CentOS - sending all LAN traffic to pfSense



  • Hi,

    I've been playing with policy-based routing on CentOS, and generally succeeding in getting where I want. I am missing one piece of the puzzle - I would like all my LAN-side equipment to communicate through pfSense, in effect using pfSense as a gateway not only between LAN and WAN but between LAN and LAN.

    I know I can have each piece of equipment on its own subnet, or plugged directly into pfSense (if, say, I had a 15-port pfSense), but I would like to avoid that if at all possible and have them all plugged into a switch, but forcing their IP routes through pfSense.

    I've tried putting the following route into CentOS to test one single destination:

    ```
    ip route add 192.168.4.8/32 via 192.168.4.1
    ```

    ...and it works - once! Then all subsequent tracert runs go directly to 192.168.4.8, instead of through 192.168.4.1
    
    Is this even possible? Or does it require a special switch with a specific feature to accomplish this?


  • I'm a little unclear on a few things here, so perhaps you could explain. You have a LAN (I assume the network is on 192.168.4.0/24, but you've not said) and you want all your hosts on that LAN to not send traffic directly to one another on the same network but only through the firewall. Is this right? And if this is right, then my next question is this: Why?



  • @muswellhillbilly:

    I'm a little unclear on a few things here, so perhaps you could explain. You have a LAN (I assume the network is on 192.168.4.0/24, but you've not said) and you want all your hosts on that LAN to not send traffic directly to one another on the same network but only through the firewall. Is this right? And if this is right, then my next question is this: Why?

    You are exactly right. Context: I have two LANs in this particular setup. One is composed of PCs and printers, and works "normally". The other is made of a few critical servers, which I want to micro-manage to the extent that even server-to-server communications have to be explicitly allowed to happen. I could do this with iptables on each server, but it seems more easily manageable from a central location (pfSense in this case).

    Therefore I want the 192.168.4.x servers to send everything, even traffic destined for their own subnet, to pfSense.



  • You're not supposed to put multiple layer 3 networks on the same wire.  Routing inter-LAN traffic through the gateway is a nasty hack.  Why not just use VLANs or a separate interface altogether if it's that critical?



  • @KOM:

    You're not supposed to put multiple layer 3 networks on the same wire.

    They aren't on the same wire - my pfSense box has 6 interfaces, so I used one for WAN and one for each LAN. From LAN A to LAN B everything goes through pfSense already, as it should.

    But I can't put each server that's on 192.168.4.x on its own pfSense interface - I don't have enough of those. Would that be the only (good) solution for what I want?



  • A network diagram of your setup would help us in our guesswork here. You just have WAN, LAN and OPT1 defined? What are your LAN subnets and masks?

    Why not just have a separate subnet for your servers, and put them on their own pfSense OPT interface, essentially a DMZ?  So much easier and logical than what you were trying to do.



  • @Mike:

    I want to micro-manage to the extent that even server-to-server communications have to be explicitly allowed to happen.

    I'm with KOM here. Put your servers on their own network (OPT1/DMZ?) and if you want to restrict server-to-server comms, either selectively enable only those services each server needs to broadcast or - as you initially suggested - put iptables rules on the machines directly.



  • Got it - so there is no easy way to do this, short of putting them on their own networks or putting the rules on the servers themselves.

    Thank you
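The thread ends on the per-server iptables option, so here is what that looks like in practice. This is an added example, not code from anyone in the thread: a small POSIX sh script that builds a default-deny INPUT policy for one server and accepts only listed peers. It assumes (none of this is stated in the thread) that the server LAN is 192.168.4.0/24 with pfSense at 192.168.4.1, that the host running it is 192.168.4.8, and that the peer/port allow-list is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): per-server iptables policy that
# denies same-subnet traffic unless a peer/port pair is explicitly listed.
# Assumptions, all constructed for illustration: server LAN 192.168.4.0/24,
# pfSense LAN address 192.168.4.1, this host 192.168.4.8, and the allow-list.
set -eu

SERVER_NET="192.168.4.0/24"
GATEWAY="192.168.4.1"

# Allow-list: one "peer proto port" per line (constructed sample data).
# Only these inbound flows from other servers on the subnet are accepted.
ALLOW_LIST="192.168.4.10 tcp 5432
192.168.4.11 tcp 22
192.168.4.12 udp 514"

# Emit the iptables commands instead of running them, so the policy can be
# reviewed (and checked) without root; 'apply' pipes them into sh.
build_rules() {
    # Loopback and replies to this host's own connections come first.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # pfSense's own traffic (its DNS/NTP/ping from the LAN address) is trusted.
    echo "iptables -A INPUT -s $GATEWAY -j ACCEPT"
    # Explicitly allowed server-to-server flows, one rule per allow-list line.
    printf '%s\n' "$ALLOW_LIST" | while read -r peer proto port; do
        [ -n "$peer" ] || continue
        echo "iptables -A INPUT -s $peer -p $proto --dport $port -j ACCEPT"
    done
    # Anything else from the server subnet is logged, then dropped. Traffic
    # from other networks has a different source and is left to pfSense,
    # which already sits between the LANs.
    echo "iptables -A INPUT -s $SERVER_NET -j LOG --log-prefix 'SRV-DENY: '"
    echo "iptables -A INPUT -s $SERVER_NET -j DROP"
}

# Number of ACCEPT rules the policy produces (useful as a sanity check
# against the allow-list length: 3 fixed rules + one per peer).
accept_rule_count() {
    build_rules | grep -c -- '-j ACCEPT'
}

case "${1:-show}" in
    show)  build_rules ;;            # print the rules for review
    apply) build_rules | sh -e ;;    # run as root on the server
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it with `show` to review the generated rules and `apply` (as root) to install them. The rules only cover what the thread identifies as the gap: packets between hosts on the same switch, which never reach pfSense. Inter-LAN traffic still arrives through pfSense and is filtered there, so the two policies do not overlap.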

