the WAN & DMZ interfaces of pfSense?
- What's the GW setting on the DMZ host?
- What's your GW on the WAN side?
- Are there rules in Outbound NAT?
-
@JeGr said in Routing between DMZ and GW both using a subnetted range:
What's the GW setting on the DMZ Host
Hi, I will try and answer your questions below:
How have you configured the WAN & DMZ interfaces of pfSense?
The WAN interface has xxx.xxx.34 and the ISP router has xxx.xxx.xxx.33, all in 255.255.255.224 (/27); the bit boundary is the .32 network. However, I am unsure if the mask on the ISP side is 255.255.255.255, but the mask on our GW interface is 255.255.255.240 (/27).
We are also unsure how the ISP is routing the /27 network to us; it could be either next hop or out of ETH0, as it's Cisco.
What's the GW setting on the DMZ host?
The GW setting on the DMZ host xxx.xxx.xxx.52 /28 is the DMZ CARP address xxx.xxx.xxx.49 /28.
What's your GW on the WAN side?
The WAN GW is the ISP interface xxx.xxx.xxx.33 (not sure if this is host 255 or /27 224).
Are there rules in Outbound NAT?
Yes, to block IPs originating from the DMZ to the WAN.
-
@andrew-frowen said in Routing between DMZ and GW both using a subnetted range:
The WAN interface has xxx.xxx.34 and the ISP router has xxx.xxx.xxx.33 all in 255.255.255.224 (/27) bit boundary is .32 Network, however I am unsure if the mask on the ISP side is 255.255.255.255 but the mask on our GW interface is 255.255.255.240 (/27)
That's what I asked above! If your ISP has your Gateway in the same network (/27) as your IP range, then it's not routed to you (via transfer net). They have to change their netmask in the gateway device from /27 to /28 and route the other half of that /28 to your .34 WAN IP. Without them changing their netmask - and no I don't think they have anything configured with /32 (why should they?) - your configuration won't work, as the traffic won't hit your pfSense WAN interface on the way in.
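The failure JeGr describes comes down to how the upstream router decides between "directly connected" and "forward to a next hop". The script below is an added example, not code from the thread or from pfSense: it models that decision with Python's standard `ipaddress` module so you can check a proposed addressing plan before asking the ISP for a change. All addresses are constructed from the RFC 5737 documentation ranges (203.0.113.0/24 and 198.51.100.0/24) and stand in for the real 213.122.167.xxx block; the function and dataclass names are my own.

```python
# Added example (not from the thread): models how an upstream router decides
# whether a destination is on-link or must be forwarded, to show why a /28
# carved out of a /27 that the ISP still sees as connected never reaches the
# pfSense WAN interface, and what the corrected upstream configuration looks like.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Verdict:
    dmz_on_link_at_upstream: bool         # upstream ARPs for DMZ hosts itself instead of forwarding
    next_hop_reachable: bool              # pfSense WAN IP lies inside the upstream's connected prefix
    dmz_routed: bool                      # a prefix the upstream routes to the WAN IP covers the DMZ
    fixed_upstream_prefix: Optional[str]  # narrowed upstream prefix that excludes the DMZ, if one exists

    def works(self) -> bool:
        """DMZ traffic reaches pfSense only if the upstream forwards it (not on-link),
        can reach the next hop, and actually holds a route for the DMZ."""
        return (not self.dmz_on_link_at_upstream) and self.next_hop_reachable and self.dmz_routed


def check_dmz_reachability(upstream_iface: str, wan_ip: str, dmz_net: str,
                           routed_to_wan: Tuple[str, ...] = ()) -> Verdict:
    """upstream_iface: the ISP router's interface address with ITS mask (e.g. '.33/27').
    wan_ip: the pfSense WAN address with its mask.
    dmz_net: the DMZ prefix behind pfSense.
    routed_to_wan: prefixes the ISP has static-routed to wan_ip (empty if none)."""
    up = ipaddress.ip_interface(upstream_iface)
    wan = ipaddress.ip_interface(wan_ip)
    dmz = ipaddress.ip_network(dmz_net, strict=True)
    routed = [ipaddress.ip_network(p, strict=True) for p in routed_to_wan]

    # Longest-prefix match at the upstream: if its connected prefix covers the DMZ and
    # no static route more specific than that prefix exists, the router treats DMZ
    # hosts as neighbours on its own segment and ARPs for them. Those ARPs are never
    # answered (the hosts sit behind pfSense), so inbound traffic is dropped upstream.
    more_specific_route = any(dmz.subnet_of(r) and r.prefixlen > up.network.prefixlen
                              for r in routed)
    on_link = up.network.overlaps(dmz) and not more_specific_route
    reachable = wan.ip in up.network
    dmz_routed = any(dmz.subnet_of(r) for r in routed)

    fixed: Optional[str] = None
    if on_link:
        # Halve the upstream's connected prefix repeatedly, keeping the half that
        # contains the upstream's own address, until the DMZ falls outside it.
        candidate = up.network
        while candidate.overlaps(dmz) and candidate.prefixlen < up.network.max_prefixlen:
            candidate = next(s for s in candidate.subnets(prefixlen_diff=1) if up.ip in s)
        # The narrowed mask only helps if the pfSense WAN IP is still on-link afterwards.
        if wan.ip in candidate and not candidate.overlaps(dmz):
            fixed = str(candidate)
    return Verdict(on_link, reachable, dmz_routed, fixed)


if __name__ == "__main__":
    # Constructed scenario matching the thread: ISP keeps /27 on its interface, no static route.
    broken = check_dmz_reachability("203.0.113.33/27", "203.0.113.34/28", "203.0.113.48/28")
    print("as described:", broken, "works =", broken.works())
    # ISP narrows its mask to /28 and routes the second /28 to the pfSense WAN IP.
    fixed = check_dmz_reachability("203.0.113.33/28", "203.0.113.34/28", "203.0.113.48/28",
                                   routed_to_wan=("203.0.113.48/28",))
    print("after ISP change:", fixed, "works =", fixed.works())
    # The transfer-network case JeGr asked about: whole /27 routed via a separate /30.
    transfer = check_dmz_reachability("198.51.100.1/30", "198.51.100.2/30", "203.0.113.48/28",
                                      routed_to_wan=("203.0.113.32/27",))
    print("transfer net:", transfer, "works =", transfer.works())
```

Running it with the thread's layout (first call) reports the DMZ as on-link at the upstream with no route, and proposes 203.0.113.32/28 as the narrowed upstream prefix; the second call shows the configuration JeGr recommends passing every check, and the third shows why a routed /27 over a transfer network would have worked without any subnet split at the ISP.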
-
Understood. As an alternative to subnetting the /27 down, could we use bridging on the DMZ interface using the same /27 subnet?
-
@andrew-frowen said in Routing between DMZ and GW both using a subnetted range:
, we use bridging on the DMZ interface using the same /27 subnet?
Nope, if it can be avoided, don't bridge. Just tell them to split the /27 into 2x /28 and route the second half to the IP you communicate (.34).
-
Yeah, you need them to route the network to you, rather than just directly attaching you via the bigger network.